forked from MISP/misp-galaxy
mitre-enterprise-attack-attack-pattern.json
5660 lines (5660 loc) · 567 KB
{
"authors": [
"MITRE"
],
"category": "attack-pattern",
"description": "ATT&CK tactic",
"name": "Enterprise Attack - Attack Pattern",
"source": "https://github.com/mitre/cti",
"type": "mitre-enterprise-attack-attack-pattern",
"uuid": "fb2242d8-1707-11e8-ab20-6fa7448c3640",
"values": [
{
"description": "Data exfiltration is performed with a different protocol from the main command and control protocol or channel. The data is likely to be sent to an alternate network location from the main command and control server. Alternate protocols include FTP, SMTP, HTTP/S, DNS, or some other network protocol. Different channels could include Internet Web services such as cloud storage.\n\nDetection: Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)\n\nPlatforms: Linux, macOS, Windows\n\nData Sources: User interface, Process monitoring, Process use of network, Packet capture, Netflow/Enclave netflow, Network protocol analysis\n\nRequires Network: Yes",
"meta": {
"external_id": "T1048",
"kill_chain": [
"mitre-attack:enterprise-attack:exfiltration"
],
"mitre_data_sources": [
"User interface",
"Process monitoring",
"Process use of network",
"Packet capture",
"Netflow/Enclave netflow",
"Network protocol analysis"
],
"mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"refs": [
"https://attack.mitre.org/wiki/Technique/T1048",
"https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"
]
},
"uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776",
"value": "Exfiltration Over Alternative Protocol - T1048"
},
{
"description": "Adversaries may communicate using a common, standardized application layer protocol such as HTTP, HTTPS, SMTP, or DNS to avoid detection by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.\n\nFor connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are RPC, SSH, or RDP.\n\nDetection: Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect application layer protocols that do not follow the expected protocol for the port that is being used. (Citation: University of Birmingham C2)\n\nPlatforms: Linux, macOS, Windows\n\nData Sources: Packet capture, Netflow/Enclave netflow, Process use of network, Malware reverse engineering, Process monitoring\n\nRequires Network: Yes",
"meta": {
"external_id": "T1071",
"kill_chain": [
"mitre-attack:enterprise-attack:command-and-control"
],
"mitre_data_sources": [
"Packet capture",
"Netflow/Enclave netflow",
"Process use of network",
"Malware reverse engineering",
"Process monitoring"
],
"mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"refs": [
"https://attack.mitre.org/wiki/Technique/T1071",
"https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"
]
},
"uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"value": "Standard Application Layer Protocol - T1071"
},
{
"description": "Adversaries can perform command and control between compromised hosts on potentially disconnected networks using removable media to transfer commands from system to system. Both systems would need to be compromised, with the likelihood that an Internet-connected system was compromised first and the second through lateral movement by Replication Through Removable Media. Commands and files would be relayed from the disconnected system to the Internet-connected system to which the adversary has direct access.\n\nDetection: Monitor file access on removable media. Detect processes that execute when removable media is mounted.\n\nPlatforms: Linux, macOS, Windows\n\nData Sources: File monitoring, Data loss prevention\n\nRequires Network: No",
"meta": {
"external_id": "T1092",
"kill_chain": [
"mitre-attack:enterprise-attack:command-and-control"
],
"mitre_data_sources": [
"File monitoring",
"Data loss prevention"
],
"mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"refs": [
"https://attack.mitre.org/wiki/Technique/T1092"
]
},
"uuid": "64196062-5210-42c3-9a02-563a0d1797ef",
"value": "Communication Through Removable Media - T1092"
},
{
"description": "Adversaries may leverage information repositories to mine valuable information. Information repositories are tools that allow for storage of information, typically to facilitate collaboration or information sharing between users, and can store a wide variety of data that may aid adversaries in further objectives, or direct access to the target information.\n\nThe following is a brief list of example information that may hold potential value to an adversary and may also be found on an information repository:\n\n* Policies, procedures, and standards\n* Physical / logical network diagrams\n* System architecture diagrams\n* Technical system documentation\n* Testing / development credentials\n* Work / project schedules\n* Source code snippets\n* Links to network shares and other internal resources\n\nCommon information repositories:\n\n===Microsoft SharePoint===\nFound in many enterprise networks and often used to store and share significant amounts of documentation.\n\n===Atlassian Confluence===\nOften found in development environments alongside Atlassian JIRA, Confluence is generally used to store development-related documentation.\n\nDetection: As information repositories generally have a considerably large user base, detection of malicious use can be non-trivial. At minimum, access to information repositories performed by privileged users (for example, Active Directory Domain, Enterprise, or Schema Administrators) should be closely monitored and alerted upon, as these types of accounts should not generally be used to access information repositories. If the capability exists, it may be of value to monitor and alert on users that are retrieving and viewing a large number of documents and pages; this behavior may be indicative of programmatic means being used to retrieve all data within the repository. In environments with high maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user-based anomalies.\n\nThe user access logging within Microsoft's SharePoint can be configured to report access to certain pages and documents. (Citation: Microsoft SharePoint Logging) The user access logging within Atlassian's Confluence can also be configured to report access to certain pages and documents through AccessLogFilter. (Citation: Atlassian Confluence Logging) Additional log storage and analysis infrastructure will likely be required for more robust detection capabilities.\n\nPlatforms: Linux, Windows, macOS\n\nData Sources: Application Logs, Authentication logs, Data loss prevention, Third-party application logs\n\nPermissions Required: User\n\nContributors: Milos Stojadinovic",
"meta": {
"external_id": "T1213",
"kill_chain": [
"mitre-attack:enterprise-attack:collection"
],
"mitre_data_sources": [
"Application Logs",
"Authentication logs",
"Data loss prevention",
"Third-party application logs"
],
"mitre_platforms": [
"Linux",
"Windows",
"macOS"
],
"refs": [
"https://attack.mitre.org/wiki/Technique/T1213",
"https://support.office.com/en-us/article/configure-audit-settings-for-a-site-collection-a9920c97-38c0-44f2-8bcb-4cf1e2ae22d2",
"https://confluence.atlassian.com/confkb/how-to-enable-user-access-logging-182943.html"
]
},
"uuid": "d28ef391-8ed4-45dc-bc4a-2f43abf54416",
"value": "Data from Information Repositories - T1213"
},
{
"description": "Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension. (Citation: Wikipedia Screensaver) The Windows screensaver application scrnsave.exe is located in <code>C:\\Windows\\System32\\</code> along with screensavers included with base Windows installations. The following screensaver settings are stored in the Registry (<code>HKCU\\Control Panel\\Desktop\\</code>) and could be manipulated to achieve persistence:\n\n*<code>SCRNSAVE.exe</code> - set to malicious PE path\n*<code>ScreenSaveActive</code> - set to '1' to enable the screensaver\n*<code>ScreenSaverIsSecure</code> - set to '0' to not require a password to unlock\n*<code>ScreenSaverTimeout</code> - sets user inactivity timeout before screensaver is executed\n\nAdversaries can use screensaver settings to maintain persistence by setting the screensaver to run malware after a certain timeframe of user inactivity. (Citation: ESET Gazer Aug 2017)\n\nDetection: Monitor process execution and command-line parameters of .scr files. Monitor changes to screensaver configuration in the Registry that may not correlate with typical user behavior.\n\nTools such as Sysinternals Autoruns can be used to detect changes to the screensaver binary path in the Registry. Suspicious paths and PE files may indicate outliers among legitimate screensavers in a network and should be investigated.\n\nPlatforms: Windows\n\nData Sources: Process Monitoring, Process command-line parameters, Windows Registry, File monitoring\n\nPermissions Required: User\n\nContributors: Bartosz Jerzman",
"meta": {
"external_id": "T1180",
"kill_chain": [
"mitre-attack:enterprise-attack:persistence"
],
"mitre_data_sources": [
"Process Monitoring",
"Process command-line parameters",
"Windows Registry",
"File monitoring"
],
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/wiki/Technique/T1180",
"https://en.wikipedia.org/wiki/Screensaver",
"https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf"
]
},
"uuid": "2892b9ee-ca9f-4723-b332-0dc6e843a8ae",
"value": "Screensaver - T1180"
},
{
"description": "Password policies for networks are a way to enforce complex passwords that are difficult to guess or crack through Brute Force. An adversary may attempt to access detailed information about the password policy used within an enterprise network. This would help the adversary to create a list of common passwords and launch dictionary and/or brute force attacks which adhere to the policy (e.g. if the minimum password length should be 8, then not trying passwords such as 'pass123'; not checking for more than 3-4 passwords per account if the lockout is set to 6 so as not to lock out accounts).\n\nPassword policies can be set and discovered on Windows, Linux, and macOS systems. (Citation: Superuser Linux Password Policies) (Citation: Jamf User Password Policies)\n\n===Windows===\n* <code>net accounts</code>\n* <code>net accounts /domain</code>\n\n===Linux===\n* <code>chage -l <username></code>\n* <code>cat /etc/pam.d/common-password</code>\n\n===macOS===\n* <code>pwpolicy getaccountpolicies</code>\n\nDetection: Monitor processes for tools and command line arguments that may indicate they're being used for password policy discovery. Correlate that activity with other suspicious activity from the originating system to reduce potential false positives from valid user or administrator activity. Adversaries will likely attempt to find the password policy early in an operation and the activity is likely to happen with other Discovery activity.\n\nPlatforms: Linux, Windows, macOS\n\nData Sources: Process command-line parameters, Process Monitoring\n\nPermissions Required: User\n\nContributors: Sudhanshu Chauhan, @Sudhanshu_C",
"meta": {
"external_id": "T1201",
"kill_chain": [
"mitre-attack:enterprise-attack:discovery"
],
"mitre_data_sources": [
"Process command-line parameters",
"Process Monitoring"
],
"mitre_platforms": [
"Linux",
"Windows",
"macOS"
],
"refs": [
"https://attack.mitre.org/wiki/Technique/T1201",
"https://superuser.com/questions/150675/how-to-display-password-policy-information-for-a-user-ubuntu",
"https://www.jamf.com/jamf-nation/discussions/18574/user-password-policies-on-non-ad-machines"
]
},
"uuid": "b6075259-dba3-44e9-87c7-e954f37ec0d5",
"value": "Password Policy Discovery - T1201"
},
{
"description": "Adversaries may communicate using a custom command and control protocol instead of using existing Standard Application Layer Protocol to encapsulate commands. Implementations could mimic well-known protocols.\n\nDetection: Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)\n\nPlatforms: Linux, macOS, Windows\n\nData Sources: Packet capture, Netflow/Enclave netflow, Process use of network, Process monitoring\n\nRequires Network: Yes",
"meta": {
"external_id": "T1094",
"kill_chain": [
"mitre-attack:enterprise-attack:command-and-control"
],
"mitre_data_sources": [
"Packet capture",
"Netflow/Enclave netflow",
"Process use of network",
"Process monitoring"
],
"mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"refs": [
"https://attack.mitre.org/wiki/Technique/T1094",
"https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"
]
},
"uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00",
"value": "Custom Command and Control Protocol - T1094"
},
{
"description": "Processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.\n\nAdversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence.\n\n===Services===\n\nManipulation of Windows service binaries is one variation of this technique. Adversaries may replace a legitimate service executable with their own executable to gain persistence and/or privilege escalation to the account context the service is set to execute under (local/domain account, SYSTEM, LocalService, or NetworkService). Once the service is started, either directly by the user (if appropriate access is available) or through some other means, such as a system restart if the service starts on bootup, the replaced executable will run instead of the original service executable.\n\n===Executable Installers===\n\nAnother variation of this technique can be performed by taking advantage of a weakness that is common in executable, self-extracting installers. During the installation process, it is common for installers to use a subdirectory within the <code>%TEMP%</code> directory to unpack binaries such as DLLs, EXEs, or other payloads. When installers create subdirectories and files they often do not set appropriate permissions to restrict write access, which allows for execution of untrusted code placed in the subdirectories or overwriting of binaries used in the installation process. This behavior is related to and may take advantage of DLL Search Order Hijacking. Some installers may also require elevated privileges that will result in privilege escalation when executing adversary-controlled code. This behavior is related to Bypass User Account Control. Several examples of this weakness in existing common installers have been reported to software vendors. (Citation: Mozilla Firefox Installer DLL Hijack) (Citation: Seclists Kanthak 7zip Installer)\n\nDetection: Look for changes to binaries and service executables that may normally occur during software updates. If an executable is written, renamed, and/or moved to match an existing service executable, it could be detected and correlated with other suspicious behavior. Hashing of binaries and service executables could be used to detect replacement against historical data.\n\nLook for abnormal process call trees from typical processes and services and for execution of other commands that could relate to Discovery or other adversary techniques.\n\nPlatforms: Windows\n\nData Sources: File monitoring, Process command-line parameters, Services\n\nEffective Permissions: User, Administrator, SYSTEM\n\nPermissions Required: User, Administrator\n\nContributors: Stefan Kanthak, Travis Smith, Tripwire",
"meta": {
"external_id": "T1044",
"kill_chain": [
"mitre-attack:enterprise-attack:persistence",
"mitre-attack:enterprise-attack:privilege-escalation"
],
"mitre_data_sources": [
"File monitoring",
"Process command-line parameters",
"Services"
],
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/wiki/Technique/T1044",
"https://www.mozilla.org/en-US/security/advisories/mfsa2012-98/",
"http://seclists.org/fulldisclosure/2015/Dec/34"
]
},
"uuid": "0ca7beef-9bbc-4e35-97cf-437384ddce6a",
"value": "File System Permissions Weakness - T1044"
},
{
"description": "Process hollowing occurs when a process is created in a suspended state then its memory is unmapped and replaced with malicious code. Similar to Process Injection, execution of the malicious code is masked under a legitimate process and may evade defenses and detection analysis. (Citation: Leitch Hollowing) (Citation: Engame Process Injection July 2017)\n\nDetection: Monitoring API calls may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. API calls that unmap process memory, such as ZwUnmapViewOfSection or NtUnmapViewOfSection, and those that can be used to modify memory within another process, such as WriteProcessMemory, may be used for this technique. (Citation: Engame Process Injection July 2017)\n\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior.\n\nPlatforms: Windows\n\nData Sources: Process monitoring, API monitoring\n\nDefense Bypassed: Process whitelisting, Anti-virus, Whitelisting by file name or path, Signature-based detection\n\nPermissions Required: User",
"meta": {
"external_id": "T1093",
"kill_chain": [
"mitre-attack:enterprise-attack:defense-evasion"
],
"mitre_data_sources": [
"Process monitoring",
"API monitoring"
],
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/wiki/Technique/T1093",
"http://www.autosectools.com/process-hollowing.pdf",
"https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process"
]
},
"uuid": "1c338d0f-a65e-4073-a5c1-c06878849f21",
"value": "Process Hollowing - T1093"
},
{
"description": "Adversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and PowerShell but could also be in the form of command-line batch scripts.\n\nScripts can be embedded inside Office documents as macros that can be set to execute when files used in Spearphishing Attachment and other types of spearphishing are opened. Malicious embedded macros are an alternative means of execution than software exploitation through Exploitation for Client Execution, where adversaries will rely on macros being allowed or that the user will accept to activate them.\n\nMany popular offensive frameworks exist which use forms of scripting for security testers and adversaries alike. Metasploit (Citation: Metasploit), Veil (Citation: Veil), and PowerSploit (Citation: Powersploit) are three examples that are popular among penetration testers for exploit and post-compromise operations and include many features for evading defenses. Some adversaries are known to use PowerShell. (Citation: Alperovitch 2014)\n\nDetection: Scripting may be common on admin, developer, or power user systems, depending on job function. If scripting is restricted for normal users, then any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.\n\nScripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information Discovery, Collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script.\n\nAnalyze Office file attachments for potentially malicious macros. Execution of macros may create suspicious process trees depending on what the macro is designed to do. Office processes, such as word.exe, spawning instances of cmd.exe, script application like wscript.exe or powershell.exe, or other suspicious processes may indicate malicious activity. (Citation: Uperesia Malicious Office Documents)\n\nPlatforms: Linux, macOS, Windows\n\nData Sources: Process monitoring, File monitoring, Process command-line parameters\n\nDefense Bypassed: Process whitelisting, Data Execution Prevention, Exploit Prevention\n\nPermissions Required: User",
"meta": {
"external_id": "T1064",
"kill_chain": [
"mitre-attack:enterprise-attack:defense-evasion",
"mitre-attack:enterprise-attack:execution"
],
"mitre_data_sources": [
"Process monitoring",
"File monitoring",
"Process command-line parameters"
],
"mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"refs": [
"https://attack.mitre.org/wiki/Technique/T1064",
"http://www.metasploit.com",
"https://www.veil-framework.com/framework/",
"https://github.com/mattifestation/PowerSploit",
"https://blog.crowdstrike.com/deep-thought-chinese-targeting-national-security-think-tanks/",
"https://www.uperesia.com/analyzing-malicious-office-documents"
]
},
"uuid": "7fd87010-3a00-4da3-b905-410525e8ec44",
"value": "Scripting - T1064"
},
{
"description": "macOS and OS X applications send AppleEvent messages to each other for interprocess communications (IPC). These messages can be easily scripted with AppleScript for local or remote IPC. Osascript executes AppleScript and any other Open Scripting Architecture (OSA) language scripts. A list of OSA languages installed on a system can be found by using the <code>osalang</code> program.\nAppleEvent messages can be sent independently or as part of a script. These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely.\n\nAdversaries can use this to interact with open SSH connections, move to remote machines, and even present users with fake dialog boxes. These events cannot start applications remotely (they can start them locally though), but can interact with applications if they're already running remotely. Since this is a scripting language, it can be used to launch more common techniques as well such as a reverse shell via python (Citation: Macro Malware Targets Macs). Scripts can be run from the command line via <code>osascript /path/to/script</code> or <code>osascript -e \"script here\"</code>.\n\nDetection: Monitor for execution of AppleScript through osascript that may be related to other suspicious behavior occurring on the system.\n\nPlatforms: macOS\n\nData Sources: API monitoring, System calls, Process Monitoring, Process command-line parameters\n\nPermissions Required: User\n\nRemote Support: Yes",
"meta": {
"external_id": "T1155",
"kill_chain": [
"mitre-attack:enterprise-attack:execution",
"mitre-attack:enterprise-attack:lateral-movement"
],
"mitre_data_sources": [
"API monitoring",
"System calls",
"Process Monitoring",
"Process command-line parameters"
],
"mitre_platforms": [
"macOS"
],
"refs": [
"https://attack.mitre.org/wiki/Technique/T1155",
"https://securingtomorrow.mcafee.com/mcafee-labs/macro-malware-targets-macs/"
]
},
"uuid": "5ad95aaa-49c1-4784-821d-2e83f47b079b",
"value": "AppleScript - T1155"
},
{
"description": "Sensitive data can be collected from any removable media (optical disk drive, USB memory, etc.) connected to the compromised system prior to Exfiltration.\n\nAdversaries may search connected removable media on computers they have compromised to find files of interest. Interactive command shells may be in use, and common functionality within cmd may be used to gather information. Some adversaries may also use Automated Collection on removable media.\n\nDetection: Monitor processes and command-line arguments for actions that could be taken to collect files from a system's connected removable media. Remote access tools with built-in features may interact directly with the Windows API to gather data. Data may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.\n\nPlatforms: Linux, macOS, Windows\n\nData Sources: File monitoring, Process monitoring, Process command-line parameters\n\nSystem Requirements: Privileges to access removable media drive and files",
"meta": {
"external_id": "T1025",
"kill_chain": [
"mitre-attack:enterprise-attack:collection"
],
"mitre_data_sources": [
"File monitoring",
"Process monitoring",
"Process command-line parameters"
],
"mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"refs": [
"https://attack.mitre.org/wiki/Technique/T1025"
]
},
"uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec",
"value": "Data from Removable Media - T1025"
},
{
"description": "Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. (Citation: Wikipedia Code Signing) However, adversaries are known to use code signing certificates to masquerade malware and tools as legitimate binaries (Citation: Janicab). The certificates used during an operation may be created, forged, or stolen by the adversary. (Citation: Securelist Digital Certificates) (Citation: Symantec Digital Certificates)\n\nCode signing to verify software on first run can be used on modern Windows and macOS/OS X systems. It is not used on Linux due to the decentralized nature of the platform. (Citation: Wikipedia Code Signing)\n\nCode signing certificates may be used to bypass security policies that require signed code to execute on a system.\n\nDetection: Collect and analyze signing certificate metadata on software that executes within the environment to look for unusual certificate characteristics and outliers.\n\nPlatforms: Windows, macOS\n\nData Sources: Binary file metadata\n\nDefense Bypassed: Windows User Account Control",
"meta": {
"external_id": "T1116",
"kill_chain": [
"mitre-attack:enterprise-attack:defense-evasion"
],
"mitre_data_sources": [
"Binary file metadata"
],
"mitre_platforms": [
"Windows",
"macOS"
],
"refs": [
"https://attack.mitre.org/wiki/Technique/T1116",
"https://en.wikipedia.org/wiki/Code%20signing",
"http://www.thesafemac.com/new-signed-malware-called-janicab/",
"https://securelist.com/why-you-shouldnt-completely-trust-files-signed-with-digital-certificates/68593/",
"http://www.symantec.com/connect/blogs/how-attackers-steal-private-keys-digital-certificates"
]
},
"uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d",
"value": "Code Signing - T1116"
},
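The detection guidance above (collect signing certificate metadata and look for unusual characteristics and outliers) can be turned into a fleet-wide check. The Python below is an added example, not part of the ATT&CK entry or the MISP galaxy data: the signature records, hostnames, subjects, thumbprints and the revoked-thumbprint list are constructed for illustration, and the four heuristics (self-signed certificate, signer seen on only one host, signing time outside the certificate's validity window, thumbprint on a revocation list) are the editor's choice rather than anything the technique entry prescribes.

```python
"""Outlier analysis over code-signing metadata (added example).

The records are constructed to resemble what an endpoint inventory or a
wrapper around Get-AuthenticodeSignature / codesign -dv would report.
Hosts, paths, signer names and thumbprints are invented.
"""
from collections import defaultdict
from datetime import date

FIELDS = ("host", "path", "subject", "issuer", "thumbprint",
          "not_before", "not_after", "signed_at")
MS = ("CN=Microsoft Windows", "CN=Microsoft Windows Production PCA 2011")
CONTOSO = ("CN=Contoso Software Ltd", "CN=Example Public CA")

SAMPLE_SIGNATURES = [dict(zip(FIELDS, row)) for row in [
    # OS binary, same signer on every host in the fleet.
    ("ws01", "C:\\Windows\\System32\\notepad.exe", *MS, "A1", "2021-01-01", "2023-01-01", "2021-06-01"),
    ("ws02", "C:\\Windows\\System32\\notepad.exe", *MS, "A1", "2021-01-01", "2023-01-01", "2021-06-01"),
    ("ws03", "C:\\Windows\\System32\\notepad.exe", *MS, "A1", "2021-01-01", "2023-01-01", "2021-06-01"),
    # Legitimate third-party agent deployed fleet-wide.
    ("ws01", "C:\\Program Files\\Contoso\\agent.exe", *CONTOSO, "B2", "2021-01-01", "2024-01-01", "2022-02-01"),
    ("ws02", "C:\\Program Files\\Contoso\\agent.exe", *CONTOSO, "B2", "2021-01-01", "2024-01-01", "2022-02-01"),
    # Same vendor name, but signed after the certificate expired: forged or stolen.
    ("ws03", "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe", *CONTOSO, "B3", "2021-01-01", "2022-01-01", "2022-03-15"),
    # Self-signed and present on exactly one machine.
    ("ws03", "C:\\Users\\alice\\Downloads\\tool.exe", "CN=Dev Tools", "CN=Dev Tools", "C3", "2022-01-01", "2023-01-01", "2022-03-01"),
    # Valid-looking signature whose certificate the vendor has since revoked.
    ("ws02", "C:\\ProgramData\\svc.exe", *CONTOSO, "B4", "2021-01-01", "2024-01-01", "2022-02-20"),
]]


def find_outliers(records, revoked_thumbprints=frozenset()):
    """Return {(host, path): [reasons]} for every signed file that looks unusual."""
    fleet = {r["host"] for r in records}
    hosts_per_signer = defaultdict(set)
    for r in records:
        hosts_per_signer[(r["subject"], r["issuer"])].add(r["host"])

    findings = {}
    for r in records:
        reasons = []
        signer = (r["subject"], r["issuer"])
        if r["subject"] == r["issuer"]:
            reasons.append("self-signed")
        # A signer that only ever appears on one host is worth a look when the
        # fleet is large enough for that to be unusual.
        if len(fleet) > 1 and len(hosts_per_signer[signer]) == 1:
            reasons.append("signer seen on a single host")
        signed = date.fromisoformat(r["signed_at"])
        if not date.fromisoformat(r["not_before"]) <= signed <= date.fromisoformat(r["not_after"]):
            reasons.append("signing time outside certificate validity")
        if r["thumbprint"] in revoked_thumbprints:
            reasons.append("certificate on revocation list")
        if reasons:
            findings[(r["host"], r["path"])] = reasons
    return findings


if __name__ == "__main__":
    # Revocation list is constructed; in practice it comes from CRL/OCSP data.
    for (host, path), why in find_outliers(SAMPLE_SIGNATURES, {"B4"}).items():
        print(host, path, "->", "; ".join(why))
```

The rarity rule is deliberately relative to the fleet rather than to an absolute vendor list, so a signer that is legitimate but only installed on one developer's machine will surface for review rather than being silently accepted.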
{
"description": "Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key <code>HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager</code> are loaded into every process that calls the ubiquitously used application programming interface (API) functions: (Citation: Endgame Process Injection July 2017)\n*CreateProcess\n*CreateProcessAsUser\n*CreateProcessWithLoginW\n*CreateProcessWithTokenW\n*WinExec\nSimilar to Process Injection, this value can be abused to obtain persistence and privilege escalation by causing a malicious DLL to be loaded and run in the context of separate processes on the computer.\n\nDetection: Monitor DLL loads by processes, specifically looking for DLLs that are not recognized or not normally loaded into a process. Monitor the AppCertDLLs Registry value for modifications that do not correlate with known software, patch cycles, etc. Monitor and analyze application programming interface (API) calls that are indicative of Registry edits such as RegCreateKeyEx and RegSetValueEx. (Citation: Endgame Process Injection July 2017)\n\nTools such as Sysinternals Autoruns may overlook AppCert DLLs as an auto-starting location. (Citation: TechNet Autoruns) (Citation: Sysinternals AppCertDlls Oct 2007)\n\nLook for abnormal process behavior that may be due to a process loading a malicious DLL. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as making network connections for Command and Control, learning details about the environment through Discovery, and conducting Lateral Movement.\n\nPlatforms: Windows\n\nData Sources: Loaded DLLs, Process Monitoring, Windows Registry\n\nEffective Permissions: Administrator, SYSTEM\n\nPermissions Required: Administrator, SYSTEM",
"meta": {
"external_id": "T1182",
"kill_chain": [
"mitre-attack:enterprise-attack:persistence",
"mitre-attack:enterprise-attack:privilege-escalation"
],
"mitre_data_sources": [
"Loaded DLLs",
"Process Monitoring",
"Windows Registry"
],
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/wiki/Technique/T1182",
"https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
"https://technet.microsoft.com/en-us/sysinternals/bb963902",
"https://forum.sysinternals.com/appcertdlls%20topic12546.html"
]
},
"uuid": "4bf5845d-a814-4490-bc5c-ccdee6043025",
"value": "AppCert DLLs - T1182"
},
{
"description": "Rootkits are programs that hide the existence of malware by intercepting (i.e., Hooking) and modifying operating system API calls that supply system information. (Citation: Symantec Windows Rootkits) Rootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower, to include a Hypervisor, Master Boot Record, or the System Firmware. (Citation: Wikipedia Rootkit)\n\nAdversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits have been seen for Windows, Linux, and Mac OS X systems. (Citation: CrowdStrike Linux Rootkit) (Citation: BlackHat Mac OSX Rootkit)\n\nDetection: Some rootkit protections may be built into anti-virus or operating system software. There are dedicated rootkit detection tools that look for specific types of rootkit behavior. Monitor for the existence of unrecognized DLLs, devices, services, and changes to the MBR. (Citation: Wikipedia Rootkit)\n\nPlatforms: Linux, macOS, Windows\n\nData Sources: BIOS, MBR, System calls\n\nDefense Bypassed: Anti-virus, File monitoring, Host intrusion prevention systems, Process whitelisting, Signature-based detection, System access controls, Whitelisting by file name or path\n\nPermissions Required: Administrator, SYSTEM, root",
"meta": {
"external_id": "T1014",
"kill_chain": [
"mitre-attack:enterprise-attack:defense-evasion"
],
"mitre_data_sources": [
"BIOS",
"MBR",
"System calls"
],
"mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"refs": [
"https://attack.mitre.org/wiki/Technique/T1014",
"https://en.wikipedia.org/wiki/Rootkit",
"https://www.symantec.com/avcenter/reference/windows.rootkit.overview.pdf",
"https://www.crowdstrike.com/blog/http-iframe-injecting-linux-rootkit/",
"http://www.blackhat.com/docs/asia-14/materials/Tsai/WP-Asia-14-Tsai-You-Cant-See-Me-A-Mac-OS-X-Rootkit-Uses-The-Tricks-You-Havent-Known-Yet.pdf"
]
},
"uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b",
"value": "Rootkit - T1014"
},
{
"description": "MacOS provides the option to list specific applications to run when a user logs in. These applications run under the logged in user's context, and will be started every time the user logs in. Login items installed using the Service Management Framework are not visible in the System Preferences and can only be removed by the application that created them (Citation: Adding Login Items). Users have direct control over login items installed using a shared file list which are also visible in System Preferences (Citation: Adding Login Items). These login items are stored in the user's <code>~/Library/Preferences/</code> directory in a plist file called <code>com.apple.loginitems.plist</code> (Citation: Methods of Mac Malware Persistence). Some of these applications can open visible dialogs to the user, but they don’t all have to since there is an option to ‘Hide’ the window. If an adversary can register their own login item or modify an existing one, then they can use it to execute their code for a persistence mechanism each time the user logs in (Citation: Malware Persistence on OS X) (Citation: OSX.Dok Malware).\n\nDetection: All the login items are viewable by going to the Apple menu -> System Preferences -> Users & Groups -> Login items. This area should be monitored and whitelisted for known good applications. Monitor process execution resulting from login actions for unusual or unknown applications.\n\nPlatforms: macOS\n\nPermissions Required: User",
"meta": {
"external_id": "T1162",
"kill_chain": [
"mitre-attack:enterprise-attack:persistence"
],
"mitre_platforms": [
"macOS"
],
"refs": [
"https://attack.mitre.org/wiki/Technique/T1162",
"https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLoginItems.html",
"https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf",
"https://www.rsaconference.com/writable/presentations/file%20upload/ht-r03-malware-persistence-on-os-x-yosemite%20final.pdf",
"https://blog.malwarebytes.com/threat-analysis/2017/04/new-osx-dok-malware-intercepts-web-traffic/"
]
},
"uuid": "36675cd3-fe00-454c-8516-aebecacbe9d9",
"value": "Login Item - T1162"
},
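As an added example (not from the ATT&CK entry or the MISP galaxy), the check below parses a com.apple.loginitems.plist with Python's standard-library plistlib and reports items that are not on an allowlist or that are flagged to launch hidden. The plist content is constructed; the SessionItems/CustomListItems layout and the com.apple.LSSharedFileList.ItemIsHidden property used for the 'Hide' option are assumptions about the file format and should be checked against a real file from the macOS version in use.

```python
"""Audit shared-file-list login items (added example, constructed input).

Assumptions: items live under SessionItems -> CustomListItems, each with a
Name and an Alias blob, and the 'Hide' checkbox is recorded as
com.apple.LSSharedFileList.ItemIsHidden inside CustomItemProperties.
"""
import plistlib

# Constructed ~/Library/Preferences/com.apple.loginitems.plist. The Alias
# bookmarks are dummy bytes; only Name and the hidden flag are used here.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>SessionItems</key>
  <dict>
    <key>CustomListItems</key>
    <array>
      <dict>
        <key>Name</key><string>iTunesHelper</string>
        <key>Alias</key><data>AAAA</data>
      </dict>
      <dict>
        <key>Name</key><string>Dropbox</string>
        <key>Alias</key><data>AAAA</data>
      </dict>
      <dict>
        <key>Name</key><string>com.apple.updater</string>
        <key>Alias</key><data>AAAA</data>
        <key>CustomItemProperties</key>
        <dict>
          <key>com.apple.LSSharedFileList.ItemIsHidden</key><true/>
        </dict>
      </dict>
    </array>
  </dict>
</dict>
</plist>
"""

HIDDEN_KEY = "com.apple.LSSharedFileList.ItemIsHidden"  # assumed property name


def parse_login_items(raw):
    """Return [{'name': ..., 'hidden': bool}] for every shared-file-list login item."""
    plist = plistlib.loads(raw)
    items = plist.get("SessionItems", {}).get("CustomListItems", [])
    parsed = []
    for item in items:
        props = item.get("CustomItemProperties", {})
        parsed.append({"name": item.get("Name", "<unnamed>"),
                       "hidden": bool(props.get(HIDDEN_KEY, False))})
    return parsed


def audit_login_items(raw, allowlist):
    """Flag items missing from the allowlist, and note any set to start hidden."""
    findings = []
    for item in parse_login_items(raw):
        reasons = []
        if item["name"] not in allowlist:
            reasons.append("not on the allowlist")
        if item["hidden"]:
            reasons.append("window hidden at launch")
        if reasons:
            findings.append({**item, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_login_items(SAMPLE_PLIST, {"iTunesHelper", "Dropbox"}):
        print(f["name"], "->", "; ".join(f["reasons"]))
```

On a real host the same function can be pointed at the file read from each user's ~/Library/Preferences directory; items added through the Service Management Framework are not in this plist, so this covers only the shared-file-list path the entry describes.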
{
"description": "Command-line interfaces provide a way of interacting with computer systems and are a common feature across many types of operating system platforms. (Citation: Wikipedia Command-Line Interface) One example command-line interface on Windows systems is cmd, which can be used to perform a number of tasks including execution of other software. Command-line interfaces can be interacted with locally or remotely via a remote desktop application, reverse shell session, etc. Commands that are executed run with the current permission level of the command-line interface process unless the command includes process invocation that changes permissions context for that execution (e.g. Scheduled Task).\n\nAdversaries may use command-line interfaces to interact with systems and execute other software during the course of an operation.\n\nDetection: Command-line interface activities can be captured through proper logging of process execution with command-line arguments. This information can be useful in gaining additional insight to adversaries' actions through how they use native processes or custom tools.\n\nPlatforms: Linux, Windows, macOS\n\nData Sources: Process command-line parameters, Process monitoring\n\nPermissions Required: Administrator, SYSTEM, User\n\nRemote Support: No",
"meta": {
"external_id": "T1059",
"kill_chain": [
"mitre-attack:enterprise-attack:execution"
],
"mitre_data_sources": [
"Process command-line parameters",
"Process monitoring"
],
"mitre_platforms": [
"Linux",
"Windows",
"macOS"
],
"refs": [
"https://attack.mitre.org/wiki/Technique/T1059",
"https://en.wikipedia.org/wiki/Command-line%20interface"
]
},
"uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"value": "Command-Line Interface - T1059"
},
{
"description": "Data exfiltration is performed over the Command and Control channel. Data is encoded into the normal communications channel using the same protocol as command and control communications.\n\nDetection: Detection for command and control applies. Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)\n\nPlatforms: Linux, macOS, Windows\n\nData Sources: User interface, Process monitoring\n\nRequires Network: Yes",
"meta": {
"external_id": "T1041",
"kill_chain": [
"mitre-attack:enterprise-attack:exfiltration"
],
"mitre_data_sources": [
"User interface",
"Process monitoring"
],
"mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"refs": [
"https://attack.mitre.org/wiki/Technique/T1041",
"https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"
]
},
"uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
"value": "Exfiltration Over Command and Control Channel - T1041"
},
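The "client sending significantly more data than it receives" heuristic above, as an added Python example over constructed flow records (not part of the ATT&CK entry or the MISP data). It aggregates bytes per (source, destination, port), ignores small flows and allowlisted destinations such as internal backup targets, and flags the remainder once the outbound-to-inbound ratio crosses a threshold. The thresholds, addresses and byte counts are illustrative assumptions.

```python
"""Flag asymmetric outbound flows in netflow-style records (added example).

Each record is (src, dst, dport, bytes_out, bytes_in) where bytes_out is the
client-to-server direction. All records below are constructed.
"""
from collections import defaultdict

SAMPLE_FLOWS = [
    ("10.1.1.5", "203.0.113.10", 443, 48_000, 3_200_000),     # normal browsing: downloads dominate
    ("10.1.1.5", "203.0.113.10", 443, 60_000, 4_100_000),
    ("10.1.1.5", "198.51.100.7", 443, 6_000_000, 18_000),     # same host pushing data to a C2 server
    ("10.1.1.5", "198.51.100.7", 443, 9_500_000, 22_000),
    ("10.1.1.9", "10.1.2.20", 445, 120_000_000, 900_000),     # backup to an internal server, expected
    ("10.1.1.7", "203.0.113.44", 80, 2_000, 1_000),           # too small to matter
]


def find_asymmetric_flows(flows, min_bytes_out=5_000_000, min_ratio=10.0,
                          allowed_dsts=frozenset()):
    """Return flagged (src, dst, dport) tuples, largest outbound volume first.

    min_bytes_out keeps short-lived sessions out of the result; min_ratio is
    the outbound:inbound ratio at which an upload looks like exfiltration
    rather than ordinary request/response traffic.
    """
    totals = defaultdict(lambda: [0, 0])
    for src, dst, dport, out_b, in_b in flows:
        bucket = totals[(src, dst, dport)]
        bucket[0] += out_b
        bucket[1] += in_b

    flagged = []
    for (src, dst, dport), (out_b, in_b) in totals.items():
        if dst in allowed_dsts or out_b < min_bytes_out:
            continue
        ratio = out_b / max(in_b, 1)   # avoid division by zero on one-way flows
        if ratio >= min_ratio:
            flagged.append({"src": src, "dst": dst, "dport": dport,
                            "bytes_out": out_b, "bytes_in": in_b,
                            "ratio": round(ratio, 1)})
    return sorted(flagged, key=lambda f: f["bytes_out"], reverse=True)


if __name__ == "__main__":
    for f in find_asymmetric_flows(SAMPLE_FLOWS, allowed_dsts={"10.1.2.20"}):
        print(f)
```

Without the destination allowlist the backup job is flagged as well, which is the expected false positive for this rule: the ratio test cannot distinguish a legitimate bulk upload from exfiltration, so it needs asset context (known backup, update and file-transfer destinations) layered on top.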
{
"description": "An adversary may rely upon specific actions by a user in order to gain execution. This may be direct code execution, such as when a user opens a malicious executable delivered via Spearphishing Attachment with the icon and apparent extension of a document file. It also may lead to other execution techniques, such as when a user clicks on a link delivered via Spearphishing Link that leads to exploitation of a browser or application vulnerability via Exploitation for Client Execution. While User Execution frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it.\n\nDetection: Monitor the execution of and command-line arguments for applications that may be used by an adversary to gain Initial Access that require user interaction. This includes compression applications, such as those for zip files, that can be used to Deobfuscate/Decode Files or Information in payloads.\n\nAnti-virus can potentially detect malicious documents and files that are downloaded and executed on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the file is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning Powershell.exe) for techniques such as Exploitation for Client Execution and Scripting.\n\nPlatforms: Linux, Windows, macOS\n\nData Sources: Anti-virus, Process command-line parameters, Process monitoring\n\nPermissions Required: User",
"meta": {
"external_id": "T1204",
"kill_chain": [
"mitre-attack:enterprise-attack:execution"
],
"mitre_data_sources": [
"Anti-virus",
"Process command-line parameters",
"Process monitoring"
],
"mitre_platforms": [
"Linux",
"Windows",
"macOS"
],
"refs": [
"https://attack.mitre.org/wiki/Technique/T1204"
]
},
"uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5",
"value": "User Execution - T1204"
},
{
"description": "Adversaries may create multiple stages for command and control that are employed under different conditions or for certain functions. Use of multiple stages may obfuscate the command and control channel to make detection more difficult.\n\nRemote access tools will call back to the first-stage command and control server for instructions. The first stage may have automated capabilities to collect basic host information, update tools, and upload additional files. A second remote access tool (RAT) could be uploaded at that point to redirect the host to the second-stage command and control server. The second stage will likely be more fully featured and allow the adversary to interact with the system through a reverse shell and additional RAT features.\n\nThe different stages will likely be hosted separately with no overlapping infrastructure. The loader may also have backup first-stage callbacks or Fallback Channels in case the original first-stage communication path is discovered and blocked.\n\nDetection: Host data that can relate unknown or suspicious process activity using a network connection is important to supplement any existing indicators of compromise based on malware command and control signatures and infrastructure. Relating subsequent actions that may result from Discovery of the system and network information or Lateral Movement to the originating process may also yield useful data.\n\nPlatforms: Linux, macOS, Windows\n\nData Sources: Netflow/Enclave netflow, Network device logs, Network protocol analysis, Packet capture, Process use of network\n\nRequires Network: Yes",
"meta": {
"external_id": "T1104",
"kill_chain": [
"mitre-attack:enterprise-attack:command-and-control"
],
"mitre_data_sources": [
"Netflow/Enclave netflow",
"Network device logs",
"Network protocol analysis",
"Packet capture",
"Process use of network"
],
"mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"refs": [
"https://attack.mitre.org/wiki/Technique/T1104"
]
},
"uuid": "84e02621-8fdf-470f-bd58-993bb6a89d91",
"value": "Multi-Stage Channels - T1104"
},
{
"description": "In OS X prior to El Capitan, users with root access can read plaintext keychain passwords of logged-in users because Apple’s keychain implementation allows these credentials to be cached so that users are not repeatedly prompted for passwords. (Citation: OS X Keychain) (Citation: External to DA, the OS X Way) Apple’s securityd utility takes the user’s logon password, derives a master key from it with PBKDF2, and stores this master key in memory. Apple also uses a set of keys and algorithms to encrypt the user’s password, but once the master key is found, an attacker need only iterate over the other values to unlock the final password. (Citation: OS X Keychain)\n\nIf an adversary can obtain root access (allowing them to read securityd’s memory), then they can scan through memory to find the correct sequence of keys in relatively few tries to decrypt the user’s logon keychain. This provides the adversary with all the plaintext passwords for users, WiFi, mail, browsers, certificates, secure notes, etc. (Citation: OS X Keychain) (Citation: OSX Keydnap malware)\n\nPlatforms: macOS\n\nData Sources: Process Monitoring\n\nPermissions Required: root",
"meta": {
"external_id": "T1167",
"kill_chain": [
"mitre-attack:enterprise-attack:credential-access"
],
"mitre_data_sources": [
"Process Monitoring"
],
"mitre_platforms": [
"macOS"
],
"refs": [
"https://attack.mitre.org/wiki/Technique/T1167",
"http://juusosalonen.com/post/30923743427/breaking-into-the-os-x-keychain",
"http://www.slideshare.net/StephanBorosh/external-to-da-the-os-x-way",
"https://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/"
]
},
"uuid": "2715c335-1bf2-4efe-9f18-0691317ff83b",
"value": "Securityd Memory - T1167"
},
{
"description": "Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon User Execution to gain execution.\n\nThere are many options for the attachment such as Microsoft Office documents, executables, PDFs, or archived files. Upon opening the attachment (and potentially clicking past protections), the adversary's payload exploits a vulnerability or directly executes on the user's system. The text of the spearphishing email usually tries to give a plausible reason why the file should be opened, and may explain how to bypass system protections in order to do so. The email may also contain instructions on how to decrypt an attachment, such as a zip file password, in order to evade email boundary defenses. Adversaries frequently manipulate file extensions and icons in order to make attached executables appear to be document files, or files exploiting one application appear to be a file for a different one.\n\nDetection: Network intrusion detection systems and email gateways can be used to detect spearphishing with malicious attachments in transit. Detonation chambers may also be used to identify malicious attachments. Solutions can be signature and behavior based, but adversaries may construct attachments in a way to avoid these systems.\n\nAnti-virus can potentially detect malicious documents and attachments as they're scanned to be stored on the email server or on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the attachment is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning Powershell.exe) for techniques such as Exploitation for Client Execution and Scripting.\n\nPlatforms: Linux, Windows, macOS\n\nData Sources: File monitoring, Packet capture, Mail server, Network intrusion detection system, Detonation chamber, Email gateway",
"meta": {
"external_id": "T1193",
"kill_chain": [
"mitre-attack:enterprise-attack:initial-access"
],
"mitre_data_sources": [
"File monitoring",
"Packet capture",
"Mail server",
"Network intrusion detection system",
"Detonation chamber",
"Email gateway"
],
"mitre_platforms": [
"Linux",
"Windows",
"macOS"
],
"refs": [
"https://attack.mitre.org/wiki/Technique/T1193"
]
},
"uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38",
"value": "Spearphishing Attachment - T1193"
},
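This entry and User Execution (T1204) above give the same endpoint detection hint: a Word document or PDF reader spawning PowerShell, or reaching out to the internet on its own. The Python below is an added example serving both passages, not code from ATT&CK or the galaxy. It reconstructs process lineage from constructed process-creation events, flags script hosts whose ancestry includes a document reader (so a cmd.exe hop between winword.exe and powershell.exe still matches), and joins constructed network events to the process table to catch a reader making its own outbound connection. Process names, PIDs and addresses are invented; the lists of document readers, script hosts and expected benign children are assumptions to tune per environment.

```python
"""Document-reader child-process and network detections (added example).

Events are constructed in the shape of Sysmon/EDR process-creation and
network-connection records; the -enc argument is the UTF-16LE base64 of
"IEX", used only to make the command line look realistic.
"""

DOC_READERS = {"winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe", "acrobat.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
EXPECTED_CHILDREN = {"splwow64.exe"}   # print helper Office spawns legitimately (assumption)

PROCESS_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe",  "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "outlook.exe",   "cmdline": "outlook.exe"},
    {"pid": 300, "ppid": 200, "image": "winword.exe",
     "cmdline": "WINWORD.EXE /n C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.docm"},
    {"pid": 310, "ppid": 300, "image": "splwow64.exe",  "cmdline": "splwow64.exe 12288"},
    {"pid": 320, "ppid": 300, "image": "cmd.exe",
     "cmdline": "cmd.exe /c powershell -w hidden -enc SQBFAFgA"},
    {"pid": 330, "ppid": 320, "image": "powershell.exe",
     "cmdline": "powershell -w hidden -enc SQBFAFgA"},
    {"pid": 400, "ppid": 100, "image": "acrord32.exe",
     "cmdline": "AcroRd32.exe C:\\Users\\bob\\Downloads\\report.pdf"},
    {"pid": 500, "ppid": 100, "image": "chrome.exe",    "cmdline": "chrome.exe"},
]
NETWORK_EVENTS = [
    {"pid": 400, "dst": "198.51.100.23", "dport": 443},   # PDF reader reaching out
    {"pid": 500, "dst": "203.0.113.10", "dport": 443},    # browser, expected
    {"pid": 330, "dst": "198.51.100.23", "dport": 443},   # the spawned PowerShell
]


def _by_pid(events):
    return {e["pid"]: e for e in events}


def lineage(events, pid):
    """Images from pid up to the root, following ppid links; guards against cycles."""
    by_pid = _by_pid(events)
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid]["image"].lower())
        pid = by_pid[pid]["ppid"]
    return chain


def detect_document_spawns(events):
    """Flag processes whose ancestry includes a document reader.

    Script hosts are 'high'; any other unexpected child is 'low' so that
    new benign helpers can be added to EXPECTED_CHILDREN after review.
    """
    findings = []
    for e in events:
        chain = lineage(events, e["pid"])
        image, ancestors = chain[0], chain[1:]
        if image in DOC_READERS or image in EXPECTED_CHILDREN:
            continue
        if not any(a in DOC_READERS for a in ancestors):
            continue
        severity = "high" if image in SCRIPT_HOSTS else "low"
        findings.append({"pid": e["pid"], "image": image, "severity": severity,
                         "chain": " <- ".join(chain), "cmdline": e["cmdline"]})
    return findings


def detect_document_network(events, net_events):
    """Flag document readers that open their own network connections."""
    by_pid = _by_pid(events)
    findings = []
    for n in net_events:
        proc = by_pid.get(n["pid"])
        if proc and proc["image"].lower() in DOC_READERS:
            findings.append({"pid": n["pid"], "image": proc["image"].lower(),
                             "dst": "{}:{}".format(n["dst"], n["dport"])})
    return findings


if __name__ == "__main__":
    for f in detect_document_spawns(PROCESS_EVENTS) + detect_document_network(PROCESS_EVENTS, NETWORK_EVENTS):
        print(f)
```

Walking the full ancestry rather than only the immediate parent is what makes the cmd.exe-then-powershell.exe pattern visible; the cost is that long-lived readers can accumulate unrelated descendants, which is why the expected-children list and the severity split exist.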
{
"description": "The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow backward compatibility of programs as Windows updates and changes its code. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that they will work with Windows 10. (Citation: Endgame Process Injection July 2017) Within the framework, shims are created to act as a buffer between the program (or more specifically, the Import Address Table) and the Windows OS. When a program is executed, the shim cache is referenced to determine if the program requires the use of the shim database (.sdb). If so, the shim database uses Hooking to redirect the code as necessary in order to communicate with the OS. A list of all shims currently installed by the default Windows installer (sdbinst.exe) is kept in:\n\n* <code>%WINDIR%\\AppPatch\\sysmain.sdb</code>\n* <code>hklm\\software\\microsoft\\windows nt\\currentversion\\appcompatflags\\installedsdb</code>\n\nCustom databases are stored in:\n\n* <code>%WINDIR%\\AppPatch\\custom & %WINDIR%\\AppPatch\\AppPatch64\\Custom</code>\n* <code>hklm\\software\\microsoft\\windows nt\\currentversion\\appcompatflags\\custom</code>\n\nTo keep shims secure, Windows designed them to run in user mode so they cannot modify the kernel and you must have administrator privileges to install a shim. However, certain shims can be used to Bypass User Account Control (UAC) (RedirectEXE), inject DLLs into processes (InjectDLL), disable Data Execution Prevention (DisableNX) and Structured Exception Handling (DisableSEH), and intercept memory addresses (GetProcAddress).\n\nSimilar to Hooking, utilizing these shims may allow an adversary to perform several malicious acts such as elevating privileges, installing backdoors, and disabling defenses like Windows Defender.\n\nDetection: Several public tools detect installed or active shims (Citation: Black Hat 2015 App Shim):\n\n* Shim-Process-Scanner - checks memory of every running process for any Shim flags\n* Shim-Detector-Lite - detects installation of custom shim databases\n* Shim-Guard - monitors registry for any shim installations\n* ShimScanner - forensic tool to find active shims in memory\n* ShimCacheMem - Volatility plug-in that pulls shim cache from memory (note: shims are only cached after reboot)\n\nMonitor process execution for sdbinst.exe and command-line arguments for potential indications of application shim abuse.\n\nPlatforms: Windows\n\nData Sources: Loaded DLLs, System calls, Windows Registry, Process Monitoring, Process command-line parameters\n\nPermissions Required: Administrator",
"meta": {
"external_id": "T1138",
"kill_chain": [
"mitre-attack:enterprise-attack:persistence",
"mitre-attack:enterprise-attack:privilege-escalation"
],
"mitre_data_sources": [
"Loaded DLLs",
"System calls",
"Windows Registry",
"Process Monitoring",
"Process command-line parameters"
],
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/wiki/Technique/T1138",
"https://www.blackhat.com/docs/eu-15/materials/eu-15-Pierce-Defending-Against-Malicious-Application-Compatibility-Shims-wp.pdf",
"https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process"
]
},
"uuid": "7c93aa74-4bc0-4a9e-90ea-f25f86301566",
"value": "Application Shimming - T1138"
},
{
"description": "Adversaries can use methods of capturing user input for obtaining credentials for Valid Accounts and information Collection that include keylogging and user input field interception.\n\nKeylogging is the most prevalent type of input capture, with many different ways of intercepting keystrokes, (Citation: Adventures of a Keystroke) but other methods exist to target information for specific purposes, such as performing a UAC prompt or wrapping the Windows default credential provider. (Citation: Wrightson 2012)\n\nKeylogging is likely to be used to acquire credentials for new access opportunities when Credential Dumping efforts are not effective, and may require an adversary to remain passive on a system for a period of time before an opportunity arises.\n\nAdversaries may also install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. This variation on input capture may be conducted post-compromise using legitimate administrative access as a backup measure to maintain network access through External Remote Services and Valid Accounts or as part of the initial compromise by exploitation of the externally facing web service. (Citation: Volexity Virtual Private Keylogging)\n\nDetection: Keyloggers may take many forms, possibly involving modification to the Registry and installation of a driver, setting a hook, or polling to intercept keystrokes. Commonly used API calls include SetWindowsHook, GetKeyState, and GetAsyncKeyState. (Citation: Adventures of a Keystroke) Monitor the Registry and file system for such changes and detect driver installs, as well as looking for common keylogging API calls. API calls alone are not an indicator of keylogging, but may provide behavioral data that is useful when combined with other information such as new files written to disk and unusual processes.\n\nMonitor the Registry for the addition of a Custom Credential Provider. (Citation: Wrightson 2012) Detection of compromised Valid Accounts in use by adversaries may help to catch the result of user input interception if new techniques are used.\n\nPlatforms: Linux, macOS, Windows\n\nData Sources: Windows Registry, Kernel drivers, Process monitoring, API monitoring\n\nPermissions Required: Administrator, SYSTEM\n\nContributors: John Lambert, Microsoft Threat Intelligence Center",
"meta": {
"external_id": "T1056",
"kill_chain": [
"mitre-attack:enterprise-attack:collection",
"mitre-attack:enterprise-attack:credential-access"
],
"mitre_data_sources": [
"Windows Registry",
"Kernel drivers",
"Process monitoring",
"API monitoring"
],
"mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"refs": [
"https://attack.mitre.org/wiki/Technique/T1056",
"http://blog.leetsys.com/2012/01/02/capturing-windows-7-credentials-at-logon-using-custom-credential-provider/",
"https://www.volexity.com/blog/2015/10/07/virtual-private-keylogging-cisco-web-vpns-leveraged-for-access-and-persistence/"
]
},
"uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
"value": "Input Capture - T1056"
},
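AppCert DLLs (T1182), Application Shimming (T1138) and the credential-provider check in this entry all reduce to the same detection: watch specific Registry locations for additions or changes that do not line up with known software or patch cycles. The Python below is one added example serving all three passages, not code from ATT&CK or the galaxy. It diffs two constructed registry snapshots, restricted to the Session Manager AppCertDLLs value, the AppCompatFlags Custom and InstalledSDB keys, and the Credential Providers key, then drops findings that match a known-good marker list. Snapshot contents, GUIDs and paths are invented; the snapshot dict layout and the "(Default)" value name are assumptions about the export format, and the Credential Providers key path is not given in this entry and is supplied here as an assumption.

```python
"""Diff registry snapshots for persistence locations (added example).

Snapshot contents, GUIDs and paths are constructed. A real run would feed
it exports from reg.exe, PowerShell or EDR telemetry taken at two points in
time and compare them the same way.
"""

SM = "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager"
ACF = "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags"
# Assumption: key path for credential providers, not stated in the entry above.
CP = "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Authentication\\Credential Providers"

# Locations to watch. Where a key also carries values that change
# legitimately (Session Manager), list the value names of interest;
# None means every value under the key and its subkeys.
MONITORED = [
    (SM, {"AppCertDLLs"}),           # T1182
    (ACF + "\\Custom", None),        # T1138: per-executable custom shim entries
    (ACF + "\\InstalledSDB", None),  # T1138: installed shim databases
    (CP, None),                      # T1056: custom credential providers
]

SDB = "{0000aaaa-0000-0000-0000-000000000002}"
RUN = "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

# Constructed snapshots: {key: {value_name: data}}. REG_MULTI_SZ data is a
# list; "(Default)" stands for a key's unnamed default value.
BASELINE_SNAPSHOT = {
    SM: {"BootExecute": ["autocheck autochk *"]},
    CP + "\\{00000000-0000-0000-0000-000000000001}": {"(Default)": "PasswordProvider"},
    RUN: {"OneDrive": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"},
}
CURRENT_SNAPSHOT = {
    SM: {"BootExecute": ["autocheck autochk *"],
         "AppCertDLLs": ["C:\\Windows\\Temp\\appcert.dll"]},                  # new AppCert DLL
    ACF + "\\Custom\\iexplore.exe": {SDB + ".sdb": "0x01d9a0b0c0d0e0f0"},       # custom shim bound to an exe
    ACF + "\\InstalledSDB\\" + SDB: {"DatabasePath": "C:\\Windows\\AppPatch\\Custom\\" + SDB + ".sdb"},
    CP + "\\{00000000-0000-0000-0000-000000000001}": {"(Default)": "PasswordProvider"},
    CP + "\\{00000000-0000-0000-0000-000000000003}": {"(Default)": "Contoso VPN Provider"},  # expected rollout
    CP + "\\{00000000-0000-0000-0000-000000000004}": {"(Default)": "Helper Provider"},       # unknown provider
    RUN: {"OneDrive": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe",
          "Updater": "C:\\Users\\alice\\u.exe"},                                 # out of scope here
}

# Markers (from a software inventory or patch notes) that explain a change; constructed.
KNOWN_GOOD = {"Contoso VPN Provider"}


def in_scope(key):
    """Return (monitored, wanted_value_names) for a registry key path."""
    k = key.lower()
    for prefix, wanted in MONITORED:
        p = prefix.lower()
        if k == p or k.startswith(p + "\\"):
            return True, wanted
    return False, None


def diff_snapshots(baseline, current):
    """List values that were added or modified under the monitored locations."""
    findings = []
    for key, values in current.items():
        monitored, wanted = in_scope(key)
        if not monitored:
            continue
        old = baseline.get(key, {})
        for name, data in values.items():
            if wanted is not None and name not in wanted:
                continue
            if name not in old:
                findings.append({"key": key, "value": name, "change": "added", "data": data})
            elif old[name] != data:
                findings.append({"key": key, "value": name, "change": "modified", "data": data})
    return findings


def triage(findings, known_good):
    """Drop findings explained by a known-good marker in the key, value name or data."""
    markers = [m.lower() for m in known_good]
    kept = []
    for f in findings:
        parts = f["data"] if isinstance(f["data"], list) else [str(f["data"])]
        blob = " ".join([f["key"], f["value"]] + parts).lower()
        if not any(m in blob for m in markers):
            kept.append(f)
    return kept


if __name__ == "__main__":
    for f in triage(diff_snapshots(BASELINE_SNAPSHOT, CURRENT_SNAPSHOT), KNOWN_GOOD):
        print(f["change"], f["key"], f["value"], f["data"])
```

Run against periodic exports, the interesting property is that the AppCertDLLs value is normally absent altogether, so any addition there is worth a ticket, while shim and credential-provider additions need the inventory correlation the known-good list stands in for.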
{
"description": "Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies. Both are digitally signed by Microsoft. (Citation: MSDN Regsvcs) (Citation: MSDN Regasm)\n\nAdversaries can use Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Both utilities may be used to bypass process whitelisting through use of attributes within the binary to specify code that should be run before registration or unregistration: <code>[ComRegisterFunction]</code> or <code>[ComUnregisterFunction]</code> respectively. The code with the registration and unregistration attributes will be executed even if the process is run under insufficient privileges and fails to execute. (Citation: SubTee GitHub All The Things Application Whitelisting Bypass)\n\nDetection: Use process monitoring to monitor the execution and arguments of Regsvcs.exe and Regasm.exe. Compare recent invocations of Regsvcs.exe and Regasm.exe with prior history of known good arguments and executed binaries to determine anomalous and potentially adversarial activity. Command arguments used before and after Regsvcs.exe or Regasm.exe invocation may also be useful in determining the origin and purpose of the binary being executed.\n\nPlatforms: Windows\n\nData Sources: Process monitoring, Process command-line parameters\n\nDefense Bypassed: Process whitelisting\n\nPermissions Required: User, Administrator\n\nRemote Support: No\n\nContributors: Casey Smith",
"meta": {
"external_id": "T1121",
"kill_chain": [
"mitre-attack:enterprise-attack:defense-evasion",
"mitre-attack:enterprise-attack:execution"
],
"mitre_data_sources": [
"Process monitoring",
"Process command-line parameters"
],
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/wiki/Technique/T1121",
"https://msdn.microsoft.com/en-us/library/04za0hca.aspx",
"https://msdn.microsoft.com/en-us/library/tzat5yw6.aspx"
]
},
"uuid": "215190a9-9f02-4e83-bb5f-e0589965a302",
"value": "Regsvcs/Regasm - T1121"
},
{
"description": "There are many utilities used for software development related tasks that can be used to execute code in various forms to assist in development, debugging, and reverse engineering. These utilities may often be signed with legitimate certificates that allow them to execute on a system and proxy execution of malicious code through a trusted process that effectively bypasses application whitelisting defensive solutions.\n\n===MSBuild===\n\nMSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio. It takes XML formatted project files that define requirements for building various platforms and configurations. (Citation: MSDN MSBuild)\n\nAdversaries can use MSBuild to proxy execution of code through a trusted Windows utility. The inline task capability of MSBuild that was introduced in .NET version 4 allows for C# code to be inserted into the XML project file. (Citation: MSDN MSBuild Inline Tasks) MSBuild will compile and execute the inline task. MSBuild.exe is a signed Microsoft binary, so when it is used this way it can execute arbitrary code and bypass application whitelisting defenses that are configured to allow MSBuild.exe execution. (Citation: SubTee GitHub All The Things Application Whitelisting Bypass)\n\n===DNX===\n\nThe .NET Execution Environment (DNX), dnx.exe, is a software development kit packaged with Visual Studio Enterprise. It was retired in favor of .NET Core CLI in 2016. (Citation: Microsoft Migrating from DNX) DNX is not present on standard builds of Windows and may only be present on developer workstations using older versions of .NET Core and ASP.NET Core 1.0. The dnx.exe executable is signed by Microsoft.\n\nAn adversary can use dnx.exe to proxy execution of arbitrary code to bypass application whitelist policies that do not account for DNX. (Citation: enigma0x3 DNX Bypass)\n\n===RCSI===\n\nThe rcsi.exe utility is a non-interactive command-line interface for C# that is similar to csi.exe. It was provided within an early version of the Roslyn .NET Compiler Platform but has since been deprecated for an integrated solution. (Citation: Microsoft Roslyn CTP RCSI) The rcsi.exe binary is signed by Microsoft. (Citation: enigma0x3 RCSI Bypass)\n\nC# .csx script files can be written and executed with rcsi.exe at the command-line. An adversary can use rcsi.exe to proxy execution of arbitrary code to bypass application whitelisting policies that do not account for execution of rcsi.exe. (Citation: enigma0x3 RCSI Bypass)\n\n===WinDbg/CDB===\n\nWinDbg is a Microsoft Windows kernel and user-mode debugging utility. The Microsoft Console Debugger (CDB) cdb.exe is also a user-mode debugger. Both utilities are included in Windows software development kits and can be used as standalone tools. (Citation: Microsoft Debugging Tools for Windows) They are commonly used in software development and reverse engineering and may not be found on typical Windows systems. Both WinDbg.exe and cdb.exe binaries are signed by Microsoft.\n\nAn adversary can use WinDbg.exe and cdb.exe to proxy execution of arbitrary code to bypass application whitelist policies that do not account for execution of those utilities. (Citation: Exploit Monday WinDbg)\n\nIt is likely possible to use other debuggers for similar purposes, such as the kernel-mode debugger kd.exe, which is also signed by Microsoft.\n\n===Tracker===\n\nThe file tracker utility, tracker.exe, is included with the .NET framework as part of MSBuild. It is used for logging calls to the Windows file system. (Citation: Microsoft Docs File Tracking)\n\nAn adversary can use tracker.exe to proxy execution of an arbitrary DLL into another process. Since tracker.exe is also signed, it can be used to bypass application whitelisting solutions. (Citation: Twitter SubTee Tracker.exe)\n\nDetection: The presence of these or other utilities that enable proxy execution that are typically used for development, debugging, and reverse engineering on a system that is not used for these purposes may be suspicious.\n\nUse process monitoring to monitor the execution and arguments of MSBuild.exe, dnx.exe, rcsi.exe, WinDbg.exe, cdb.exe, and tracker.exe. Compare recent invocations of those binaries with prior history of known good arguments and executed binaries to determine anomalous and potentially adversarial activity. It is likely that these utilities will be used by software developers or for other software development related tasks, so if it exists and is used outside of that context, then the event may be suspicious. Command arguments used before and after invocation of the utilities may also be useful in determining the origin and purpose of the binary being executed.\n\nPlatforms: Windows\n\nData Sources: Process monitoring\n\nDefense Bypassed: Application whitelisting\n\nPermissions Required: User\n\nSystem Requirements: MSBuild: .NET Framework version 4 or higher\nDNX: .NET 4.5.2, Powershell 4.0\nRCSI: .NET 4.5 or later, Visual Studio 2012\n\nRemote Support: No\n\nContributors: Casey Smith, Matthew Demaske, Adaptforward",
"meta": {
"external_id": "T1127",
"kill_chain": [
"mitre-attack:enterprise-attack:defense-evasion",
"mitre-attack:enterprise-attack:execution"
],
"mitre_data_sources": [
"Process monitoring"
],
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/wiki/Technique/T1127",
"http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html",
"https://msdn.microsoft.com/library/dd393574.aspx",
"https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/index",
"https://docs.microsoft.com/visualstudio/msbuild/file-tracking",
"https://docs.microsoft.com/en-us/dotnet/core/migration/from-dnx",
"https://blogs.msdn.microsoft.com/visualstudio/2011/10/19/introducing-the-microsoft-roslyn-ctp/",
"https://twitter.com/subTee/status/793151392185589760",
"https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/",
"https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/"
]
},
"uuid": "ff25900d-76d5-449b-a351-8824e62fc81b",
"value": "Trusted Developer Utilities - T1127"
},
{
"description": "Adversaries will likely look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp, ipconfig/ifconfig, nbtstat, and route.\n\nDetection: System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.\n\nPlatforms: Linux, macOS, Windows\n\nData Sources: Process command-line parameters, Process monitoring\n\nPermissions Required: User",
"meta": {
"external_id": "T1016",
"kill_chain": [
"mitre-attack:enterprise-attack:discovery"
],
"mitre_data_sources": [
"Process command-line parameters",
"Process monitoring"
],
"mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"refs": [
"https://attack.mitre.org/wiki/Technique/T1016"
]
},
"uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"value": "System Network Configuration Discovery - T1016"
},
{
"description": "Utilities such as at and schtasks, along with the Windows Task Scheduler, can be used to schedule programs or scripts to be executed at a date and time. A task can also be scheduled on a remote system, provided the proper authentication is met to use RPC and file and printer sharing is turned on. Scheduling a task on a remote system typically required being a member of the Administrators group on the remote system. (Citation: TechNet Task Scheduler Security)\n\nAn adversary may use task scheduling to execute programs at system startup or on a scheduled basis for persistence, to conduct remote Execution as part of Lateral Movement, to gain SYSTEM privileges, or to run a process under the context of a specified account.\n\nDetection: Monitor scheduled task creation from common utilities using command-line invocation. Legitimate scheduled tasks may be created during installation of new software or through system administration functions. Monitor process execution from the <code>svchost.exe</code> in Windows 10 and the Windows Task Scheduler <code>taskeng.exe</code> for older versions of Windows. (Citation: Twitter Leoloobeek Scheduled Task) If scheduled tasks are not used for persistence, then the adversary is likely to remove the task when the action is complete. Monitor Windows Task Scheduler stores in <code>%systemroot%\\System32\\Tasks</code> for change entries related to scheduled tasks that do not correlate with known software, patch cycles, etc. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.\n\nConfigure event logging for scheduled task creation and changes by enabling the \"Microsoft-Windows-TaskScheduler/Operational\" setting within the event logging service. (Citation: TechNet Forum Scheduled Task Operational Setting) Several events will then be logged on scheduled task activity, including: (Citation: TechNet Scheduled Task Events)\n\n*Event ID 106 - Scheduled task registered\n*Event ID 140 - Scheduled task updated\n*Event ID 141 - Scheduled task removed\n\nTools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current scheduled tasks. (Citation: TechNet Autoruns) Look for changes to tasks that do not correlate with known software, patch cycles, etc. Suspicious program execution through scheduled tasks may show up as outlier processes that have not been seen before when compared against historical data.\n\nMonitor processes and command-line arguments for actions that could be taken to create tasks. Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. Tasks may also be created through Windows system management tools such as Windows Management Instrumentation and PowerShell, so additional logging may need to be configured to gather the appropriate data.\n\nPlatforms: Windows\n\nData Sources: File monitoring, Process command-line parameters, Process monitoring, Windows event logs\n\nEffective Permissions: Administrator, SYSTEM, User\n\nPermissions Required: Administrator, SYSTEM, User\n\nRemote Support: Yes\n\nContributors: Travis Smith, Tripwire, Leo Loobeek, @leoloobeek, Alain Homewood, Insomnia Security",
"meta": {
"external_id": "T1053",
"kill_chain": [
"mitre-attack:enterprise-attack:execution",
"mitre-attack:enterprise-attack:persistence",
"mitre-attack:enterprise-attack:privilege-escalation"
],
"mitre_data_sources": [
"File monitoring",
"Process command-line parameters",
"Process monitoring",
"Windows event logs"
],
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/wiki/Technique/T1053",
"https://technet.microsoft.com/en-us/sysinternals/bb963902",
"https://social.technet.microsoft.com/Forums/en-US/e5bca729-52e7-4fcb-ba12-3225c564674c/scheduled-tasks-history-retention-settings?forum=winserver8gen",
"https://technet.microsoft.com/library/dd315590.aspx",
"https://technet.microsoft.com/en-us/library/cc785125.aspx",
"https://twitter.com/leoloobeek/status/939248813465853953"
]
},
"uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9",
"value": "Scheduled Task - T1053"
},
{
"description": "The <code>trap</code> command allows programs and shells to specify commands that will be executed upon receiving interrupt signals. A common situation is a script allowing for graceful termination and handling of common keyboard interrupts like <code>ctrl+c</code> and <code>ctrl+d</code>. Adversaries can use this to register code to be executed when the shell encounters specific interrupts either to gain execution or as a persistence mechanism. Trap commands are of the following format <code>trap 'command list' signals</code> where \"command list\" will be executed when \"signals\" are received.\n\nDetection: Trap commands must be registered for the shell or programs, so they appear in files. Monitoring files for suspicious or overly broad trap commands can narrow down suspicious behavior during an investigation. Monitor for suspicious processes executed through trap interrupts.\n\nPlatforms: Linux, macOS\n\nData Sources: File monitoring, Process Monitoring, Process command-line parameters\n\nPermissions Required: User, Administrator\n\nRemote Support: No",
"meta": {
"external_id": "T1154",
"kill_chain": [
"mitre-attack:enterprise-attack:execution",
"mitre-attack:enterprise-attack:persistence"
],
"mitre_data_sources": [
"File monitoring",
"Process Monitoring",
"Process command-line parameters"
],
"mitre_platforms": [
"Linux",
"macOS"
],
"refs": [
"https://attack.mitre.org/wiki/Technique/T1154"
]
},
"uuid": "b53dbcc6-147d-48bb-9df4-bcb8bb808ff6",
"value": "Trap - T1154"
},
{
"description": "Windows Management Instrumentation (WMI) is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) (Citation: Wikipedia SMB) and Remote Procedure Call Service (RPCS) (Citation: TechNet RPC) for remote access. RPCS operates over port 135. (Citation: MSDN WMI)\n\nAn adversary can use WMI to interact with local and remote systems and use it as a means to perform many tactic functions, such as gathering information for Discovery and remote Execution of files as part of Lateral Movement. (Citation: FireEye WMI 2015)\n\nDetection: Monitor network traffic for WMI connections; the use of WMI in environments that do not typically use WMI may be suspect. Perform process monitoring to capture command-line arguments of \"wmic\" and detect commands that are used to perform remote behavior. (Citation: FireEye WMI 2015)\n\nPlatforms: Windows\n\nData Sources: Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring\n\nPermissions Required: User, Administrator\n\nSystem Requirements: WMI service, winmgmt, running.\nHost/network firewalls allowing SMB and WMI ports from source to destination.\nSMB authentication.\n\nRemote Support: Yes",
"meta": {
"external_id": "T1047",
"kill_chain": [
"mitre-attack:enterprise-attack:execution"
],
"mitre_data_sources": [
"Authentication logs",
"Netflow/Enclave netflow",
"Process command-line parameters",
"Process monitoring"
],
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/wiki/Technique/T1047",
"https://en.wikipedia.org/wiki/Server%20Message%20Block",
"https://technet.microsoft.com/en-us/library/cc787851.aspx",
"https://msdn.microsoft.com/en-us/library/aa394582.aspx",
"https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf"
]
},
"uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
"value": "Windows Management Instrumentation - T1047"
},
{
"description": "Every New Technology File System (NTFS) formatted partition contains a Master File Table (MFT) that maintains a record for every file/directory on the partition. (Citation: SpectorOps Host-Based Jul 2017) Within MFT entries are file attributes, (Citation: Microsoft NTFS File Attributes Aug 2010) such as Extended Attributes (EA) and Data [known as Alternative Data Streams (ADSs) when more than one Data attribute is present], that can be used to store arbitrary data (and even complete files). (Citation: SpectorOps Host-Based Jul 2017) (Citation: Microsoft File Streams) (Citation: MalwareBytes ADS July 2015) (Citation: Microsoft ADS Mar 2014)\n\nAdversaries may store malicious data or binaries in file attribute metadata instead of directly in files. This may be done to evade some defenses, such as static indicator scanning tools and anti-virus. (Citation: Journey into IR ZeroAccess NTFS EA) (Citation: MalwareBytes ADS July 2015)\n\nDetection: Forensic techniques exist to identify information stored in NTFS EA. (Citation: Journey into IR ZeroAccess NTFS EA) Monitor calls to the ZwSetEaFile and ZwQueryEaFile Windows API functions, used to interact with EA, and consider regularly scanning for the presence of modified information. (Citation: SpectorOps Host-Based Jul 2017)\n\nThe Streams tool of Sysinternals can be used to uncover files with ADSs. The <code>dir /r</code> command can also be used to display ADSs. (Citation: Symantec ADS May 2009) Many PowerShell commands (such as Get-Item, Set-Item, Remove-Item, and Get-ChildItem) can also accept a <code>-stream</code> parameter to interact with ADSs. (Citation: MalwareBytes ADS July 2015) (Citation: Microsoft ADS Mar 2014)\n\nMonitor for operations (execution, copies, etc.) with file names that contain colons. This syntax (ex: <code>file.ext:ads[.ext]</code>) is commonly associated with ADSs. (Citation: Microsoft ADS Mar 2014)\n\nPlatforms: Windows\n\nData Sources: File monitoring, Kernel drivers, API monitoring\n\nDefense Bypassed: Signature-based detection, Anti-virus, Host forensic analysis\n\nSystem Requirements: NTFS partitioned hard drive\n\nContributors: Red Canary",
"meta": {
"external_id": "T1096",
"kill_chain": [
"mitre-attack:enterprise-attack:defense-evasion"
],
"mitre_data_sources": [
"File monitoring",
"Kernel drivers",
"API monitoring"
],
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/wiki/Technique/T1096",
"http://journeyintoir.blogspot.com/2012/12/extracting-zeroaccess-from-ntfs.html",
"http://msdn.microsoft.com/en-us/library/aa364404",
"https://posts.specterops.io/host-based-threat-modeling-indicator-design-a9dbbb53d5ea",
"https://blogs.technet.microsoft.com/askcore/2010/08/25/ntfs-file-attributes/",
"https://blog.malwarebytes.com/101/2015/07/introduction-to-alternate-data-streams/",
"https://blogs.technet.microsoft.com/askcore/2013/03/24/alternate-data-streams-in-ntfs/",
"https://www.symantec.com/connect/articles/what-you-need-know-about-alternate-data-streams-windows-your-data-secure-can-you-restore"
]
},
"uuid": "f2d44246-91f1-478a-b6c8-1227e0ca109d",
"value": "NTFS File Attributes - T1096"
},
{
"description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc., to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be whitelisted within a target environment. Remote access tools like VNC, Ammy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n\nRemote access tools may be established and used post-compromise as an alternate communications channel for Redundant Access or as a way to establish an interactive remote desktop session with the target system. They may also be used as a component of malware to establish a reverse connection or back-connect to a service or adversary controlled system.\n\nAdmin tools such as TeamViewer have been used by several groups targeting institutions in countries of interest to the Russian state and criminal campaigns. (Citation: CrowdStrike 2015 Global Threat Report) (Citation: CrySyS Blog TeamSpy)\n\nDetection: Monitor for applications and processes related to remote admin tools. Correlate activity with other suspicious behavior that may reduce false positives if these tools are used by legitimate users and administrators.\n\nAnalyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect application layer protocols that do not follow the expected protocol for the port that is being used.\n\nDomain Fronting may be used in conjunction to avoid defenses. Adversaries will likely need to deploy and/or install these remote tools to compromised systems. It may be possible to detect or prevent the installation of these tools with host-based solutions.\n\nPlatforms: Linux, Windows, macOS\n\nData Sources: Network intrusion detection system, Network protocol analysis, Process use of network, Process Monitoring\n\nPermissions Required: User\n\nRequires Network: Yes\n\nContributors: Matt Kelly, @breakersall",
"meta": {
"external_id": "T1219",
"kill_chain": [
"mitre-attack:enterprise-attack:command-and-control"
],
"mitre_data_sources": [
"Network intrusion detection system",
"Network protocol analysis",
"Process use of network",
"Process Monitoring"
],
"mitre_platforms": [
"Linux",
"Windows",
"macOS"
],
"refs": [
"https://attack.mitre.org/wiki/Technique/T1219",
"https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/istr-living-off-the-land-and-fileless-attack-techniques-en.pdf",
"https://go.crowdstrike.com/rs/281-OBQ-266/images/15GlobalThreatReport.pdf",
"https://blog.crysys.hu/2013/03/teamspy/"
]
},
"uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7",
"value": "Remote Access Tools - T1219"
},
{
"description": "Bash keeps track of the commands users type on the command-line with the \"history\" utility. Once a user logs out, the history is flushed to the user’s <code>.bash_history</code> file. For each user, this file resides at the same location: <code>~/.bash_history</code>. Typically, this file keeps track of the user’s last 500 commands. Users often type usernames and passwords on the command-line as parameters to programs, which then get saved to this file when they log out. Attackers can abuse this by looking through the file for potential credentials. (Citation: External to DA, the OS X Way)\n\nDetection: Monitoring when the user's <code>.bash_history</code> is read can help alert to suspicious activity. While users do typically rely on their history of commands, they often access this history through other utilities like \"history\" instead of commands like <code>cat ~/.bash_history</code>.\n\nPlatforms: Linux, macOS\n\nData Sources: File monitoring, Process monitoring, Process command-line parameters\n\nPermissions Required: User",
"meta": {
"external_id": "T1139",
"kill_chain": [
"mitre-attack:enterprise-attack:credential-access"
],
"mitre_data_sources": [
"File monitoring",
"Process monitoring",
"Process command-line parameters"
],
"mitre_platforms": [
"Linux",
"macOS"
],
"refs": [
"https://attack.mitre.org/wiki/Technique/T1139",
"http://www.slideshare.net/StephanBorosh/external-to-da-the-os-x-way"
]
},
"uuid": "44dca04b-808d-46ca-b25f-d85236d4b9f8",
"value": "Bash History - T1139"
},
{
"description": "Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software running on systems within the network.\n\n===Windows===\n\nAn example command that would obtain details on processes is \"tasklist\" using the Tasklist utility.\n\n===Mac and Linux===\n\nIn Mac and Linux, this is accomplished with the <code>ps</code> command.\n\nDetection: System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nNormal, benign system and network events that look like process discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.\n\nPlatforms: Linux, macOS, Windows\n\nData Sources: Process command-line parameters, Process monitoring\n\nPermissions Required: User, Administrator, SYSTEM\n\nSystem Requirements: Administrator, SYSTEM may provide better process ownership details",
"meta": {
"external_id": "T1057",
"kill_chain": [
"mitre-attack:enterprise-attack:discovery"
],
"mitre_data_sources": [
"Process command-line parameters",
"Process monitoring"
],
"mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"refs": [
"https://attack.mitre.org/wiki/Technique/T1057"
]
},
"uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"value": "Process Discovery - T1057"
},
{
"description": "The BIOS (Basic Input/Output System) and the Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer. (Citation: Wikipedia BIOS) (Citation: Wikipedia UEFI) (Citation: About UEFI)\n\nSystem firmware like BIOS and (U)EFI underlie the functionality of a computer and may be modified by an adversary to perform or assist in malicious activity. Capabilities exist to overwrite the system firmware, which may give sophisticated adversaries a means to install malicious firmware updates as a means of persistence on a system that may be difficult to detect.\n\nDetection: System firmware manipulation may be detected. (Citation: MITRE Trustworthy Firmware Measurement) Dump and inspect BIOS images on vulnerable systems and compare against known good images. (Citation: MITRE Copernicus) Analyze differences to determine if malicious changes have occurred. Log attempts to read/write to BIOS and compare against known patching behavior.\n\nLikewise, EFI modules can be collected and compared against a known-clean list of EFI executable binaries to detect potentially malicious modules. The CHIPSEC framework can be used for analysis to determine if firmware modifications have been performed. (Citation: McAfee CHIPSEC Blog) (Citation: Github CHIPSEC) (Citation: Intel HackingTeam UEFI Rootkit)\n\nPlatforms: Windows\n\nData Sources: API monitoring, BIOS, EFI\n\nPermissions Required: Administrator, SYSTEM\n\nContributors: Ryan Becwar, McAfee",
"meta": {
"external_id": "T1019",
"kill_chain": [
"mitre-attack:enterprise-attack:persistence"
],
"mitre_data_sources": [
"API monitoring",
"BIOS",
"EFI"
],
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/wiki/Technique/T1019",
"https://en.wikipedia.org/wiki/BIOS",
"https://en.wikipedia.org/wiki/Unified%20Extensible%20Firmware%20Interface",
"http://www.uefi.org/about",
"http://www.mitre.org/publications/project-stories/going-deep-into-the-bios-with-mitre-firmware-security-research",
"http://www.mitre.org/capabilities/cybersecurity/overview/cybersecurity-blog/copernicus-question-your-assumptions-about",
"https://securingtomorrow.mcafee.com/business/chipsec-support-vault-7-disclosure-scanning/",
"https://github.com/chipsec/chipsec",
"http://www.intelsecurity.com/advanced-threat-research/content/data/HT-UEFI-rootkit.html"
]
},
"uuid": "6856ddd6-2df3-4379-8b87-284603c189c3",
"value": "System Firmware - T1019"
},
{
"description": "Adding an entry to the \"run keys\" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. (Citation: Microsoft Run Key) The program will be executed under the context of the user and will have the account's associated permissions level.\n\nAdversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use Masquerading to make the Registry entries look as if they are associated with legitimate programs.\n\nDetection: Monitor Registry for changes to run keys that do not correlate with known software, patch cycles, etc. Monitor the start folder for additions or changes. Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing the run keys' Registry locations and startup folders. (Citation: TechNet Autoruns) Suspicious program execution as startup programs may show up as outlier processes that have not been seen before when compared against historical data.\n\nChanges to these locations typically happen under normal conditions when legitimate software is installed. To increase confidence of malicious activity, data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.\n\nPlatforms: Windows\n\nData Sources: Windows Registry, File monitoring\n\nPermissions Required: User, Administrator",
"meta": {
"external_id": "T1060",
"kill_chain": [
"mitre-attack:enterprise-attack:persistence"
],
"mitre_data_sources": [
"Windows Registry",
"File monitoring"
],
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/wiki/Technique/T1060",
"http://msdn.microsoft.com/en-us/library/aa376977",
"https://technet.microsoft.com/en-us/sysinternals/bb963902"
]
},
"uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"value": "Registry Run Keys / Start Folder - T1060"
},
{
"description": "Adversaries may execute a binary, command, or script via a method that interacts with Windows services, such as the Service Control Manager. This can be done by either creating a new service or modifying an existing service. This technique is the execution used in conjunction with New Service and Modify Existing Service during service persistence or privilege escalation.\n\nDetection: Changes to service Registry entries and command-line invocation of tools capable of modifying services that do not correlate with known software, patch cycles, etc., may be suspicious. If a service is used only to execute a binary or script and not to persist, then it will likely be changed back to its original form shortly after the service is restarted so the service is not left broken, as is the case with the common administrator tool PsExec.\n\nPlatforms: Windows\n\nData Sources: Windows Registry, Process command-line parameters, Process monitoring\n\nPermissions Required: Administrator, SYSTEM\n\nRemote Support: Yes",
"meta": {
"external_id": "T1035",
"kill_chain": [
"mitre-attack:enterprise-attack:execution"
],
"mitre_data_sources": [
"Windows Registry",
"Process command-line parameters",
"Process monitoring"
],
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/wiki/Technique/T1035"
]
},
"uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392",
"value": "Service Execution - T1035"
},
{
"description": "Adversaries may conduct C2 communications over a non-standard port to bypass proxies and firewalls that have been improperly configured.\n\nDetection: Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)\n\nPlatforms: Linux, macOS, Windows\n\nData Sources: Netflow/Enclave netflow, Process use of network, Process monitoring\n\nRequires Network: Yes",
"meta": {
"external_id": "T1065",
"kill_chain": [
"mitre-attack:enterprise-attack:command-and-control"
],
"mitre_data_sources": [
"Netflow/Enclave netflow",
"Process use of network",
"Process monitoring"
],
"mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"refs": [
"https://attack.mitre.org/wiki/Technique/T1065",
"https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"
]
},
"uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0",
"value": "Uncommonly Used Port - T1065"
},
{
"description": "The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. (Citation: Microsoft Connection Manager Oct 2009) CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections.\n\nAdversaries may supply CMSTP.exe with INF files infected with malicious commands. (Citation: Twitter CMSTP Usage Jan 2018) Similar to Regsvr32 / \"Squiblydoo\", CMSTP.exe may be abused to load and execute DLLs (Citation: MSitPros CMSTP Aug 2017) and/or COM scriptlets (SCT) from remote servers. (Citation: Twitter CMSTP Jan 2018) (Citation: GitHub Ultimate AppLocker Bypass List) This execution may also bypass AppLocker and other whitelisting defenses since CMSTP.exe is a legitimate, signed Microsoft application.\n\nCMSTP.exe can also be abused to Bypass User Account Control and execute arbitrary commands from a malicious INF through an auto-elevated COM interface. (Citation: MSitPros CMSTP Aug 2017) (Citation: GitHub Ultimate AppLocker Bypass List)\n\nDetection: Use process monitoring to detect and analyze the execution and arguments of CMSTP.exe. Compare recent invocations of CMSTP.exe with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity.\n\nPlatforms: Windows\n\nData Sources: Process Monitoring, Process command-line parameters\n\nDefense Bypassed: Application whitelisting, Anti-virus\n\nPermissions Required: User\n\nRemote Support: No\n\nContributors: Ye Yint Min Thu Htut, Offensive Security Team, DBS Bank",
"meta": {
"external_id": "T1191",
"kill_chain": [
"mitre-attack:enterprise-attack:defense-evasion",
"mitre-attack:enterprise-attack:execution"
],
"mitre_data_sources": [
"Process Monitoring",
"Process command-line parameters"
],
"mitre_platforms": [
"Windows"
],
"refs": [