diff --git a/spindle b/spindle index 3b380b39..50152805 160000 --- a/spindle +++ b/spindle @@ -1 +1 @@ -Subproject commit 3b380b39022adc27bd72b659ff27a89b59fae4d6 +Subproject commit 50152805c00493532f07efa05df747ccbb01d251 diff --git a/tests/test_db.py b/tests/test_db.py index 4249d8b5..ac0040a5 100644 --- a/tests/test_db.py +++ b/tests/test_db.py @@ -97,6 +97,7 @@ async def test_build(self): "report_sentence_hits_initial", "original_html_initial", "categories", + "categories_auto_add", "report_categories", "keywords", "report_keywords", diff --git a/tests/test_reports.py b/tests/test_reports.py index f2ae481c..45212612 100644 --- a/tests/test_reports.py +++ b/tests/test_reports.py @@ -497,6 +497,18 @@ async def test_adding_report_categories(self): current = await self.data_svc.get_report_category_keynames(report_id) self.assertEqual(set(current), {"aerospace", "music"}, msg="Categories were not added.") + async def test_adding_report_categories_auto_add(self): + """Function to test successfully adding categories to a report which auto-adds another category.""" + report_id, report_title = str(uuid4()), "Auto-Add Categories to Me!" + await self.submit_test_report(dict(uid=report_id, title=report_title, url="auto.add.categories")) + + data = dict(index="set_report_keywords", report_title=report_title, victims=dict(category=["rockets"])) + resp = await self.client.post("/rest", json=data) + self.assertTrue(resp.status < 300, msg="Adding categories resulted in a non-200 response.") + + current = await self.data_svc.get_report_category_keynames(report_id) + self.assertEqual({"rockets", "aerospace"}, set(current), msg="Categories were not auto-added.") + async def test_removing_report_categories(self): """Function to test successfully removing categories from a report.""" report_id, report_title = str(uuid4()), "Remove Categories From Me!" diff --git a/tests/thread_app_test.py b/tests/thread_app_test.py index ea679c79..8e3f1cbb 100644 --- a/tests/thread_app_test.py +++ b/tests/thread_app_test.py @@ -133,6 +133,7 @@ async def setUpAsync(self): cat_1 = dict(uid="c010101", keyname="aerospace", name="Aerospace") cat_2 = dict(uid="c123456", keyname="music", name="Music") cat_3 = dict(uid="c898989", keyname="film", name="Film") + cat_4 = dict(uid="c000001", keyname="rockets", name="Rockets") group_1 = dict(uid="apt1", name="APT1") group_2 = dict(uid="apt2", name="APT2") group_3 = dict(uid="apt3", name="APT3") @@ -144,6 +145,18 @@ async def setUpAsync(self): await self.db.insert("keywords", group) self.web_svc.categories_dict[cat["keyname"]] = dict(name=cat["name"], sub_categories=[]) + self.web_svc.categories_dict["rockets"] = dict(name="Rockets", sub_categories=[], auto_select=["aerospace"]) + with suppress(sqlite3.IntegrityError): + await self.db.insert("categories", cat_4) + await self.db.insert( + "categories_auto_add", + dict( + uid="aa000001", + selected="rockets", + auto_add="aerospace", + ), + ) + # Carry out pre-launch tasks except for prepare_queue(): replace the call of this to return (and do) nothing # We don't want multiple prepare_queue() calls so the queue does not accumulate between tests with patch.object(RestService, "prepare_queue", return_value=None): diff --git a/threadcomponents/conf/categories/industry.json b/threadcomponents/conf/categories/industry.json index 341d0c63..a25d8d85 100644 --- a/threadcomponents/conf/categories/industry.json +++ b/threadcomponents/conf/categories/industry.json @@ -409,13 +409,51 @@ "name": "Federal Government", "sub_categories": [] }, + "diplomatic_services": { + "name": "Diplomatic Services", + "sub_categories": [] + }, "government": { "name": "Government", "sub_categories": ["defence", "law_enforcement", "emergency_services", "courts", "local_gov", "state_gov", - "federal_gov"] + "federal_gov", "diplomatic_services"] }, "general_public": { "name": "General Public", "sub_categories": [] + }, + "critical_infrastructure": { + "name": "Critical Infrastructure", + "sub_categories": [], + "auto_select": ["government", "financial", "agriculture", "food", "energy", "info_tech", "aerospace", "education", + "transport", "telecom", "water", "health"] + }, + "political_orgs": { + "name": "Political Organisations", + "sub_categories": [] + }, + "retail": { + "name": "General Retail", + "sub_categories": [] + }, + "travel": { + "name": "International and Domestic Travel", + "sub_categories": [] + }, + "maritime_freight": { + "name": "Maritime Freight", + "sub_categories": [] + }, + "dissidents": { + "name": "Dissidents", + "sub_categories": [] + }, + "terrorist_groups": { + "name": "Terrorist Groups", + "sub_categories": [] + }, + "ngo": { + "name": "Non-Governmental Organisations", + "sub_categories": [] } } diff --git a/threadcomponents/conf/schema.sql b/threadcomponents/conf/schema.sql index a039d2ff..6c70c6df 100644 --- a/threadcomponents/conf/schema.sql +++ b/threadcomponents/conf/schema.sql @@ -61,6 +61,18 @@ CREATE TABLE IF NOT EXISTS categories ( display_name VARCHAR(200) ); +CREATE TABLE IF NOT EXISTS categories_auto_add ( + -- For categories, the category to automatically add when adding a given category + uid VARCHAR(60) PRIMARY KEY, + -- The keyname of the category being selected + selected VARCHAR(40), + -- The keyname of the category to auto-add + auto_add VARCHAR(40), + UNIQUE (selected, auto_add), + FOREIGN KEY(selected) REFERENCES categories(keyname) ON DELETE CASCADE, + FOREIGN KEY(auto_add) REFERENCES categories(keyname) ON DELETE CASCADE +); + CREATE TABLE IF NOT EXISTS report_categories ( uid VARCHAR(60) PRIMARY KEY, -- The UID of the report diff --git a/threadcomponents/managers/report_manager.py b/threadcomponents/managers/report_manager.py index 7d9ef905..1709b94a 100644 --- a/threadcomponents/managers/report_manager.py +++ b/threadcomponents/managers/report_manager.py @@ -158,6 +158,10 @@ async def set_report_categories(self, request, criteria=None): # Retrieve current report categories current = await self.data_svc.get_report_category_keynames(report_id) valid_categories = set(self.web_svc.categories_dict.keys()).intersection(categories) + + auto_add = await self.data_svc.get_auto_selected_for_category(valid_categories) + valid_categories.update(auto_add) + to_add = valid_categories - set(current) to_delete = set(current) - valid_categories @@ -210,6 +214,12 @@ async def set_report_keywords(self, request, criteria=None): categories = await self.data_svc.get_report_category_keynames(report_id) current["victims"]["categories"] = categories or [] + requested_categories = victims.get("category", []) + auto_add = await self.data_svc.get_auto_selected_for_category(requested_categories) + if auto_add: + success.update(refresh_page=True) + requested_categories += auto_add + # For each aggressor and victim, have the current-data and request-data ready to compare aggressor_assoc = [AssociationWith.CN.value, AssociationWith.RG.value, AssociationWith.GR.value] victim_assoc = [ diff --git a/threadcomponents/models/attack_dict.json b/threadcomponents/models/attack_dict.json index 8926130c..1e01d10a 100644 --- a/threadcomponents/models/attack_dict.json +++ b/threadcomponents/models/attack_dict.json @@ -160,7 +160,12 @@ "has used WMI to enable lateral movement.", "`wmiexec` module can be used to execute commands through WMI.", "can use wmic.exe to delete volume shadow copies.", - "used WMI to delete Volume Shadow Copies on victim machines." + "used WMI to delete Volume Shadow Copies on victim machines.", + "has utilized Windows Management Instrumentation to query system information.", + "has used WMI to execute scripts used for discovery and for determining the C2 IP address. has used the following WMI query to search for a ping record: `Select * From Win32_PingStatus where Address = 'mil.gov.ua'`.", + "has used WMI queries to gather information from the system.", + "During threat actors used WMI for execution.", + "has used `wmic` to gather information from the victim device." ], "id": "T1047", "name": "Windows Management Instrumentation", @@ -340,7 +345,10 @@ "has used malware such as GHAMBAR and POWERPOST to take screenshots.", "allows for the remote administrator to take screenshots of the running system.", "has the ability to capture screenshots of new browser tabs based on the presence of the `Capture` flag.", - "has captured browser screenshots using ." + "has captured browser screenshots using .", + "has conducted screen capturing.", + "can capture screenshots on a compromised host.", + "can take JPEG screenshots of an infected system. has also used a plugin to take a screenshot of the infected system." ], "id": "T1113", "name": "Screen Capture", @@ -372,7 +380,9 @@ "Depending on the Linux distribution and when executing with root permissions may install persistence using a `.conf` file in the `/etc/init/` folder.", "has installed an init.d startup script to maintain persistence.", "used a hidden shell script in `/etc/rc.d/init.d` to leverage the `ADORE.XSEC`backdoor and `Adore-NG` rootkit.", - "used malicious boot scripts to install the backdoor on victim devices." + "used malicious boot scripts to install the backdoor on victim devices.", + "can persist as an init.d startup service on Linux vCenter systems.", + "has attempted to bypass digital signature verification checks at startup by adding a command to the startup config `/etc/init.d/localnet` within the rootfs.gz archive of both FortiManager and FortiAnalyzer devices." ], "id": "T1037", "name": "Boot or Logon Initialization Scripts", @@ -599,7 +609,15 @@ "can collect the user name from a compromised system which is used to create a unique victim identifier.", "can identify the username from a victim machine.", "can identify the compromised system's username which is then used as part of a unique identifier.", - "has used `whoami.exe` to determine if the active user on a compromised system is an administrator." + "has used `whoami.exe` to determine if the active user on a compromised system is an administrator.", + "has obtained the username from an infected host.", + "During threat actors executed `whoami` on victim machines to enumerate user context and validate privilege levels.", + "can trigger exection of `whoami` on the target host to display the current user.", + "has obtained the username from the victims machine.", + "has identified the users UUID and username through the pay module.", + "has collected the username from the victim host.", + "has utilized to execute `quser` to discover the user session information.", + "has the ability to gather the username from the victims machine." ], "id": "T1033", "name": "System Owner/User Discovery", @@ -717,7 +735,9 @@ "has used publicly available tools to dump password hashes including .", "gathers credential material from target systems such as SSH keys to facilitate access to victim environments.", "includes modules for dumping and capturing credentials from process memory.", - "used tools such as and to dump credentials from victim systems." + "used tools such as and to dump credentials from victim systems.", + "utilized Hdump to dump credentials from memory.", + "has used the SecretsDump module within can perform credential dumping to obtain account and password information." ], "id": "T1003", "name": "OS Credential Dumping", @@ -749,7 +769,8 @@ "has used call to LoadLibrary to load its installer. loads its modules using reflective loading or custom shellcode.", "is executed through hooking the keyutils.so file used by legitimate versions of `OpenSSH` and `libcurl`.", "relied on the Java Instrumentation API and Javassist to dynamically modify Java code existing in memory.", - "main executable and module `.dylib` binaries are loaded using a combination of `dlopen()` to load the library `_objc_getClass()` to retrieve the class definition and `_objec_msgSend()` to invoke/execute the specified method in the loaded class." + "main executable and module `.dylib` binaries are loaded using a combination of `dlopen()` to load the library `_objc_getClass()` to retrieve the class definition and `_objec_msgSend()` to invoke/execute the specified method in the loaded class.", + "has leveraged `LoadLibrary` to load DLLs." ], "id": "T1129", "name": "Shared Modules", @@ -797,7 +818,7 @@ ] }, "attack-pattern--0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b": { - "description": "Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information. (Citation: Symantec Windows Rootkits) Rootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower, to include a hypervisor, Master Boot Record, or [System Firmware](https://attack.mitre.org/techniques/T1542/001). (Citation: Wikipedia Rootkit) Rootkits have been seen for Windows, Linux, and Mac OS X systems. (Citation: CrowdStrike Linux Rootkit) (Citation: BlackHat Mac OSX Rootkit)", + "description": "Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information. (Citation: Symantec Windows Rootkits) Rootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower, to include a hypervisor or [System Firmware](https://attack.mitre.org/techniques/T1542/001). (Citation: Wikipedia Rootkit) Rootkits have been seen for Windows, Linux, and Mac OS X systems. (Citation: CrowdStrike Linux Rootkit) (Citation: BlackHat Mac OSX Rootkit)Rootkits that reside or modify boot sectors are known as [Bootkit](https://attack.mitre.org/techniques/T1542/003)s and specifically target the boot process of the operating system.", "example_uses": [ "starts a rootkit from a malicious file dropped to disk.", "hides from defenders by hooking libc function calls, hiding artifacts that would reveal its presence, such as the user account it creates to provide access and undermining strace, a tool often used to identify malware.", @@ -828,7 +849,11 @@ "has a module to use a rootkit on a system.", "acts as a user land rootkit using the SSH service.", "can hook both the crash dump process and the Autehntication Authorization and Accounting (AAA) functions on compromised machines to evade forensic analysis and authentication mechanisms.", - "included hooking the `processHostScanReply()` function on victim Cisco ASA devices." + "included hooking the `processHostScanReply()` function on victim Cisco ASA devices.", + "is a rootkit with command execution and credential logging capabilities.", + "has the ability to hook kernel functions and modify functions data to achieve rootkit functionality such as hiding processes and network connections.", + "has used the publicly available rootkits and on targeted VMs.", + "During used rootkits such as and ." ], "id": "T1014", "name": "Rootkit", @@ -878,7 +903,7 @@ ] }, "attack-pattern--10d51417-ee35-4589-b1ff-b6df1c334e8d": { - "description": "Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006) and [VNC](https://attack.mitre.org/techniques/T1021/005) can also be used externally.(Citation: MacOS VNC software for Remote Desktop)Access to [Valid Accounts](https://attack.mitre.org/techniques/T1078) to use the service is often a requirement, which could be obtained through credential pharming or by obtaining the credentials from users after compromising the enterprise network.(Citation: Volexity Virtual Private Keylogging) Access to remote services may be used as a redundant or persistent access mechanism during an operation.Access may also be gained through an exposed service that doesnt require authentication. In containerized environments, this may include an exposed Docker API, Kubernetes API server, kubelet, or web application such as the Kubernetes dashboard.(Citation: Trend Micro Exposed Docker Server)(Citation: Unit 42 Hildegard Malware)", + "description": "Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006) and [VNC](https://attack.mitre.org/techniques/T1021/005) can also be used externally.(Citation: MacOS VNC software for Remote Desktop)Access to [Valid Accounts](https://attack.mitre.org/techniques/T1078) to use the service is often a requirement, which could be obtained through credential pharming or by obtaining the credentials from users after compromising the enterprise network.(Citation: Volexity Virtual Private Keylogging) Access to remote services may be used as a redundant or persistent access mechanism during an operation.Access may also be gained through an exposed service that doesnt require authentication. In containerized environments, this may include an exposed Docker API, Kubernetes API server, kubelet, or web application such as the Kubernetes dashboard.(Citation: Trend Micro Exposed Docker Server)(Citation: Unit 42 Hildegard Malware)Adversaries may also establish persistence on network by configuring a Tor hidden service on a compromised system. Adversaries may utilize the tool `ShadowLink` to facilitate the installation and configuration of the Tor hidden service. Tor hidden service is then accessible via the Tor network because `ShadowLink` sets up a .onion address on the compromised system. `ShadowLink` may be used to forward any inbound connections to RDP, allowing the adversaries to have remote access.(Citation: The BadPilot campaign) Adversaries may get `ShadowLink` to persist on a system by masquerading it as an MS Defender application.(Citation: Russian threat actors dig in, prepare to seize on war fatigue)", "example_uses": [ "used VPNs and Outlook Web Access (OWA) to maintain access to victim networks.", "regained access after eviction via the corporate VPN solution with a stolen VPN certificate, which they had extracted from a compromised host.", @@ -999,7 +1024,8 @@ "gathered the local privileges for the infected host.", "checks for Kubernetes node permissions.", "has enumerated all users and roles from a victim's main treasury system.", - "has used commercial tools LOTL utilities and appliances already present on the system for group and user discovery." + "has used commercial tools LOTL utilities and appliances already present on the system for group and user discovery.", + "has enumerated the vSphere Admins and ESX Admins groups in targeted environments." ], "id": "T1069", "name": "Permission Groups Discovery", @@ -1447,7 +1473,8 @@ "has used MSGraph to exfiltrate data from email OneDrive and SharePoint.", "included collection of packet capture and system configuration information.", "has automated collection of various information including cryptocurrency wallet details.", - "attempts to identify and collect mail login data from Thunderbird and Outlook following execution." + "attempts to identify and collect mail login data from Thunderbird and Outlook following execution.", + "During threat actors used a command shell to automatically iterate through web.config files to expose and collect machineKey settings." ], "id": "T1119", "name": "Automated Collection", @@ -1498,7 +1525,10 @@ "can monitor Clipboard text and can use `System.Windows.Forms.Clipboard.GetText()` to collect data from the clipboard.", "can capture content from the clipboard.", "can collect data stored in the victim's clipboard.", - "has used infostealer tools to copy clipboard data." + "has used infostealer tools to copy clipboard data.", + "has monitored and extracted clipboard contents.", + "has stolen data from the clipboard using the Python project pyperclip. has also captured clipboard contents during copy and paste operations.", + "has used its KBLogger.dll module to steal data saved to the clipboard." ], "id": "T1115", "name": "Clipboard Data", @@ -1519,7 +1549,7 @@ ] }, "attack-pattern--322bad5a-1c49-4d23-ab79-76d641794afa": { - "description": "Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as sc query, tasklist /svc, systemctl --type=service, and net start.Adversaries may use the information from [System Service Discovery](https://attack.mitre.org/techniques/T1007) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.", + "description": "Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as sc query, tasklist /svc, systemctl --type=service, and net start. Adversaries may also gather information about schedule tasks via commands such as `schtasks` on Windows or `crontab -l` on Linux and macOS.(Citation: Elastic Security Labs GOSAR 2024)(Citation: SentinelLabs macOS Malware 2021)(Citation: Splunk Linux Gormir 2024)(Citation: Aquasec Kinsing 2020)Adversaries may use the information from [System Service Discovery](https://attack.mitre.org/techniques/T1007) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.", "example_uses": [ "collects a list of running services with the command tasklist /svc.", "enumerates all running services.", @@ -1585,7 +1615,11 @@ "can check the services on the system.", "can search for modifiable services that could be used for privilege escalation.", "has used `net start` to list running services.", - "can check whether the service name `FAX` is present." + "can check whether the service name `FAX` is present.", + "has leveraged an encoded list of services that it designates for termination.", + "can identify specific services for termination or to be left running at execution.", + "has obtained active services running on the victims system through the functions `OpenSCManagerW()` and `EnumServicesStatusExW()`.", + "has leveraged `tasklist` to gather running services on victim host." ], "id": "T1007", "name": "System Service Discovery", @@ -1621,7 +1655,10 @@ "included network packet capture and sniffing for data collection in victim environments.", "can use the libpcap library to monitor captured packets for specifc sequences.", "can create and exfiltrate packet captures from compromised environments.", - "has a pcap listener function that can create an Extended Berkley Packet Filter (eBPF) on designated interfaces and ports." + "has a pcap listener function that can create an Extended Berkley Packet Filter (eBPF) on designated interfaces and ports.", + "During used a passive backdoor to act as a libpcap-based packet sniffer.", + "has the ability to create a raw promiscuous socket to sniff network traffic.", + "has used the LOOKOVER sniffer to sniff TACACS+ authentication packets." ], "id": "T1040", "name": "Network Sniffing", @@ -1714,7 +1751,11 @@ "can identify network shares on compromised systems.", "scanned and enumerated remote network shares in victim environments during .", "enumerated network shares on victim devices.", - "has the ability to target specific network shares for encryption." + "has the ability to target specific network shares for encryption.", + "has identified networked drives.", + "has identified network shares using `cmd.exe /c net share`.", + "has the ability to list network drives.", + "has searched for folders subfolders and other networked or mounted drives for follow-on encryption actions." ], "id": "T1135", "name": "Network Share Discovery", @@ -1784,7 +1825,8 @@ "has obtained victim's screen dimension and display device information.", "includes functionality to identify MMC and SD cards connected to the victim device.", "has the ability to identify mounted external storage devices.", - "has the ability to discover external storage devices." + "has the ability to discover external storage devices.", + "has checked periodically for removable drives and installs itself when a drive is detected." ], "id": "T1120", "name": "Peripheral Device Discovery", @@ -1793,7 +1835,7 @@ ] }, "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1": { - "description": "An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from [System Information Discovery](https://attack.mitre.org/techniques/T1082) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.Tools such as [Systeminfo](https://attack.mitre.org/software/S0096) can be used to gather detailed system information. If running with privileged access, a breakdown of system data can be gathered through the systemsetup configuration tool on macOS. As an example, adversaries with user-level access can execute the df -aH command to obtain currently mounted disks and associated freely available space. Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to gather detailed system information (e.g. show version).(Citation: US-CERT-TA18-106A) On ESXi servers, threat actors may gather system information from various esxcli utilities, such as `system hostname get`, `system version get`, and `storage filesystem list` (to list storage volumes).(Citation: Crowdstrike Hypervisor Jackpotting Pt 2 2021)(Citation: Varonis)Infrastructure as a Service (IaaS) cloud providers such as AWS, GCP, and Azure allow access to instance and virtual machine information via APIs. Successful authenticated API calls can return data such as the operating system platform and status of a particular instance or the model view of a virtual machine.(Citation: Amazon Describe Instance)(Citation: Google Instances Resource)(Citation: Microsoft Virutal Machine API)[System Information Discovery](https://attack.mitre.org/techniques/T1082) combined with information gathered from other forms of discovery and reconnaissance can drive payload development and concealment.(Citation: OSX.FairyTale)(Citation: 20 macOS Common Tools and Techniques) ", + "description": "An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use this information to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. This behavior is distinct from [Local Storage Discovery](https://attack.mitre.org/techniques/T1680) which is an adversary's discovery of local drive, disks and/or volumes.Tools such as [Systeminfo](https://attack.mitre.org/software/S0096) can be used to gather detailed system information. If running with privileged access, a breakdown of system data can be gathered through the systemsetup configuration tool on macOS. Adversaries may leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to gather detailed system information (e.g. show version).(Citation: US-CERT-TA18-106A) On ESXi servers, threat actors may gather system information from various esxcli utilities, such as `system hostname get` and `system version get`.(Citation: Crowdstrike Hypervisor Jackpotting Pt 2 2021)(Citation: Varonis)Infrastructure as a Service (IaaS) cloud providers such as AWS, GCP, and Azure allow access to instance and virtual machine information via APIs. Successful authenticated API calls can return data such as the operating system platform and status of a particular instance or the model view of a virtual machine.(Citation: Amazon Describe Instance)(Citation: Google Instances Resource)(Citation: Microsoft Virutal Machine API)[System Information Discovery](https://attack.mitre.org/techniques/T1082) combined with information gathered from other forms of discovery and reconnaissance can drive payload development and concealment.(Citation: OSX.FairyTale)(Citation: 20 macOS Common Tools and Techniques) ", "example_uses": [ "gathers computer name and information using the systeminfo command.", "collects the computer name and host name on the compromised system.", @@ -2279,7 +2321,84 @@ "included collection of victim device configuration information.", "can gather system configuration information by running the native `show configuration` command.", "can retrieve information about virtual machines.", - "has gathered various system information from victim machines." + "has gathered various system information from victim machines.", + "will gather various system information such as domain display adapter description operating system type and version processor type and RAM amount.", + "has identified the OS and MAC address of victim device through host fingerprinting scripting.", + "has collected OS type hostname and system version through the pay module. has also queried the victim device using Python scripts to obtain the User and Hostname.", + "has collected the Windows build number using the windows kernel API `RtlGetVersion` to determine if the response is 19000 or higher (Windows 10 version 2004 or later).", + "can gather extended system information such as information about the operating system and memory.", + "can collect system boot configuration and CPU information.", + "has collected from a victim machine the system name processor information and OS version.", + "has the ability to collect the computer name and CPU manufacturer name from a compromised machine. also has the ability to execute the `ver` and `systeminfo` commands.", + "can collect information about a compromised computer including: Hardware UUID Mac serial number and macOS version.", + "can gather the OS version architecture information hostname and RAM size information from the victims machine and has used cmd /c systeminfo command to get a snapshot of the current system state of the target machine.", + "has the ability to collect the hostname OS Username Geolocation and OS version of an infected host.", + "can use `GetNativeSystemInfo` to enumerate system processors.", + "can obtain current system information from a compromised machine such as the `SHELL PID` `PSVERSION` `HOSTNAME` `LOGONSERVER` `LASTBOOTUP` OS type/version bitness and hostname.", + "has the ability to retrieve the name of the infected machine.", + "can retrieve the following information from an infected machine: OS architecture computer name OS build version and environment variables.", + "gathers system information.", + "can obtain the computer name and UUID.", + "collects the victims computer name processor architecture OS version and system type.", + "has been known to collect basic system information. has also collected data to include hostname and current timestamp prior to uploading data to the API endpoint `/uploads` on the C2 server.", + "can gather system information including hostname domain and OS details.", + "Several malware families collect information on the type and version of the victim OS as well as the victim computer name and CPU information.", + "has the ability to obtain the computer name of a compromised host.", + "collects hostname and OS version data from the victim and sends the information to its C2 server.", + "gathers system information network addresses and the operation system version.", + "has the capability to collect the computer name language settings the OS version CPU information and time elapsed since system start.", + "can identify the username machine name system language keyboard layout and OS version on a compromised host.", + "can detect the computer name and operating system.", + "can collect operating system (OS) version information processor information and system name from the victim.", + "has the ability to identify the hostname computer name Windows version processor speed and machine GUID on a compromised host.", + "collects the OS version and computer name. also runs the systeminfo command to gather system information.", + "collected the system GUID and computer name.", + "can enumerate system information including hostname and domain information.", + "collects the OS version hardware information computer name available system memory status and system and user language settings.", + "can obtain the computer name and information on the OS from targeted hosts.", + "can gather the device serial number.", + "can obtain the victim hostname Windows version RAM amount and screen resolution.", + "can collect the computer name OS version and OS architecture information.", + "can collect the hostname operating system configuration and product ID on victim machines by executing .", + "has been observed collecting victim machine information like OS version.", + "can collect system information after installation on infected systems.", + "has collected system information including OS version processor information RAM size location host name IP and screen size of the infected host.", + "can determine the OS version and bitness on a targeted host.", + "can collect a system's architecture operating system version and hostname.", + "gathers information on the system.", + "has used csvde.exe which is a built-in Windows command line tool to export system information. Additionally WsTaskLoad has gathered system information such as operating system and hostname.", + "can gather information on the OS version computer name DEP policy and memory size.", + "can collect the computer name of a compromised host.", + "During threat actors fingerprinted targeted SharePoint servers to identify OS version and running processes.", + "can enumerate system hostname and domain.", + "collects the OS version country name MAC address computer name and physical memory statistics.", + "has enumerated OS type OS version and other information using a script or the systeminfo command. has also obtained system information such as OS type OS version and system type through querying various Windows Management Instrumentation (WMI) classes including `Win32_OperatingSystem`.", + "can create unique victim identifiers by using the compromised systems computer name.", + "has searched for system version architecture and hostname information.", + "has executed scripts to identify the underlying operating system to ensure it uses the correct installation package for malicious payloads.", + "gathers the computer name CPU information Microsoft Windows version and runs the command systeminfo.", + "can collect information about the local system.", + "gathers the OS version and processor information.", + "has leveraged native Windows tools and commands such as `systeminfo` and open-source tools including OSQuery and ossec-win32 to query details about the endpoint.", + "During threat actors discovered the OS versions of systems connected to a targeted network.", + "has configured malicious webpages to identify the victims operating system by reviewing the details of the victims User-Agent of their browser.", + "creates a backdoor through which remote attackers can retrieve information like hostname.", + "has collected data from the SMBIOS firmware table using `GetSystemFirmwareTable`.", + "has detected a target systems OS version.", + "has discovered system information including memory status CPU frequency and OS versions.", + "can retrieve the hostname via `gethostbyname`.", + "gathers information on the victim system such as CPU and Computer name as well as device drivers.", + "can report the file system type of a compromised host to C2.", + "collected the victim computer name OS version and architecture type and sent the information to its C2 server.", + "collects system information from the victim including CPU speed computer name ANSI code page OEM code page identifier for the OS Microsoft Windows version and memory information.", + "can gather information on the operating system on the victims machine.", + "has leveraged `cmd.exe` to identify system info `cmd.exe /c systeminfo`.", + "has collected system name OS version adapter information and memory usage from a victim machine.", + "has the ability to enumerate the OS architecture.", + "can gather system information from the victims machine such as the OS version and machine name.", + "can collect information related to a compromised host including OS version.", + "has the ability to identify the OS architecture on a compromised host.", + "has collected and sent system information including volume serial number computer name and system uptime to designated C2. has also used several commands executed in sequence via `cmd` in a short interval to gather system information about the infected host including `systeminfo`. has decrypted shellcode that collects the computer name." ], "id": "T1082", "name": "System Information Discovery", @@ -2728,7 +2847,21 @@ "uses the `SetThreadExecutionState` API to prevent the victim system from entering sleep.", "utilizes WinAPI calls to gather victim system information.", "has the ability to use Native APIs.", - "has used the `ShowWindow` and `CreateProcessW` APIs." + "has used the `ShowWindow` and `CreateProcessW` APIs.", + "has leveraged Windows Native API functions to execute payloads.", + "has utilized hashed Native Windows API calls.", + "has used various Windows API calls during execution when establishing persistence and defense evasion. has also leveraged the legitimate API functions to run its shellcode through the callback function including `GetDC()` and `EnumFontsW()`. established persistence by utilizing the API `SHSetValue()`. has utilized APIs with callback functions such as `EnumpropsExW` `EnumSystemLanguageGroupsA` and `EnumCalendarInfoExW`.", + "has leveraged Windows Native API functions to execute its operations.", + "can attempt to log on to the local computer via `LogonUserW` and use `GetLogicalDrives()` and `EnumResourceW()` for discovery.", + "has used native windows API calls such as `GetLocalTime()` to retrieve system data.", + "has used Windows API `SetWindowsHookExW` with `idHook` set to `WH_KEYBOARD_LL` and a custom hook procedure to support its keylogging functions.", + "has used various Windows API calls during execution and defense evasion. has created a buffer on the heap using `HeapCreate` and `HeapAlloc` which allows for copying of shell code and then execution on the heap is initiated through callback function of legitimate API functions such as `EnumChildWindows` or `EnumSystemLanguageGroupsA`.", + "has used various Windows API calls during execution when establishing persistence and defense evasion. stager leveraged Windows API functions with callback including `GrayStringW` `EnumDateFormatsA` and `LineDDA` to bypass anti-virus monitoring. has also utilized other native windows API functions with callback functions such as `EnumChildWindows` and `EnumSystemLanguageGroupsA`.", + "has used various Windows API calls during execution and defense evasion.", + "has utilized Native Windows API calls dynamically through `ZwQuerySystemInformation`.", + "has utilized Native Windows API functions such as `WriteProcessMemory` and `CreateRemoteThreadEx`. has also utilized Windows API functions for creating seed values including `CoCreateGuid` and `GetTickCount`. has leveraged the legitimate API function `EnumSystemLocalesA` to run its shellcode through the callback function.", + "can use `NtAllocateVirtualMemory` and `NtCreateThreadEx` to aid process injection.", + "has leveraged Native API calls to execute code within the victims system including `GetCurrentDirectoryW` `RegisterClassW` and `CreateWindowExW`. also created a new overlapped window that initiates callback functions to a windows procedure that processes Windows messages until a designated message type of 0x0018 WM_SHOWWINDOW is observed which then initiates the deployment of a subsequent malicious payload." ], "id": "T1106", "name": "Native API", @@ -2833,7 +2966,11 @@ "variants used the Windows AUTORUN feature to spread through USB propagation.", "has copied itself to and infected removable drives for propagation.", "has attempted to transfer from an infected USB device by copying an Autorun function to the target machine.", - "has historically used infected USB media to spread to new victims." + "has historically used infected USB media to spread to new victims.", + "has periodically checked for removable and hot-plugged drives connected to the infected machine should one be found will propagate to the removeable drives by copying itself and accompanying malware components to a directory to the new drive in a hidden subdirectory `:\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\` and hides any other existing files to ensure UsbConfig.exe is the only visible file on the device.", + "has replicated to removable media by leveraging the User Assist Reg Key and creating LNKs on all network and removable drives available on the infected host.", + "has copied itself to infected removable drives for propagation to other victim devices.", + "actors have mailed USB drives to potential victims containing malware that downloads and installs various backdoors including in some cases for ransomware operations. Additionally has used malicious USBs that acted as virtual keyboards to install malware and txt files that decode to PowerShell commands." ], "id": "T1091", "name": "Replication Through Removable Media", @@ -2842,7 +2979,7 @@ ] }, "attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5": { - "description": "Adversaries may search local system sources, such as file systems, configuration files, local databases, or virtual machine files, to find files of interest and sensitive data prior to Exfiltration.Adversaries may do this using a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), such as [cmd](https://attack.mitre.org/software/S0106) as well as a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008), which have functionality to interact with the file system to gather information.(Citation: show_run_config_cmd_cisco) Adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T1119) on the local system.", + "description": "Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.Adversaries may do this using a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), such as [cmd](https://attack.mitre.org/software/S0106) as well as a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008), which have functionality to interact with the file system to gather information.(Citation: show_run_config_cmd_cisco) Adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T1119) on the local system.", "example_uses": [ "can download files off the target system to send back to the server.", "collects files with the following extensions: .ppt, .pptx, .pdf, .doc, .docx, .xls, .xlsx, .docm, .rtf, .inp, .xlsm, .csv, .odt, .pps, .vcf and sends them back to the C2 server.", @@ -3041,7 +3178,13 @@ "During threat actors stole saved cookies and login data from targeted systems.", "has used PowerShell to upload files from compromised systems.", "has stolen `sitemanager.xml` and `recentservers.xml` from `%APPDATA%\\FileZilla\\` if present.", - "can upload data and files to the LockBit victim-shaming site." + "can upload data and files to the LockBit victim-shaming site.", + "has exfiltrated data collected from local systems.", + "has collected data stored locally including chat logs and files associated with chat services such as Steam Discord and Telegram.", + "can download files from the victim's computer.", + "has collected data utilizing a script that contained a list of excluded files and directory names and naming patterns of interest such as environment and configuration files documents spreadsheets and other files that contained the words secret wallet private and password.", + "can execute a C2 command to transfer files from victim machines.", + "During threat actors extracted information from the compromised systems." ], "id": "T1005", "name": "Data from Local System", @@ -3362,7 +3505,28 @@ "can Base64-decode and XOR decrypt received C2 commands.", "can Base64-decode and XOR-decrypt C2 commands taken from JSON files.", "involved the use of Base64 obfuscated scripts and commands.", - "has used Base64-encoded data to transfer payloads and commands including deobfuscation via ." + "has used Base64-encoded data to transfer payloads and commands including deobfuscation via .", + "has decoded malicious VBScripts using Base64. has also decoded malicious PowerShell scripts using Base64.", + "has the ability to decrypt its payload prior to execution. has also utilized RC4 encryption for malicious payloads.", + "can filter and deobfuscate an XOR encrypted activation string in the payload of an ICMP echo request.", + "has decoded XOR-encrypted and Base-64-encoded payloads prior to execution.", + "During threat actors decrypted scripts prior to execution.", + "has decoded XOR encrypted strings.", + "has decoded its payload prior to execution.", + "can deobfuscate encrypted files prior to execution on targeted hosts.", + "can decrypt obfuscated configuration files.", + "has decoded XOR encrypted strings prior to execution in memory.", + "has decoded its Base64 encoded payload prior to execution. has also encrypted files with RC4 and has decrypted its payload prior to execution.", + "has utilized MDeployer to decrypt two payloads that contain MS4Killer toolkit b.cache and the ransomware executable a.cache with a hardcoded RC4 key `wlQYLoPCil3niI7x8CvR9EtNtL/aeaHrZ23LP3fAsJogVTIzdnZ5Pi09ZVeHFkiB`.", + "tools decrypted additional payloads from the C2. has also decoded Base64-encoded source code of a downloader. Additionally has decoded Telegram content to reveal the IP address for C2 communications.", + "The launcher component can decrypt kernel module code from a file and load it into memory.", + "has decoded a malicious PowerShell script using `certutil -decode hex` and has decoded an XOR-obfuscated block of data with the key `qawsed1q2w3e` which led to the installation of .", + "has decrypted its configuration data such as the C2 IP address ports and other network communication.", + "can deobfuscate RSA encrypted C2 commands received through the DEVICEID cookie.", + "has decoded XOR encrypted payload.", + "During used malware implants to deobfuscate incoming C2 messages and encoded archives.", + "decompresses and decrypts itself using the Microsoft API call RtlDecompressBuffer. has also decrypted its payloads in memory.", + "has decrypted network packets using a custom algorithm." ], "id": "T1140", "name": "Deobfuscate/Decode Files or Information", @@ -3371,7 +3535,7 @@ ] }, "attack-pattern--3f18edba-28f4-4bb9-82c3-8aa60dcac5f7": { - "description": "Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise.Supply chain compromise can take place at any stage of the supply chain including:* Manipulation of development tools* Manipulation of a development environment* Manipulation of source code repositories (public or private)* Manipulation of source code in open-source dependencies* Manipulation of software update/distribution mechanisms* Compromised/infected system images (multiple cases of removable media infected at the factory)(Citation: IBM Storwize)(Citation: Schneider Electric USB Malware) * Replacement of legitimate software with modified versions* Sales of modified/counterfeit products to legitimate distributors* Shipment interdictionWhile supply chain compromise can impact any component of hardware or software, adversaries looking to gain execution have often focused on malicious additions to legitimate software in software distribution or update channels.(Citation: Avast CCleaner3 2018)(Citation: Microsoft Dofoil 2018)(Citation: Command Five SK 2011) Targeting may be specific to a desired victim set or malicious software may be distributed to a broad set of consumers but only move on to additional tactics on specific victims.(Citation: Symantec Elderwood Sept 2012)(Citation: Avast CCleaner3 2018)(Citation: Command Five SK 2011) Popular open source projects that are used as dependencies in many applications may also be targeted as a means to add malicious code to users of the dependency.(Citation: Trendmicro NPM Compromise)", + "description": "Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise.Supply chain compromise can take place at any stage of the supply chain including:* Manipulation of development tools* Manipulation of a development environment* Manipulation of source code repositories (public or private)* Manipulation of source code in open-source dependencies* Manipulation of software update/distribution mechanisms* Compromised/infected system images (removable media infected at the factory)(Citation: IBM Storwize)(Citation: Schneider Electric USB Malware) * Replacement of legitimate software with modified versions* Sales of modified/counterfeit products to legitimate distributors* Shipment interdictionWhile supply chain compromise can impact any component of hardware or software, adversaries looking to gain execution have often focused on malicious additions to legitimate software in software distribution or update channels.(Citation: Avast CCleaner3 2018)(Citation: Microsoft Dofoil 2018)(Citation: Command Five SK 2011) Adversaries may limit targeting to a desired victim set or distribute malicious software to a broad set of consumers but only follow up with specific victims.(Citation: Symantec Elderwood Sept 2012)(Citation: Avast CCleaner3 2018)(Citation: Command Five SK 2011) Popular open-source projects that are used as dependencies in many applications may also be targeted as a means to add malicious code to users of the dependency.(Citation: Trendmicro NPM Compromise)In some cases, adversaries may conduct second-order supply chain compromises by leveraging the access gained from an initial supply chain compromise to further compromise a software component.(Citation: Krebs 3cx overview 2023) This may allow the threat actor to spread to even more victims. ", "example_uses": [ "was added to a legitimate, signed version 5.33 of the CCleaner software and distributed on CCleaner's distribution site.", "has targeted manufacturers in the supply chain for the defense industry.", @@ -3456,7 +3620,13 @@ "has used exploits against publicly-disclosed vulnerabilities for initial access into victim networks.", "was likely enabled by the adversary exploiting an unknown vulnerability in an external-facing router.", "has exploited multiple vulnerabilities to compromise edge devices and on-premises versions of Microsoft Exchange Server.", - "has exploited CVE-2018-0171 in the Smart Install feature of Cisco IOS and Cisco IOS XE software for initial access." + "has exploited CVE-2018-0171 in the Smart Install feature of Cisco IOS and Cisco IOS XE software for initial access.", + "has leveraged public facing vulnerabilities in their campaigns against victim organizations to gain initial access. has also utilized CVE-2024-1709 in ScreenConnect and CVE-2023-48788 in Fortinet EMS for initial access to victim environments.", + "has enabled the exploitation of vulnerabilities for remote code execution capabilities in SOHO routers including CVE-2023-50224 and CVE-2025-9377 in TP-Link devices.", + "has exploited N-day vulnerabilities associated with public facing services to gain initial access to victim environments to include Zoho ManageEngine (CVE-2022-47966) Citrix NetScaler Citrix Bleed (CVE-2023-4966) and Adobe ColdFusion 2016 (CVE-2023-29300 or CVE-2023-38203).", + "During threat actors exploited authentication bypass and remote code execution vulnerabilities (CVE-2025-49706 and CVE-2025-49704) against on-premises SharePoint servers. This activity was characterized by crafted `POST` requests to the ToolPane endpoint `/_layouts/15/ToolPane.aspx`.", + "has been delivered through exploitation of exposed applications and interfaces including Citrix and RDP.", + "has exploited CVE-2022-42475 in FortiOS SSL VPNs to obtain access." ], "id": "T1190", "name": "Exploit Public-Facing Application", @@ -3496,7 +3666,9 @@ "has used AnyDesk and PuTTY on compromised systems.", "has used legitimate applications ScreenConnect AteraAgent and SimpleHelp to manage systems remotely and move laterally.", "has incorporated remote monitoring and management (RMM) tools into their operations including .", - "has used tools such as AnyDesk in victim environments." + "has used tools such as AnyDesk in victim environments.", + "has leveraged Remote Access Software for lateral movement and data exfiltration. has also been known to utilize Remote Access Software such as AnyDesk Atera ConnectWise eHorus N-Able PDQ Deploy PDQ Inventory SimpleHelp and Splashtop.", + "has utilized remote access software including AnyDesk client through the adc module. has also downloaded the AnyDesk client should it not already exist on the compromised host by searching for `C:/Program Files(x86)/AnyDesk/AnyDesk.exe`." ], "id": "T1219", "name": "Remote Access Tools", @@ -3623,7 +3795,11 @@ "PE executable payloads have used uncommon but legitimate extensions such as `.com` instead of `.exe`.", "has used fake icons including antivirus and external drives to disguise malicious payloads.", "has masqueraded filenames using examples such as `update.py`.", - "has prompted users to download and execute batch scripts that masquerade as legitimate update files during initial access and social engineering operations." + "has prompted users to download and execute batch scripts that masquerade as legitimate update files during initial access and social engineering operations.", + "has delivered malware masquerading as legitimate software or applications. has also delivered malicious payloads masquerading as legitimate software drivers.", + "During threat actors used voice calls to socially engineer victims into authorizing a modified version of the Salesforce Data Loader app.", + "malware has masqueraded as legitimate software such as PDF Converter Software which has been distributed through poisoned search engine results often resembling legitimate software lures with the combination of typo squatted domains.", + "has masqueraded as MiroTalk installation packages: MiroTalk.dmg for macOS and MiroTalk.msi for Windows and has included login GUIs with MiroTalk themes." ], "id": "T1036", "name": "Masquerading", @@ -3741,7 +3917,10 @@ "initial execution included launching multiple `svchost` processes and injecting code into them.", "has injected into `wuauclt.exe` during intrusions. has injected ransomware into `svchost.exe` before encryption.", "included injecting code into the AAA and Crash Dump processes on infected Cisco ASA devices.", - "injects into a newly-created `svchost.exe` process prior to device encryption." + "injects into a newly-created `svchost.exe` process prior to device encryption.", + "During exploited CVE-2025-21590 to enable malicious code injection into the memory of legitimate processes.", + "During the 's VEILEDSIGNAL uses process injection to inject the C2 communication module code in the first found process instance of Chrome Firefox or Edge web browsers. It also monitors the established named pipe and re-injects the C2 communication module if necessary.", + "has injected into explorer.exe." ], "id": "T1055", "name": "Process Injection", @@ -3777,7 +3956,13 @@ "can intercept the first client to server packet in the 3-way TCP handshake to determine if the packet contains the correct unique value for a specific implant. If the value does not match the packet and the rest of the TCP session are passed to the legitimate listening application.", "can monitor TCP traffic for packets containing one of five different predefined parameters and will spawn a reverse shell if one of the parameters and the proper response string to a subsequent challenge is received.", "has redirected clients to legitimate Gmail Naver or Kakao pages if the clients connect with no parameters.", - "has used to redirect clients to legitimate Gmail Naver or Kakao pages if the clients connect with no parameters." + "has used to redirect clients to legitimate Gmail Naver or Kakao pages if the clients connect with no parameters.", + "The reverse shell component can listen for a specialized packet in TCP UDP or ICMP for activation.", + "has utilized a magic packet value in C2 communications and only executes in memory when response packets match specific values of 17 03 03. has also used magic bytes consisting of 46 77 4d.", + "has used the TABLEFLIP traffic redirection utility to listen for specialized command packets on compromised FortiManager devices.", + "has utilized a magic packet value in C2 communications and only executes in memory when response packets match specific values.", + "During leveraged malware capable of inpecting packets for a magic-string to activate backdoor functionalities.", + "has utilized a magic packet value in C2 communications and only executes in memory when response packets match specific values of 17 03 03 or 46 77 4d." ], "id": "T1205", "name": "Traffic Signaling", @@ -3918,7 +4103,9 @@ "has the ability to list open windows on the compromised host.", "has the ability to discover application windows via execution of `EnumWindows`.", "can enumerate running application windows.", - "has collected window title information from compromised systems." + "has collected window title information from compromised systems.", + "has used `GetForegroundWindow` to detect virtualization or sandboxes by calling the API twice and comparing each window handle.", + "has used `GetForegroundWindow` to access the foreground window. has also captured text from the foreground windows." ], "id": "T1010", "name": "Application Window Discovery", @@ -4488,7 +4675,14 @@ "writes persistent configuration information to the victim host registry.", "has used reg.exe to modify system configuration.", "modifies the victim Registry to prevent system recovery.", - "has modified Registry keys to maintain persistence." + "has modified Registry keys to maintain persistence.", + "has modified registry keys to ensure hidden files and extensions are not visible through the modification of `HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced`.", + "has modified Registry keys to elevate privileges maintain persistence and allow remote access.", + "has modified Registry key values as part of its created service `DeviceSync`.", + "has removed security settings for VBA macro execution by changing registry values HKCU\\Software\\Microsoft\\Office\\<version>\\<product>\\Security\\VBAWarnings and HKCU\\Software\\Microsoft\\Office\\<version>\\<product>\\Security\\AccessVBOM. has also modified Registry keys to hide folders and system files and to add the C2 address under `HKEY_CURRENT_USER\\Console\\WindowsUpdate`.", + "can make Registry modifications to share networked drives between elevated and non-elevated processes and to increase the number of outstanding network requests per client.", + "has modified and deleted Registry keys to add services and to disable Security Solutions such as Windows Defender.", + "During threat actors including Storm-2603 disabled security services via Registry modifications." ], "id": "T1112", "name": "Modify Registry", @@ -4531,7 +4725,10 @@ "During used a Chrome data dumper named MKG.", "To collect data on the host's Wi-Fi connection history reads the `/Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist` file. It also utilizes Apple's `CWWiFiClient` API to scan for nearby Wi-Fi networks and obtain data on the SSID security type and RSSI (signal strength) values.", "collects information from Chromium-based browsers and Firefox such as cookies history downloads and extensions.", - "has identified and gathered information from two-factor authentication extensions for multiple browsers." + "has identified and gathered information from two-factor authentication extensions for multiple browsers.", + "has searched the victim device for browser extensions including those commonly associated with cryptocurrency wallets.", + "can collect information from browsers and browser extensions.", + "During the leveraged ICONICSTEALER to steal browser information to include browser history located on the infected host." ], "id": "T1217", "name": "Browser Information Discovery", @@ -4625,7 +4822,8 @@ "attack-pattern--65917ae0-b854-4139-83fe-bf2441cf0196": { "description": "Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May 2018) File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).Modifications may include changing specific access rights, which may require taking ownership of a file or directory and/or elevated permissions depending on the file or directorys existing permissions. This may enable malicious activity such as modifying, replacing, or deleting specific files or directories. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via [Accessibility Features](https://attack.mitre.org/techniques/T1546/008), [Boot or Logon Initialization Scripts](https://attack.mitre.org/techniques/T1037), [Unix Shell Configuration Modification](https://attack.mitre.org/techniques/T1546/004), or tainting/hijacking other instrumental binary/configuration files via [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574).Adversaries may also change permissions of symbolic links. For example, malware (particularly ransomware) may modify symbolic links and associated settings to enable access to files from local shortcuts with remote paths.(Citation: new_rust_based_ransomware)(Citation: bad_luck_blackcat)(Citation: falconoverwatch_blackcat_attack)(Citation: blackmatter_blackcat)(Citation: fsutil_behavior) ", "example_uses": [ - "can use the command-line utility cacls.exe to change file permissions." + "can use the command-line utility cacls.exe to change file permissions.", + "can use symbolic links to redirect file paths for both remote and local objects." ], "id": "T1222", "name": "File and Directory Permissions Modification", @@ -5167,7 +5365,21 @@ "enumerates network interfaces on the infected host.", "captures the IP address of the victim system and sends this to the attacker following encryption.", "collects network information on infected systems such as listing interface names MAC and IP addresses and IPv6 addresses.", - "During threat actors invoked DNS queries from targeted machines to identify their IP addresses." + "During threat actors invoked DNS queries from targeted machines to identify their IP addresses.", + "has used ipconfig and arp to determine network configuration information. has also utilized SharpNBTScan to scan the victim environment.", + "has captured victim IP address details of the targeted machine.", + "has obtained information about local networks through the `ipconfig /all` command.", + "has used network reconnaissance commands for discovery including `ping` and `nltest`.", + "During leveraged JunoOS CLI queries to obtain the interface index which contains system and network details.", + "has leveraged webservices to identify the public IP of the victim host.", + "can accept a command line argument identifying specific IPs.", + "can enumeate information about victims systems including IP addresses.", + "has leveraged server-side client configurations to identify the public IP of the victim host.", + "has collected the local IP address and external IP.", + "has used `ipconfig/all` and web beacons sent via email to gather network configuration information. has also identified Host IP addresses leveraging the WMI class `Win32_NetworkAdapterConfiguration`.", + "has retrieved network information from a compromised host such as the MAC address.", + "has obtained host network details utilizing the command `cmd.exe /c ipconfig /all`.", + "has a module for network enumeration including determining IP addresses." ], "id": "T1016", "name": "System Network Configuration Discovery", @@ -5225,7 +5437,10 @@ "attempts to discover accounts from various locations such as a user's Evernote AppleID Telegram Skype and WeChat data.", "During the obtained a list of users and their roles from an Exchange server using `Get-ManagementRoleAssignment`.", "has enumerated all users and their roles from a victim's main treasury system.", - "used the last command in Linux environments to identify recently logged-in users on victim machines." + "used the last command in Linux environments to identify recently logged-in users on victim machines.", + "has identified vSphere administrator accounts.", + "can identify privileged user accounts on infected systems.", + "included functionality to retrieve a list of user accounts." ], "id": "T1087", "name": "Account Discovery", @@ -5318,7 +5533,14 @@ "has the ability to establish a SOCKS5 proxy on a compromised web server.", "implements SOCKS5 proxy functionality.", "can establish an HTTP or SOCKS proxy to tunnel data in and out of a network.", - "can identify system proxy settings via `WinHttpGetIEProxyConfigForCurrentUser()` during initialization and utilize these settings for subsequent command and control operations." + "can identify system proxy settings via `WinHttpGetIEProxyConfigForCurrentUser()` during initialization and utilize these settings for subsequent command and control operations.", + "has the ability to route HTTP/S communications through designated proxies.", + "During threat actors used Mullvad VPN IPs to proxy voice phishing calls.", + "During used malware capable of establishing a SOCKS proxy connection to a specified IP and port.", + "has leveraged Astrill VPN for C2.", + "During threat actors used Fast Reverse Proxy to communicate with C2.", + "has used proxy networks to hamper detection and has installed legitimate proxy tools on VMware vCenter and adversary-controlled VMs.", + "has used the Cloudflare Tunnel client to proxy C2 traffic." ], "id": "T1090", "name": "Proxy", @@ -5478,7 +5700,9 @@ "variants can be delivered via highly obfuscated Windows Script Files (WSF) for initial execution.", "has executed PHP and Shell scripts to identify and infect subsequent routers for the ORB network.", "has provided an arbitrary command execution interface.", - "included the adversary executing command line interface (CLI) commands." + "included the adversary executing command line interface (CLI) commands.", + "has used the command line for execution of commands.", + "has utilized meterpreter shellcode." ], "id": "T1059", "name": "Command and Scripting Interpreter", @@ -5533,7 +5757,8 @@ "included scripted exfiltration of collected data.", "can automatically exfitrate files from compromised systems.", "can upload encyrpted data for exfiltration.", - "automatically sends gathered email credentials following collection to command and control servers via HTTP POST." + "automatically sends gathered email credentials following collection to command and control servers via HTTP POST.", + "During threat actors used API queries to automatically exfiltrate large volumes of data." ], "id": "T1020", "name": "Automated Exfiltration", @@ -5591,7 +5816,8 @@ "clears the file location `/proc//environ` removing all environment variables for the process.", "uses a batch script to clear file system cache memory via the ProcessIdleTasks export in advapi32.dll as an anti-analysis and anti-forensics technique.", "restores the `.text` section of compromised DLLs after malicious code is loaded into memory and before the file is closed.", - "has cleared Chrome browser history." + "has cleared Chrome browser history.", + "has deleted registry keys that store data and maintained persistence." ], "id": "T1070", "name": "Indicator Removal", @@ -5984,7 +6210,21 @@ "can identify specific files and directories within the Linux operating system corresponding with storage devices for follow-on wiping activity similar to .", "has used `mdfind` to enumerate a list of apps known to grant screen sharing permissions and leverages a module to run the command `ls -la ~/Desktop`.", "can ignore specified directories for encryption.", - "can be configured to exfiltrate specific file types." + "can be configured to exfiltrate specific file types.", + "has a module to enumerate drives and find files recursively. has also checked the path from which it is running for specific parameters prior to execution.", + "has conducted key word searches within files and directories on a compromised hosts to identify files for exfiltration.", + "has used `vmtoolsd.exe` to enumerate files on guest machines.", + "has identified specific directories and files for exfiltration using the `ssh_upload` command which contains subcommands of `.sdira` `sdir` `sfile` `sfinda` `sfindr` `sfind`. also has the capability to scan and upload files of interest from multiple OS systems through the use of scripts that check file names file extensions and avoids certain path names. has utilized the `findstr` on Windows or the macOS `find` commands to search for files of interest.", + "has searched for folders subfolders and other networked or mounted drives for follow on encryption actions. has also iterated device volumes using `FindFirstVolumeW()` and `FindNextVolumeW()` functions and then calls the `GetVolumePathNamesForVolumeNameW()` function to retrieve a list of drive letters and mounted folder paths for each specified volume.", + "macros can scan for Microsoft Word and Excel files to inject with additional malicious macros. has also used its backdoors to automatically list interesting files (such as Office documents) found on a system. Gamaredon Group has also identified directory trees folders and files on the compromised host.", + "has searched for files within the victim environment for encryption and exfiltration. has also identified files associated with remote management services.", + "During threat actors leveraged commands to locate accessible file shares backup paths or SharePoint content.", + "The interface can display a file explorer view of the compromised host.", + "During threat actors queried customers' Salesforce environments to identify sensitive information for exfiltration.", + "Spider enumerates a target organization for files and directories of interest including source code user provisioning MFA device registration network diagrams and shared credentials in documents or spreadsheets.", + "can exclude specific directories and files from encryption.", + "has searched for .ldb and .log files stored in browser extension directories for collection and exfiltration.", + "has used Windows API to identify files associated with Windows Defender and Kaspersky." ], "id": "T1083", "name": "File and Directory Discovery", @@ -6186,7 +6426,8 @@ "can use a dashboard and U/I to display the status of connections from the FRP client and server.", "has used RDP to test network connections.", "has used commands such as `netstat` to identify system network connections.", - "has enumerated existing network connections on victim devices." + "has enumerated existing network connections on victim devices.", + "has used several commands executed in sequence via `cmd` in a short interval to gather information on network connections." ], "id": "T1049", "name": "System Network Connections Discovery", @@ -6341,7 +6582,10 @@ "second stage payloads can be hosted as RAR files containing a malicious EXE and DLL on Discord servers.", "has the ability to use use Telegram channels to return a list of commands to be executed to download additional payloads or to create a reverse shell.", "uses a subdomain on the legitimate Cloudflare resource trycloudflare[.]com to obfuscate the threat actor's actual address and to tunnel information sent from victim systems.", - "has used various links such as links with typo-squatted domains links to Dropbox files and links to fake Google sites in spearphishing operations." + "has used various links such as links with typo-squatted domains links to Dropbox files and links to fake Google sites in spearphishing operations.", + "has leveraged legitimate file sharing web services to host malicious payloads.", + "can use third-party web services such as GitHub and Google Drive for C2.", + "has used DropBox URLs to deliver variants of . has also used Google Drive to host malicious downloads." ], "id": "T1102", "name": "Web Service", @@ -6369,7 +6613,8 @@ "used the storescyncsvc.dll BEACON backdoor to download a secondary backdoor.", "can use one C2 URL for first contact and to upload information about the host computer and two additional C2 URLs for getting commands.", "has used a two-tiered C2 configuration with tier one nodes connecting to the victim and tier two nodes connecting to backend infrastructure.", - "can communicate over a unique series of connections to send and retrieve data from exploited devices." + "can communicate over a unique series of connections to send and retrieve data from exploited devices.", + "During used malware with separate channels to request and carry out tasks from C2." ], "id": "T1104", "name": "Multi-Stage Channels", @@ -6729,7 +6974,23 @@ "can identify and terminate specific services.", "has the ability to read `/proc/self/cmdline` to see if it is running as a monitored process.", "has run tasklist on a victim's machine and used infostealers to capture processes.", - "checks whether the Bitlocker Drive Encryption Tools service is running." + "checks whether the Bitlocker Drive Encryption Tools service is running.", + "During used malware capable of reading the PID for the Junos OS snmpd daemon.", + "has checked the process name and process path to ensure it matches the expected one prior to triggering a custom exception handler. has also searched for running antivirus processes to include ESETs antivirus associated executables ekrn.exe and egui.exe.", + "has conducted process discovery to identify the malware under the process WCBrowserWatcher.exe and will launch it from an install directory if it is not found.", + "has utilized an encoded list of the processes that it detects and terminates.", + "can enumerate processes on targeted hosts.", + "has utilized MS4Killer to detect running processes on the victim device. has also captured a snapshot of active running processes using the Windows API `CreateToolHelp32Snapshot()`.", + "has used `tasklist` to gather running processes on victim host. has also leveraged the `OpenEventA` Windows API function to check whether the same process was already running.", + "has the capability to query installed programs and running processes. has also identified running processes using the Python project psutil.", + "can define specific processes to be terminated or left alone at execution.", + "has discovered running processes through `tasklist.exe`.", + "has utilized a hard-coded security tool process list that identifies and terminates using an undocumented IOCTL code 0x222094.", + "has used tasklist /v to determine active process information. has also used malware to check the process name and process path to ensure it matches the expected one prior to triggering a custom exception handler.", + "has used the PowerShell script 3CF9.ps1 to perform process discovery by executing `tasklist /v`. Additionally WsTaskLoad.exe executes `tasklist /v` to perform process discovery.", + "has run scripts to list all running processes on a guest VM from an ESXi host.", + "can gather a list of all processes running on a victim's machine. has also obtained running processes on the victim device utilizing PowerShell cmdlet `Get-Process`.", + "has detected and logged the full path of processes active in the foreground using Windows API calls." ], "id": "T1057", "name": "Process Discovery", @@ -6761,7 +7022,9 @@ "has used the commercially available tool RemoteExec for agentless remote code execution.", "has used RAdmin a remote software tool used to remotely control workstations and ATMs.", "actors used a victim's endpoint management platform Altiris for lateral movement.", - "During the threat actors used PDQ Deploy to move and tools across the network." + "During the threat actors used PDQ Deploy to move and tools across the network.", + "has leveraged legitimate software tools such as AntiVirus Agents Security Services and App Development tools to execute scripts and to side-load dlls.", + "has utilized software deployment and management solutions to deploy their encryption payload to include BigFix and PDQ Deploy." ], "id": "T1072", "name": "Software Deployment Tools", @@ -6951,7 +7214,16 @@ "exfiltrates data via HTTP over existing command and control channels.", "transmitted collected victim host information via HTTP POST to command and control infrastructure.", "can use an attacker-controlled OneDrive account to receive C2 commands and to exfiltrate files.", - "exfiltrates collected information to its command and control infrastructure." + "exfiltrates collected information to its command and control infrastructure.", + "has exfiltrated data collected from victim devices to C2 servers.", + "has exfiltrated data from compromised VMware vCenter servers through an established C2 channel using the Teleport remote access tool.", + "has exfiltrated stolen data and files to its C2 server.", + "has exfiltrated data from a compromised host to actor-controlled C2 servers.", + "has exfiltrated victim data using HTTPS POST requests to its C2 servers.", + "has sent victim data to its C2 server or RedLine panel server.", + "has used HTTP communications to the /Uploads URI for file exfiltration.", + "During threat actors exfiltrated stolen credentials and internal data over HTTPS to C2 infrastructure.", + "During uploaded specified files from compromised devices to a remote server." ], "id": "T1041", "name": "Exfiltration Over C2 Channel", @@ -7139,7 +7411,8 @@ "attack-pattern--9c306d8d-cde7-4b4c-b6e8-d0bb16caca36": { "description": "Adversaries may exploit software vulnerabilities in an attempt to collect credentials. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code.Credentialing and authentication mechanisms may be targeted for exploitation by adversaries as a means to gain access to useful credentials or circumvent the process to gain authenticated access to systems. One example of this is `MS14-068`, which targets Kerberos and can be used to forge Kerberos tickets using domain user permissions.(Citation: Technet MS14-068)(Citation: ADSecurity Detecting Forged Tickets) Another example of this is replay attacks, in which the adversary intercepts data packets sent between parties and then later replays these packets. If services don't properly validate authentication requests, these replayed packets may allow an adversary to impersonate one of the parties and gain unauthorized access or privileges.(Citation: Bugcrowd Replay Attack)(Citation: Comparitech Replay Attack)(Citation: Microsoft Midnight Blizzard Replay Attack)Such exploitation has been demonstrated in cloud environments as well. For example, adversaries have exploited vulnerabilities in public cloud infrastructure that allowed for unintended authentication token creation and renewal.(Citation: Storm-0558 techniques for unauthorized email access)Exploitation for credential access may also result in Privilege Escalation depending on the process targeted or credentials obtained.", "example_uses": [ - "exploited vulnerable network appliances during leading to the collection and exfiltration of valid credentials." + "exploited vulnerable network appliances during leading to the collection and exfiltration of valid credentials.", + "exploited CVE-2022-22948 in VMware vCenter to obtain encrypted credentials from the vCenter postgresDB." ], "id": "T1212", "name": "Exploitation for Credential Access", @@ -7218,7 +7491,8 @@ "has used dedicated network connections from one victim organization to gain unauthorized access to a separate organization. Additionally has accessed Internet service providers and telecommunication entities that provide mobile connectivity.", "has gained access to a contractor to pivot to the victims infrastructure.", "has used stolen API keys and credentials associatd with privilege access management (PAM) cloud app providers and cloud data management companies to access downstream customer environments.", - "targeted third-party entities in trusted relationships with primary targets to ultimately achieve access at primary targets. Entities targeted included DNS registrars telecommunication companies and internet service providers." + "targeted third-party entities in trusted relationships with primary targets to ultimately achieve access at primary targets. Entities targeted included DNS registrars telecommunication companies and internet service providers.", + "has used stolen API keys and credentials associated with privilege access management (PAM) cloud app providers and cloud data management companies to access downstream customer environments." ], "id": "T1199", "name": "Trusted Relationship", @@ -7256,7 +7530,8 @@ "has granted privileges to domain accounts.", "has added a user named supportaccount to the Remote Desktop Users and Administrators groups.", "has added accounts to specific groups with net localgroup.", - "has granted privileges to domain accounts and reset the password for default admin accounts." + "has granted privileges to domain accounts and reset the password for default admin accounts.", + "has added accounts to the ESX Admins group to grant them full admin rights in vSphere." ], "id": "T1098", "name": "Account Manipulation", @@ -7334,7 +7609,7 @@ ] }, "attack-pattern--a93494bb-4b80-4ea1-8695-3236a49916fd": { - "description": "Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.(Citation: TrendMicro Pawn Storm Dec 2020) Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism.(Citation: Dragos Crashoverride 2018) Brute forcing passwords can take place via interaction with a service that will check the validity of those credentials or offline against previously acquired credential data, such as password hashes.Brute forcing credentials may take place at various points during a breach. For example, adversaries may attempt to brute force access to [Valid Accounts](https://attack.mitre.org/techniques/T1078) within a victim environment leveraging knowledge gathered from other post-compromise behaviors such as [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), [Account Discovery](https://attack.mitre.org/techniques/T1087), or [Password Policy Discovery](https://attack.mitre.org/techniques/T1201). Adversaries may also combine brute forcing activity with behaviors such as [External Remote Services](https://attack.mitre.org/techniques/T1133) as part of Initial Access.", + "description": "Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.(Citation: TrendMicro Pawn Storm Dec 2020) Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism.(Citation: Dragos Crashoverride 2018) Brute forcing passwords can take place via interaction with a service that will check the validity of those credentials or offline against previously acquired credential data, such as password hashes.Brute forcing credentials may take place at various points during a breach. For example, adversaries may attempt to brute force access to [Valid Accounts](https://attack.mitre.org/techniques/T1078) within a victim environment leveraging knowledge gathered from other post-compromise behaviors such as [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), [Account Discovery](https://attack.mitre.org/techniques/T1087), or [Password Policy Discovery](https://attack.mitre.org/techniques/T1201). Adversaries may also combine brute forcing activity with behaviors such as [External Remote Services](https://attack.mitre.org/techniques/T1133) as part of Initial Access. If an adversary guesses the correct password but fails to login to a compromised account due to location-based conditional access policies, they may change their infrastructure until they match the victims location and therefore bypass those policies.(Citation: ReliaQuest Health Care Social Engineering Campaign 2024)", "example_uses": [ "used a tool called BruteForcer to perform a brute force attack.", "dropped and executed tools used for password cracking, including Hydra.", @@ -7362,7 +7637,8 @@ "can perform brute force attacks to obtain credentials.", "used the `su-bruteforce` tool to brute force specific users using the `su` command.", "performed password brute-force attacks on the local admin account.", - "engaged in various brute forcing activities via SMB in victim environments." + "engaged in various brute forcing activities via SMB in victim environments.", + "has leveraged brute force attacks to obtain credentials." ], "id": "T1110", "name": "Brute Force", @@ -7515,7 +7791,12 @@ "During threat actors extracted sensitive credentials while moving laterally through compromised networks.", "used captured valid account information to log into victim web applications and appliances during .", "has gained access to victim environments through legitimate VPN credentials.", - "used compromised credentials to maintain long-term access to victim environments." + "used compromised credentials to maintain long-term access to victim environments.", + "has used compromised credentials for initial access.", + "During has gained access to the 3CX corporate environment through legitimate VPN credentials.", + "During used legitimate credentials to gain priviliged access to Juniper routers.", + "has utilized compromised legitimate local and domain accounts within the victim environment to facilitate remote access and lateral movement sometimes in combination with .", + "has used tools to hijack valid SSH accounts." ], "id": "T1078", "name": "Valid Accounts", @@ -7598,7 +7879,9 @@ "exploited software vulnerabilities in victim environments to escalate privileges during .", "has exploited CVE-2014-4076 CVE-2015-2387 CVE-2015-1701 CVE-2017-0263 and CVE-2022-38028 to escalate privileges.", "During threat actors downloaded a privilege escalation payload to gain root access.", - "has exploited the Windows Kernel Elevation of Privilege vulnerability CVE-2024-30088." + "has exploited the Windows Kernel Elevation of Privilege vulnerability CVE-2024-30088.", + "has leveraged MS4Killer to deliver a vulnerable driver to the victim device sometimes referred to as Bring Your Own Vulnerable Driver (BYOVD). has utilized the vulnerable driver probmon.sys version 3.0.0.4 which had a revoked certificated from ITM System Co.LTD.", + "has exploited zero-day vulnerability CVE-2023-20867 to enable execution of privileged commands across Windows Linux and PhotonOS (vCenter) guest VMs." ], "id": "T1068", "name": "Exploitation for Privilege Escalation", @@ -7843,7 +8126,13 @@ "has used SmartAssembly to obfuscate .NET payloads.", "has used Base64 to encode malicious links.", "strings network data configuration and modules are encrypted with a modified RC4 algorithm.", - "can encrypt the names of requested APIs." + "can encrypt the names of requested APIs.", + "During the payloads use AES-256 GCM cipher to encrypt data to include ICONICSTEALER and VEILEDSIGNAL.", + "has obfuscated the fingerprint of the victim system the local IP address and the Fowler-Noll-V 1 (FNV-1) hash of the local IP address using an XOR operation. The data is then sent to the C2 server.", + "has obfuscated DLL names using the ror13AddHash32 algorithm.", + "has delivered initial payloads hidden using archives and encoding measures. has also utilized opaque predicates in payloads to hinder analysis.", + "has been delivered using self-extracting RAR archives.", + "has delivered self-extracting 7z archive files within malicious document attachments. Additionally has used an obfuscated .drv file." ], "id": "T1027", "name": "Obfuscated Files or Information", @@ -7880,7 +8169,7 @@ ] }, "attack-pattern--b77cf5f3-6060-475d-bd60-40ccbf28fdc2": { - "description": "Adversaries may gather credential material by invoking or forcing a user to automatically provide authentication information through a mechanism in which they can intercept.The Server Message Block (SMB) protocol is commonly used in Windows networks for authentication and communication between systems for access to resources and file sharing. When a Windows system attempts to connect to an SMB resource it will automatically attempt to authenticate and send credential information for the current user to the remote system. (Citation: Wikipedia Server Message Block) This behavior is typical in enterprise environments so that users do not need to enter credentials to access network resources.Web Distributed Authoring and Versioning (WebDAV) is also typically used by Windows systems as a backup protocol when SMB is blocked or fails. WebDAV is an extension of HTTP and will typically operate over TCP ports 80 and 443. (Citation: Didier Stevens WebDAV Traffic) (Citation: Microsoft Managing WebDAV Security)Adversaries may take advantage of this behavior to gain access to user account hashes through forced SMB/WebDAV authentication. An adversary can send an attachment to a user through spearphishing that contains a resource link to an external server controlled by the adversary (i.e. [Template Injection](https://attack.mitre.org/techniques/T1221)), or place a specially crafted file on navigation path for privileged accounts (e.g. .SCF file placed on desktop) or on a publicly accessible share to be accessed by victim(s). When the user's system accesses the untrusted resource it will attempt authentication and send information, including the user's hashed credentials, over SMB to the adversary controlled server. (Citation: GitHub Hashjacking) With access to the credential hash, an adversary can perform off-line [Brute Force](https://attack.mitre.org/techniques/T1110) cracking to gain access to plaintext credentials. (Citation: Cylance Redirect to SMB)There are several different ways this can occur. (Citation: Osanda Stealing NetNTLM Hashes) Some specifics from in-the-wild use include:* A spearphishing attachment containing a document with a resource that is automatically loaded when the document is opened (i.e. [Template Injection](https://attack.mitre.org/techniques/T1221)). The document can include, for example, a request similar to file[:]//[remote address]/Normal.dotm to trigger the SMB request. (Citation: US-CERT APT Energy Oct 2017)* A modified .LNK or .SCF file with the icon filename pointing to an external reference such as \\\\[remote address]\\pic.png that will force the system to load the resource when the icon is rendered to repeatedly gather credentials. (Citation: US-CERT APT Energy Oct 2017)", + "description": "Adversaries may gather credential material by invoking or forcing a user to automatically provide authentication information through a mechanism in which they can intercept.The Server Message Block (SMB) protocol is commonly used in Windows networks for authentication and communication between systems for access to resources and file sharing. When a Windows system attempts to connect to an SMB resource it will automatically attempt to authenticate and send credential information for the current user to the remote system.(Citation: Wikipedia Server Message Block) This behavior is typical in enterprise environments so that users do not need to enter credentials to access network resources.Web Distributed Authoring and Versioning (WebDAV) is also typically used by Windows systems as a backup protocol when SMB is blocked or fails. WebDAV is an extension of HTTP and will typically operate over TCP ports 80 and 443.(Citation: Didier Stevens WebDAV Traffic)(Citation: Microsoft Managing WebDAV Security)Adversaries may take advantage of this behavior to gain access to user account hashes through forced SMB/WebDAV authentication. An adversary can send an attachment to a user through spearphishing that contains a resource link to an external server controlled by the adversary (i.e. [Template Injection](https://attack.mitre.org/techniques/T1221)), or place a specially crafted file on navigation path for privileged accounts (e.g. .SCF file placed on desktop) or on a publicly accessible share to be accessed by victim(s). When the user's system accesses the untrusted resource, it will attempt authentication and send information, including the user's hashed credentials, over SMB to the adversary-controlled server.(Citation: GitHub Hashjacking) With access to the credential hash, an adversary can perform off-line [Brute Force](https://attack.mitre.org/techniques/T1110) cracking to gain access to plaintext credentials.(Citation: Cylance Redirect to SMB)There are several different ways this can occur.(Citation: Osanda Stealing NetNTLM Hashes) Some specifics from in-the-wild use include:* A spearphishing attachment containing a document with a resource that is automatically loaded when the document is opened (i.e. [Template Injection](https://attack.mitre.org/techniques/T1221)). The document can include, for example, a request similar to file[:]//[remote address]/Normal.dotm to trigger the SMB request.(Citation: US-CERT APT Energy Oct 2017)* A modified .LNK or .SCF file with the icon filename pointing to an external reference such as \\\\[remote address]\\pic.png that will force the system to load the resource when the icon is rendered to repeatedly gather credentials.(Citation: US-CERT APT Energy Oct 2017)Alternatively, by leveraging the EfsRpcOpenFileRaw function, an adversary can send SMB requests to a remote system's MS-EFSRPC interface and force the victim computer to initiate an authentication procedure and share its authentication details. The Encrypting File System Remote Protocol (EFSRPC) is a protocol used in Windows networks for maintenance and management operations on encrypted data that is stored remotely to be accessed over a network. Utilization of EfsRpcOpenFileRaw function in EFSRPC is used to open an encrypted object on the server for backup or restore. Adversaries can collect this data and abuse it as part of a NTLM relay attack to gain access to remote systems on the same internal network.(Citation: Rapid7)(Citation: GitHub)", "example_uses": [ "used to launch an authentication window for users to enter their credentials.", "has gathered hashed user credentials over SMB using spearphishing attachments with external resource links and by modifying .LNK file icon resources to collect credentials from virtualized systems.", @@ -8046,7 +8335,8 @@ "captures user input into the Winlogon process by redirecting RPC traffic from legitimate listening DLLs within the operating system to a newly registered malicious item that allows for recording logon information in cleartext.", "has used credential harvesting websites.", "has used a PowerShell script to capture user credentials after prompting a user to authenticate to run a malicious script masquerading as a legitimate update item.", - "captured submitted multfactor authentication codes and other technical artifacts related to remote access sessions during ." + "captured submitted multfactor authentication codes and other technical artifacts related to remote access sessions during .", + "has collected mouse and keyboard events using pyWinhook." ], "id": "T1056", "name": "Input Capture", @@ -8122,7 +8412,10 @@ "has exploited Office vulnerabilities during local execution such as CVE-2017-11882 and CVE-2018-0798.", "used the GrimResource exploitation technique via specially crafted MSC files for arbitrary code execution during .", "has used exploits for vulnerabilities such as CVE-2021-44228 CVE-2021-21974 and CVE-2022-0847 to achieve client code execution.", - "has exploited CVE-2024-30088 to run arbitrary code in the context of `SYSTEM`." + "has exploited CVE-2024-30088 to run arbitrary code in the context of `SYSTEM`.", + "During exploited CVE-2025-21590 to bypass Veriexec protections in Junos OS designed to prevent unauthorized binary execution.", + "has exoloited CVE-2023-34048 to enable command execution on vCenter servers and CVE-2023-20867 in VMware Tools to execute unauthenticated Guest Operations from ESXi hosts to guest VMs.", + "During the leveraged the Chrome vulnerability CVE-2022-0609 in combination with a website." ], "id": "T1203", "name": "Exploitation for Client Execution", @@ -8284,7 +8577,17 @@ "communicated over TCP 5000 from adversary administrative servers to adversary command and control nodes during .", "spawns a reverse TCP shell following an HTTP-based negotiation.", "can use the Windows Socket networking library to communicate with attacker-controlled endpoints.", - "can tunnel TCP sessions into targeted networks." + "can tunnel TCP sessions into targeted networks.", + "has used SOCKS5 over port 9050 for C2 communication.", + "has used a raw TCP connection to communicate with the C2 server.", + "has utilized TCP-based reverse shells using cmd.exe.", + "has utilized TCP-based reverse shells.", + "can communicate using TLS over raw TCP.", + "can use a custom binary protocol over TCP for C2 communication.", + "has deployed backdoors that communicate over TCP to compromised network devices and over VMCI to ESXi hosts.", + "During leveraged malware that used UDP and TCP sockets for C2.", + "has used TCP for C2 communications to target IPs or domains. contained code to support both UDP and TCP connections.", + "has established a connection with the C2 server over TCP traffic. has also created a TCP reverse shell communicating via a socket connection over ports 1245 80 2245 3001 and 5000." ], "id": "T1095", "name": "Non-Application Layer Protocol", @@ -8436,7 +8739,11 @@ "queried registry values to determine system language settings.", "queries registry values for stored configuration information.", "has queried the following registry key to check for installed Chrome extensions: ` HKCU\\Software\\Policies\\Google\\Chrome\\ExtensionInstallForcelist`.", - "has run commands such as `reg query HKLM\\SYSTEM\\CurrentControlSet\\Services\\[service name]\\Parameters` to verify if installed implants are running as a service." + "has run commands such as `reg query HKLM\\SYSTEM\\CurrentControlSet\\Services\\[service name]\\Parameters` to verify if installed implants are running as a service.", + "can query the Windows Registry.", + "has queried ` HKEY_CURRENT_USER\\\\Console\\\\WindowsUpdates` to obtain the C2 addresses. has queried ` HKEY_CURRENT_USER\\\\Console\\\\WindowsUpdates` to obtain the C2 addresses.", + "can check `HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control SystemStartOptions` to determine if a machine is running in safe mode.", + "has queried Registry values to identify software using `reg query`." ], "id": "T1012", "name": "Query Registry", @@ -8801,7 +9108,8 @@ "has cloned legitimate websites/applications to distribute the malware.", "created dedicated web pages mimicking legitimate government websites to deliver malicious fake anti-virus software.", "has used strategic website compromise to infect victims with malware such as .", - "has used strategic website compromise for initial access against victims." + "has used strategic website compromise for initial access against victims.", + "During the compromised the `www.tradingtechnologies[.]com` website hosting a hidden IFRAME to exploit visitors two months before the site was known to deliver a compromised version of the X_TRADER software package." ], "id": "T1189", "name": "Drive-by Compromise", @@ -8880,7 +9188,8 @@ "can enable SeDebugPrivilege and adjust token privileges.", "has the ability modify access tokens.", "has retrieved process tokens for processes to adjust the privileges of the launch process or other items.", - "finds the `explorer.exe` process after execution and uses it to change the token of its executing thread." + "finds the `explorer.exe` process after execution and uses it to change the token of its executing thread.", + "can use an embedded module for token manipulation." ], "id": "T1134", "name": "Access Token Manipulation", @@ -9074,7 +9383,11 @@ "probes arbitrary network endpoints for TCP connectivity.", "can enumerate all accessible machines from the infected system.", "has used to identify remote systems.", - "used tools such as to identify remotely-connected devices." + "used tools such as to identify remotely-connected devices.", + "has queried Active Directory for computers using . has also utilized SharpNBTScan to scan the victim environment.", + "has used PDQ Inventory to get an inventory of the endpoints on the network.", + "can enumerate domain-connected hosts during its discovery phase.", + "features a module capable of host enumeration." ], "id": "T1018", "name": "Remote System Discovery", @@ -9154,7 +9467,9 @@ "has used tools such as NetScan to enumerate network services in victim environments.", "identifies remote systems via active directory queries for hostnames prior to launching remote ransomware payloads.", "To collect data on the host's Wi-Fi connection history reads the `/Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist file`.It also utilizes Apple's CWWiFiClient API to scan for nearby Wi-Fi networks and obtain data on the SSID security type and RSSI (signal strength) values.", - "has used port scanners to enumerate services on remote hosts." + "has used port scanners to enumerate services on remote hosts.", + "has leveraged to scan IP networks.", + "has the capability to use living off the land (LOTL) binaries to perform network enumeration. has also utilized the publicly available scanning tool SoftPerfect Network Scanner (`netscan.exe`) to discover device hostnames and network services." ], "id": "T1046", "name": "Network Service Discovery", @@ -9667,7 +9982,21 @@ "During threat actors downloaded and executed the XMRig miner on targeted hosts.", "installers have used obfuscated PowerShell scripts to retrieve follow-on payloads from WebDAV servers.", "can download additional files to the victim machine.", - "has the ability to download additional content onto an infected machine e.g. by using `curl`." + "has the ability to download additional content onto an infected machine e.g. by using `curl`.", + "has acted as a stager that can download the next-stage payload from its C2 server. has also delivered FDMTP as a secondary control tool and PTSOCKET for exfiltration to some infected systems.", + "has downloaded the Teleport remote access tool to compromised VMware vCenter Servers.", + "can transfer files to compromised network devices.", + "has been used to download a malicious payload to include .", + "has downloaded AnyDesk.exe into the users home directory from the C2 server when checks for the service fail to identify its presence in the victim environment. has also been configured to download additional payloads using a command which calls to the /bow URI.", + "has the ability to upload files to infected systems.", + "has the ability to download additional files to the victim device.", + "has leveraged PowerShell and Windows Command to download additional tools to include RMM services. has also engaged in Bring Your Own Vulnerable Driver (BYOVD) and downloaded vulnerable or signed drivers to the victim environment to disable security tools.", + "has the ability download additional payloads.", + "has downloaded additional binaries from a remote File Transfer Protocol (FTP) server to compromised devices.", + "has been used to download a malicious payload to include Python based malware .", + "has downloaded additional executables following the initial infection stage. has also leveraged Visual Studio Code `code.exe` and Dev Tunnels using `DevTunnel.exe` to propagate additional tools and payloads.", + "During used backdoor malware capable of downloading files to compromised infrastructure.", + "During threat actors used a loader to download and execute ransomware." ], "id": "T1105", "name": "Ingress Tool Transfer", @@ -9803,7 +10132,8 @@ "Harpy backdoor malware can use DNS as a backup channel for C2 if HTTP fails.", "can switch to an alternate C2 domain when a particular date has been reached.", "can use a list of C2 URLs as fallback mechanisms in case one IP or domain gets blocked.", - "can use a backup channel to request a new refresh token from its C2 server after 10 consecutive unsuccessful connections to the primary OneDrive C2 server." + "can use a backup channel to request a new refresh token from its C2 server after 10 consecutive unsuccessful connections to the primary OneDrive C2 server.", + "has employed layers of redundancy to maintain access to compromised environments including network devices hypervisors and virtual machines." ], "id": "T1008", "name": "Fallback Channels", @@ -9917,7 +10247,15 @@ "can identify the system local time information.", "will set a timestamp value to determine when wiping functionality starts. When the timestamp is met on the system a trigger file is created on the operating system allowing for execution to proceed. If the timestamp is in the past the wiper will execute immediately.", "reads the infected system's current time and writes it to a log file during execution.", - "retrieves a system timestamp that is used in generating an encryption key." + "retrieves a system timestamp that is used in generating an encryption key.", + "has identified system time through its GetSystemInfo command.", + "has utilized the windows API call `GetLocalTime()` to retrieve a SystemTime structure to generate a seed value.", + "has obtained and sent the current timestamp associated with the victim device to C2.", + "has used the PowerShell script 3CF9.ps1 to execute `net time`.", + "has used installation scripts to collect the system time on targeted ESXi hosts.", + "has discovered device uptime through `GetTickCount()`.", + "has collected the machines tick count through the use of `GetTickCount`.", + "has collected a timestamp to log the precise time a key was pressed formatted as %Y-%m-%d %H:%M:%S." ], "id": "T1124", "name": "System Time Discovery", @@ -13207,7 +13545,8 @@ "has used and the KillDisk component to overwrite files on victim systems. Additionally has used the JUNKMAIL tool to overwrite files with null bytes.", "initially masqueraded as ransomware but actual functionality is a data destruction tool supported by an internal name linked to an early version wiper-action. writes random data to original files after an encrypted copy is created along with resizing the original file to zero and changing time property metadata before finally deleting the original file.", "can initiate a destructive payload depending on the operating system check through resizing and reformatting portions of the victim machine's disk leading to system instability and potential data corruption.", - "can perform an in-depth wipe of victim filesystems and attached storage devices through either data overwrite or calling various IOCTLS to erase them similar to ." + "can perform an in-depth wipe of victim filesystems and attached storage devices through either data overwrite or calling various IOCTLS to erase them similar to .", + "has destroyed data and backup files." ] }, "attack-pattern--b80d107d-fa0d-4b60-9684-b0433e8bdba0": { @@ -13297,7 +13636,15 @@ "can use standard AES and elliptic-curve cryptography algorithms to encrypt victim data.", "has encrypted victim files for ransom. Early versions of BlackByte ransomware used a common key for encryption but later versions use unique keys per victim.", "can encrypt files on targeted Windows hosts leaving them with a .powerranges file extension.", - "can encrypt victim filesystems for financial extortion purposes including through the use of the ChaCha20 and ChaCha8 stream ciphers." + "can encrypt victim filesystems for financial extortion purposes including through the use of the ChaCha20 and ChaCha8 stream ciphers.", + "has used and DragonForce ransomware to encrypt files including on VMWare ESXi servers.", + "has encrypted virtual disk volumes on ESXi servers using a version of Darkside ransomware. Additionally has deployed ransomware as the end payload during big game hunting.", + "has encrypted files in victim environments using ransomware as a service (RaaS) including Sabbath Hive Hunters International and ransomware.", + "can use AES-256 or ChaCha20 for domain-wide encryption of victim servers and workstations and RSA-4096 or RSA-2048 to secure generated encryption keys.", + "During threat actors deployed ransomware including 4L4MD4R and Warlock.", + "has encrypted files using AES-256 encryption which then appends the file extension .medusa to encrypted files and leaves a ransomware note named !READ_ME_MEDUSA!!!.txt.", + "has encrypted files on victim networks through the generation of ransomware payloads.", + "has the ability to encrypt files with the ChaCha20 and Curve25519 cryptographic algorithms. also has the ability to encrypt system data and add a random six-letter extension consisting of hexadecimal characters such as .b58eeb or .3d828a to encrypted files." ] }, "attack-pattern--5909f20f-3c39-4795-be06-ef1ea40d350b": { @@ -13377,7 +13724,8 @@ "enumerated Active Directory information and trust relationships during operations.", "performed Active Directory enumeration of victim environments during .", "has used tools such as to make Active Directory queries.", - "has enumerated domain accounts and access during intrusions." + "has enumerated domain accounts and access during intrusions.", + "has used Windows native utility `nltest.exe` for discovery." ] }, "attack-pattern--c675646d-e204-4aa8-978d-e3d6d65885c4": { @@ -13435,7 +13783,11 @@ "uses a servicemain function to verify its environment to ensure it can only be executed as a service as well as the existence of a configuration file in a specified directory.", "stopped execution if identified language settings on victim machines was Russian or one of several language associated with former Soviet republics. has used ransomware variants requiring a key passed on the command line for the malware to execute.", "verifies it is executing from a specific path during execution.", - "will fail to execute if the targeted `/vmfs/volumes/` path does not exist or is not defined." + "will fail to execute if the targeted `/vmfs/volumes/` path does not exist or is not defined.", + "has an exception handler that executes when ESET antivirus applications `ekrn.exe` and `egui.exe` are not found and directly injects its code into waitfor.exe using Native Windows API including `WriteProcessMemory` and `CreateRemoteThreadEx`.", + "can require a specific password to be passed by command-line argument during execution which must match a pre-defined value in the configuration in order for it to continue execution.", + "has built in settings to not operate based on geolocation or country of the victim host.", + "has configured C2 endpoints to review IP geolocation request headers victim environment details and runtime conditions prior to delivering payloads." ] }, "attack-pattern--f5bb433e-bdf6-4781-84bc-35e97e43be89": { @@ -13517,7 +13869,12 @@ "resized and deleted volume shadow copy files to prevent system recovery after encryption.", "has used `vssadmin.exe` to delete volume shadow copies.", "can delete volume shadow copies.", - "has the ability to delete volume shadow copies on targeted hosts." + "has the ability to delete volume shadow copies on targeted hosts.", + "has deleted recovery files such as shadow copies using `vssadmin.exe`.", + "has deleted snapshots restore points storage accounts and backup services to prevent remediation and restoration. has also impacted Azure resources through the targeting of `Microsoft.Compute/snapshots/delete``Microsoft.Compute/restorePointCollections/delete``Microsoft.Storage/storageAccounts/delete` and `Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/delete`.", + "has cleared files from the recycle bin by invoking `SHEmptyRecycleBinW()` and disabled Windows recovery through `C:\\Windows\\System32\\cmd.exe /q /c bcdedit /set {default} recoveryenabled no`.", + "has stopped the Volume Shadow Copy service on compromised hosts.", + "can execute `vssadmin.exe delete shadows /all /quiet` to remove volume shadow copies." ] }, "attack-pattern--d74c4a7e-ffbf-432f-9365-7ebf1f787cab": { @@ -13575,7 +13932,7 @@ "similar_words": [ "Service Stop" ], - "description": "Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services or processes can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment.(Citation: Talos Olympic Destroyer 2018)(Citation: Novetta Blockbuster) Adversaries may accomplish this by disabling individual services of high importance to an organization, such as MSExchangeIS, which will make Exchange content inaccessible.(Citation: Novetta Blockbuster) In some cases, adversaries may stop or disable many or all services to render systems unusable.(Citation: Talos Olympic Destroyer 2018) Services or processes may not allow for modification of their data stores while running. Adversaries may stop services or processes in order to conduct [Data Destruction](https://attack.mitre.org/techniques/T1485) or [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486) on the data stores of services like Exchange and SQL Server, or on virtual machines hosted on ESXi infrastructure.(Citation: SecureWorks WannaCry Analysis)(Citation: Crowdstrike Hypervisor Jackpotting Pt 2 2021)", + "description": "Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services or processes can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment.(Citation: Talos Olympic Destroyer 2018)(Citation: Novetta Blockbuster) Adversaries may accomplish this by disabling individual services of high importance to an organization, such as MSExchangeIS, which will make Exchange content inaccessible.(Citation: Novetta Blockbuster) In some cases, adversaries may stop or disable many or all services to render systems unusable.(Citation: Talos Olympic Destroyer 2018) Services or processes may not allow for modification of their data stores while running. Adversaries may stop services or processes in order to conduct [Data Destruction](https://attack.mitre.org/techniques/T1485) or [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486) on the data stores of services like Exchange and SQL Server, or on virtual machines hosted on ESXi infrastructure.(Citation: SecureWorks WannaCry Analysis)(Citation: Crowdstrike Hypervisor Jackpotting Pt 2 2021)Threat actors may also disable or stop service in cloud environments. For example, by leveraging the `DisableAPIServiceAccess` API in AWS, a threat actor may prevent the service from creating service-linked roles on new accounts in the AWS Organization.(Citation: Datadog Security Labs Cloud Persistence 2025)(Citation: AWS DisableAWSServiceAccess)", "example_uses": [ "can kill several processes and services related to backups and security solutions.", "can kill processes and delete services.", @@ -13620,7 +13977,13 @@ "can terminate running services.", "can terminate targeted processes and services related to security backup database management and other applications that could stop or interfere with encryption.", "has the ability to terminate specified services.", - "can stop running virtual machines." + "can stop running virtual machines.", + "has terminated services related to backups security databases communication filesharing and websites.", + "has terminated active processes and services based on a hardcoded list using the `CloseServiceHandle()` function. has also leveraged MS4Killer to terminate processes contained in an embedded list of security software process names that were XOR-encrypted.", + "can terminate specific services on compromised hosts.", + "has the capability to terminate services related to backups security databases communication filesharing and websites. has also utilized the `taskkill /F /IM /T` command to stop targeted processes and `net stop ` command to stop designated services.", + "can start and stop the `vmsyslogd` service.", + "has terminated Chrome and Brave browsers using the `taskkill` command on Windows and the `killall` command on other systems such as Linux and macOS. has also utilized its `ssh_kill` command to terminate Chrome and Brave browser processes." ] }, "attack-pattern--0bf78622-e8d2-41da-a857-731472d61a92": { @@ -13685,7 +14048,9 @@ "contains several anti-analysis and anti-virtualization checks.", "contains real and fake second-stage payloads following initial execution with the real payload only delivered if the malware determines it is not running in a virtualized environment.", "can utilize decoy command and control domains within the malware configuration to circumvent sandbox analysis.", - "payloads have used control flow obfuscation techniques such as excessively long code blocks of mathematical instructions to defeat sandboxing and related analysis methods." + "payloads have used control flow obfuscation techniques such as excessively long code blocks of mathematical instructions to defeat sandboxing and related analysis methods.", + "has requested victims to disable Docker and other container environments in attempts to thwart container isolation and ensure device infection.", + "has an anti-sandbox technique that requires the malware to consistently check with the C2 server if the communication fails will not continue execution." ] }, "malware--e7a5229f-05eb-440e-b982-9a6d2b2b87c8": { @@ -14113,7 +14478,7 @@ "EmPyre", "PowerShell Empire" ], - "description": "[Empire](https://attack.mitre.org/software/S0363) is an open source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents are written in pure [PowerShell](https://attack.mitre.org/techniques/T1059/001) for Windows and Python for Linux/macOS. [Empire](https://attack.mitre.org/software/S0363) was one of five tools singled out by a joint report on public hacking tools being widely used by adversaries.(Citation: NCSC Joint Report Public Tools)(Citation: Github PowerShell Empire)(Citation: GitHub ATTACK Empire)", + "description": "[Empire](https://attack.mitre.org/software/S0363) is an open-source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents are written in pure [PowerShell](https://attack.mitre.org/techniques/T1059/001) for Windows and Python for Linux/macOS. [Empire](https://attack.mitre.org/software/S0363) was one of five tools singled out by a joint report on public hacking tools being widely used by adversaries.(Citation: NCSC Joint Report Public Tools)(Citation: Github PowerShell Empire)(Citation: GitHub ATTACK Empire)", "example_uses": [] }, "tool--ca656c25-44f1-471b-9d9f-e2a3bbb84973": { @@ -14382,7 +14747,21 @@ "creates a schedule task to execute remotely deployed ransomware payloads.", "has used scheduled tasks for persistence.", "has used Task Scheduler to run programs at system startup or on a scheduled basis for persistence. Additionally has used living-off-the-land scripts to execute a malicious script via a scheduled task.", - "can create a scheduled task to run every 32 seconds to communicate with C2 and execute received commands." + "can create a scheduled task to run every 32 seconds to communicate with C2 and execute received commands.", + "During threat actors used scheduled tasks to help establish persistence.", + "malware has created scheduled tasks to establish persistence. Specifically has used OpenSSH to establish persistence.", + "has created a scheduled task to execute additional malicious software as well as maintain persistence. has also created a scheduled task that creates a reverse shell.", + "has created scheduled tasks to maintain persistence.", + "has create a scheduled task named `Mozilla\\Firefox Default Browser Agent 409046Z0FF4A39CB` for persistence.", + "had used a scheduled task named SysUpdate that was registered via GPO on devices in the network to distribute the ransomware.", + "has created scheduled tasks to maintain persistence with the command `schtasks.exe /F /Create /TN Microsoft_Licensing /sc minute /MO 1 /TR C:\\\\Users\\\\Public\\\\Libraries\\...`", + "has pushed scheduled tasks via GPO for execution.", + "used the command schtasks /Create /SC ONLOgon /TN WindowsUpdateCheck /TR [file path] /ru system for persistence.", + "has achieved persistence through the creation of a scheduled task named TableInputServices by using the command `schtasks /create /tn TabletlnputServices /tr /sc minute /mo 10 /f`.", + "schedules the execution one of its modules by creating a new scheduler task.", + "has obtained persistence of the loader MDeployer by creating a scheduled task named Perf_sys.", + "has created scheduled tasks that execute the loader every five(5) minutes using `schtasks /F /Create /TN \\\\ /SC minute /MO 5 /TR\\C:\\\\ProgramData\\\\ \\`.", + "has downloaded additional malware with scheduled tasks. has established persistence by creating a scheduled task named ChromeUpdateTaskMachine through the PowerShell cmdlet `Register-ScheduleTask` which was set to execute another PowerShell script once then five minutes after its creation and periodically repeat every 30 minutes." ], "description": "Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The [schtasks](https://attack.mitre.org/software/S0111) utility can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel.(Citation: Stack Overflow) In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library and [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) (WMI) to create a scheduled task. Adversaries may also utilize the Powershell Cmdlet `Invoke-CimMethod`, which leverages WMI class `PS_ScheduledTask` to create a scheduled task via an XML path.(Citation: Red Canary - Atomic Red Team)An adversary may use Windows Task Scheduler to execute programs at system startup or on a scheduled basis for persistence. The Windows Task Scheduler can also be abused to conduct remote Execution as part of Lateral Movement and/or to run a process under the context of a specified account (such as SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218), adversaries have also abused the Windows Task Scheduler to potentially mask one-time execution under signed/trusted system processes.(Citation: ProofPoint Serpent)Adversaries may also create \"hidden\" scheduled tasks (i.e. [Hide Artifacts](https://attack.mitre.org/techniques/T1564)) that may not be visible to defender tools and manual queries used to enumerate tasks. Specifically, an adversary may hide a task from `schtasks /query` and the Task Scheduler by deleting the associated Security Descriptor (SD) registry value (where deletion of this value must be completed using SYSTEM permissions).(Citation: SigmaHQ)(Citation: Tarrask scheduled task) Adversaries may also employ alternate methods to hide tasks, such as altering the metadata (e.g., `Index` value) within associated registry keys.(Citation: Defending Against Scheduled Task Attacks in Windows Environments) ", "similar_words": [ @@ -14395,7 +14774,8 @@ "example_uses": [ "can listen and evaluate incoming commands on the domain socket created by PITHOOK malware located at `/data/runtime/cockpit/wd.fd` for a predefined magic byte sequence. can then duplicate the socket for further communication over TLS.", "installs a `TCP` and `UDP` filter on the `eth0` interface.", - "uses BPF bytecode to attach a filter to a network socket to view ICMP UDP or TCP packets coming through ports 22 (ssh) 80 (http) and 443 (https). When finds a packet containing its magic bytes it parses out two fields and forks itself. The parent process continues to monitor filtered traffic while the child process executes the instructions from the parsed fields." + "uses BPF bytecode to attach a filter to a network socket to view ICMP UDP or TCP packets coming through ports 22 (ssh) 80 (http) and 443 (https). When finds a packet containing its magic bytes it parses out two fields and forks itself. The parent process continues to monitor filtered traffic while the child process executes the instructions from the parsed fields.", + "can listen for a specialized ICMP packet for activation on compromised network devices." ], "description": "Adversaries may attach filters to a network socket to monitor then activate backdoors used for persistence or command and control. With elevated permissions, adversaries can use features such as the `libpcap` library to open sockets and install filters to allow or disallow certain types of data to come through the socket. The filter may apply to all traffic passing through the specified network interface (or every interface if not specified). When the network interface receives a packet matching the filter criteria, additional actions can be triggered on the host, such as activation of a reverse shell.To establish a connection, an adversary sends a crafted packet to the targeted host that matches the installed filter criteria.(Citation: haking9 libpcap network sniffing) Adversaries have used these socket filters to trigger the installation of implants, conduct ping backs, and to invoke command shells. Communication with these socket filters may also be used in conjunction with [Protocol Tunneling](https://attack.mitre.org/techniques/T1572).(Citation: exatrack bpf filters passive backdoors)(Citation: Leonardo Turla Penquin May 2020)Filters can be installed on any Unix-like platform with `libpcap` installed or on Windows hosts using `Winpcap`. Adversaries may use either `libpcap` with `pcap_setfilter` or the standard library function `setsockopt` with `SO_ATTACH_FILTER` options. Since the socket connection is not active until the packet is received, this behavior may be difficult to detect due to the lack of activity on a host, low CPU overhead, and limited visibility into raw socket usage.", "similar_words": [ @@ -14480,7 +14860,13 @@ "used the tar utility to create a local archive of email data on a victim system.", "can gzip compress files uploaded to a shared mailbox used for C2 and exfiltration.", "has used WinRAR for compressing data in RAR format.", - "has archived collected materials in RAR format." + "has archived collected materials in RAR format.", + "has used RAR to create password-protected archives of collected documents prior to exfiltration. has used WinRAR Rar.exe to archive stolen files before exfiltration. has also used and post-exploitation tools such as RemCom and to execute WinRAR `rar.exe` to archive files for exfiltration.", + "has collected and archived sensitive data in a zip file.", + "has used utilities such as `WinRAR` to archive data prior to exfiltration.", + "has used Gzip and the Windows command `makecab` to compress files and stolen credentials from victim systems.", + "has used 7zip RAR and zip files to archive collected data for exfiltration.", + "used WinRAR rar.exe to archive files for exfiltration. has also utilized a unique 13-character password consisting of upper lower case and digits to protect RAR archives." ], "description": "Adversaries may use utilities to compress and/or encrypt collected data prior to exfiltration. Many utilities include functionalities to compress, encrypt, or otherwise package data into a format that is easier/more secure to transport.Adversaries may abuse various utilities to compress or encrypt data before exfiltration. Some third party utilities may be preinstalled, such as tar on Linux and macOS or zip on Windows systems. On Windows, diantz or makecab may be used to package collected files into a cabinet (.cab) file. diantz may also be used to download and compress files from remote locations (i.e. [Remote Data Staging](https://attack.mitre.org/techniques/T1074/002)).(Citation: diantz.exe_lolbas) xcopy on Windows can copy files and directories with a variety of options. Additionally, adversaries may use [certutil](https://attack.mitre.org/software/S0160) to Base64 encode collected data before exfiltration. Adversaries may use also third party utilities, such as 7-Zip, WinRAR, and WinZip, to perform similar activities.(Citation: 7zip Homepage)(Citation: WinRAR Homepage)(Citation: WinZip Homepage)", "similar_words": [ @@ -14541,9 +14927,10 @@ "has stored its encrypted payload in the Registry under `HKLM\\SOFTWARE\\Microsoft\\Print\\Components\\`.", "can save encryption parameters and system information in the Registry.", "stores configuration values under the Registry key HKCU\\Software\\Microsoft\\[dllname].", - "Some versions of build the final PE payload in memory to avoid writing contents to disk on the executing machine." + "Some versions of build the final PE payload in memory to avoid writing contents to disk on the executing machine.", + "has infected victim network devices by storing artifacts in the /tmp directory which is volatile in memory and will clear its contents upon shutdown or restart." ], - "description": "Adversaries may store data in \"fileless\" formats to conceal malicious activity from defenses. Fileless storage can be broadly defined as any format other than a file. Common examples of non-volatile fileless storage in Windows systems include the Windows Registry, event logs, or WMI repository.(Citation: Microsoft Fileless)(Citation: SecureList Fileless) In Linux systems, shared memory directories such as `/dev/shm`, `/run/shm`, `/var/run`, and `/var/lock` may also be considered fileless storage, as files written to these directories are mapped directly to RAM and not stored on the disk.(Citation: Elastic Binary Executed from Shared Memory Directory)(Citation: Akami Frog4Shell 2024)(Citation: Aquasec Muhstik Malware 2024)Similar to fileless in-memory behaviors such as [Reflective Code Loading](https://attack.mitre.org/techniques/T1620) and [Process Injection](https://attack.mitre.org/techniques/T1055), fileless data storage may remain undetected by anti-virus and other endpoint security tools that can only access specific file formats from disk storage. Leveraging fileless storage may also allow adversaries to bypass the protections offered by read-only file systems in Linux.(Citation: Sysdig Fileless Malware 23022)Adversaries may use fileless storage to conceal various types of stored data, including payloads/shellcode (potentially being used as part of [Persistence](https://attack.mitre.org/tactics/TA0003)) and collected data not yet exfiltrated from the victim (e.g., [Local Data Staging](https://attack.mitre.org/techniques/T1074/001)). Adversaries also often encrypt, encode, splice, or otherwise obfuscate this fileless data when stored.Some forms of fileless storage activity may indirectly create artifacts in the file system, but in central and otherwise difficult to inspect formats such as the WMI (e.g., `%SystemRoot%\\System32\\Wbem\\Repository`) or Registry (e.g., `%SystemRoot%\\System32\\Config`) physical files.(Citation: Microsoft Fileless) ", + "description": "Adversaries may store data in \"fileless\" formats to conceal malicious activity from defenses. Fileless storage can be broadly defined as any format other than a file. Common examples of non-volatile fileless storage in Windows systems include the Windows Registry, event logs, or WMI repository.(Citation: Microsoft Fileless)(Citation: SecureList Fileless) Shared memory directories on Linux systems (`/dev/shm`, `/run/shm`, `/var/run`, and `/var/lock`) and volatile directories on Network Devices (`/tmp` and `/volatile`) may also be considered fileless storage, as files written to these directories are mapped directly to RAM and not stored on the disk.(Citation: Elastic Binary Executed from Shared Memory Directory)(Citation: Akami Frog4Shell 2024)(Citation: Aquasec Muhstik Malware 2024)(Citation: Bitsight 7777 Botnet)(Citation: CISCO Nexus 900 Config).Similar to fileless in-memory behaviors such as [Reflective Code Loading](https://attack.mitre.org/techniques/T1620) and [Process Injection](https://attack.mitre.org/techniques/T1055), fileless data storage may remain undetected by anti-virus and other endpoint security tools that can only access specific file formats from disk storage. Leveraging fileless storage may also allow adversaries to bypass the protections offered by read-only file systems in Linux.(Citation: Sysdig Fileless Malware 23022)Adversaries may use fileless storage to conceal various types of stored data, including payloads/shellcode (potentially being used as part of [Persistence](https://attack.mitre.org/tactics/TA0003)) and collected data not yet exfiltrated from the victim (e.g., [Local Data Staging](https://attack.mitre.org/techniques/T1074/001)). Adversaries also often encrypt, encode, splice, or otherwise obfuscate this fileless data when stored. Some forms of fileless storage activity may indirectly create artifacts in the file system, but in central and otherwise difficult to inspect formats such as the WMI (e.g., `%SystemRoot%\\System32\\Wbem\\Repository`) or Registry (e.g., `%SystemRoot%\\System32\\Config`) physical files.(Citation: Microsoft Fileless) ", "similar_words": [ "Fileless Storage" ], @@ -14557,7 +14944,8 @@ "opens a new network listener for the mpnotify.exe process that is typically contacted by the Winlogon process in Windows. A new alternative RPC channel is set up with a malicious DLL recording plaintext credentials entered into Winlogon effectively intercepting and redirecting the logon information.", "included interception of HTTP traffic to victim devices to identify and parse command and control information sent to the device.", "intercepts HTTP requests to the victim Cisco ASA looking for a request with a 32-character victim dependent parameter. If that parameter matches a value in the malware a contained payload is then written to a Lua script and executed.", - "modified DNS records at service providers to redirect traffic from legitimate resources to -controlled servers to enable adversary-in-the-middle attacks for credential capture." + "modified DNS records at service providers to redirect traffic from legitimate resources to -controlled servers to enable adversary-in-the-middle attacks for credential capture.", + "leveraged a captive portal hijack that redirected the victim to a webpage that prompted the victim to download a malicious payload." ], "description": "Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040), [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002), or replay attacks ([Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212)). By abusing features of common networking protocols that can determine the flow of network traffic (e.g. ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary controlled system so they can collect information or perform additional actions.(Citation: Rapid7 MiTM Basics)For example, adversaries may manipulate victim DNS settings to enable other malicious activities such as preventing/redirecting users from accessing legitimate sites and/or pushing additional malware.(Citation: ttint_rat)(Citation: dns_changer_trojans)(Citation: ad_blocker_with_miner) Adversaries may also manipulate DNS and leverage their position in order to intercept user credentials, including access tokens ([Steal Application Access Token](https://attack.mitre.org/techniques/T1528)) and session cookies ([Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539)).(Citation: volexity_0day_sophos_FW)(Citation: Token tactics) [Downgrade Attack](https://attack.mitre.org/techniques/T1562/010)s can also be used to establish an AiTM position, such as by negotiating a less secure, deprecated, or weaker version of communication protocol (SSL/TLS) or encryption algorithm.(Citation: mitm_tls_downgrade_att)(Citation: taxonomy_downgrade_att_tls)(Citation: tlseminar_downgrade_att)Adversaries may also leverage the AiTM position to attempt to monitor and/or modify traffic, such as in [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002). Adversaries can setup a position similar to AiTM to prevent traffic from flowing to the appropriate destination, potentially to [Impair Defenses](https://attack.mitre.org/techniques/T1562) and/or in support of a [Network Denial of Service](https://attack.mitre.org/techniques/T1498).", "similar_words": [ @@ -14574,7 +14962,8 @@ "has purchased access to victim VPNs to facilitate access to victim environments.", "typically uses commercial VPN services for anonymizing last-hop traffic to victim networks such as ProtonVPN.", "has used HubSpot and MailerLite marketing platform services to hide the true sender of phishing emails.", - "accessed victim networks from VPN service provider networks." + "accessed victim networks from VPN service provider networks.", + "has used services such as Astrill VPN." ], "description": "Adversaries may buy, lease, rent, or obtain infrastructure that can be used during targeting. A wide variety of infrastructure exists for hosting and orchestrating adversary operations. Infrastructure solutions include physical or cloud servers, domains, and third-party web services.(Citation: TrendmicroHideoutsLease) Some infrastructure providers offer free trial periods, enabling infrastructure acquisition at limited to no cost.(Citation: Free Trial PurpleUrchin) Additionally, botnets are available for rent or purchase.Use of these infrastructure solutions allows adversaries to stage, launch, and execute operations. Solutions may help adversary operations blend in with traffic that is seen as normal, such as contacting third-party web services or acquiring infrastructure to support [Proxy](https://attack.mitre.org/techniques/T1090), including from residential proxy services.(Citation: amnesty_nso_pegasus)(Citation: FBI Proxies Credential Stuffing)(Citation: Mandiant APT29 Microsoft 365 2022) Depending on the implementation, adversaries may use infrastructure that makes it difficult to physically tie back to them as well as utilize infrastructure that can be rapidly provisioned, modified, and shut down.", "similar_words": [ @@ -14685,9 +15074,11 @@ "utilizes rundll32.exe to execute the final payload using the named exports `Crash` or `Limit` depending on the variant.", "is a Windows DLL file executed via ordinal by `rundll32.exe`.", "DLL payloads have been executed via `rundll32.exe`.", - "is dropped as a DLL file and executed via `rundll32.exe` by its installer." + "is dropped as a DLL file and executed via `rundll32.exe` by its installer.", + "has used rundll32.exe to execute MiniDump for dumping LSASS process memory.", + "has launched Beacon files with rundll32.exe." ], - "description": "Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. [Shared Modules](https://attack.mitre.org/techniques/T1129)), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: rundll32.exe {DLLname, DLLfunction}).Rundll32.exe can also be used to execute [Control Panel](https://attack.mitre.org/techniques/T1218/002) Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL and Control_RunDLLAsUser. Double-clicking a .cpl file also causes rundll32.exe to execute.(Citation: Trend Micro CPL) For example, [ClickOnce](https://attack.mitre.org/techniques/T1127/002) can be proxied through Rundll32.exe.Rundll32 can also be used to execute scripts such as JavaScript. This can be done using a syntax similar to this: rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();GetObject(\"script:https[:]//www[.]example[.]com/malicious.sct\")\" This behavior has been seen used by malware such as Poweliks. (Citation: This is Security Command Line Confusion)Adversaries may also attempt to obscure malicious code from analysis by abusing the manner in which rundll32.exe loads DLL function names. As part of Windows compatibility support for various character sets, rundll32.exe will first check for wide/Unicode then ANSI character-supported functions before loading the specified function (e.g., given the command rundll32.exe ExampleDLL.dll, ExampleFunction, rundll32.exe would first attempt to execute ExampleFunctionW, or failing that ExampleFunctionA, before loading ExampleFunction). Adversaries may therefore obscure malicious code by creating multiple identical exported function names and appending W and/or A to harmless ones.(Citation: Attackify Rundll32.exe Obscurity)(Citation: Github NoRunDll) DLL functions can also be exported and executed by an ordinal number (ex: rundll32.exe file.dll,#1).Additionally, adversaries may use [Masquerading](https://attack.mitre.org/techniques/T1036) techniques (such as changing DLL file names, file extensions, or function names) to further conceal execution of a malicious payload.(Citation: rundll32.exe defense evasion) ", + "description": "Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. [Shared Modules](https://attack.mitre.org/techniques/T1129)), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: rundll32.exe {DLLname, DLLfunction}).Rundll32.exe can also be used to execute [Control Panel](https://attack.mitre.org/techniques/T1218/002) Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL and Control_RunDLLAsUser. Double-clicking a .cpl file also causes rundll32.exe to execute.(Citation: Trend Micro CPL) For example, [ClickOnce](https://attack.mitre.org/techniques/T1127/002) can be proxied through Rundll32.exe.Rundll32 can also be used to execute scripts such as JavaScript. This can be done using a syntax similar to this: rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();GetObject(\"script:https[:]//www[.]example[.]com/malicious.sct\")\" This behavior has been seen used by malware such as Poweliks.(Citation: This is Security Command Line Confusion)Threat actors may also abuse legitimate, signed system DLLs (e.g., zipfldr.dll, ieframe.dll) with rundll32.exe to execute malicious programs or scripts indirectly, making their activity appear more legitimate and evading detection.(Citation: lolbas project Zipfldr.dll)(Citation: lolbas project Ieframe.dll)Adversaries may also attempt to obscure malicious code from analysis by abusing the manner in which rundll32.exe loads DLL function names. As part of Windows compatibility support for various character sets, rundll32.exe will first check for wide/Unicode then ANSI character-supported functions before loading the specified function (e.g., given the command rundll32.exe ExampleDLL.dll, ExampleFunction, rundll32.exe would first attempt to execute ExampleFunctionW, or failing that ExampleFunctionA, before loading ExampleFunction). Adversaries may therefore obscure malicious code by creating multiple identical exported function names and appending W and/or A to harmless ones.(Citation: Attackify Rundll32.exe Obscurity)(Citation: Github NoRunDll) DLL functions can also be exported and executed by an ordinal number (ex: rundll32.exe file.dll,#1).Additionally, adversaries may use [Masquerading](https://attack.mitre.org/techniques/T1036) techniques (such as changing DLL file names, file extensions, or function names) to further conceal execution of a malicious payload.(Citation: rundll32.exe defense evasion) ", "similar_words": [ "Rundll32" ], @@ -14838,7 +15229,8 @@ "utilizes JSON objects to send and receive information from command and control nodes.", "can Base64-encode C2 communication.", "can Base64-encode and gzip compress C2 communications including command outputs.", - "can receive Base64-encoded commands from C2." + "can receive Base64-encoded commands from C2.", + "has used Base64 to encode command and control traffic." ], "description": "Adversaries may encode data with a standard data encoding system to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system that adheres to existing protocol specifications. Common data encoding schemes include ASCII, Unicode, hexadecimal, Base64, and MIME.(Citation: Wikipedia Binary-to-text Encoding)(Citation: Wikipedia Character Encoding) Some data encoding systems may also result in data compression, such as gzip.", "similar_words": [ @@ -14871,7 +15263,8 @@ "decrypts and executes an embedded payload.", "contains additional embedded DLLs and configuration files that are loaded into memory during execution.", "embedded payloads in trojanized software for follow-on execution.", - "has distributed malicious payloads embedded in PNG files." + "has distributed malicious payloads embedded in PNG files.", + "During the uses embedded .dll as apart of a chained delivery mechanism to invoke the COM class factory." ], "description": "Adversaries may embed payloads within other files to conceal malicious content from defenses. Otherwise seemingly benign files (such as scripts and executables) may be abused to carry and obfuscate malicious payloads and content. In some cases, embedded payloads may also enable adversaries to [Subvert Trust Controls](https://attack.mitre.org/techniques/T1553) by not impacting execution controls such as digital signatures and notarization tickets.(Citation: Sentinel Labs) Adversaries may embed payloads in various file formats to hide payloads.(Citation: Microsoft Learn) This is similar to [Steganography](https://attack.mitre.org/techniques/T1027/003), though does not involve weaving malicious content into specific bytes and patterns related to legitimate digital media formats.(Citation: GitHub PSImage) For example, adversaries have been observed embedding payloads within or as an overlay of an otherwise benign binary.(Citation: Securelist Dtrack2) Adversaries have also been observed nesting payloads (such as executables and run-only scripts) inside a file of the same format.(Citation: SentinelLabs reversing run-only applescripts 2021) Embedded content may also be used as [Process Injection](https://attack.mitre.org/techniques/T1055) payloads used to infect benign system processes.(Citation: Trend Micro) These embedded then injected payloads may be used as part of the modules of malware designed to provide specific features such as encrypting C2 communications in support of an orchestrator module. For example, an embedded module may be injected into default browsers, allowing adversaries to then communicate via the network.(Citation: Malware Analysis Report ComRAT)", "similar_words": [ @@ -15069,7 +15462,13 @@ "has the ability to support keylogging.", "can capture keystrokes from the victim machine.", "has employed keyloggers including KEYPUNCH and LONGWATCH.", - "has used custom malware to log keystrokes." + "has used custom malware to log keystrokes.", + "has utilized a cross-platform keylogger that has the capability to capture keystrokes on Windows macOS and Linux systems.", + "has captured keystrokes using Windows API.", + "has captured keystrokes.", + "has capabilities to conduct keylogging.", + "has conducted keylogging using the Python project pyWinHook and Pyhook. has also captured keylogging thread checks for changes in an active window and key presses.", + "has used its KBLogger.dll module to capture keystrokes and stored them in a folder." ], "description": "Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured. In order to increase the likelihood of capturing credentials quickly, an adversary may also perform actions such as clearing browser cookies to force users to reauthenticate to systems.(Citation: Talos Kimsuky Nov 2021)Keylogging is the most prevalent type of input capture, with many different ways of intercepting keystrokes.(Citation: Adventures of a Keystroke) Some methods include:* Hooking API callbacks used for processing keystrokes. Unlike [Credential API Hooking](https://attack.mitre.org/techniques/T1056/004), this focuses solely on API functions intended for processing keystroke data.* Reading raw keystroke data from the hardware buffer.* Windows Registry modifications.* Custom drivers.* [Modify System Image](https://attack.mitre.org/techniques/T1601) may provide adversaries with hooks into the operating system of network devices to read raw keystrokes for login sessions.(Citation: Cisco Blog Legacy Device Attacks) ", "similar_words": [ @@ -15233,7 +15632,9 @@ }, "attack-pattern--0cc222f5-c3ff-48e6-9f52-3314baf9d37e": { "name": "Artificial Intelligence", - "example_uses": [], + "example_uses": [ + "has appeared to have used AI to generate images and content to facilitate their campaigns." + ], "description": "Adversaries may obtain access to generative artificial intelligence tools, such as large language models (LLMs), to aid various techniques during targeting. These tools may be used to inform, bolster, and enable a variety of malicious tasks, including conducting [Reconnaissance](https://attack.mitre.org/tactics/TA0043), creating basic scripts, assisting social engineering, and even developing payloads.(Citation: MSFT-AI) For example, by utilizing a publicly available LLM an adversary is essentially outsourcing or automating certain tasks to the tool. Using AI, the adversary may draft and generate content in a variety of written languages to be used in [Phishing](https://attack.mitre.org/techniques/T1566)/[Phishing for Information](https://attack.mitre.org/techniques/T1598) campaigns. The same publicly available tool may further enable vulnerability or other offensive research supporting [Develop Capabilities](https://attack.mitre.org/techniques/T1587). AI tools may also automate technical tasks by generating, refining, or otherwise enhancing (e.g., [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027)) malicious scripts and payloads.(Citation: OpenAI-CTI) Finally, AI-generated text, images, audio, and video may be used for fraud, [Impersonation](https://attack.mitre.org/techniques/T1656), and other malicious activities.(Citation: Google-Vishing24)(Citation: IC3-AI24)(Citation: WSJ-Vishing-AI24)", "similar_words": [ "Artificial Intelligence" @@ -15481,7 +15882,24 @@ "During deployed VBS droppers with obfuscated strings.", "has used AES-encrypted payloads contained within PowerShell scripts.", "Older variants use `xxd` to encode modules. Later versions pass an `xxd` or `base64` encoded blob through multiple decoding stages to reconstruct the module name AppleScript or shell command. For example the initial network request uses three layers of hex decoding before executing a curl command in a shell.", - "utilizes AES-256 (CBC mode) XOR and RSA-2048 encryption schemas for various configuration and other objects." + "utilizes AES-256 (CBC mode) XOR and RSA-2048 encryption schemas for various configuration and other objects.", + "can employ several code obfuscation methods including renaming functions altering control flows and encrypting strings.", + "has utilized a simple encoding mechanism to encode characters in the buffer.", + "has utilized XOR encrypted strings.", + "can XOR encrypt configuration strings.", + "can encrypt configuration files with a custom ChaCha20 algorithm.", + "has also utilized XOR encrypted payload.", + "has obfuscated strings of code with Base64 encoding within the JavaScript version of the malware. has also utilized the open-source tool JavaScript-Obfuscator to obfuscate strings and functions.", + "has encrypted collected contents using RC4. has also utilized XOR encrypted strings.", + "has encoded module names and C2 URLs as hexadecimal strings in attempts to evade analysis.", + "has encrypted and encoded configuration data with Base64 and XOR functions.", + "has encrypted both MDeployer and MS4 Killer payloads with RC4.", + "has used hexadecimal string encoding to hide critical JavaScript module names function names and C2 URLs which are decoded dynamically at runtime.", + "has utilized Base64 encoding to obfuscate its payload.", + "During the encrypts its dynamic library files (.dll) using RC4 and when loaded only decrypts specific portions of the file using the key `3jB(2bsG#@c7`.", + "During generated Base64-encoded files in the FreeBSD shell environment of targeted Juniper devices.", + "has utilized the XOR and Base64 encoding for each of its modules. has also obfuscated files with a combination of zlib Base64 and reverse string order. has also utilized the XOR and Base64 encoding some of its Python scripts.", + "has leveraged XOR encryption with the key of 123456789." ], "description": "Adversaries may encrypt or encode files to obfuscate strings, bytes, and other specific patterns to impede detection. Encrypting and/or encoding file content aims to conceal malicious artifacts within a file used in an intrusion. Many other techniques, such as [Software Packing](https://attack.mitre.org/techniques/T1027/002), [Steganography](https://attack.mitre.org/techniques/T1027/003), and [Embedded Payloads](https://attack.mitre.org/techniques/T1027/009), share this same broad objective. Encrypting and/or encoding files could lead to a lapse in detection of static signatures, only for this malicious content to be revealed (i.e., [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140)) at the time of execution/use.This type of file obfuscation can be applied to many file artifacts present on victim hosts, such as malware log/configuration and payload files.(Citation: File obfuscation) Files can be encrypted with a hardcoded or user-supplied key, as well as otherwise obfuscated using standard encoding schemes such as Base64.The entire content of a file may be obfuscated, or just specific functions or values (such as C2 addresses). Encryption and encoding may also be applied in redundant layers for additional protection.For example, adversaries may abuse password-protected Word documents or self-extracting (SFX) archives as a method of encrypting/encoding a file such as a [Phishing](https://attack.mitre.org/techniques/T1566) payload. These files typically function by attaching the intended archived content to a decompressor stub that is executed when the file is invoked (e.g., [User Execution](https://attack.mitre.org/techniques/T1204)).(Citation: SFX - Encrypted/Encoded File) Adversaries may also abuse file-specific as well as custom encoding schemes. For example, Byte Order Mark (BOM) headers in text files may be abused to manipulate and obfuscate file content until [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) execution.", "similar_words": [ @@ -15583,7 +16001,10 @@ "has used JavaScript to redirect victim traffic from an adversary controlled server to a server hosting the Evilginx phishing framework.", "is distributed as a JavaScript launcher file.", "has been distributed as a malicious JavaScript object.", - "has used JScript for logging and downloading additional tools. has used which contained four Javascript files for bypassing defenses collecting sensitive information and screenshots and exfiltrating data." + "has used JScript for logging and downloading additional tools. has used which contained four Javascript files for bypassing defenses collecting sensitive information and screenshots and exfiltrating data.", + "has executed malicious JavaScript code. has also been compiled with the Qt framework to execute in both Windows and macOS.", + "has leveraged JavaScript in the execution of their downloader malware targeting Windows devices using a NodeJS script titled nvidia.js.", + "has executed a JavaScript payload utilizing wscript.exe on the endpoint." ], "description": "Adversaries may abuse various implementations of JavaScript for execution. JavaScript (JS) is a platform-independent scripting language (compiled just-in-time at runtime) commonly associated with scripts in webpages, though JS can be executed in runtime environments outside the browser.(Citation: NodeJS)JScript is the Microsoft implementation of the same scripting standard. JScript is interpreted via the Windows Script engine and thus integrated with many components of Windows such as the [Component Object Model](https://attack.mitre.org/techniques/T1559/001) and Internet Explorer HTML Application (HTA) pages.(Citation: JScrip May 2018)(Citation: Microsoft JScript 2007)(Citation: Microsoft Windows Scripts)JavaScript for Automation (JXA) is a macOS scripting language based on JavaScript, included as part of Apples Open Scripting Architecture (OSA), that was introduced in OSX 10.10. Apples OSA provides scripting capabilities to control applications, interface with the operating system, and bridge access into the rest of Apples internal APIs. As of OSX 10.10, OSA only supports two languages, JXA and [AppleScript](https://attack.mitre.org/techniques/T1059/002). Scripts can be executed via the command line utility osascript, they can be compiled into applications or script files via osacompile, and they can be compiled and executed in memory of other programs by leveraging the OSAKit Framework.(Citation: Apple About Mac Scripting 2016)(Citation: SpecterOps JXA 2020)(Citation: SentinelOne macOS Red Team)(Citation: Red Canary Silver Sparrow Feb2021)(Citation: MDSec macOS JXA and VSCode)Adversaries may abuse various implementations of JavaScript to execute various behaviors. Common uses include hosting malicious scripts on websites as part of a [Drive-by Compromise](https://attack.mitre.org/techniques/T1189) or downloading and executing these script files as secondary payloads. Since these payloads are text-based, it is also very common for adversaries to obfuscate their content as part of [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027).", "similar_words": [ @@ -15651,7 +16072,8 @@ "has exfiltrated updated cookies from Google Naver Kakao or Daum to the C2 server.", "attempts to steal Opera cookies if present after terminating the related process.", "has harvested cookies from various browsers.", - "has used custom malware to steal login and cookie data from common browsers." + "has used custom malware to steal login and cookie data from common browsers.", + "has stolen browser cookies and settings." ], "description": "An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website.Cookies are often valid for an extended period of time, even if the web application is not actively used. Cookies can be found on disk, in the process memory of the browser, and in network traffic to remote systems. Additionally, other applications on the targets machine might store sensitive authentication cookies in memory (e.g. apps which authenticate to cloud services). Session cookies can be used to bypasses some multi-factor authentication protocols.(Citation: Pass The Cookie)There are several examples of malware targeting cookies from web browsers on the local system.(Citation: Kaspersky TajMahal April 2019)(Citation: Unit 42 Mac Crypto Cookies January 2019) Adversaries may also steal cookies by injecting malicious JavaScript content into websites or relying on [User Execution](https://attack.mitre.org/techniques/T1204) by tricking victims into running malicious JavaScript in their browser.(Citation: Talos Roblox Scam 2023)(Citation: Krebs Discord Bookmarks 2023)There are also open source frameworks such as `Evilginx2` and `Muraena` that can gather session cookies through a malicious proxy (e.g., [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557)) that can be set up by an adversary and used in phishing campaigns.(Citation: Github evilginx2)(Citation: GitHub Mauraena)After an adversary acquires a valid cookie, they can then perform a [Web Session Cookie](https://attack.mitre.org/techniques/T1550/004) technique to login to the corresponding web application.", "similar_words": [ @@ -15706,7 +16128,8 @@ "masquerades malicious LNK files as PDF objects using the double extension .pdf.lnk.", "The loader has used dual-extension executable files such as PreviewReport.DOC.exe.", "has used an additional filename extension to hide the true file type.", - "has used an executable named `companycatalog.exe.config` to appear benign." + "has used an executable named `companycatalog.exe.config` to appear benign.", + "has used an additional filename extension to hide the true file type. has also masqueraded malicious LNK files as PDF objects using the double extension .pdf.lnk." ], "description": "Adversaries may abuse a double extension in the filename as a means of masquerading the true file type. A file name may include a secondary file type extension that may cause only the first extension to be displayed (ex: File.txt.exe may render in some views as just File.txt). However, the second extension is the true file type that determines how the file is opened and executed. The real file extension may be hidden by the operating system in the file browser (ex: explorer.exe), as well as in any software configured using or similar to the systems policies.(Citation: PCMag DoubleExtension)(Citation: SOCPrime DoubleExtension) Adversaries may abuse double extensions to attempt to conceal dangerous file types of payloads. A very common usage involves tricking a user into opening what they think is a benign file type but is actually executable code. Such files often pose as email attachments and allow an adversary to gain [Initial Access](https://attack.mitre.org/tactics/TA0001) into a users system via [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) then [User Execution](https://attack.mitre.org/techniques/T1204). For example, an executable file attachment named Evil.txt.exe may display as Evil.txt to a user. The user may then view it as a benign text file and open it, inadvertently executing the hidden malware.(Citation: SOCPrime DoubleExtension)Common file types, such as text files (.txt, .doc, etc.) and image files (.jpg, .gif, etc.) are typically used as the first extension to appear benign. Executable extensions commonly regarded as dangerous, such as .exe, .lnk, .hta, and .scr, often appear as the second extension and true file type.", "similar_words": [ @@ -15775,7 +16198,9 @@ "can bypass UAC to execute code with elevated privileges through an elevated Component Object Model (COM) interface.", "has used the legitimate application `ieinstal.exe` to bypass UAC.", "can bypass UAC through creating the Registry key `HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\ICM\\Calibration`.", - "can leverage multiple techniques to bypass User Account Control (UAC) on Windows systems." + "can leverage multiple techniques to bypass User Account Control (UAC) on Windows systems.", + "can bypass standard user access controls by using stolen tokens to launch processes at an elevated security context.", + "has attempted to bypass UAC using Component Object Model (COM) interface." ], "description": "Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.(Citation: TechNet How UAC Works)If the UAC protection level of a computer is set to anything but the highest level, certain Windows programs can elevate privileges or execute some elevated [Component Object Model](https://attack.mitre.org/techniques/T1559/001) objects without prompting the user through the UAC notification box.(Citation: TechNet Inside UAC)(Citation: MSDN COM Elevation) An example of this is use of [Rundll32](https://attack.mitre.org/techniques/T1218/011) to load a specifically crafted DLL which loads an auto-elevated [Component Object Model](https://attack.mitre.org/techniques/T1559/001) object and performs a file operation in a protected directory which would typically require elevated access. Malicious software may also be injected into a trusted process to gain elevated privileges without prompting a user.(Citation: Davidson Windows)Many methods have been discovered to bypass UAC. The Github readme page for UACME contains an extensive list of methods(Citation: Github UACMe) that have been discovered and implemented, but may not be a comprehensive list of bypasses. Additional bypass methods are regularly discovered and some used in the wild, such as:* eventvwr.exe can auto-elevate and execute a specified binary or script.(Citation: enigma0x3 Fileless UAC Bypass)(Citation: Fortinet Fareit)Another bypass is possible through some lateral movement techniques if credentials for an account with administrator privileges are known, since UAC is a single system security mechanism, and the privilege or integrity of a process running on one system will be unknown on remote systems and default to high integrity.(Citation: SANS UAC Bypass)", "similar_words": [ @@ -15809,9 +16234,12 @@ "has used tracert to check internet connectivity.", "has used the command to check connectivity to actor-controlled C2 servers.", "has employed to check network connectivity.", - "has performed checks to determine if a victim machine is able to access the Internet." + "has performed checks to determine if a victim machine is able to access the Internet.", + "has tested connectivity between a compromised machine and a C2 server using with commands such as `CSIDL_SYSTEM\\cmd.exe /c ping -n 1`. has searched the ping records to obtain the C2 address and has used ping to search for the C2s status.", + "The demon can check for a connection to the C2 server from the target machine.", + "has identified internet connectivity details through commands such as `tracert -h 5 -4 google.com` and `curl http://myip.ipip.net`." ], - "description": "Adversaries may check for Internet connectivity on compromised systems. This may be performed during automated discovery and can be accomplished in numerous ways such as using [Ping](https://attack.mitre.org/software/S0097), tracert, and GET requests to websites.Adversaries may use the results and responses from these requests to determine if the system is capable of communicating with their C2 servers before attempting to connect to them. The results may also be used to identify routes, redirectors, and proxy servers.", + "description": "Adversaries may check for Internet connectivity on compromised systems. This may be performed during automated discovery and can be accomplished in numerous ways such as using [Ping](https://attack.mitre.org/software/S0097), tracert, and GET requests to websites, or performing initial speed testing to confirm bandwidth.Adversaries may use the results and responses from these requests to determine if the system is capable of communicating with their C2 servers before attempting to connect to them. The results may also be used to identify routes, redirectors, and proxy servers.", "similar_words": [ "Internet Connection Discovery" ], @@ -15870,7 +16298,8 @@ "saves system information into an XML file that is then XOR-encoded.", "A malware sample encrypts data using a simple byte based XOR operation prior to exfiltration.", "employs the same encoding scheme as for data it stages. Data is compressed with zlib and bytes are rotated four times before being XOR'ed with 0x23.", - "has used custom tools to compress and archive data on victim systems." + "has used custom tools to compress and archive data on victim systems.", + "has XOR encrypted and Gzip compressed captured credentials." ], "description": "An adversary may compress or encrypt data that is collected prior to exfiltration using a custom method. Adversaries may choose to use custom archival methods, such as encryption with XOR or stream ciphers implemented with no external library or utility references. Custom implementations of well-known compression algorithms have also been used.(Citation: ESET Sednit Part 2)", "similar_words": [ @@ -15897,9 +16326,10 @@ "focuses on compromise of small office-home office (SOHO) network devices to build the subsequent botnet.", "used compromised small office/home office (SOHO) devices to interact with vulnerable Versa Director servers.", "has compromised network routers and IoT devices for the ORB network.", - "has used compromised networking devices such as small office/home office (SOHO) devices as operational command and control infrastructure." + "has used compromised networking devices such as small office/home office (SOHO) devices as operational command and control infrastructure.", + "has compromised network devices such as IP cameras Network Attached Storage (NAS) devices and SOHO routers to leverage for follow-on activity." ], - "description": "Adversaries may compromise third-party network devices that can be used during targeting. Network devices, such as small office/home office (SOHO) routers, may be compromised where the adversary's ultimate goal is not [Initial Access](https://attack.mitre.org/tactics/TA0001) to that environment -- instead leveraging these devices to support additional targeting.Once an adversary has control, compromised network devices can be used to launch additional operations, such as hosting payloads for [Phishing](https://attack.mitre.org/techniques/T1566) campaigns (i.e., [Link Target](https://attack.mitre.org/techniques/T1608/005)) or enabling the required access to execute [Content Injection](https://attack.mitre.org/techniques/T1659) operations. Adversaries may also be able to harvest reusable credentials (i.e., [Valid Accounts](https://attack.mitre.org/techniques/T1078)) from compromised network devices.Adversaries often target Internet-facing edge devices and related network appliances that specifically do not support robust host-based defenses.(Citation: Mandiant Fortinet Zero Day)(Citation: Wired Russia Cyberwar)Compromised network devices may be used to support subsequent [Command and Control](https://attack.mitre.org/tactics/TA0011) activity, such as [Hide Infrastructure](https://attack.mitre.org/techniques/T1665) through an established [Proxy](https://attack.mitre.org/techniques/T1090) and/or [Botnet](https://attack.mitre.org/techniques/T1584/005) network.(Citation: Justice GRU 2024)", + "description": "Adversaries may compromise third-party network devices that can be used during targeting. Network devices, such as small office/home office (SOHO) routers, may be compromised where the adversary's ultimate goal is not [Initial Access](https://attack.mitre.org/tactics/TA0001) to that environment, but rather to leverage these devices to support additional targeting.Once an adversary has control, compromised network devices can be used to launch additional operations, such as hosting payloads for [Phishing](https://attack.mitre.org/techniques/T1566) campaigns (i.e., [Link Target](https://attack.mitre.org/techniques/T1608/005)) or enabling the required access to execute [Content Injection](https://attack.mitre.org/techniques/T1659) operations. Adversaries may also be able to harvest reusable credentials (i.e., [Valid Accounts](https://attack.mitre.org/techniques/T1078)) from compromised network devices.Adversaries often target Internet-facing edge devices and related network appliances that specifically do not support robust host-based defenses.(Citation: Mandiant Fortinet Zero Day)(Citation: Wired Russia Cyberwar)Compromised network devices may be used to support subsequent [Command and Control](https://attack.mitre.org/tactics/TA0011) activity, such as [Hide Infrastructure](https://attack.mitre.org/techniques/T1665) through an established [Proxy](https://attack.mitre.org/techniques/T1090) and/or [Botnet](https://attack.mitre.org/techniques/T1584/005) network.(Citation: Justice GRU 2024)", "similar_words": [ "Network Devices" ], @@ -16020,7 +16450,7 @@ "example_uses": [ "During the threat actors used a batch file that modified the COMSysApp service to load a malicious ipnet.dll payload and to load a DLL into the `svchost.exe` process." ], - "description": "Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts. Windows stores local service configuration information in the Registry under HKLM\\SYSTEM\\CurrentControlSet\\Services. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, [PowerShell](https://attack.mitre.org/techniques/T1059/001), or [Reg](https://attack.mitre.org/software/S0075). Access to Registry keys is controlled through access control lists and user permissions. (Citation: Registry Key Security)(Citation: malware_hides_service)If the permissions for users and groups are not properly set and allow access to the Registry keys for a service, adversaries may change the service's binPath/ImagePath to point to a different executable under their control. When the service starts or is restarted, then the adversary-controlled program will execute, allowing the adversary to establish persistence and/or privilege escalation to the account context the service is set to execute under (local/domain account, SYSTEM, LocalService, or NetworkService).Adversaries may also alter other Registry keys in the services Registry tree. For example, the FailureCommand key may be changed so that the service is executed in an elevated context anytime the service fails or is intentionally corrupted.(Citation: Kansa Service related collectors)(Citation: Tweet Registry Perms Weakness)The Performance key contains the name of a driver service's performance DLL and the names of several exported functions in the DLL.(Citation: microsoft_services_registry_tree) If the Performance key is not already present and if an adversary-controlled user has the Create Subkey permission, adversaries may create the Performance key in the services Registry tree to point to a malicious DLL.(Citation: insecure_reg_perms)Adversaries may also add the Parameters key, which stores driver-specific data, or other custom subkeys for their malicious services to establish persistence or enable other malicious activities.(Citation: microsoft_services_registry_tree)(Citation: troj_zegost) Additionally, If adversaries launch their malicious services using svchost.exe, the services file may be identified using HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\servicename\\Parameters\\ServiceDll.(Citation: malware_hides_service)", + "description": "Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Flaws in the permissions for Registry keys related to services can allow adversaries to redirect the originally specified executable to one they control, launching their own code when a service starts. Windows stores local service configuration information in the Registry under HKLM\\SYSTEM\\CurrentControlSet\\Services. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, [PowerShell](https://attack.mitre.org/techniques/T1059/001), or [Reg](https://attack.mitre.org/software/S0075). Access to Registry keys is controlled through access control lists and user permissions. (Citation: Registry Key Security)(Citation: malware_hides_service)If the permissions for users and groups are not properly set and allow access to the Registry keys for a service, adversaries may change the service's binPath/ImagePath to point to a different executable under their control. When the service starts or is restarted, the adversary-controlled program will execute, allowing the adversary to establish persistence and/or privilege escalation to the account context the service is set to execute under (local/domain account, SYSTEM, LocalService, or NetworkService).Adversaries may also alter other Registry keys in the services Registry tree. For example, the FailureCommand key may be changed so that the service is executed in an elevated context anytime the service fails or is intentionally corrupted.(Citation: Kansa Service related collectors)(Citation: Tweet Registry Perms Weakness)The Performance key contains the name of a driver service's performance DLL and the names of several exported functions in the DLL.(Citation: microsoft_services_registry_tree) If the Performance key is not already present and if an adversary-controlled user has the Create Subkey permission, adversaries may create the Performance key in the services Registry tree to point to a malicious DLL.(Citation: insecure_reg_perms)Adversaries may also add the Parameters key, which can reference malicious drivers file paths. This technique has been identified to be a method of abuse by configuring DLL file paths within the Parameters key of a given services registry configuration. By placing and configuring the Parameters key to reference a malicious DLL, adversaries can ensure that their code is loaded persistently whenever the associated service or library is invoked.For example, the registry path(Citation: MDSec) HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\WinSock2\\Parameters(Citation: hexacorn)(Citation: gendigital) contains the AutodiaDLL value, which specifies the DLL to be loaded for autodial funcitionality. An adversary could set the AutodiaDLL to point to a hijacked or malicious DLL:\"AutodialDLL\"=\"c:\\temp\\foo.dll\"This ensures persistence, as it causes the DLL (in this case, foo.dll) to be loaded each time the Winsock 2 library is invoked.", "similar_words": [ "Services Registry Permissions Weakness" ], @@ -16047,9 +16477,10 @@ "attack-pattern--191cc6af-1bb2-4344-ab5f-28e496638720": { "name": "Compromise Software Dependencies and Development Tools", "example_uses": [ - "adds malicious code to a host's Xcode projects by enumerating CocoaPods target_integrator.rb files under the /Library/Ruby/Gems folder or enumerates all .xcodeproj folders under a given directory. then downloads a script and Mach-O file into the Xcode project folder." + "adds malicious code to a host's Xcode projects by enumerating CocoaPods target_integrator.rb files under the /Library/Ruby/Gems folder or enumerates all .xcodeproj folders under a given directory. then downloads a script and Mach-O file into the Xcode project folder.", + "has been hosted on code repositories and disseminated to victims through NPM packages." ], - "description": "Adversaries may manipulate software dependencies and development tools prior to receipt by a final consumer for the purpose of data or system compromise. Applications often depend on external software to function properly. Popular open source projects that are used as dependencies in many applications may be targeted as a means to add malicious code to users of the dependency.(Citation: Trendmicro NPM Compromise) Targeting may be specific to a desired victim set or may be distributed to a broad set of consumers but only move on to additional tactics on specific victims. ", + "description": "Adversaries may manipulate software dependencies and development tools prior to receipt by a final consumer for the purpose of data or system compromise. Applications often depend on external software to function properly. Popular open source projects that are used as dependencies in many applications, such as pip and NPM packages, may be targeted as a means to add malicious code to users of the dependency.(Citation: Trendmicro NPM Compromise)(Citation: Bitdefender NPM Repositories Compromised 2021)(Citation: MANDVI Malicious npm and PyPI Packages Disguised) This may also include abandoned packages, which in some cases could be re-registered by threat actors after being removed by adversaries.(Citation: The Hacker News PyPi Revival Hijack 2024) Adversaries may also employ \"typosquatting\" or name-confusion by choosing names similar to existing popular libraries or packages in order to deceive a user.(Citation: Ahmed Backdoors in Python and NPM Packages)(Citation: Meyer PyPI Supply Chain Attack Uncovered)(Citation: Checkmarx-oss-seo)Additionally, CI/CD pipeline components, such as GitHub Actions, may be targeted in order to gain access to the building, testing, and deployment cycles of an application.(Citation: Unit 42 Palo Alto GitHub Actions Supply Chain Attack 2025) By adding malicious code into a GitHub action, a threat actor may be able to collect runtime credentials (e.g., via [Proc Filesystem](https://attack.mitre.org/techniques/T1003/007)) or insert further malicious components into the build pipelines for a second-order supply chain compromise.(Citation: OWASP CICD-SEC-4) As GitHub Actions are often dependent on other GitHub Actions, threat actors may be able to infect a large number of repositories via the compromise of a single Action.(Citation: Palo Alto Networks GitHub Actions Worm 2023)Targeting may be specific to a desired victim set or may be distributed to a broad set of consumers but only move on to additional tactics on specific victims. ", "similar_words": [ "Compromise Software Dependencies and Development Tools" ], @@ -16065,7 +16496,8 @@ "has used valid stolen digital certificates for some of their malware and tools.", "included the use of digital certificates spoofing Microsoft.", "created new certificates using a technique called the actors performed certificate impersonation a technique in which obtained a certificate authority-signed X.509 certificate from another provider for the same domain imitating the one already used by the targeted organization.", - "acquired Cloudflare Origin CA TLS certificates during ." + "acquired Cloudflare Origin CA TLS certificates during .", + "has deployed malware using the victim's legitimate TLS certificate obtained from a compromised FortiGate device." ], "description": "Adversaries may buy and/or steal SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust. They include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner.Adversaries may purchase or steal SSL/TLS certificates to further their operations, such as encrypting C2 traffic (ex: [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002) with [Web Protocols](https://attack.mitre.org/techniques/T1071/001)) or even enabling [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) if the certificate is trusted or otherwise added to the root of trust (i.e. [Install Root Certificate](https://attack.mitre.org/techniques/T1553/004)). The purchase of digital certificates may be done using a front organization or using information stolen from a previously compromised entity that allows the adversary to validate to a certificate provider as that entity. Adversaries may also steal certificate materials directly from a compromised third-party, including from certificate authorities.(Citation: DiginotarCompromise) Adversaries may register or hijack domains that they will later purchase an SSL/TLS certificate for.Certificate authorities exist that allow adversaries to acquire SSL/TLS certificates, such as domain validation certificates, for free.(Citation: Let's Encrypt FAQ)After obtaining a digital certificate, an adversary may then install that certificate (see [Install Digital Certificate](https://attack.mitre.org/techniques/T1608/003)) on infrastructure under their control.", "similar_words": [ @@ -16152,7 +16584,7 @@ "has encoded outbound C2 communications in DNS requests consisting of character strings made to resemble standard domain names. The actual information transmitted by is contained in the part of the character string prior to the first . character.", "has used DNS tunnelling tools such as dnscat/2 and Iodine for C2 purposes." ], - "description": "Adversaries may communicate using the Domain Name System (DNS) application layer protocol to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. The DNS protocol serves an administrative function in computer networking and thus may be very common in environments. DNS traffic may also be allowed even before network authentication is completed. DNS packets contain many fields and headers in which data can be concealed. Often known as DNS tunneling, adversaries may abuse DNS to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.(Citation: PAN DNS Tunneling)(Citation: Medium DnsTunneling) ", + "description": "Adversaries may communicate using the Domain Name System (DNS) application layer protocol to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. The DNS protocol serves an administrative function in computer networking and thus may be very common in environments. DNS traffic may also be allowed even before network authentication is completed. DNS packets contain many fields and headers in which data can be concealed. Often known as DNS tunneling, adversaries may abuse DNS to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.(Citation: PAN DNS Tunneling)(Citation: Medium DnsTunneling)DNS beaconing may be used to send commands to remote systems via DNS queries. A DNS beacon is created by tunneling DNS traffic (i.e.[Protocol Tunneling](https://attack.mitre.org/techniques/T1572)). The commands may be embedded into different DNS records, for example, TXT or A records.(Citation: OilRig Uses Updated BONDUPDATER to Target Middle Eastern Government) DNS beacons may be difficult to detect because the beacons infrequently communicate with infected devices.(Citation: DNS Beacons) Infrequent communication conceals the malicious DNS traffic with normal DNS traffic. ", "similar_words": [ "DNS" ], @@ -16220,7 +16652,9 @@ }, "attack-pattern--1bae753e-8e52-4055-a66d-2ead90303ca9": { "name": "Mavinject", - "example_uses": [], + "example_uses": [ + "has injected its malicious payload into a running process through Windows utility Microsoft Application Virtualization Injector `MAVInject.exe`." + ], "description": "Adversaries may abuse mavinject.exe to proxy execution of malicious code. Mavinject.exe is the Microsoft Application Virtualization Injector, a Windows utility that can inject code into external processes as part of Microsoft Application Virtualization (App-V).(Citation: LOLBAS Mavinject)Adversaries may abuse mavinject.exe to inject malicious DLLs into running processes (i.e. [Dynamic-link Library Injection](https://attack.mitre.org/techniques/T1055/001)), allowing for arbitrary code execution (ex. C:\\Windows\\system32\\mavinject.exe PID /INJECTRUNNING PATH_DLL).(Citation: ATT Lazarus TTP Evolution)(Citation: Reaqta Mavinject) Since mavinject.exe may be digitally signed by Microsoft, proxying execution via this method may evade detection by security products because the execution is masked under a legitimate process. In addition to [Dynamic-link Library Injection](https://attack.mitre.org/techniques/T1055/001), Mavinject.exe can also be abused to perform import descriptor injection via its /HMODULE command-line parameter (ex. mavinject.exe PID /HMODULE=BASE_ADDRESS PATH_DLL ORDINAL_NUMBER). This command would inject an import table entry consisting of the specified DLL into the module at the given base address.(Citation: Mavinject Functionality Deconstructed)", "similar_words": [ "Mavinject" @@ -16349,7 +16783,15 @@ "can log the output from C2 commands in an encrypted and compressed format on disk prior to exfiltration.", "During threat actors copied files to the web application folder on compromised devices for exfiltration.", "gathers host information and stages it locally as a RAR file prior to exfiltration. stores logged data in an encrypted file located at `%TEMP%/TS_FB56.tmp` during execution.", - "can stage files in the `tempFiles` directory for exfiltration." + "can stage files in the `tempFiles` directory for exfiltration.", + "has staged captured credentials in `var/log/ldapd.2.gz`.", + "has staged collected data to the systems temporary directory.", + "has collected and staged the victims computer files for exfiltration.", + "During threat actors staged stolen data from web.config files to debug_dev.js.", + "has stored the captured data in a file located `C:\\\\Users\\\\Public\\\\Libraries\\\\record.txt`.", + "has stored the captured data in an encrypted file using a 48-character RC4 key.", + "has staged data in consolidated folders prior to exfiltration.", + "can stage the output from executed C2 commands to a temporary file." ], "description": "Adversaries may stage collected data in a central location or directory on the local system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.Adversaries may also stage collected data in various available formats/locations of a system, including local storage databases/repositories or the Windows Registry.(Citation: Prevailion DarkWatchman 2021)", "similar_words": [ @@ -16554,7 +16996,21 @@ "has been named `GoogleTranslate.crx` to masquerade as a legitimate Chrome extension.", "has named a downloaded copy of the Plink tunneling utility as \\ProgramData\\Adobe.exe.", "is installed through droppers masquerading as legitimate signed software installers.", - "used a malicious DLL `iviewers.dll` that mimics the legitimate OLE/COM Object Viewer within Windows." + "used a malicious DLL `iviewers.dll` that mimics the legitimate OLE/COM Object Viewer within Windows.", + "has renamed malicious files to mimic legitimate file names and file extensions. has also masqueraded as legitimate file names to include LogMeIn.dll.", + "has used legitimate process names to hide malware including svchosst. Additionally disguised malicious ZIP archives as Office documents that are related to the invasion.", + "has attempted to run Darkside ransomware with the filename sleep.exe. Additionally has mimicked WsTaskLoad.exe which is associated with the Wondershare software suite by using a malicious executable under the same name.", + "has leveraged naming conventions of its malicious DLL to match legitimate services to include cnmpaui.dll which matches the legitimate executable cnmpaui.exe that is aligned with a Canon Ink Jet Printer Assistant Tool.", + "has imitated legitimate software directories through the creation and storage of the EXE and DLL in `C:\\ProgramData\\` and the use of legitimate looking names of software.", + "has been disguised as legitimate Adobe and PotPlayer files. has also imitated legitimate software directories and file names through the creation and storage of a legitimate EXE and the malicious DLLs.", + "During created multiple strains of malware using names to mimic legitimate binaries such as appid to irad lmpad jdosd and oemd.", + "has masqueraded and typosquatted as legitimate code repository packages and projects.", + "has leveraged naming conventions that match legitimate services to include AdobePlugins.exe.", + "samples have been found in `/usr/libexec/setconf/ksmd` and `/usr/bin/ksmd` named to spoof the legitimate Kernel Same-Page Merging Daemon binary.", + "has renamed malware to legitimate names such as ESTCommon.dll or patch.dll. has also disguised payloads using legitimate file names including a PowerShell payload named chrome.ps1.", + "has leveraged legitimate package names to mimic frequently utilized tools to entice victims to download and execute malicious payloads.", + "has used names like `adobeupdate.dat` and `PotPlayerDB.dat` to disguise and a file named `OneDrive.exe` to load a payload. has also masqueraded legitimate browser plugin updates to include AdobePlugins.exe.", + "has renamed malicious files to mimic legitimate file names such as adobe_wf.exe." ], "description": "Adversaries may match or approximate the name or location of legitimate files, Registry keys, or other resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: `svchost.exe`). Alternatively, a Windows Registry key may be given a close approximation to a key used by a legitimate program. In containerized environments, a threat actor may create a resource in a trusted namespace or one that matches the naming convention of a container pod or cluster.(Citation: Aquasec Kubernetes Backdoor 2023)", "similar_words": [ @@ -16570,7 +17026,9 @@ "has created self-signed digital certificates for use in HTTPS C2 traffic.", "For established SSL certificates on the typo-squatted domains the group registered.", "included acquiring digital certificates mimicking patterns associated with Cisco ASA appliances for command and control infrastructure.", - "During the threat actors used self-signed certificates on VPS C2 infrastructure." + "During the threat actors used self-signed certificates on VPS C2 infrastructure.", + "has used the same TLS certificate across its infrastructure.", + "has utilized their own self-signed TLS certificate Microsoft IT TLS CA 5 with their infrastructure." ], "description": "Adversaries may create self-signed SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust. They include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner. In the case of self-signing, digital certificates will lack the element of trust associated with the signature of a third-party certificate authority (CA).Adversaries may create self-signed SSL/TLS certificates that can be used to further their operations, such as encrypting C2 traffic (ex: [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002) with [Web Protocols](https://attack.mitre.org/techniques/T1071/001)) or even enabling [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) if added to the root of trust (i.e. [Install Root Certificate](https://attack.mitre.org/techniques/T1553/004)).After creating a digital certificate, an adversary may then install that certificate (see [Install Digital Certificate](https://attack.mitre.org/techniques/T1608/003)) on infrastructure under their control.", "similar_words": [ @@ -16646,7 +17104,10 @@ "collects Keychain storage data and copies those passwords/tokens to a file.", "collects the keychains on the system.", "can capture files from a targeted user's keychain directory.", - "performs an in-memory keychain query via `SecItemCopyMatching()` then formats the retrieved data as a JSON blob for exfiltration." + "performs an in-memory keychain query via `SecItemCopyMatching()` then formats the retrieved data as a JSON blob for exfiltration.", + "has leveraged malware variants configured to dump credentials from the macOS keychain.", + "uses the command `/usr/bin/security dump-keychain -d` to read the keychain credential.", + "has collected keys associated with macOS within `/Library/Keychains/login.keychain`." ], "description": "Adversaries may acquire credentials from Keychain. Keychain (or Keychain Services) is the macOS credential management system that stores account names, passwords, private keys, certificates, sensitive application data, payment data, and secure notes. There are three types of Keychains: Login Keychain, System Keychain, and Local Items (iCloud) Keychain. The default Keychain is the Login Keychain, which stores user passwords and information. The System Keychain stores items accessed by the operating system, such as items shared among users on a host. The Local Items (iCloud) Keychain is used for items synced with Apples iCloud service. Keychains can be viewed and edited through the Keychain Access application or using the command-line utility security. Keychain files are located in ~/Library/Keychains/, /Library/Keychains/, and /Network/Library/Keychains/.(Citation: Keychain Services Apple)(Citation: Keychain Decryption Passware)(Citation: OSX Keychain Schaumann)Adversaries may gather user credentials from Keychain storage/memory. For example, the command security dump-keychain d will dump all Login Keychain credentials from ~/Library/Keychains/login.keychain-db. Adversaries may also directly read Login Keychain credentials from the ~/Library/Keychains/login.keychain file. Both methods require a password, where the default password for the Login Keychain is the current users password to login to the macOS host.(Citation: External to DA, the OS X Way)(Citation: Empire Keychain Decrypt) ", "similar_words": [ @@ -16736,9 +17197,11 @@ "masqueraded configuration files containing encryption keys as PNG files.", "has used payloads that resemble benign file extensions such as .mp3 .accdb and .pub though the files contained malicious JavaScript content.", "can download additional executable payloads that masquerade as GIF files.", - "has been distributed as a DLL/HTML polyglot file." + "has been distributed as a DLL/HTML polyglot file.", + "has masqueraded as a BMP file to hide its true MSI file extension.", + "has masqueraded malicious executables as legitimate files that download malware." ], - "description": "Adversaries may masquerade malicious payloads as legitimate files through changes to the payload's formatting, including the files signature, extension, icon, and contents. Various file types have a typical standard format, including how they are encoded and organized. For example, a files signature (also known as header or magic bytes) is the beginning bytes of a file and is often used to identify the files type. For example, the header of a JPEG file, is 0xFF 0xD8 and the file extension is either `.JPE`, `.JPEG` or `.JPG`. Adversaries may edit the headers hex code and/or the file extension of a malicious payload in order to bypass file validation checks and/or input sanitization. This behavior is commonly used when payload files are transferred (e.g., [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) and stored (e.g., [Upload Malware](https://attack.mitre.org/techniques/T1608/001)) so that adversaries may move their malware without triggering detections. Common non-executable file types and extensions, such as text files (`.txt`) and image files (`.jpg`, `.gif`, etc.) may be typically treated as benign. Based on this, adversaries may use a file extension to disguise malware, such as naming a PHP backdoor code with a file name of test.gif. A user may not know that a file is malicious due to the benign appearance and file extension.Polygot files, which are files that have multiple different file types and that function differently based on the application that will execute them, may also be used to disguise malicious malware and capabilities.(Citation: polygot_icedID)", + "description": "Adversaries may masquerade malicious payloads as legitimate files through changes to the payload's formatting, including the files signature, extension, icon, and contents. Various file types have a typical standard format, including how they are encoded and organized. For example, a files signature (also known as header or magic bytes) is the beginning bytes of a file and is often used to identify the files type. For example, the header of a JPEG file, is 0xFF 0xD8 and the file extension is either `.JPE`, `.JPEG` or `.JPG`. Adversaries may edit the headers hex code and/or the file extension of a malicious payload in order to bypass file validation checks and/or input sanitization. This behavior is commonly used when payload files are transferred (e.g., [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) and stored (e.g., [Upload Malware](https://attack.mitre.org/techniques/T1608/001)) so that adversaries may move their malware without triggering detections. Common non-executable file types and extensions, such as text files (`.txt`) and image files (`.jpg`, `.gif`, etc.) may be typically treated as benign. Based on this, adversaries may use a file extension to disguise malware, such as naming a PHP backdoor code with a file name of test.gif. A user may not know that a file is malicious due to the benign appearance and file extension.Polyglot files, which are files that have multiple different file types and that function differently based on the application that will execute them, may also be used to disguise malicious malware and capabilities.(Citation: polygot_icedID)", "similar_words": [ "Masquerade File Type" ], @@ -16777,9 +17240,13 @@ "has used custom tooling including .", "featured the development and deployment of two unique malware types and .", "For improved on by developing the backdoor.", - "For created new implants including the backdoor." + "For created new implants including the backdoor.", + "During deployed custom malware based on the publicly-available TINYSHELL backdoor.", + "has developed malware that utilizes Qt cross-platform framework to include .", + "has deployed custom malware families on Fortinet and VMware systems.", + "During threat actors created malicious applications within Salesforce trial accounts typically Python scripts with similar function to the Salesforce Data Loader." ], - "description": "Adversaries may develop malware and malware components that can be used during targeting. Building malicious software can include the development of payloads, droppers, post-compromise tools, backdoors (including backdoored images), packers, C2 protocols, and the creation of infected removable media. Adversaries may develop malware to support their operations, creating a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.(Citation: Mandiant APT1)(Citation: Kaspersky Sofacy)(Citation: ActiveMalwareEnergy)(Citation: FBI Flash FIN7 USB)As with legitimate development efforts, different skill sets may be required for developing malware. The skills needed may be located in-house, or may need to be contracted out. Use of a contractor may be considered an extension of that adversary's malware development capabilities, provided the adversary plays a role in shaping requirements and maintains a degree of exclusivity to the malware.Some aspects of malware development, such as C2 protocol development, may require adversaries to obtain additional infrastructure. For example, malware developed that will communicate with Twitter for C2, may require use of [Web Services](https://attack.mitre.org/techniques/T1583/006).(Citation: FireEye APT29)", + "description": "Adversaries may develop malware and malware components that can be used during targeting. Building malicious software can include the development of payloads, droppers, post-compromise tools, backdoors (including backdoored images), packers, C2 protocols, and the creation of infected removable media. Adversaries may develop malware to support their operations, creating a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.(Citation: Mandiant APT1)(Citation: Kaspersky Sofacy)(Citation: ActiveMalwareEnergy)(Citation: FBI Flash FIN7 USB)During malware development, adversaries may intentionally include indicators aligned with other known actors in order to mislead attribution by defenders.(Citation: Olympic Destroyer)(Citation: Risky Bulletin Threat actor impersonates FSB APT)(Citation: GamaCopy organization)As with legitimate development efforts, different skill sets may be required for developing malware. The skills needed may be located in-house, or may need to be contracted out. Use of a contractor may be considered an extension of that adversary's malware development capabilities, provided the adversary plays a role in shaping requirements and maintains a degree of exclusivity to the malware.Some aspects of malware development, such as C2 protocol development, may require adversaries to obtain additional infrastructure. For example, malware developed that will communicate with Twitter for C2, may require use of [Web Services](https://attack.mitre.org/techniques/T1583/006).(Citation: FireEye APT29)", "similar_words": [ "Malware" ], @@ -16790,7 +17257,8 @@ "example_uses": [ "can enumerate device drivers located in the registry at `HKLM\\Software\\WBEM\\WDM`.", "has a plugin to detect active drivers of some security products.", - "can verify the presence of specific drivers on compromised hosts including Microsoft Print to PDF and Microsoft XPS Document Writer." + "can verify the presence of specific drivers on compromised hosts including Microsoft Print to PDF and Microsoft XPS Document Writer.", + "has queried drivers on the victim device through the command `driverquery`." ], "description": "Adversaries may attempt to enumerate local device drivers on a victim host. Information about device drivers may highlight various insights that shape follow-on behaviors, such as the function/purpose of the host, present security tools (i.e. [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001)) or other defenses (e.g., [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497)), as well as potential exploitable vulnerabilities (e.g., [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068)).Many OS utilities may provide information about local device drivers, such as `driverquery.exe` and the `EnumDeviceDrivers()` API function on Windows.(Citation: Microsoft Driverquery)(Citation: Microsoft EnumDeviceDrivers) Information about device drivers (as well as associated services, i.e., [System Service Discovery](https://attack.mitre.org/techniques/T1007)) may also be available in the Registry.(Citation: Microsoft Registry Drivers)On Linux/macOS, device drivers (in the form of kernel modules) may be visible within `/dev` or using utilities such as `lsmod` and `modinfo`.(Citation: Linux Kernel Programming)(Citation: lsmod man)(Citation: modinfo man)", "similar_words": [ @@ -16854,7 +17322,11 @@ "can run `C:\\Windows\\System32\\cmd.exe /c net group Domain Admins /domain` to identify domain administrator accounts.", "has used `net` commands and tools such as to profile domain accounts associated with victim machines and make Active Directory queries.", "has used tools such as to identify and enumerate domain accounts.", - "has performed domain account enumeration during intrusions." + "has performed domain account enumeration during intrusions.", + "has enumerated legitimate domain accounts which are used in the targeted environment.", + "has utilized to identify domain users.", + "has used the PowerShell script 3CF9.ps1 and the executable WsTaskLoad to enumerate domain administrations by executing `net group Domain Admins /domain`. has also used csvde.exe which is a built-in Windows command line tool to export Active Directory information.", + "has utilized an obfuscated version of the Active Directory reconnaissance tool ADRecon.ps1 (obfs.ps1 or recon.ps1) to discover domain accounts." ], "description": "Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior such as targeting specific accounts which possess particular privileges.Commands such as net user /domain and net group /domain of the [Net](https://attack.mitre.org/software/S0039) utility, dscacheutil -q group on macOS, and ldapsearch on Linux can list domain users and groups. [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets including Get-ADUser and Get-ADGroupMember may enumerate members of Active Directory groups.(Citation: CrowdStrike StellarParticle January 2022) ", "similar_words": [ @@ -17102,9 +17574,21 @@ "has been executed through a Microsoft Word document with a malicious macro.", "distributed malicious LNK objects for user execution during .", "has gained initial execution through victims opening malicious executable files embedded in zip archives and MSI files within RAR files.", - "has attempted to lure victims into enabling malicious macros within email attachments. Additionally has used malicious Word documents and shortcut files." - ], - "description": "An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001). Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, .cpl, and .reg.Adversaries may employ various forms of [Masquerading](https://attack.mitre.org/techniques/T1036) and [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027) to increase the likelihood that a user will open and successfully execute a malicious file. These methods may include using a familiar naming convention and/or password protecting the file and supplying instructions to a user on how to open it.(Citation: Password Protected Word Docs) While [Malicious File](https://attack.mitre.org/techniques/T1204/002) frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after [Internal Spearphishing](https://attack.mitre.org/techniques/T1534).", + "has attempted to lure victims into enabling malicious macros within email attachments. Additionally has used malicious Word documents and shortcut files.", + "has attempted to lure victims into opening malicious e-mail attachments. has also lured victims with tailored filenames and fake extensions that entice victims to open LNK files.", + "has distributed malicious files requiring direct victim interaction to execute through the guise of a code test.", + "has leveraged an initial executable disguised as a legitimate document to trick the target into opening it.", + "malware has been executed through the download of malicious files. has also lured users to install malware with an Install Wizard interface.", + "has used tailored decoy documents as part of the installation routine to entice users to open attachments.", + "lured victims to double-click on images in the attachments they sent which would then execute the hidden LNK file. Additionally has used malicious Microsoft Word and Excel files and Leo VBS to distribute an updated version of and to distribute the Harpy backdoor.", + "has been executed through lures involving malicious JavaScript projects or trojanized remote conferencing software such as MicroTalk or FreeConference. has also been executed through macOS and Windows installers disguised as chat applications.", + "has been delivered to victims through spearphishing emails with malicious attachments.", + "has required user execution to load subsequent malicious payloads.", + "has lured victims into executing malicious files from USBs including the use of files such as USBconfig.exe.", + "has sent malicious files requiring direct victim interaction to execute. has also leveraged executable files that display decoy documents to the victim to provide a resemblance of legitimacy with customized themes related to the victim.", + "has attempted to get users to click on Office attachments with malicious macros embedded. has also attempted to get users to click on thematically named files." + ], + "description": "An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001). Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, .cpl, .reg, and .iso.(Citation: Mandiant Trojanized Windows 10)Adversaries may employ various forms of [Masquerading](https://attack.mitre.org/techniques/T1036) and [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027) to increase the likelihood that a user will open and successfully execute a malicious file. These methods may include using a familiar naming convention and/or password protecting the file and supplying instructions to a user on how to open it.(Citation: Password Protected Word Docs) While [Malicious File](https://attack.mitre.org/techniques/T1204/002) frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after [Internal Spearphishing](https://attack.mitre.org/techniques/T1534).", "similar_words": [ "Malicious File" ], @@ -17133,7 +17617,8 @@ "example_uses": [ "adds a federated identity provider to the victims SSO tenant and activates automatic account linking.", "can create a backdoor by converting a domain to a federated domain which will be able to authenticate any user across the tenant. can also modify DesktopSSO information.", - "During the changed domain federation trust settings using Azure AD administrative permissions to configure the domain to accept authorization tokens signed by their own SAML signing certificate." + "During the changed domain federation trust settings using Azure AD administrative permissions to configure the domain to accept authorization tokens signed by their own SAML signing certificate.", + "created a new federated domain within the victim Microsoft Entra tenant using Global Administrator level access to establish a persistent backdoor for later use." ], "description": "Adversaries may add new domain trusts, modify the properties of existing domain trusts, or otherwise change the configuration of trust relationships between domains and tenants to evade defenses and/or elevate privileges.Trust details, such as whether or not user identities are federated, allow authentication and authorization properties to apply between domains or tenants for the purpose of accessing shared resources.(Citation: Microsoft - Azure AD Federation) These trust objects may include accounts, credentials, and other authentication material applied to servers, tokens, and domains.Manipulating these trusts may allow an adversary to escalate privileges and/or evade defenses by modifying settings to add objects which they control. For example, in Microsoft Active Directory (AD) environments, this may be used to forge [SAML Tokens](https://attack.mitre.org/techniques/T1606/002) without the need to compromise the signing certificate to forge new credentials. Instead, an adversary can manipulate domain trusts to add their own signing certificate. An adversary may also convert an AD domain to a federated domain using Active Directory Federation Services (AD FS), which may enable malicious trust modifications such as altering the claim issuance rules to log in any valid set of credentials as a specified user.(Citation: AADInternals zure AD Federated Domain) An adversary may also add a new federated identity provider to an identity tenant such as Okta or AWS IAM Identity Center, which may enable the adversary to authenticate as any user of the tenant.(Citation: Okta Cross-Tenant Impersonation 2023) This may enable the threat actor to gain broad access into a variety of cloud-based services that leverage the identity tenant. For example, in AWS environments, an adversary that creates a new identity provider for an AWS Organization will be able to federate into all of the AWS Organization member accounts without creating identities for each of the member accounts.(Citation: AWS RE:Inforce Threat Detection 2024)", "similar_words": [ @@ -17306,7 +17791,20 @@ "can send RC4 encrypted data over C2 channels.", "can receive XOR-encrypted commands from C2.", "can XOR encrypt C2 communications.", - "encrypts data sent to command and control infrastructure using a combination of RC4 and RSA-4096 algorithms." + "encrypts data sent to command and control infrastructure using a combination of RC4 and RSA-4096 algorithms.", + "has leveraged two 256-byte XOR keys to encrypt and decrypt network packets using a custom algorithm.", + "has encrypted C2 communications with RC4. has also leveraged encryption and compression algorithms to obfuscate the traffic between the system and C2 server methods observed included RC4 AES XOR with 0x5a and LZO.", + "can send an AES encrypted check-in request to the C2 server.", + "can use a custom RC4 encrypted protocol for C2 communications.", + "can use the AES algorithm to encrypt C2 data.", + "has used RC4 encryption in C2 communications.", + "can process RSA encryted C2 commands.", + "During malware used the RC4 cipher to encrypt outgoing C2 messages.", + "has used RC4 encryption in C2 communications. variants used a randomly generated variable length (0x20 - 0x200 bytes) rolling XOR key to encrypt and decrypt network packets.", + "can receive a 9-byte XOR encrypted activation string in the payload of an ICMP echo request packet.", + "has used encryption and compression algorithms to obfuscate the traffic between the system and C2 server methods observed included RC4 AES XOR with 0x5a and LZO.", + "has encrypted C2 traffic using RC4.", + "During the 's VEILEDSIGNAL communication module supports three commands to conduct the following actions: send implant data execute shellcode and terminate itself." ], "description": "Adversaries may employ a known symmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Symmetric encryption algorithms use the same key for plaintext encryption and ciphertext decryption. Common symmetric encryption algorithms include AES, DES, 3DES, Blowfish, and RC4.", "similar_words": [ @@ -17375,7 +17873,11 @@ "has collected information about local accounts.", "checks the privileges of running processes to determine if the running user is equivalent to `NT Authority\\System`.", "has used commands such as `net` to profile local system users.", - "has used the PowerShell-based POWERPOST script to collect local account names from the victim machine." + "has used the PowerShell-based POWERPOST script to collect local account names from the victim machine.", + "has leveraged `net user` for account discovery.", + "can list all local users found on a targeted system.", + "has collected account information from the victims machine.", + "has queried the victim device using Python scripts to obtain the User and Hostname." ], "description": "Adversaries may attempt to get a listing of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.Commands such as net user and net localgroup of the [Net](https://attack.mitre.org/software/S0039) utility and id and groups on macOS and Linux can list local users and groups.(Citation: Mandiant APT1)(Citation: id man page)(Citation: groups man page) On Linux, local users can also be enumerated through the use of the /etc/passwd file. On macOS, the dscl . list /Users command can be used to enumerate local accounts. On ESXi servers, the `esxcli system account list` command can list local user accounts.(Citation: Crowdstrike Hypervisor Jackpotting Pt 2 2021)", "similar_words": [ @@ -17402,7 +17904,9 @@ "can reboot victim machines in safe mode with networking via `bcdedit /set safeboot network`.", "can restart a compromised machine in safe mode.", "can reboot targeted systems into Safe Mode prior to encryption.", - "can reboot the infected host into Safe Mode." + "can reboot the infected host into Safe Mode.", + "has used a DLL variant of MDeployer to disable security solutions through Safe Mode.", + "can reboot targeted systems in safe mode to help avoid detection." ], "description": "Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as endpoint detection and response (EDR) tools may not start after booting Windows in safe mode. There are two versions of safe mode: Safe Mode and Safe Mode with Networking. It is possible to start additional services after a safe mode boot.(Citation: Microsoft Safe Mode)(Citation: Sophos Snatch Ransomware 2019)Adversaries may abuse safe mode to disable endpoint defenses that may not start with a limited boot. Hosts can be forced into safe mode after the next reboot via modifications to Boot Configuration Data (BCD) stores, which are files that manage boot application settings.(Citation: Microsoft bcdedit 2021)Adversaries may also add their malicious applications to the list of minimal services that start in safe mode by modifying relevant Registry values (i.e. [Modify Registry](https://attack.mitre.org/techniques/T1112)). Malicious [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) objects may also be registered and loaded in safe mode.(Citation: Sophos Snatch Ransomware 2019)(Citation: CyberArk Labs Safe Mode 2016)(Citation: Cybereason Nocturnus MedusaLocker 2020)(Citation: BleepingComputer REvil 2021)", "similar_words": [ @@ -17553,7 +18057,14 @@ "modified multiple services on victim machines to enable encryption operations. has installed tools such as AnyDesk as a service on victim machines.", "can install system services for persistence.", "has used a compromised Domain Controller to create a service on a remote host.", - "creates a new service for persistence." + "creates a new service for persistence.", + "has used vulnerable or signed drivers to modify security solutions on victim devices.", + "has created a new PowerShell process using the `CreateProcessA` API.", + "has created a service named `Microsoft Windows DeviceSync Service` at `HKLM\\SYSTEM\\CurrentControlSet\\Services\\DeviceSync\\` to trigger execution when the system starts and to maintain persistence.", + "has created a service to establish persistence.", + "has created a malicious service DISMsrv to maintain persistence.", + "has created a service to execute a payload.", + "has created persistence through the DLL variant of the MDeployer toolkit by creating a service called irnagentd that launches after the system is rebooted in Safe Mode." ], "description": "Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.(Citation: TechNet Services) Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.Adversaries may install a new service or modify an existing service to execute at startup in order to persist on a system. Service configurations can be set or modified using system utilities (such as sc.exe), by directly modifying the Registry, or by interacting directly with the Windows API. Adversaries may also use services to install and execute malicious drivers. For example, after dropping a driver file (ex: `.sys`) to disk, the payload can be loaded and registered via [Native API](https://attack.mitre.org/techniques/T1106) functions such as `CreateServiceW()` (or manually via functions such as `ZwLoadDriver()` and `ZwSetValueKey()`), by creating the required service Registry values (i.e. [Modify Registry](https://attack.mitre.org/techniques/T1112)), or by using command-line utilities such as `PnPUtil.exe`.(Citation: Symantec W.32 Stuxnet Dossier)(Citation: Crowdstrike DriveSlayer February 2022)(Citation: Unit42 AcidBox June 2020) Adversaries may leverage these drivers as [Rootkit](https://attack.mitre.org/techniques/T1014)s to hide the presence of malicious activity on a system. Adversaries may also load a signed yet vulnerable driver onto a compromised machine (known as \"Bring Your Own Vulnerable Driver\" (BYOVD)) as part of [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068).(Citation: ESET InvisiMole June 2020)(Citation: Unit42 AcidBox June 2020)Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges. Adversaries may also directly start services through [Service Execution](https://attack.mitre.org/techniques/T1569/002).To make detection analysis more challenging, malicious services may also incorporate [Masquerade Task or Service](https://attack.mitre.org/techniques/T1036/004) (ex: using a service and/or payload name related to a legitimate OS or benign software component). Adversaries may also create hidden services (i.e., [Hide Artifacts](https://attack.mitre.org/techniques/T1564)), for example by using the `sc sdset` command to set service permissions via the Service Descriptor Definition Language (SDDL). This may hide a Windows service from the view of standard service enumeration methods such as `Get-Service`, `sc query`, and `services.exe`.(Citation: SANS 1)(Citation: SANS 2)", "similar_words": [ @@ -17569,7 +18080,8 @@ "has used fast flux to mask botnets by distributing payloads across multiple IPs.", "operators have used dynamic DNS to mask the true location of their C2 behind rapidly changing IP addresses.", "has used a fast flux DNS for C2 IP resolution.", - "has used fast flux DNS to mask their command and control channel behind rotating IP addresses." + "has used fast flux DNS to mask their command and control channel behind rotating IP addresses.", + "has used fast flux DNS to mask their command and control channel behind rotating IP addresses. Additionally has used a low-frequency variant of the single-flux method." ], "description": "Adversaries may use Fast Flux DNS to hide a command and control channel behind an array of rapidly changing IP addresses linked to a single domain resolution. This technique uses a fully qualified domain name, with multiple IP addresses assigned to it which are swapped with high frequency, using a combination of round robin IP addressing and short Time-To-Live (TTL) for a DNS resource record.(Citation: MehtaFastFluxPt1)(Citation: MehtaFastFluxPt2)(Citation: Fast Flux - Welivesecurity)The simplest, \"single-flux\" method, involves registering and de-registering an addresses as part of the DNS A (address) record list for a single DNS name. These registrations have a five-minute average lifespan, resulting in a constant shuffle of IP address resolution.(Citation: Fast Flux - Welivesecurity)In contrast, the \"double-flux\" method registers and de-registers an address as part of the DNS Name Server record list for the DNS zone, providing additional resilience for the connection. With double-flux additional hosts can act as a proxy to the C2 host, further insulating the true source of the C2 channel.", "similar_words": [ @@ -17644,7 +18156,8 @@ "has queried system resources on the victim device to identify if it is executing in a sandbox or virtualized environments checking usernames conducting WMI queries for system details checking for files commonly found in virtualized environments searching system services and inspecting process names. has checked system GPU configurations for sandbox detection.", "performs timing checks using the Read-Time Stamp Counter (RDTSC) instruction on the victim CPU.", "performs various checks to determine if it is running in a sandboxed environment to prevent analysis.", - "checks for files related to known sandboxes." + "checks for files related to known sandboxes.", + "has checked existing conditions such as geographic location device type or system specification before the victim is sent a malicious Word document." ], "description": "Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.(Citation: Deloitte Environment Awareness)Specific checks will vary based on the target and/or adversary, but may involve behaviors such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047), [PowerShell](https://attack.mitre.org/techniques/T1059/001), [System Information Discovery](https://attack.mitre.org/techniques/T1082), and [Query Registry](https://attack.mitre.org/techniques/T1012) to obtain system information and search for VME artifacts. Adversaries may search for VME artifacts in memory, processes, file system, hardware, and/or the Registry. Adversaries may use scripting to automate these checks into one script and then have the program exit if it determines the system to be a virtual environment. Checks could include generic system properties such as host/domain name and samples of network traffic. Adversaries may also check the network adapters addresses, CPU core count, and available memory/drive size. Once executed, malware may also use [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) to check if it was saved in a folder or file with unexpected or even analysis-related naming artifacts such as `malware`, `sample`, or `hash`.Other common checks may enumerate services running that are unique to these applications, installed programs on the system, manufacturer/product fields for strings relating to virtual machine applications, and VME-specific hardware/processor instructions.(Citation: McAfee Virtual Jan 2017) In applications like VMWare, adversaries can also use a special I/O port to send commands and receive output. Hardware checks, such as the presence of the fan, temperature, and audio devices, could also be used to gather evidence that can be indicative a virtual environment. Adversaries may also query for specific readings from these devices.(Citation: Unit 42 OilRig Sept 2018)", "similar_words": [ @@ -17713,7 +18226,10 @@ "can be used to gather information on permission groups within a domain.", "can determine if a targeted system is part of an Active Directory domain by expanding the %USERDNSDOMAIN% environment variable.", "has enumerated domain groups on targeted hosts.", - "can identify domain groups through `cmd.exe /c net group Domain Admins /domain`." + "can identify domain groups through `cmd.exe /c net group Domain Admins /domain`.", + "has leveraged to enumerate domain groups.", + "has utilized the `net group` command to query domain groups within the victim environment.", + "has enumerated Active Directory security groups including through the use of ADExplorer ADRecon.ps1 and Get-ADUser." ], "description": "Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.Commands such as net group /domain of the [Net](https://attack.mitre.org/software/S0039) utility, dscacheutil -q group on macOS, and ldapsearch on Linux can list domain-level groups.", "similar_words": [ @@ -17726,7 +18242,8 @@ "example_uses": [ "In 2017 conducted technical research related to vulnerabilities associated with websites used by the Korean Sport and Olympic Committee a Korean power company and a Korean airport.", "has used publicly available exploit code for initial access.", - "weaponized publicly-known vulnerabilities for initial access and other purposes during ." + "weaponized publicly-known vulnerabilities for initial access and other purposes during .", + "has obtained capabilities to exploit N-day vulnerabilities associated with public facing services to gain initial access to victim environments to include Zoho ManageEngine (CVE-2022-47966) Citrix NetScaler Citrix Bleed (CVE-2023-4966) and Adobe ColdFusion 2016 (CVE-2023-29300 or CVE-2023-38203)." ], "description": "Adversaries may acquire information about vulnerabilities that can be used during targeting. A vulnerability is a weakness in computer hardware or software that can, potentially, be exploited by an adversary to cause unintended or unanticipated behavior to occur. Adversaries may find vulnerability information by searching open databases or gaining access to closed vulnerability databases.(Citation: National Vulnerability Database)An adversary may monitor vulnerability disclosures/databases to understand the state of existing, as well as newly discovered, vulnerabilities. There is usually a delay between when a vulnerability is discovered and when it is made public. An adversary may target the systems of those known to conduct vulnerability research (including commercial vendors). Knowledge of a vulnerability may cause an adversary to search for an existing exploit (i.e. [Exploits](https://attack.mitre.org/techniques/T1588/005)) or to attempt to develop one themselves (i.e. [Exploits](https://attack.mitre.org/techniques/T1587/004)).", "similar_words": [ @@ -17815,9 +18332,13 @@ "utilized emails with hyperlinks leading to malicious ZIP archive files containing scripts to download and install .", "distributed malicious links in phishing emails leading to HTML files that would direct the victim to malicious MSC files if running Windows based on User Agent fingerprinting during .", "has distributed malicious links to victims that redirect to EvilProxy-based phishing sites to harvest credentials.", - "has been delivered through phishing emails containing malicious links." + "has been delivered through phishing emails containing malicious links.", + "has conducted broad phishing campaigns using malicious links. Additionally has sent spearphishing emails containing a typosquatted link to ip-sccanner[.]com.", + "has been delivered via malicious links in spearphishing emails.", + "has delivered malicious links to their intended targets. has distributed spear-phishing emails with embedded links that direct the victim to a malicious archive hosted on Google or Dropbox.", + "has been distributed through ClickFix phishing campaigns." ], - "description": "Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this case, the malicious emails contain links. Generally, the links will be accompanied by social engineering text and require the user to actively click or copy and paste a URL into a browser, leveraging [User Execution](https://attack.mitre.org/techniques/T1204). The visited website may compromise the web browser using an exploit, or the user will be prompted to download applications, documents, zip files, or even executables depending on the pretext for the email in the first place.Adversaries may also include links that are intended to interact directly with an email reader, including embedded images intended to exploit the end system directly. Additionally, adversaries may use seemingly benign links that abuse special characters to mimic legitimate websites (known as an \"IDN homograph attack\").(Citation: CISA IDN ST05-016) URLs may also be obfuscated by taking advantage of quirks in the URL schema, such as the acceptance of integer- or hexadecimal-based hostname formats and the automatic discarding of text before an @ symbol: for example, `hxxp://google.com@1157586937`.(Citation: Mandiant URL Obfuscation 2023)Adversaries may also utilize links to perform consent phishing, typically with OAuth 2.0 request URLs that when accepted by the user provide permissions/access for malicious applications, allowing adversaries to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s.(Citation: Trend Micro Pawn Storm OAuth 2017) These stolen access tokens allow the adversary to perform various actions on behalf of the user via API calls. (Citation: Microsoft OAuth 2.0 Consent Phishing 2021)Adversaries may also utilize spearphishing links to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s that grant immediate access to the victim environment. For example, a user may be lured through consent phishing into granting adversaries permissions/access via a malicious OAuth 2.0 request URL .(Citation: Trend Micro Pawn Storm OAuth 2017)(Citation: Microsoft OAuth 2.0 Consent Phishing 2021)Similarly, malicious links may also target device-based authorization, such as OAuth 2.0 device authorization grant flow which is typically used to authenticate devices without UIs/browsers. Known as device code phishing, an adversary may send a link that directs the victim to a malicious authorization page where the user is tricked into entering a code/credentials that produces a device token.(Citation: SecureWorks Device Code Phishing 2021)(Citation: Netskope Device Code Phishing 2021)(Citation: Optiv Device Code Phishing 2021)", + "description": "Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this case, the malicious emails contain links. Generally, the links will be accompanied by social engineering text and require the user to actively click or copy and paste a URL into a browser, leveraging [User Execution](https://attack.mitre.org/techniques/T1204). The visited website may compromise the web browser using an exploit, or the user will be prompted to download applications, documents, zip files, or even executables depending on the pretext for the email in the first place.Adversaries may also include links that are intended to interact directly with an email reader, including embedded images intended to exploit the end system directly. Additionally, adversaries may use seemingly benign links that abuse special characters to mimic legitimate websites (known as an \"IDN homograph attack\").(Citation: CISA IDN ST05-016) URLs may also be obfuscated by taking advantage of quirks in the URL schema, such as the acceptance of integer- or hexadecimal-based hostname formats and the automatic discarding of text before an @ symbol: for example, `hxxp://google.com@1157586937`.(Citation: Mandiant URL Obfuscation 2023)Adversaries may also utilize links to perform consent phishing/spearphishing campaigns to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s that grant immediate access to the victim environment. For example, a user may be lured into granting adversaries permissions/access via a malicious OAuth 2.0 request URL that when accepted by the user provide permissions/access for malicious applications.(Citation: Trend Micro Pawn Storm OAuth 2017)(Citation: Microsoft OAuth 2.0 Consent Phishing 2021) These stolen access tokens allow the adversary to perform various actions on behalf of the user via API calls.(Citation: Microsoft OAuth 2.0 Consent Phishing 2021)Similarly, malicious links may also target device-based authorization, such as OAuth 2.0 device authorization grant flow which is typically used to authenticate devices without UIs/browsers. Known as device code phishing, an adversary may send a link that directs the victim to a malicious authorization page where the user is tricked into entering a code/credentials that produces a device token.(Citation: SecureWorks Device Code Phishing 2021)(Citation: Netskope Device Code Phishing 2021)(Citation: Optiv Device Code Phishing 2021)", "similar_words": [ "Spearphishing Link" ], @@ -17888,9 +18409,10 @@ "has conducted credential phishing campaigns with links that redirect to credential harvesting sites.", "has sent emails to establish rapport with targets eventually sending messages with links to credential-stealing sites.", "used spearphishing messages containing items such as tracking pixels to determine if users interacted with malicious messages.", - "used malicious links to adversary-controlled resources for credential harvesting." + "used malicious links to adversary-controlled resources for credential harvesting.", + "has used domains mirroring corporate login portals to socially engineer victims into providing credentials." ], - "description": "Adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, the malicious emails contain links generally accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser.(Citation: TrendMictro Phishing)(Citation: PCMag FakeLogin) The given website may be a clone of a legitimate site (such as an online or corporate login portal) or may closely resemble a legitimate site in appearance and have a URL containing elements from the real site. URLs may also be obfuscated by taking advantage of quirks in the URL schema, such as the acceptance of integer- or hexadecimal-based hostname formats and the automatic discarding of text before an @ symbol: for example, `hxxp://google.com@1157586937`.(Citation: Mandiant URL Obfuscation 2023)Adversaries may also embed tracking pixels, \"web bugs\", or \"web beacons\" within phishing messages to verify the receipt of an email, while also potentially profiling and tracking victim information such as IP address.(Citation: NIST Web Bug) (Citation: Ryte Wiki) These mechanisms often appear as small images (typically one pixel in size) or otherwise obfuscated objects and are typically delivered as HTML code containing a link to a remote server. (Citation: Ryte Wiki)(Citation: IAPP)Adversaries may also be able to spoof a complete website using what is known as a \"browser-in-the-browser\" (BitB) attack. By generating a fake browser popup window with an HTML-based address bar that appears to contain a legitimate URL (such as an authentication portal), they may be able to prompt users to enter their credentials while bypassing typical URL verification methods.(Citation: ZScaler BitB 2020)(Citation: Mr. D0x BitB 2022)Adversaries can use phishing kits such as `EvilProxy` and `Evilginx2` to perform adversary-in-the-middle phishing by proxying the connection between the victim and the legitimate website. On a successful login, the victim is redirected to the legitimate website, while the adversary captures their session cookie (i.e., [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539)) in addition to their username and password. This may enable the adversary to then bypass MFA via [Web Session Cookie](https://attack.mitre.org/techniques/T1550/004).(Citation: Proofpoint Human Factor)Adversaries may also send a malicious link in the form of Quick Response (QR) Codes (also known as quishing). These links may direct a victim to a credential phishing page.(Citation: QR-campaign-energy-firm) By using a QR code, the URL may not be exposed in the email and may thus go undetected by most automated email security scans.(Citation: qr-phish-agriculture) These QR codes may be scanned by or delivered directly to a users mobile device (i.e., [Phishing](https://attack.mitre.org/techniques/T1660)), which may be less secure in several relevant ways.(Citation: qr-phish-agriculture) For example, mobile users may not be able to notice minor differences between genuine and credential harvesting websites due to mobiles smaller form factor.From the fake website, information is gathered in web forms and sent to the adversary. Adversaries may also use information from previous reconnaissance efforts (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)) to craft persuasive and believable lures.", + "description": "Adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, the malicious emails contain links generally accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser.(Citation: TrendMictro Phishing)(Citation: PCMag FakeLogin) The given website may be a clone of a legitimate site (such as an online or corporate login portal) or may closely resemble a legitimate site in appearance and have a URL containing elements from the real site. URLs may also be obfuscated by taking advantage of quirks in the URL schema, such as the acceptance of integer- or hexadecimal-based hostname formats and the automatic discarding of text before an @ symbol: for example, `hxxp://google.com@1157586937`.(Citation: Mandiant URL Obfuscation 2023)Adversaries may also embed tracking pixels, \"web bugs,\" or \"web beacons\" within phishing messages to verify the receipt of an email, while also potentially profiling and tracking victim information such as IP address.(Citation: NIST Web Bug)(Citation: Ryte Wiki) These mechanisms often appear as small images (typically one pixel in size) or otherwise obfuscated objects and are typically delivered as HTML code containing a link to a remote server.(Citation: Ryte Wiki)(Citation: IAPP)Adversaries may also be able to spoof a complete website using what is known as a \"browser-in-the-browser\" (BitB) attack. By generating a fake browser popup window with an HTML-based address bar that appears to contain a legitimate URL (such as an authentication portal), they may be able to prompt users to enter their credentials while bypassing typical URL verification methods.(Citation: ZScaler BitB 2020)(Citation: Mr. D0x BitB 2022)Adversaries can use phishing kits such as `EvilProxy` and `Evilginx2` to perform adversary-in-the-middle phishing by proxying the connection between the victim and the legitimate website. On a successful login, the victim is redirected to the legitimate website, while the adversary captures their session cookie (i.e., [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539)) in addition to their username and password. This may enable the adversary to then bypass MFA via [Web Session Cookie](https://attack.mitre.org/techniques/T1550/004).(Citation: Proofpoint Human Factor)Adversaries may also send a malicious link in the form of Quick Response (QR) Codes (also known as quishing). These links may direct a victim to a credential phishing page.(Citation: QR-campaign-energy-firm) By using a QR code, the URL may not be exposed in the email and may thus go undetected by most automated email security scans.(Citation: qr-phish-agriculture) These QR codes may be scanned by or delivered directly to a users mobile device (i.e., [Phishing](https://attack.mitre.org/techniques/T1660)), which may be less secure in several relevant ways.(Citation: qr-phish-agriculture) For example, mobile users may not be able to notice minor differences between genuine and credential harvesting websites due to mobiles smaller form factor.From the fake website, information is gathered in web forms and sent to the adversary. Adversaries may also use information from previous reconnaissance efforts (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)) to craft persuasive and believable lures.", "similar_words": [ "Spearphishing Link" ], @@ -17921,7 +18443,9 @@ "can communicate using SSH through an HTTP tunnel.", "has used OpenSSH to establish an SSH tunnel to victims for persistent access.", "has modified the loopback address on compromised switches and used them as the source of SSH connections to additional devices within the target environment allowing them to bypass access control lists (ACLs).", - "used SSH brute force techniques to move laterally within victim environments during ." + "used SSH brute force techniques to move laterally within victim environments during .", + "has used SSH to move laterally in victim environments and to access the vSphere vCenter Server GUI.", + "has established remote SSH access to targeted ESXi hosts." ], "description": "Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user.SSH is a protocol that allows authorized users to open remote shells on other computers. Many Linux and macOS versions come with SSH installed by default, although typically disabled until the user enables it. On ESXi, SSH can be enabled either directly on the host (e.g., via `vim-cmd hostsvc/enable_ssh`) or via vCenter.(Citation: Sygnia ESXi Ransomware 2025)(Citation: TrendMicro ESXI Ransomware)(Citation: Sygnia Abyss Locker 2025) The SSH server can be configured to use standard password authentication or public-private keypairs in lieu of or in addition to a password. In this authentication scenario, the users public key must be in a special file on the computer running the server that lists which keypairs are allowed to login as that user (i.e., [SSH Authorized Keys](https://attack.mitre.org/techniques/T1098/004)).", "similar_words": [ @@ -17935,7 +18459,9 @@ "During used IAM manipulation to gain persistence and to assume or elevate privileges.", "During the granted `company administrator` privileges to a newly created service principle.", "During used IAM manipulation to gain persistence and to assume or elevate privileges. has also assigned user access admin roles in order to gain Tenant Root Group management permissions in Azure.", - "has added the global admin role to accounts they have created in the targeted organization's cloud instances." + "has added the global admin role to accounts they have created in the targeted organization's cloud instances.", + "has assigned user access admin roles in order to gain Tenant Root Group management permissions in Azure.", + "has elevated their access to Azure resources using `Microsoft.Authorization/elevateAccess/action` and `Microsoft.Authorization/roleAssignments/write` operations to gain User Access Administrator and Owner Azure roles over the victims Azure subscriptions." ], "description": "An adversary may add additional roles or permissions to an adversary-controlled cloud account to maintain persistent access to a tenant. For example, adversaries may update IAM policies in cloud-based environments or add a new global administrator in Office 365 environments.(Citation: AWS IAM Policies and Permissions)(Citation: Google Cloud IAM Policies)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: Microsoft O365 Admin Roles) With sufficient permissions, a compromised account can gain almost unlimited access to data and settings (including the ability to reset the passwords of other admins).(Citation: Expel AWS Attacker)(Citation: Microsoft O365 Admin Roles) This account modification may immediately follow [Create Account](https://attack.mitre.org/techniques/T1136) or other malicious account activity. Adversaries may also modify existing [Valid Accounts](https://attack.mitre.org/techniques/T1078) that they have compromised. This could lead to privilege escalation, particularly if the roles added allow for lateral movement to additional accounts.For example, in AWS environments, an adversary with appropriate permissions may be able to use the CreatePolicyVersion API to define a new version of an IAM policy or the AttachUserPolicy API to attach an IAM policy with additional or distinct permissions to a compromised user account.(Citation: Rhino Security Labs AWS Privilege Escalation)In some cases, adversaries may add roles to adversary-controlled accounts outside the victim cloud tenant. This allows these external accounts to perform actions inside the victim tenant without requiring the adversary to [Create Account](https://attack.mitre.org/techniques/T1136) or modify a victim-owned account.(Citation: Invictus IR DangerDev 2024)", "similar_words": [ @@ -18100,7 +18626,11 @@ "has been distributed as a spearphishing attachment.", "has been delivered as a phishing attachment including PDFs with embedded links Word and Excel files and various archive files (ZIP RAR ACE and ISOs) containing EXE payloads.", "leveraged malicious attachments in spearphishing emails for initial access to victim environments in .", - "has been delivered through phishing emails with malicious attachments." + "has been delivered through phishing emails with malicious attachments.", + "has delivered spearphishing emails with malicious attachments to targets. Additionally has distributed malicious LNK files compressed in ZIP archives.", + "has used spearphishing attachments to deliver initial access payloads. has also delivered archive files such as RAR and ZIP files containing legitimate EXEs and malicious DLLs.", + "has used emails containing Word Excel and/or HWP (Hangul Word Processor) documents in their spearphishing campaigns. has also distributed emails with attached compressed zip files that contained malicious .LNK files masquerading as legitimate files.", + "has been delivered to victims through malicious email attachments." ], "description": "Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems. Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon [User Execution](https://attack.mitre.org/techniques/T1204) to gain execution.(Citation: Unit 42 DarkHydrus July 2018) Spearphishing may also involve social engineering techniques, such as posing as a trusted source.There are many options for the attachment such as Microsoft Office documents, executables, PDFs, or archived files. Upon opening the attachment (and potentially clicking past protections), the adversary's payload exploits a vulnerability or directly executes on the user's system. The text of the spearphishing email usually tries to give a plausible reason why the file should be opened, and may explain how to bypass system protections in order to do so. The email may also contain instructions on how to decrypt an attachment, such as a zip file password, in order to evade email boundary defenses. Adversaries frequently manipulate file extensions and icons in order to make attached executables appear to be document files, or files exploiting one application appear to be a file for a different one. ", "similar_words": [ @@ -18139,7 +18669,10 @@ "can use the `IARPUinstallerStringLauncher` COM interface are part of its UAC bypass process.", "can use the Windows Component Object Model (COM) to set scheduled tasks.", "creates an elevated COM object for CMLuaUtil and uses this to set a registry value that points to the malicious LNK file during execution.", - "can insert malicious shellcode into Excel.exe using a `Microsoft.Office.Interop` object." + "can insert malicious shellcode into Excel.exe using a `Microsoft.Office.Interop` object.", + "has leveraged Component Object Model (COM) objects to create a scheduled task using `ITaskService` interface.", + "has leveraged Component Object Model (COM) to bypass UAC.", + "has utilized Windows COM Installer Object to download an MSI package containing files masqueraded as a BMP file." ], "description": "Adversaries may use the Windows Component Object Model (COM) for local code execution. COM is an inter-process communication (IPC) component of the native Windows application programming interface (API) that enables interaction between software objects, or executable code that implements one or more interfaces.(Citation: Fireeye Hunting COM June 2019) Through COM, a client object can call methods of server objects, which are typically binary Dynamic Link Libraries (DLL) or executables (EXE).(Citation: Microsoft COM) Remote COM execution is facilitated by [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) (DCOM).(Citation: Fireeye Hunting COM June 2019)Various COM interfaces are exposed that can be abused to invoke arbitrary execution via a variety of programming languages such as C, C++, Java, and [Visual Basic](https://attack.mitre.org/techniques/T1059/005).(Citation: Microsoft COM) Specific COM objects also exist to directly perform functions beyond code execution, such as creating a [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), fileless download/execution, and other adversary behaviors related to privilege escalation and persistence.(Citation: Fireeye Hunting COM June 2019)(Citation: ProjectZero File Write EoP Apr 2018)", "similar_words": [ @@ -18252,9 +18785,18 @@ "side loads its communications module as a DLL into the libcurl.dll loader.", "has used DLL side-loading to drop and execute malicious payloads including the hijacking of the legitimate Windows application file rekeywiz.exe.", "has used search order hijacking to execute malicious payloads such as . has also used legitimate executables to perform DLL side-loading of their malware.", - "has used DLL side-loading to launch versions of Mimikatz and PwDump6 as well as . has also used DLL search order hijacking." - ], - "description": "Adversaries may abuse dynamic-link library files (DLLs) in order to achieve persistence, escalate privileges, and evade defenses. DLLs are libraries that contain code and data that can be simultaneously utilized by multiple programs. While DLLs are not malicious by nature, they can be abused through mechanisms such as side-loading, hijacking search order, and phantom DLL hijacking.(Citation: unit 42)Specific ways DLLs are abused by adversaries include:### DLL SideloadingAdversaries may execute their own malicious payloads by side-loading DLLs. Side-loading involves hijacking which DLL a program loads by planting and then invoking a legitimate application that executes their payload(s).Side-loading positions both the victim application and malicious payload(s) alongside each other. Adversaries likely use side-loading as a means of masking actions they perform under a legitimate, trusted, and potentially elevated system or software process. Benign executables used to side-load payloads may not be flagged during delivery and/or execution. Adversary payloads may also be encrypted/packed or otherwise obfuscated until loaded into the memory of the trusted process.Adversaries may also side-load other packages, such as BPLs (Borland Package Library).(Citation: kroll bpl)### DLL Search Order HijackingAdversaries may execute their own malicious payloads by hijacking the search order that Windows uses to load DLLs. This search order is a sequence of special and standard search locations that a program checks when loading a DLL. An adversary can plant a trojan DLL in a directory that will be prioritized by the DLL search order over the location of a legitimate library. This will cause Windows to load the malicious DLL when it is called for by the victim program.(Citation: unit 42)### DLL RedirectionAdversaries may directly modify the search order via DLL redirection, which after being enabled (in the Registry or via the creation of a redirection file) may cause a program to load a DLL from a different location.(Citation: Microsoft redirection)(Citation: Microsoft - manifests/assembly)### Phantom DLL HijackingAdversaries may leverage phantom DLL hijacking by targeting references to non-existent DLL files. They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.(Citation: Hexacorn DLL Hijacking)(Citation: Hijack DLLs CrowdStrike)### DLL SubstitutionAdversaries may target existing, valid DLL files and substitute them with their own malicious DLLs, planting them with the same name and in the same location as the valid DLL file.(Citation: Wietze Beukema DLL Hijacking)Programs that fall victim to DLL hijacking may appear to behave normally because malicious DLLs may be configured to also load the legitimate DLLs they were meant to replace, evading defenses.Remote DLL hijacking can occur when a program sets its current directory to a remote location, such as a Web share, before loading a DLL.(Citation: dll pre load owasp)(Citation: microsoft remote preloading)If a valid DLL is configured to run at a higher privilege level, then the adversary-controlled DLL that is loaded will also be executed at the higher level. In this case, the technique could be used for privilege escalation.", + "has used DLL side-loading to launch versions of Mimikatz and PwDump6 as well as . has also used DLL search order hijacking.", + "has been side-loaded by the legitimate signed executable IsoBurner.exe.", + "has leveraged legitimate binaries to conduct DLL side-loading.", + "has abused legitimate executables to side-load malicious DLLs. has also been loaded via DLL side-loading using legitimate signed executables to include: FastVD.exe Bandizip.exe and gpgconf.exe.", + "has the ability to use DLL search order hijacking for installation on targeted systems. has also used DLL side-loading to evade anti-virus. has also used a legitimately signed executable to side-load a malicious payload within a DLL file.", + "has abused legitimate executables to side-load malicious DLLs.", + "has used DLL side-loading to execute the malicious payload. has also side-loaded DLL components into a legitimate process including Microsoft Malware Protection `MsMpEng.exe` and Kaspersky Anti-Virus `ushata.exe`.", + "During the splits functionally across multiple .dll files using export functions such as DLLGetClassObject to execute code from an embedded .dll file within another .dll file. has also used DLL search order hijacking via the IKEEXT service running with LocalSystem privileges to load the TAXHAUL DLL for persistence.", + "has used a legitimately signed executable to execute a malicious payload within a DLL file. has abused legitimate executables to side-load malicious DLLs.", + "has abused legitimate executables to side-load malicious DLLs to include the legitimate exe UsbConfig.exe." + ], + "description": "Adversaries may abuse dynamic-link library files (DLLs) in order to achieve persistence, escalate privileges, and evade defenses. DLLs are libraries that contain code and data that can be simultaneously utilized by multiple programs. While DLLs are not malicious by nature, they can be abused through mechanisms such as side-loading, hijacking search order, and phantom DLL hijacking.(Citation: unit 42)Specific ways DLLs are abused by adversaries include:### DLL SideloadingAdversaries may execute their own malicious payloads by side-loading DLLs. Side-loading involves hijacking which DLL a program loads by planting and then invoking a legitimate application that executes their payload(s).Side-loading positions both the victim application and malicious payload(s) alongside each other. Adversaries likely use side-loading as a means of masking actions they perform under a legitimate, trusted, and potentially elevated system or software process. Benign executables used to side-load payloads may not be flagged during delivery and/or execution. Adversary payloads may also be encrypted/packed or otherwise obfuscated until loaded into the memory of the trusted process.Adversaries may also side-load other packages, such as BPLs (Borland Package Library).(Citation: kroll bpl)Adversaries may chain DLL sideloading multiple times to fragment functionality hindering analysis. Adversaries using multiple DLL files can split the loader functions across different DLLs, with a main DLL loading the separated export functions. (Citation: Virus Bulletin) Spreading loader functions across multiple DLLs makes analysis harder, since all files must be collected to fully understand the malwares behavior. Another method implements a loader-for-a-loader, where a malicious DLLs sole role is to load a second DLL (or a chain of DLLs) that contain the real payload. (Citation: Sophos)### DLL Search Order HijackingAdversaries may execute their own malicious payloads by hijacking the search order that Windows uses to load DLLs. This search order is a sequence of special and standard search locations that a program checks when loading a DLL. An adversary can plant a trojan DLL in a directory that will be prioritized by the DLL search order over the location of a legitimate library. This will cause Windows to load the malicious DLL when it is called for by the victim program.(Citation: unit 42)### DLL RedirectionAdversaries may directly modify the search order via DLL redirection, which after being enabled (in the Registry or via the creation of a redirection file) may cause a program to load a DLL from a different location.(Citation: Microsoft redirection)(Citation: Microsoft - manifests/assembly)### Phantom DLL HijackingAdversaries may leverage phantom DLL hijacking by targeting references to non-existent DLL files. They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.(Citation: Hexacorn DLL Hijacking)(Citation: Hijack DLLs CrowdStrike)### DLL SubstitutionAdversaries may target existing, valid DLL files and substitute them with their own malicious DLLs, planting them with the same name and in the same location as the valid DLL file.(Citation: Wietze Beukema DLL Hijacking)Programs that fall victim to DLL hijacking may appear to behave normally because malicious DLLs may be configured to also load the legitimate DLLs they were meant to replace, evading defenses.Remote DLL hijacking can occur when a program sets its current directory to a remote location, such as a Web share, before loading a DLL.(Citation: dll pre load owasp)(Citation: microsoft remote preloading)If a valid DLL is configured to run at a higher privilege level, then the adversary-controlled DLL that is loaded will also be executed at the higher level. In this case, the technique could be used for privilege escalation.", "similar_words": [ "DLL Search Order Hijacking", "DLL" @@ -18297,7 +18839,11 @@ "gathers credentials in files for 1password.", "can steal passwords from the KeePass open source password manager.", "has accessed local password managers and databases to obtain further credentials from a compromised network.", - "has accessed and exported passwords from password managers." + "has accessed and exported passwords from password managers.", + "has targeted KeyPass password database files for credential access.", + "has stolen credentials contained in the password manager Keepass by utilizing Find-KeePassConfig.ps1.", + "has searched for credentials in password vaults and Privileged Access Management (PAM) solutions including HashiCorp Vault.", + "has utilized the command `ssh_zcp` to exfiltrate data from browser extensions and password managers via Telegram and FTP." ], "description": "Adversaries may acquire user credentials from third-party password managers.(Citation: ise Password Manager February 2019) Password managers are applications designed to store user credentials, normally in an encrypted database. Credentials are typically accessible after a user provides a master password that unlocks the database. After the database is unlocked, these credentials may be copied to memory. These databases can be stored as files on disk.(Citation: ise Password Manager February 2019)Adversaries may acquire user credentials from password managers by extracting the master password and/or plain-text credentials from memory.(Citation: FoxIT Wocao December 2019)(Citation: Github KeeThief) Adversaries may extract credentials from memory via [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212).(Citation: NVD CVE-2019-3610) Adversaries may also try brute forcing via [Password Guessing](https://attack.mitre.org/techniques/T1110/001) to obtain the master password of a password manager.(Citation: Cyberreason Anchor December 2019)", "similar_words": [ @@ -18418,7 +18964,15 @@ "along with its associated dropper utilizes legitimate stolen code signing certificates.", "has signed its malware with stolen certificates.", "has used valid code signing digital certificates from ConsolHQ LTD and Verandah Green Limited to appear legitimate.", - "uses stolen legitimate code signing certificates for defense evasion." + "uses stolen legitimate code signing certificates for defense evasion.", + "has used both valid certificates and self-signed digital certificates to appear legitimate.", + "has used legitimate signed binaries such as lcommute.exe for follow-on execution of malicious DLLs through DLL side-loading.", + "has used valid legitimate digital signatures and certificates to evade detection.", + "has been signed with a valid Certificate Authority(CA) to circumvent endpoint defenses.", + "has used legitimate signed binaries such as BugSplatHD64.exe for follow-on execution of malicious DLLs through DLL side-loading.", + "has used legitimate signed binaries such as PACLOUD.exe for follow-on execution of malicious DLLs through DLL Side-Loading.", + "Although the X_TRADER platform was reportedly discontinued in 2020 it was still available for download from the legitimate Trading Technologies website in 2022. During the used a code signing certificate to digitally sign the malicious software with an expiration date set to October 2022. This file was signed with the subject Trading Technologies International Inc and contained the executable file Setup.exe also signed with the same digital certificate.", + "has utilized vulnerable or signed drivers to kill or delete services associated with endpoint detection and response (EDR) tools." ], "description": "Adversaries may create, acquire, or steal code signing materials to sign their malware or tools. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. (Citation: Wikipedia Code Signing) The certificates used during an operation may be created, acquired, or stolen by the adversary. (Citation: Securelist Digital Certificates) (Citation: Symantec Digital Certificates) Unlike [Invalid Code Signature](https://attack.mitre.org/techniques/T1036/001), this activity will result in a valid signature.Code signing to verify software on first run can be used on modern Windows and macOS systems. It is not used on Linux due to the decentralized nature of the platform. (Citation: Wikipedia Code Signing)(Citation: EclecticLightChecksonEXECodeSigning)Code signing certificates may be used to bypass security policies that require signed code to execute on a system. ", "similar_words": [ @@ -18436,7 +18990,8 @@ "During accessed victim OneDrive environments to search for VPN and MFA enrollment information help desk instructions and new hire guides.", "AADInternals can collect files from a users OneDrive.", "has collected data from Microsoft 365 environments.", - "has exfitrated data from OneDrive." + "has exfitrated data from OneDrive.", + "had modified Azure Storage account resources through the `Microsoft.Storage/storageAccounts/write` operation to expose non-remotely accessible accounts for data exfiltration." ], "description": "Adversaries may access data from cloud storage.Many IaaS providers offer solutions for online data object storage such as Amazon S3, Azure Storage, and Google Cloud Storage. Similarly, SaaS enterprise platforms such as Office 365 and Google Workspace provide cloud-based document storage to users through services such as OneDrive and Google Drive, while SaaS application providers such as Slack, Confluence, Salesforce, and Dropbox may provide cloud storage solutions as a peripheral or primary use case of their platform. In some cases, as with IaaS-based cloud storage, there exists no overarching application (such as SQL or Elasticsearch) with which to interact with the stored objects: instead, data from these solutions is retrieved directly though the [Cloud API](https://attack.mitre.org/techniques/T1059/009). In SaaS applications, adversaries may be able to collect this data directly from APIs or backend cloud storage objects, rather than through their front-end application or interface (i.e., [Data from Information Repositories](https://attack.mitre.org/techniques/T1213)). Adversaries may collect sensitive data from these cloud storage solutions. Providers typically offer security guides to help end users configure systems, though misconfigurations are a common problem.(Citation: Amazon S3 Security, 2019)(Citation: Microsoft Azure Storage Security, 2019)(Citation: Google Cloud Storage Best Practices, 2019) There have been numerous incidents where cloud storage has been improperly secured, typically by unintentionally allowing public access to unauthenticated users, overly-broad access by all users, or even access for any anonymous person outside the control of the Identity Access Management system without even needing basic user permissions.This open access may expose various types of sensitive data, such as credit cards, personally identifiable information, or medical records.(Citation: Trend Micro S3 Exposed PII, 2017)(Citation: Wired Magecart S3 Buckets, 2019)(Citation: HIPAA Journal S3 Breach, 2017)(Citation: Rclone-mega-extortion_05_2021)Adversaries may also obtain then abuse leaked credentials from source repositories, logs, or other means as a way to gain access to cloud storage objects.", "similar_words": [ @@ -18631,7 +19186,9 @@ "can inject itself into a suspended msiexec.exe process to send beacons to C2 while appearing as a normal msi application. has also used msiexec.exe to deploy the loader.", "uses msiexec.exe for post-installation communication to command and control infrastructure. Msiexec.exe is executed referencing a remote resource for second-stage payload retrieval and execution.", "initial payloads downloaded a Windows Installer MSI file that in turn dropped follow-on files leading to installation of during .", - "has used `msiexec.exe` to execute malicious files." + "has used `msiexec.exe` to execute malicious files.", + "During the delivered components using a Windows Installer package (.msi). The MSI installer extracted several files and executed the 3CXDesktopApp.exe which loaded the malicious library file ffmpeg.dll.", + "has been installed via MSI Installer." ], "description": "Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi).(Citation: Microsoft msiexec) The Msiexec.exe binary may also be digitally signed by Microsoft.Adversaries may abuse msiexec.exe to launch local or network accessible MSI files. Msiexec.exe can also execute DLLs.(Citation: LOLBAS Msiexec)(Citation: TrendMicro Msiexec Feb 2018) Since it may be signed and native on Windows systems, msiexec.exe can be used to bypass application control solutions that do not account for its potential abuse. Msiexec.exe execution may also be elevated to SYSTEM privileges if the AlwaysInstallElevated policy is enabled.(Citation: Microsoft AlwaysInstallElevated 2018)", "similar_words": [ @@ -18717,7 +19274,9 @@ "example_uses": [ "also removed the firewall rules it created during execution.", "have inspected server logs to remove their IPs.", - "has inspected server logs to remove their IPs." + "has inspected server logs to remove their IPs.", + "has cleared specific events that contained the threat actors IP address from multiple log sources.", + "During used an implant to delete logs associated with unauthorized access to targeted Junos OS devices." ], "description": "Adversaries may clear or remove evidence of malicious network connections in order to clean up traces of their operations. Configuration settings as well as various artifacts that highlight connection history may be created on a system and/or in application logs from behaviors that require network connections, such as [Remote Services](https://attack.mitre.org/techniques/T1021) or [External Remote Services](https://attack.mitre.org/techniques/T1133). Defenders may use these artifacts to monitor or otherwise analyze network connections created by adversaries.Network connection history may be stored in various locations. For example, RDP connection history may be stored in Windows Registry values under (Citation: Microsoft RDP Removal):* HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default* HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\ServersWindows may also store information about recent RDP connections in files such as C:\\Users\\\\%username%\\Documents\\Default.rdp and `C:\\Users\\%username%\\AppData\\Local\\Microsoft\\TerminalServer Client\\Cache\\`.(Citation: Moran RDPieces) Similarly, macOS and Linux hosts may store information highlighting connection history in system logs (such as those stored in `/Library/Logs` and/or `/var/log/`).(Citation: Apple Culprit Access)(Citation: FreeDesktop Journal)(Citation: Apple Unified Log Analysis Remote Login and Screen Sharing)Malicious network connections may also require changes to third-party applications or network configuration settings, such as [Disable or Modify System Firewall](https://attack.mitre.org/techniques/T1562/004) or tampering to enable [Proxy](https://attack.mitre.org/techniques/T1090). Adversaries may delete or modify this data to conceal indicators and/or impede defensive analysis.", "similar_words": [ @@ -18786,7 +19345,8 @@ "has cleared the command history on targeted ESXi servers.", "attempted to remove evidence of some of its activity by deleting Bash histories.", "cleared command history in Linux environments to remove traces of activity after operations.", - "can overwrite previously executed command line arguments." + "can overwrite previously executed command line arguments.", + "has cleared command history by running the PowerShell command `Remove-Item (Get-PSReadlineOption).HistorySavePath`." ], "description": "In addition to clearing system logs, an adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done.On Linux and macOS, these command histories can be accessed in a few different ways. While logged in, this command history is tracked in a file pointed to by the environment variable HISTFILE. When a user logs off a system, this information is flushed to a file in the user's home directory called ~/.bash_history. The benefit of this is that it allows users to go back to commands they've used before in different sessions. Adversaries may delete their commands from these logs by manually clearing the history (history -c) or deleting the bash history file rm ~/.bash_history. Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to clear command history data (clear logging and/or clear history).(Citation: US-CERT-TA18-106A) On ESXi servers, command history may be manually removed from the `/var/log/shell.log` file.(Citation: Broadcom ESXi Shell Audit)On Windows hosts, PowerShell has two different command history providers: the built-in history and the command history managed by the PSReadLine module. The built-in history only tracks the commands used in the current session. This command history is not available to other sessions and is deleted when the session ends.The PSReadLine command history tracks the commands used in all PowerShell sessions and writes them to a file ($env:APPDATA\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt by default). This history file is available to all sessions and contains all past history since the file is not deleted when the session ends.(Citation: Microsoft PowerShell Command History)Adversaries may run the PowerShell command Clear-History to flush the entire command history from a current PowerShell session. This, however, will not delete/flush the ConsoleHost_history.txt file. Adversaries may also delete the ConsoleHost_history.txt file or edit its contents to hide PowerShell commands they have run.(Citation: Sophos PowerShell command audit)(Citation: Sophos PowerShell Command History Forensics)", "similar_words": [ @@ -18845,7 +19405,9 @@ "has compromised email accounts to conduct social engineering attacks.", "has sent thread hijacked messages from compromised emails.", "has used compromised email accounts to conduct spearphishing against contacts of the original victim.", - "has compromised email accounts to send phishing emails." + "has compromised email accounts to send phishing emails.", + "has compromised legitimate email accounts to use in their spear-phishing operations.", + "During threat actors used compromised emails to create Salesforce trial accounts." ], "description": "Adversaries may compromise email accounts that can be used during targeting. Adversaries can use compromised email accounts to further their operations, such as leveraging them to conduct [Phishing for Information](https://attack.mitre.org/techniques/T1598), [Phishing](https://attack.mitre.org/techniques/T1566), or large-scale spam email campaigns. Utilizing an existing persona with a compromised email account may engender a level of trust in a potential victim if they have a relationship with, or knowledge of, the compromised persona. Compromised email accounts can also be used in the acquisition of infrastructure (ex: [Domains](https://attack.mitre.org/techniques/T1583/001)).A variety of methods exist for compromising email accounts, such as gathering credentials via [Phishing for Information](https://attack.mitre.org/techniques/T1598), purchasing credentials from third-party sites, brute forcing credentials (ex: password reuse from breach credential dumps), or paying employees, suppliers or business partners for access to credentials.(Citation: AnonHBGary)(Citation: Microsoft DEV-0537) Prior to compromising email accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation. Adversaries may target compromising well-known email accounts or domains from which malicious spam or [Phishing](https://attack.mitre.org/techniques/T1566) emails may evade reputation-based email filtering rules.Adversaries can use a compromised email account to hijack existing email threads with targets of interest.", "similar_words": [ @@ -18888,9 +19450,12 @@ "staged malware on adversary-controlled domains and cloud storage instances during .", "has hosted malware on fake websites designed to target specific audiences.", "has staged tools such as at public file sharing and hosting sites.", - "has used its infrastructure for C2 and for staging the VINETHORN payload which masqueraded as a VPN application." + "has used its infrastructure for C2 and for staging the VINETHORN payload which masqueraded as a VPN application.", + "has used compromised and acquired infrastructure to host and deliver malware including Blogspot to host beacons file exfiltrators and implants. has also hosted malicious payloads on Dropbox.", + "has hosted malicious payloads on code repositories used as lures for victims to download.", + "has staged legitimate software that was trojanized to contain an Atera agent installer on Amazon S3. has also used an open directory web server as a staging server for payloads and other tools such as OpenSSH and 7zip." ], - "description": "Adversaries may upload malware to third-party or adversary controlled infrastructure to make it accessible during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, and a variety of other malicious content. Adversaries may upload malware to support their operations, such as making a payload available to a victim network to enable [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105) by placing it on an Internet accessible web server.Malware may be placed on infrastructure that was previously purchased/rented by the adversary ([Acquire Infrastructure](https://attack.mitre.org/techniques/T1583)) or was otherwise compromised by them ([Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)). Malware can also be staged on web services, such as GitHub or Pastebin, or hosted on the InterPlanetary File System (IPFS), where decentralized content storage makes the removal of malicious files difficult.(Citation: Volexity Ocean Lotus November 2020)(Citation: Talos IPFS 2022)Adversaries may upload backdoored files, such as application binaries, virtual machine images, or container images, to third-party software stores or repositories (ex: GitHub, CNET, AWS Community AMIs, Docker Hub). By chance encounter, victims may directly download/install these backdoored files via [User Execution](https://attack.mitre.org/techniques/T1204). [Masquerading](https://attack.mitre.org/techniques/T1036) may increase the chance of users mistakenly executing these files.", + "description": "Adversaries may upload malware to third-party or adversary controlled infrastructure to make it accessible during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, and a variety of other malicious content. Adversaries may upload malware to support their operations, such as making a payload available to a victim network to enable [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105) by placing it on an Internet accessible web server.Malware may be placed on infrastructure that was previously purchased/rented by the adversary ([Acquire Infrastructure](https://attack.mitre.org/techniques/T1583)) or was otherwise compromised by them ([Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)). Malware can also be staged on web services, such as GitHub or Pastebin; hosted on the InterPlanetary File System (IPFS), where decentralized content storage makes the removal of malicious files difficult; or saved on the blockchain as smart contracts, which are resilient against takedowns that would affect traditional infrastructure.(Citation: Volexity Ocean Lotus November 2020)(Citation: Talos IPFS 2022)(Citation: Guardio Etherhiding 2023)(Citation: Bleeping Computer Binance Smart Chain 2023)Adversaries may upload backdoored files, such as software packages, application binaries, virtual machine images, or container images, to third-party software stores, package libraries, extension marketplaces, or repositories (ex: GitHub, CNET, AWS Community AMIs, Docker Hub, PyPi, NPM).(Citation: Datadog Security Labs Malicious PyPi Packages 2024) By chance encounter, victims may directly download/install these backdoored files via [User Execution](https://attack.mitre.org/techniques/T1204). Masquerading, including typo-squatting legitimate software, may increase the chance of users mistakenly executing these files. ", "similar_words": [ "Upload Malware" ], @@ -18944,7 +19509,9 @@ "includes modules for stealing stored credentials from Outlook and Foxmail email client software.", "extracts credentials from the Windows Registry associated with Premiumsoft Navicat a utility used to facilitate access to various database types.", "has obtained information about accounts lists of employees and plaintext and hashed passwords from databases.", - "can collect credentials stored in email clients." + "can collect credentials stored in email clients.", + "has collected keys stored for Solana stored in `.config/solana/id.json` and other login details associated with macOS within `/Library/Keychains/login.keychain` or for Linux within `/.local/share/keyrings`.", + "has obtained credentials from VPN services FTP clients and Instant Messenger (IM)/Chat clients." ], "description": "Adversaries may search for common password storage locations to obtain user credentials.(Citation: F-Secure The Dukes) Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications and services that store passwords to make them easier for users to manage and maintain, such as password managers and cloud secrets vaults. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.", "similar_words": [ @@ -18965,7 +19532,10 @@ "can upload documents from compromised hosts to a shared Microsoft Office 365 Outlook email account for exfiltration.", "has used services such as `anonymfiles.com` and `file.io` to exfiltrate victim data.", "can use the Microsoft Office Exchange Web Services API to access an actor-controlled account and retrieve files for exfiltration.", - "exfiltrates collected data to online file hosting sites such as `Mega.co.nz`." + "exfiltrates collected data to online file hosting sites such as `Mega.co.nz`.", + "has leveraged Telegram API to exfiltrate stolen data.", + "During threat actors exfiltrated data via legitimate Salesforce API communication channels including the Salesforce Data Loader application.", + "has leveraged Telegram chat to upload stolen data using the Telegram API with a bot token." ], "description": "Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. Popular Web services acting as an exfiltration mechanism may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to compromise. Firewall rules may also already exist to permit traffic to these services.Web service providers also commonly use SSL/TLS encryption, giving adversaries an added level of protection.", "similar_words": [ @@ -19031,7 +19601,12 @@ "registered domains for authoritative name servers used in DNS hijacking activity and for command and control servers.", "has created fake domains to imitate legitimate venture capital or bank domains.", "can utilize hardcoded command and control domain configurations created by the XLoader authors. These are designed to mimic domain registrars and hosting service providers such as Hostinger and Namecheap.", - "registered adversary-controlled domains during that were re-registrations of expired domains." + "registered adversary-controlled domains during that were re-registrations of expired domains.", + "has registered domains to leverage in their social engineering campaigns. has also registered domains to utilize for C2.", + "During threat actors registered C2 domains to spoof legitimate Microsoft domains.", + "has registered domains to spoof legitimate corporate login portals.", + "has acquired C2 domains prior to operations.", + "has registered look-alike domains for use in phishing campaigns. Additionally has registered a malicious domain as `advanced-ip-sccanner[.]com` that redirected to an adversary-controlled Dropbox which contained the malicious executable." ], "description": "Adversaries may acquire domains that can be used during targeting. Domain names are the human readable names used to represent one or more IP addresses. They can be purchased or, in some cases, acquired for free.Adversaries may use acquired domains for a variety of purposes, including for [Phishing](https://attack.mitre.org/techniques/T1566), [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), and Command and Control.(Citation: CISA MSS Sep 2020) Adversaries may choose domains that are similar to legitimate domains, including through use of homoglyphs or use of a different top-level domain (TLD).(Citation: FireEye APT28)(Citation: PaypalScam) Typosquatting may be used to aid in delivery of payloads via [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). Adversaries may also use internationalized domain names (IDNs) and different character sets (e.g. Cyrillic, Greek, etc.) to execute \"IDN homograph attacks,\" creating visually similar lookalike domains used to deliver malware to victim machines.(Citation: CISA IDN ST05-016)(Citation: tt_httrack_fake_domains)(Citation: tt_obliqueRAT)(Citation: httrack_unhcr)(Citation: lazgroup_idn_phishing)Different URIs/URLs may also be dynamically generated to uniquely serve malicious content to victims (including one-time, single use domain names).(Citation: iOS URL Scheme)(Citation: URI)(Citation: URI Use)(Citation: URI Unique)Adversaries may also acquire and repurpose expired domains, which may be potentially already allowlisted/trusted by defenders based on an existing reputation/history.(Citation: Categorisation_not_boundary)(Citation: Domain_Steal_CC)(Citation: Redirectors_Domain_Fronting)(Citation: bypass_webproxy_filtering)Domain registrars each maintain a publicly viewable database that displays contact information for every registered domain. Private WHOIS services display alternative information, such as their own company data, rather than the owner of the domain. Adversaries may use such private WHOIS services to obscure information about who owns a purchased domain. Adversaries may further interrupt efforts to track their infrastructure by using varied registration information and purchasing domains with different domain registrars.(Citation: Mandiant APT1)In addition to legitimately purchasing a domain, an adversary may register a new domain in a compromised environment. For example, in AWS environments, adversaries may leverage the Route53 domain service to register a domain and create hosted zones pointing to resources of the threat actors choosing.(Citation: Invictus IR DangerDev 2024)", "similar_words": [ @@ -19102,7 +19677,7 @@ "captures credentials by recording them through an alternative network listener registered to the mpnotify.exe process allowing for cleartext recording of logon information.", "gathered credentials hardcoded in binaries located on victim devices during ." ], - "description": "Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. [Bash History](https://attack.mitre.org/techniques/T1552/003)), operating system or application-specific repositories (e.g. [Credentials in Registry](https://attack.mitre.org/techniques/T1552/002)), or other specialized files/artifacts (e.g. [Private Keys](https://attack.mitre.org/techniques/T1552/004)).(Citation: Brining MimiKatz to Unix)", + "description": "Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. [Shell History](https://attack.mitre.org/techniques/T1552/003)), operating system or application-specific repositories (e.g. [Credentials in Registry](https://attack.mitre.org/techniques/T1552/002)), or other specialized files/artifacts (e.g. [Private Keys](https://attack.mitre.org/techniques/T1552/004)).(Citation: Brining MimiKatz to Unix)", "similar_words": [ "Unsecured Credentials" ], @@ -19123,7 +19698,8 @@ "has the ability to delete emails used for C2 once the content has been copied.", "During the removed evidence of email export requests using `Remove-MailboxExportRequest`.", "can set the `PR_DELETE_AFTER_SUBMIT` flag to delete messages sent for data exfiltration.", - "has deleted login notification emails and has cleared the Sent folder to cover their tracks." + "has deleted login notification emails and has cleared the Sent folder to cover their tracks.", + "has manually deleted emails notifying users of suspicious account activity." ], "description": "Adversaries may modify mail and mail application data to remove evidence of their activity. Email applications allow users and other programs to export and delete mailbox data via command line tools or use of APIs. Mail application data can be emails, email metadata, or logs generated by the application or operating system, such as export requests. Adversaries may manipulate emails and mailbox data to remove logs, artifacts, and metadata, such as evidence of [Phishing](https://attack.mitre.org/techniques/T1566)/[Internal Spearphishing](https://attack.mitre.org/techniques/T1534), [Email Collection](https://attack.mitre.org/techniques/T1114), [Mail Protocols](https://attack.mitre.org/techniques/T1071/003) for command and control, or email-based exfiltration such as [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048). For example, to remove evidence on Exchange servers adversaries have used the ExchangePowerShell [PowerShell](https://attack.mitre.org/techniques/T1059/001) module, including Remove-MailboxExportRequest to remove evidence of mailbox exports.(Citation: Volexity SolarWinds)(Citation: ExchangePowerShell Module) On Linux and macOS, adversaries may also delete emails through a command line utility called mail or use [AppleScript](https://attack.mitre.org/techniques/T1059/002) to interact with APIs on macOS.(Citation: Cybereason Cobalt Kitty 2017)(Citation: mailx man page)Adversaries may also remove emails and metadata/headers indicative of spam or suspicious activity (for example, through the use of organization-wide transport rules) to reduce the likelihood of malicious emails being detected by security products.(Citation: Microsoft OAuth Spam 2022)", "similar_words": [ @@ -19225,7 +19801,10 @@ "changes timestamps of overwritten files to either 1601.1.1 for NTFS filesystems or 1980.1.1 for all other filesystems.", "can time stomp its executable previously dating it between 2010 to 2021.", "can timestomp files for defense evasion and anti-forensics purposes.", - "restores timestamps to original values following modification." + "restores timestamps to original values following modification.", + "has used scripts to timestomp ESXi hosts prior to installing malicious vSphere Installation Bundles (VIBs).", + "has modified file timestamps from the export address table (EAT) in malware to make it difficult to identify creation times.", + "has modified file timestamps from the export address table (EAT) to make it difficult to discern when the module was created." ], "description": "Adversaries may modify file time attributes to hide new files or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder and blend malicious files with legitimate files.In Windows systems, both the `$STANDARD_INFORMATION` (`$SI`) and `$FILE_NAME` (`$FN`) attributes record times in a Master File Table (MFT) file.(Citation: Inversecos Timestomping 2022) `$SI` (dates/time stamps) is displayed to the end user, including in the File System view, while `$FN` is dealt with by the kernel.(Citation: Magnet Forensics)Modifying the `$SI` attribute is the most common method of timestomping because it can be modified at the user level using API calls. `$FN` timestomping, however, typically requires interacting with the system kernel or moving or renaming a file.(Citation: Inversecos Timestomping 2022)Adversaries modify timestamps on files so that they do not appear conspicuous to forensic investigators or file analysis tools. In order to evade detections that rely on identifying discrepancies between the `$SI` and `$FN` attributes, adversaries may also engage in double timestomping by modifying times on both attributes simultaneously.(Citation: Double Timestomping)In Linux systems and on ESXi servers, threat actors may attempt to perform timestomping using commands such as `touch -a -m -t ` (which sets access and modification times to a specific value) or `touch -r ` (which sets access and modification times to match those of another file).(Citation: Inversecos Linux Timestomping)(Citation: Juniper Networks ESXi Backdoor 2022)Timestomping may be used along with file name [Masquerading](https://attack.mitre.org/techniques/T1036) to hide malware and tools.(Citation: WindowsIR Anti-Forensic Techniques)", "similar_words": [ @@ -19257,7 +19836,14 @@ "has used the Invoke-Mimikatz PowerShell script to reflectively load a Mimikatz credential stealing DLL into memory.", "reflectively loads stored previously encrypted components of the PE file into memory of the currently executing process to avoid writing content to disk on the executing machine.", "can use reflective loading to decrypt and run malicious executables in a new thread.", - "has used reflective loading techniques to load content into memory during execution." + "has used reflective loading techniques to load content into memory during execution.", + "has loaded a .NET assembly into the currect execution context via `Reflection.Assembly::Load`.", + "has loaded its payload into memory.", + "has used the Invoke-Mimikatz PowerShell script to reflectively load a Mimikatz credential stealing DLL into memory. has also used reflective loading through .NET assembly using `[System.Reflection.Assembly]::Load`.", + "has used an obfuscated PowerShell script that used `System.Reflection.Assembly` to gather and send victim information to the C2.", + "During the leverages the publicly available open-source project DAVESHELL to convert PE-COFF files to position-independent code to reflectively load the payload into memory.", + "has used the Reflective DLL injection module from Github to inject itself into a processs memory.", + "During threat actors reflectively loaded payloads using `System.Reflection.Assembly.Load`." ], "description": "Adversaries may reflectively load code into a process in order to conceal the execution of malicious payloads. Reflective loading involves allocating then executing payloads directly within the memory of the process, vice creating a thread or process backed by a file path on disk (e.g., [Shared Modules](https://attack.mitre.org/techniques/T1129)).Reflectively loaded payloads may be compiled binaries, anonymous files (only present in RAM), or just snubs of fileless executable code (ex: position-independent shellcode).(Citation: Introducing Donut)(Citation: S1 Custom Shellcode Tool)(Citation: Stuart ELF Memory)(Citation: 00sec Droppers)(Citation: Mandiant BYOL) For example, the `Assembly.Load()` method executed by [PowerShell](https://attack.mitre.org/techniques/T1059/001) may be abused to load raw code into the running process.(Citation: Microsoft AssemblyLoad)Reflective code injection is very similar to [Process Injection](https://attack.mitre.org/techniques/T1055) except that the injection loads code into the processes own memory instead of that of a separate process. Reflective loading may evade process-based detections since the execution of the arbitrary code may be masked within a legitimate or otherwise benign process. Reflectively loading payloads directly into memory may also avoid creating files or other artifacts on disk, while also enabling malware to keep these payloads encrypted (or otherwise obfuscated) until execution.(Citation: Stuart ELF Memory)(Citation: 00sec Droppers)(Citation: Intezer ACBackdoor)(Citation: S1 Old Rat New Tricks)", "similar_words": [ @@ -19271,7 +19857,10 @@ "has collected names and passwords of all Wi-Fi networks to which a device has previously connected.", "can collect names and passwords of all Wi-Fi networks to which a device has previously connected.", "can extract names of all locally reachable Wi-Fi networks and then perform a brute-force attack to spread to new networks.", - "During collected information on wireless interfaces within range of a compromised system." + "During collected information on wireless interfaces within range of a compromised system.", + "has collected information on Wi-Fi networks from victim hosts leveraging `netsh wlan show profiles` `netsh wlan show interface` and `netsh wlan show`.", + "can use `netsh wlan show profiles` to list specific Wi-Fi profile details.", + "uses the netsh wlan show networks mode=bssid and netsh wlan show interfaces commands to list all nearby WiFi networks and connected interfaces." ], "description": "Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems. Adversaries may use Wi-Fi information as part of [Account Discovery](https://attack.mitre.org/techniques/T1087), [Remote System Discovery](https://attack.mitre.org/techniques/T1018), and other discovery or [Credential Access](https://attack.mitre.org/tactics/TA0006) activity to support both ongoing and future campaigns.Adversaries may collect various types of information about Wi-Fi networks from hosts. For example, on Windows names and passwords of all Wi-Fi networks a device has previously connected to may be available through `netsh wlan show profiles` to enumerate Wi-Fi names and then `netsh wlan show profile Wi-Fi name key=clear` to show a Wi-Fi networks corresponding password.(Citation: BleepingComputer Agent Tesla steal wifi passwords)(Citation: Malware Bytes New AgentTesla variant steals WiFi credentials)(Citation: Check Point APT35 CharmPower January 2022) Additionally, names and other details of locally reachable Wi-Fi networks can be discovered using calls to `wlanAPI.dll` [Native API](https://attack.mitre.org/techniques/T1106) functions.(Citation: Binary Defense Emotes Wi-Fi Spreader)On Linux, names and passwords of all Wi-Fi-networks a device has previously connected to may be available in files under ` /etc/NetworkManager/system-connections/`.(Citation: Wi-Fi Password of All Connected Networks in Windows/Linux) On macOS, the password of a known Wi-Fi may be identified with ` security find-generic-password -wa wifiname` (requires admin username/password).(Citation: Find Wi-Fi Password on Mac)", "similar_words": [ @@ -19286,7 +19875,8 @@ "has used the `nohup` command to instruct executed payloads to ignore hangup signals.", "set's it's process to ignore the following signals; `SIGHUP` `SIGINT` `SIGQUIT` `SIGPIPE` `SIGCHLD` `SIGTTIN` and `SIGTTOU`.", "calls the signal function to ignore the signals SIGCHLD SIGHIP and SIGPIPE prior to starting primary logic.", - "executed using the tool NoHup which keeps the malware running on a system after exiting the shell or terminal." + "executed using the tool NoHup which keeps the malware running on a system after exiting the shell or terminal.", + "modified the startup file `/etc/init.d/localnet` to execute the line `nohup /bin/support &` so the script would run when the system was rebooted." ], "description": "Adversaries may evade defensive mechanisms by executing commands that hide from process interrupt signals. Many operating systems use signals to deliver messages to control process behavior. Command interpreters often include specific commands/flags that ignore errors and other hangups, such as when the user of the active session logs off.(Citation: Linux Signal Man) These interrupt signals may also be used by defensive tools and/or analysts to pause or terminate specified running processes. Adversaries may invoke processes using `nohup`, [PowerShell](https://attack.mitre.org/techniques/T1059/001) `-ErrorAction SilentlyContinue`, or similar commands that may be immune to hangups.(Citation: nohup Linux Man)(Citation: Microsoft PowerShell SilentlyContinue) This may enable malicious commands and malware to continue execution through system events that would otherwise terminate its execution, such as users logging off or the termination of its C2 network connection.Hiding from process interrupt signals may allow malware to continue execution, but unlike [Trap](https://attack.mitre.org/techniques/T1546/005) this does not establish [Persistence](https://attack.mitre.org/tactics/TA0003) since the process will not be re-invoked once actually terminated.", "similar_words": [ @@ -19373,7 +19963,7 @@ "id": "T1087.003" }, "attack-pattern--4bed873f-0b7d-41d4-b93a-b6905d1f90b0": { - "name": "Time Based Evasion", + "name": "Time Based Checks", "example_uses": [ "After initial installation runs a computation to delay execution.", "has the ability to sleep for a specified time to evade detection.", @@ -19419,11 +20009,13 @@ "can pause for a number of hours before entering its C2 communication loop.", "can designate a sleep period of more than 22 seconds between stages of infection.", "will sleep for a random number of seconds iterating 200 times over sleeps between one to three seconds before continuing execution flow.", - "can sleep for a set number of minutes before beginning execution." + "can sleep for a set number of minutes before beginning execution.", + "The demon agent can be set to sleep for a specified time." ], - "description": "Adversaries may employ various time-based methods to detect and avoid virtualization and analysis environments. This may include enumerating time-based properties, such as uptime or the system clock, as well as the use of timers or other triggers to avoid a virtual machine environment (VME) or sandbox, specifically those that are automated or only operate for a limited amount of time.Adversaries may employ various time-based evasions, such as delaying malware functionality upon initial execution using programmatic sleep commands or native system scheduling functionality (ex: [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053)). Delays may also be based on waiting for specific victim conditions to be met (ex: system time, events, etc.) or employ scheduled [Multi-Stage Channels](https://attack.mitre.org/techniques/T1104) to avoid analysis and scrutiny.(Citation: Deloitte Environment Awareness)Benign commands or other operations may also be used to delay malware execution. Loops or otherwise needless repetitions of commands, such as [Ping](https://attack.mitre.org/software/S0097)s, may be used to delay malware execution and potentially exceed time thresholds of automated analysis environments.(Citation: Revil Independence Day)(Citation: Netskope Nitol) Another variation, commonly referred to as API hammering, involves making various calls to [Native API](https://attack.mitre.org/techniques/T1106) functions in order to delay execution (while also potentially overloading analysis environments with junk data).(Citation: Joe Sec Nymaim)(Citation: Joe Sec Trickbot)Adversaries may also use time as a metric to detect sandboxes and analysis environments, particularly those that attempt to manipulate time mechanisms to simulate longer elapses of time. For example, an adversary may be able to identify a sandbox accelerating time by sampling and calculating the expected value for an environment's timestamp before and after execution of a sleep function.(Citation: ISACA Malware Tricks)", + "description": "Adversaries may employ various time-based methods to detect virtualization and analysis environments, particularly those that attempt to manipulate time mechanisms to simulate longer elapses of time. This may include enumerating time-based properties, such as uptime or the system clock. Adversaries may use calls like `GetTickCount` and `GetSystemTimeAsFileTime` to discover if they are operating within a virtual machine or sandbox, or may be able to identify a sandbox accelerating time by sampling and calculating the expected value for an environment's timestamp before and after execution of a sleep function.(Citation: ISACA Malware Tricks)", "similar_words": [ - "Time Based Evasion" + "Time Based Evasion", + "Time Based Checks" ], "id": "T1497.003" }, @@ -19443,7 +20035,9 @@ }, "attack-pattern--4d2a5b3e-340d-4600-9123-309dd63c9bf8": { "name": "SSH Hijacking", - "example_uses": [], + "example_uses": [ + "can be configured to capture SSH credentials via SSH hijacking." + ], "description": "Adversaries may hijack a legitimate user's SSH session to move laterally within an environment. Secure Shell (SSH) is a standard means of remote access on Linux and macOS systems. It allows a user to connect to another system via an encrypted tunnel, commonly authenticating through a password, certificate or the use of an asymmetric encryption key pair.In order to move laterally from a compromised host, adversaries may take advantage of trust relationships established with other systems via public key authentication in active SSH sessions by hijacking an existing connection to another system. This may occur through compromising the SSH agent itself or by having access to the agent's socket. If an adversary is able to obtain root access, then hijacking SSH sessions is likely trivial.(Citation: Slideshare Abusing SSH)(Citation: SSHjack Blackhat)(Citation: Clockwork SSH Agent Hijacking)(Citation: Breach Post-mortem SSH Hijack)[SSH Hijacking](https://attack.mitre.org/techniques/T1563/001) differs from use of [SSH](https://attack.mitre.org/techniques/T1021/004) because it hijacks an existing SSH session rather than creating a new session using [Valid Accounts](https://attack.mitre.org/techniques/T1078).", "similar_words": [ "SSH Hijacking" @@ -19532,7 +20126,8 @@ "has the ability to tunnel SMB sessions.", "During leveraged SMB to transfer files and move laterally.", "can use SMB for lateral movement.", - "has attempted to move laterally in victim environments via SMB using ." + "has attempted to move laterally in victim environments via SMB using .", + "can embed a copy of within its payload and place it in the %Temp% directory under a randomly generated filename." ], "description": "Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.SMB is a file, printer, and serial port sharing protocol for Windows machines on the same network or domain. Adversaries may use SMB to interact with file shares, allowing them to move laterally throughout a network. Linux and macOS implementations of SMB typically use Samba.Windows systems have hidden network shares that are accessible only to administrators and provide the ability for remote file copy and other administrative functions. Example network shares include `C$`, `ADMIN$`, and `IPC$`. Adversaries may use this technique in conjunction with administrator-level [Valid Accounts](https://attack.mitre.org/techniques/T1078) to remotely access a networked system over SMB,(Citation: Wikipedia Server Message Block) to interact with systems using remote procedure calls (RPCs),(Citation: TechNet RPC) transfer files, and run transferred binaries through remote Execution. Example execution techniques that rely on authenticated sessions over SMB/RPC are [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), [Service Execution](https://attack.mitre.org/techniques/T1569/002), and [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047). Adversaries can also use NTLM hashes to access administrator shares on systems with [Pass the Hash](https://attack.mitre.org/techniques/T1550/002) and certain configuration and patch levels.(Citation: Microsoft Admin Shares)", "similar_words": [ @@ -19585,7 +20180,11 @@ "can tunnel SSH and Unix Domain Socket communications over TCP between external nodes and exposed resources behind firewalls or NAT.", "can tunnel data in and out of targeted networks.", "has modified device configurations to create and use Generic Routing Encapsulation (GRE) tunnels.", - "can tunnel TCP sessions including RDP SSH and SMB through HTTP." + "can tunnel TCP sessions including RDP SSH and SMB through HTTP.", + "has tunneled C2 traffic via OpenSSH.", + "During threat actors utilized tunnels to deliver PowerShell payloads.", + "has leveraged OpenSSH (sshd.exe) to execute commands transfer files and spread across the environment communicating over SMB port 445.", + "has installed protocol-tunneling tools on VMware vCenter and adversary-controlled VMs including Teleport.sh Chisel (configured to communicate with trycloudflare[.]com subdomains) MobaXterm ngrok Pinggy and Teleport." ], "description": "Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection/network filtering and/or enable access to otherwise unreachable systems. Tunneling involves explicitly encapsulating a protocol within another. This behavior may conceal malicious traffic by blending in with existing traffic and/or provide an outer layer of encryption (similar to a VPN). Tunneling could also enable routing of network packets that would otherwise not reach their intended destination, such as SMB, RDP, or other traffic that would be filtered by network appliances or not routed over the Internet. There are various means to encapsulate a protocol within another protocol. For example, adversaries may perform SSH tunneling (also known as SSH port forwarding), which involves forwarding arbitrary data over an encrypted SSH tunnel.(Citation: SSH Tunneling)(Citation: Sygnia Abyss Locker 2025) [Protocol Tunneling](https://attack.mitre.org/techniques/T1572) may also be abused by adversaries during [Dynamic Resolution](https://attack.mitre.org/techniques/T1568). Known as DNS over HTTPS (DoH), queries to resolve C2 infrastructure may be encapsulated within encrypted HTTPS packets.(Citation: BleepingComp Godlua JUL19) Adversaries may also leverage [Protocol Tunneling](https://attack.mitre.org/techniques/T1572) in conjunction with [Proxy](https://attack.mitre.org/techniques/T1090) and/or [Protocol or Service Impersonation](https://attack.mitre.org/techniques/T1001/003) to further conceal C2 communications and infrastructure. ", "similar_words": [ @@ -19609,7 +20208,7 @@ "attack-pattern--4ffc1794-ec3b-45be-9e52-42dbcb2af2de": { "name": "Network Address Translation Traversal", "example_uses": [], - "description": "Adversaries may bridge network boundaries by modifying a network devices Network Address Translation (NAT) configuration. Malicious modifications to NAT may enable an adversary to bypass restrictions on traffic routing that otherwise separate trusted and untrusted networks.Network devices such as routers and firewalls that connect multiple networks together may implement NAT during the process of passing packets between networks. When performing NAT, the network device will rewrite the source and/or destination addresses of the IP address header. Some network designs require NAT for the packets to cross the border device. A typical example of this is environments where internal networks make use of non-Internet routable addresses.(Citation: RFC1918)When an adversary gains control of a network boundary device, they can either leverage existing NAT configurations to send traffic between two separated networks, or they can implement NAT configurations of their own design. In the case of network designs that require NAT to function, this enables the adversary to overcome inherent routing limitations that would normally prevent them from accessing protected systems behind the border device. In the case of network designs that do not require NAT, address translation can be used by adversaries to obscure their activities, as changing the addresses of packets that traverse a network boundary device can make monitoring data transmissions more challenging for defenders. Adversaries may use [Patch System Image](https://attack.mitre.org/techniques/T1601/001) to change the operating system of a network device, implementing their own custom NAT mechanisms to further obscure their activities", + "description": "Adversaries may bridge network boundaries by modifying a network devices Network Address Translation (NAT) configuration. Malicious modifications to NAT may enable an adversary to bypass restrictions on traffic routing that otherwise separate trusted and untrusted networks.Network devices such as routers and firewalls that connect multiple networks together may implement NAT during the process of passing packets between networks. When performing NAT, the network device will rewrite the source and/or destination addresses of the IP address header. Some network designs require NAT for the packets to cross the border device. A typical example of this is environments where internal networks make use of non-Internet routable addresses.(Citation: RFC1918)When an adversary gains control of a network boundary device, they may modify NAT configurations to send traffic between two separated networks, or to obscure their activities. In network designs that require NAT to function, such modifications enable the adversary to overcome inherent routing limitations that would normally prevent them from accessing protected systems behind the border device. In network designs that do not require NAT, adversaries may use address translation to further obscure their activities, as changing the addresses of packets that traverse a network boundary device can make monitoring data transmissions more challenging for defenders. Adversaries may use [Patch System Image](https://attack.mitre.org/techniques/T1601/001) to change the operating system of a network device, implementing their own custom NAT mechanisms to further obscure their activities.", "similar_words": [ "Network Address Translation Traversal" ], @@ -19620,7 +20219,8 @@ "example_uses": [ "For used multiple servers to host malicious tools.", "For UNC3890 actors staged tools on their infrastructure to download directly onto a compromised system.", - "has staged tools including and WCE on previously compromised websites." + "has staged tools including and WCE on previously compromised websites.", + "has utilized a file hosting service called filemail[.]com to host a zip file that contained a RMM service such as ConnectWise." ], "description": "Adversaries may upload tools to third-party or adversary controlled infrastructure to make it accessible during targeting. Tools can be open or closed source, free or commercial. Tools can be used for malicious purposes by an adversary, but (unlike malware) were not intended to be used for those purposes (ex: [PsExec](https://attack.mitre.org/software/S0029)). Adversaries may upload tools to support their operations, such as making a tool available to a victim network to enable [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105) by placing it on an Internet accessible web server.Tools may be placed on infrastructure that was previously purchased/rented by the adversary ([Acquire Infrastructure](https://attack.mitre.org/techniques/T1583)) or was otherwise compromised by them ([Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)).(Citation: Dell TG-3390) Tools can also be staged on web services, such as an adversary controlled GitHub repo, or on Platform-as-a-Service offerings that enable users to easily provision applications.(Citation: Dragos Heroku Watering Hole)(Citation: Malwarebytes Heroku Skimmers)(Citation: Intezer App Service Phishing)Adversaries can avoid the need to upload a tool by having compromised victim machines download the tool directly from a third-party hosting location (ex: a non-adversary controlled GitHub repo), including the original hosting site of the tool.", "similar_words": [ @@ -19656,7 +20256,7 @@ "attack-pattern--51e54974-a541-4fb6-a61b-0518e4c6de41": { "name": "Threat Intel Vendors", "example_uses": [], - "description": "Adversaries may search private data from threat intelligence vendors for information that can be used during targeting. Threat intelligence vendors may offer paid feeds or portals that offer more data than what is publicly reported. Although sensitive details (such as customer names and other identifiers) may be redacted, this information may contain trends regarding breaches such as target industries, attribution claims, and successful TTPs/countermeasures.(Citation: D3Secutrity CTI Feeds)Adversaries may search in private threat intelligence vendor data to gather actionable information. Threat actors may seek information/indicators gathered about their own campaigns, as well as those conducted by other adversaries that may align with their target industries, capabilities/objectives, or other operational concerns. Information reported by vendors may also reveal opportunities other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190) or [External Remote Services](https://attack.mitre.org/techniques/T1133)).", + "description": "Adversaries may search private data from threat intelligence vendors for information that can be used during targeting. Threat intelligence vendors may offer paid feeds or portals that offer more data than what is publicly reported. Although sensitive details (such as customer names and other identifiers) may be redacted, this information may contain trends regarding breaches such as target industries, attribution claims, and successful TTPs/countermeasures.(Citation: D3Secutrity CTI Feeds)Adversaries may search in private threat intelligence vendor data to gather actionable information. If a threat actor is searching for information on their own activities, that falls under [Search Threat Vendor Data](https://attack.mitre.org/techniques/T1681). Information reported by vendors may also reveal opportunities other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190) or [External Remote Services](https://attack.mitre.org/techniques/T1133)).", "similar_words": [ "Threat Intel Vendors" ], @@ -19684,7 +20284,9 @@ "During threat actors targeted people based on their organizational roles and privileges.", "has acquired mobile phone numbers of potential targets possibly for mobile malware or additional phishing operations.", "has identified ways to engage targets by researching potential victims' interests and social or professional contacts.", - "has gathered victim identify information during pre-compromise reconnaissance." + "has gathered victim identify information during pre-compromise reconnaissance.", + "has used information from previous data breaches to identify employee names to be used in social engineering.", + "has researched specific professional groups such as software developers for targeting. has also researched individuals who work in roles related to cryptocurrency and blockchain technologies." ], "description": "Adversaries may gather information about the victim's identity that can be used during targeting. Information about identities may include a variety of details, including personal data (ex: employee names, email addresses, security question responses, etc.) as well as sensitive details such as credentials or multi-factor authentication (MFA) configurations.Adversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about users could also be enumerated via other active means (i.e. [Active Scanning](https://attack.mitre.org/techniques/T1595)) such as probing and analyzing responses from authentication services that may reveal valid usernames in a system or permitted MFA /methods associated with those usernames.(Citation: GrimBlog UsernameEnum)(Citation: Obsidian SSPR Abuse 2023) Information about victims may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: OPM Leak)(Citation: Register Deloitte)(Citation: Register Uber)(Citation: Detectify Slack Tokens)(Citation: Forbes GitHub Creds)(Citation: GitHub truffleHog)(Citation: GitHub Gitrob)(Citation: CNET Leaks)Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)).", "similar_words": [ @@ -19735,7 +20337,11 @@ "has modified Windows firewall rules to enable remote access.", "modified system firewalls to add two open listening ports on 9998 and 9999 during .", "modified system firewall settings during installation using `netsh.exe` to open a listening random high number port on victim devices.", - "modified firewall rules on victim machines to enable remote system discovery." + "modified firewall rules on victim machines to enable remote system discovery.", + "can use the Django python module django.views.decorators.csrf along with the decorator csrf_exempt within victim firewalls to disable cross-site request forgery protections.", + "has used the TABLEFLIP traffic redirection utility and the esxcli command line to modify firewall rules.", + "has utilized to execute batch scripts that modify firewall settings. has also enabled and modified firewall rules to allow for RDP connections for lateral movement and device interactions.", + "has added a firewall rule to allow TCP port 59999 inbound and a rule to allow sshd.exe on TCP port 9898." ], "description": "Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel.Modifying or disabling a system firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed. For example, adversaries may add a new firewall rule for a well-known protocol (such as RDP) using a non-traditional and potentially less securitized port (i.e. [Non-Standard Port](https://attack.mitre.org/techniques/T1571)).(Citation: change_rdp_port_conti)Adversaries may also modify host networking settings that indirectly manipulate system firewalls, such as interface bandwidth or network connection request thresholds.(Citation: Huntress BlackCat) Settings related to enabling abuse of various [Remote Services](https://attack.mitre.org/techniques/T1021) may also indirectly modify firewall rules.In ESXi, firewall rules may be modified directly via the esxcli command line interface (e.g., via `esxcli network firewall set`) or via the vCenter user interface.(Citation: Trellix Rnasomhouse 2024)(Citation: Broadcom ESXi Firewall)", "similar_words": [ @@ -19844,7 +20450,8 @@ "A variant used SMTP for C2.", "uses the IMAP email protocol for command and control purposes.", "can communicates with C2 using email messages via the Outlook Messaging API (MAPI).", - "can receive and send back the results of executed C2 commands through email." + "can receive and send back the results of executed C2 commands through email.", + "has utilized email notifications from malware distribution servers to track victim engagement." ], "description": "Adversaries may communicate using application layer protocols associated with electronic mail delivery to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. Protocols such as SMTP/S, POP3/S, and IMAP that carry electronic mail may be very common in environments. Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the email messages themselves. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.(Citation: FireEye APT28) ", "similar_words": [ @@ -19880,7 +20487,8 @@ "has scanned for vulnerabilities in the public-facing servers of their targets.", "has used publicly available tools such as MASSCAN and Acunetix for vulnerability scanning of public-facing infrastructure.", "has used remotely-hosted instances of the Acunetix vulnerability scanner.", - "has conducted reconnaissance against target networks of interest looking for vulnerable end-of-life or no longer maintainted devices against which to rapidly deploy exploits." + "has conducted reconnaissance against target networks of interest looking for vulnerable end-of-life or no longer maintainted devices against which to rapidly deploy exploits.", + "During threat actors scanned for SharePoint servers vulnerable to CVE-2025-53770." ], "description": "Adversaries may scan victims for vulnerabilities that can be used during targeting. Vulnerability scans typically check if the configuration of a target host/application (ex: software and version) potentially aligns with the target of a specific exploit the adversary may seek to use.These scans may also include more broad attempts to [Gather Victim Host Information](https://attack.mitre.org/techniques/T1592) that can be used to identify more commonly known, exploitable vulnerabilities. Vulnerability scans typically harvest running software and version numbers via server banners, listening ports, or other network artifacts.(Citation: OWASP Vuln Scanning) Information from these scans may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190)).", "similar_words": [ @@ -19893,7 +20501,8 @@ "example_uses": [ "leverages the AWS CLI for its operations.", "has leveraged AWS CLI to enumerate cloud environments with compromised credentials.", - "has leveraged the Microsoft Graph API to perform various actions across Azure and M365 environments. They have also utilized AADInternals PowerShell Modules to access the API" + "has leveraged the Microsoft Graph API to perform various actions across Azure and M365 environments. They have also utilized AADInternals PowerShell Modules to access the API", + "has leveraged Cloud CLI to execute commands and exfiltrate data from compromised environments." ], "description": "Adversaries may abuse cloud APIs to execute malicious commands. APIs available in cloud environments provide various functionalities and are a feature-rich method for programmatic access to nearly all aspects of a tenant. These APIs may be utilized through various methods such as command line interpreters (CLIs), in-browser Cloud Shells, [PowerShell](https://attack.mitre.org/techniques/T1059/001) modules like Azure for PowerShell(Citation: Microsoft - Azure PowerShell), or software developer kits (SDKs) available for languages such as [Python](https://attack.mitre.org/techniques/T1059/006). Cloud API functionality may allow for administrative access across all major services in a tenant such as compute, storage, identity and access management (IAM), networking, and security policies.With proper permissions (often via use of credentials such as [Application Access Token](https://attack.mitre.org/techniques/T1550/001) and [Web Session Cookie](https://attack.mitre.org/techniques/T1550/004)), adversaries may abuse cloud APIs to invoke various functions that execute malicious actions. For example, CLI and PowerShell functionality may be accessed through binaries installed on cloud-hosted or on-premises hosts or accessed through a browser-based cloud shell offered by many cloud platforms (such as AWS, Azure, and GCP). These cloud shells are often a packaged unified environment to use CLI and/or scripting modules hosted as a container in the cloud environment. ", "similar_words": [ @@ -19916,7 +20525,8 @@ "attack-pattern--561ae9aa-c28a-4144-9eec-e7027a14c8c3": { "name": "Electron Applications", "example_uses": [ - "as leveraged Electron Applications to disable GPU sandboxing to avoid detection by security software." + "as leveraged Electron Applications to disable GPU sandboxing to avoid detection by security software.", + "During the leveraged the 3CX application's electron framework to execute its malicious libraries under the official 3CX electron application." ], "description": "Adversaries may abuse components of the Electron framework to execute malicious code. The Electron framework hosts many common applications such as Signal, Slack, and Microsoft Teams.(Citation: Electron 2) Originally developed by GitHub, Electron is a cross-platform desktop application development framework that employs web technologies like JavaScript, HTML, and CSS.(Citation: Electron 3) The Chromium engine is used to display web content and Node.js runs the backend code.(Citation: Electron 1)Due to the functional mechanics of Electron (such as allowing apps to run arbitrary commands), adversaries may also be able to perform malicious functions in the background potentially disguised as legitimate tools within the framework.(Citation: Electron 1) For example, the abuse of `teams.exe` and `chrome.exe` may allow adversaries to execute malicious commands as child processes of the legitimate application (e.g., `chrome.exe --disable-gpu-sandbox --gpu-launcher=\"C:\\Windows\\system32\\cmd.exe /c calc.exe`).(Citation: Electron 6-8)Adversaries may also execute malicious content by planting malicious [JavaScript](https://attack.mitre.org/techniques/T1059/007) within Electron applications.(Citation: Electron Security)", "similar_words": [ @@ -19975,7 +20585,9 @@ "can persist via a LaunchDaemon.", "can establish persistence via a Launch Daemon.", "uses the ssh launchdaemon to elevate privileges bypass system controls and enable remote access to the victim.", - "has placed a plist file within the LaunchDaemons folder and launched it manually." + "has placed a plist file within the LaunchDaemons folder and launched it manually.", + "The launcher can daemonize a process.", + "During the installs a Launch Daemon to execute the POOLRAT macOS backdoor software." ], "description": "Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence. Launch Daemons are plist files used to interact with Launchd, the service management framework used by macOS. Launch Daemons require elevated privileges to install, are executed for every user on a system prior to login, and run in the background without the need for user interaction. During the macOS initialization startup, the launchd process loads the parameters for launch-on-demand system-level daemons from plist files found in /System/Library/LaunchDaemons/ and /Library/LaunchDaemons/. Required Launch Daemons parameters include a Label to identify the task, Program to provide a path to the executable, and RunAtLoad to specify when the task is run. Launch Daemons are often used to provide access to shared resources, updates to software, or conduct automation tasks.(Citation: AppleDocs Launch Agent Daemons)(Citation: Methods of Mac Malware Persistence)(Citation: launchd Keywords for plists)Adversaries may install a Launch Daemon configured to execute at startup by using the RunAtLoad parameter set to true and the Program parameter set to the malicious executable path. The daemon name may be disguised by using a name from a related operating system or benign software (i.e. [Masquerading](https://attack.mitre.org/techniques/T1036)). When the Launch Daemon is executed, the program inherits administrative permissions.(Citation: WireLurker)(Citation: OSX Malware Detection)Additionally, system configuration changes (such as the installation of third party package managing software) may cause folders such as usr/local/bin to become globally writeable. So, it is possible for poor configurations to allow an adversary to modify executables referenced by current Launch Daemon's plist files.(Citation: LaunchDaemon Hijacking)(Citation: sentinelone macos persist Jun 2019)", "similar_words": [ @@ -19987,7 +20599,9 @@ "name": "Cloud Infrastructure Discovery", "example_uses": [ "enumerates cloud environments to identify server and backup management infrastructure resource access databases and storage containers.", - "can enumerate AWS infrastructure such as EC2 instances." + "can enumerate AWS infrastructure such as EC2 instances.", + "enumerates cloud environments including Amazon Web Services (AWS) S3 buckets to identify server and backup management infrastructure resource access databases and storage containers .", + "has enumerated compromised cloud environments to identify critical assets data stores and back resources." ], "description": "An adversary may attempt to discover infrastructure and resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes compute service resources such as instances, virtual machines, and snapshots as well as resources of other services including the storage and database services.Cloud providers offer methods such as APIs and commands issued through CLIs to serve information about infrastructure. For example, AWS provides a DescribeInstances API within the Amazon EC2 API that can return information about one or more instances within an account, the ListBuckets API that returns a list of all buckets owned by the authenticated sender of the request, the HeadBucket API to determine a buckets existence along with access permissions of the request sender, or the GetPublicAccessBlock API to retrieve access block configuration for a bucket.(Citation: Amazon Describe Instance)(Citation: Amazon Describe Instances API)(Citation: AWS Get Public Access Block)(Citation: AWS Head Bucket) Similarly, GCP's Cloud SDK CLI provides the gcloud compute instances list command to list all Google Compute Engine instances in a project (Citation: Google Compute Instances), and Azure's CLI command az vm list lists details of virtual machines.(Citation: Microsoft AZ CLI) In addition to API commands, adversaries can utilize open source tools to discover cloud storage infrastructure through [Wordlist Scanning](https://attack.mitre.org/techniques/T1595/003).(Citation: Malwarebytes OSINT Leaky Buckets - Hioureas)An adversary may enumerate resources using a compromised user's access keys to determine which are available to that user.(Citation: Expel IO Evil in AWS) The discovery of these available resources may help adversaries determine their next steps in the Cloud environment, such as establishing Persistence.(Citation: Mandiant M-Trends 2020)An adversary may also use this information to change the configuration to make the bucket publicly accessible, allowing data to be accessed without authentication. Adversaries have also may use infrastructure discovery APIs such as DescribeDBInstances to determine size, owner, permissions, and network ACLs of database resources. (Citation: AWS Describe DB Instances) Adversaries can use this information to determine the potential value of databases and discover the requirements to access them. Unlike in [Cloud Service Discovery](https://attack.mitre.org/techniques/T1526), this technique focuses on the discovery of components of the provided services rather than the services themselves.", "similar_words": [ @@ -20081,7 +20695,10 @@ "has stolen credentials stored in Chrome.", "can gather credentials from several web browsers.", "has used custom malware to steal credentials.", - "During used the CDumper (Chrome browser) and EDumper (Edge browser) to collect credentials." + "During used the CDumper (Chrome browser) and EDumper (Edge browser) to collect credentials.", + "has stolen passwords saved in web browsers. has also been known to collect login data from Firefox within key3.db key4.db and logins.json from `/.mozilla/firefox/` for exfiltration.", + "has stolen login data autofill data cryptocurrency wallets and payment information saved in web browsers such as Chrome Brave Opera Yandex and Edge to include versions affiliated with major operating systems on Windows Linux and macOS. has also leveraged the command `ssh_zcp` to copy browser data to include extensions and cryptocurrency wallet data.", + "was designed to steal sensitive information from web browsers including credit card details saved credentials and autocomplete data. can also gather credentials from several browsers." ], "description": "Adversaries may acquire credentials from web browsers by reading files specific to the target browser.(Citation: Talos Olympic Destroyer 2018) Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store; however, methods exist to extract plaintext credentials from web browsers.For example, on Windows systems, encrypted credentials may be obtained from Google Chrome by reading a database file, AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data and executing a SQL query: SELECT action_url, username_value, password_value FROM logins;. The plaintext password can then be obtained by passing the encrypted credentials to the Windows API function CryptUnprotectData, which uses the victims cached logon credentials as the decryption key.(Citation: Microsoft CryptUnprotectData April 2018) Adversaries have executed similar procedures for common web browsers such as FireFox, Safari, Edge, etc.(Citation: Proofpoint Vega Credential Stealer May 2018)(Citation: FireEye HawkEye Malware July 2017) Windows stores Internet Explorer and Microsoft Edge credentials in Credential Lockers managed by the [Windows Credential Manager](https://attack.mitre.org/techniques/T1555/004).Adversaries may also acquire credentials by searching web browser process memory for patterns that commonly match credentials.(Citation: GitHub Mimikittenz July 2016)After acquiring credentials from web browsers, adversaries may attempt to recycle the credentials across different systems and/or accounts in order to expand access. This can result in significantly furthering an adversary's objective in cases where credentials gained from web browsers overlap with privileged accounts (e.g. domain administrator).", "similar_words": [ @@ -20171,7 +20788,10 @@ "The installer has been padded with null bytes to inflate its size.", "has been obfuscated with a 129 byte sequence of junk data prepended to the file.", "configuration file is appended to the end of the binary. For example the last `0x1d0` bytes of one sample is an AES encrypted configuration file with a static key of `3e2717e8b3873b29`.", - "has used binary padding to obfuscate payloads." + "has used binary padding to obfuscate payloads.", + "has performed padding of PowerShell command line code with over 100 spaces.", + "has utilized junk code and opaque predicates in payloads to hinder analysis.", + "has used randomized padding to obfuscate payloads." ], "description": "Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This can be done without affecting the functionality or behavior of a binary, but can increase the size of the binary beyond what some security tools are capable of handling due to file size limitations. Binary padding effectively changes the checksum of the file and can also be used to avoid hash-based blocklists and static anti-virus signatures.(Citation: ESET OceanLotus) The padding used is commonly generated by a function to create junk data and then appended to the end or applied to sections of malware.(Citation: Securelist Malware Tricks April 2017) Increasing the file size may decrease the effectiveness of certain tools and detection capabilities that are not designed or configured to scan large files. This may also reduce the likelihood of being collected for analysis. Public file scanning services, such as VirusTotal, limits the maximum size of an uploaded file to be analyzed.(Citation: VirusTotal FAQ) ", "similar_words": [ @@ -20240,7 +20860,10 @@ "is a reverse TCP shell with command and control capabilities used for persistence purposes.", "has used ASPX web shells following exploitation of vulnerabilities in services such as Microsoft Exchange.", "is a web shell that has been installed on exposed web servers for access to victim environments.", - "deployed the web shell during intrusion operations." + "deployed the web shell during intrusion operations.", + "During threat actors followed exploitation of SharePoint servers with installation of a malicious .aspx web shell (spinstall0.aspx) that was written to the `_layouts/15/` directory granting persistent HTTP-based access.", + "has used web shells to maintain access to victims environments.", + "has utilized webshells to an exploited Microsoft Exchange Server." ], "description": "Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to access the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server.(Citation: volexity_0day_sophos_FW)In addition to a server-side script, a Web shell may have a client interface program that is used to talk to the Web server (e.g. [China Chopper](https://attack.mitre.org/software/S0020) Web shell client).(Citation: Lee 2013)", "similar_words": [ @@ -20261,7 +20884,10 @@ "During the leveraged Group Policy Objects (GPOs) to deploy and execute malware.", "used scheduled tasks created via Group Policy Objects (GPOs) to deploy ransomware.", "can enable options for propogation through Group Policy Objects.", - "can modify Group Policy to disable Windows Defender and to automatically infect devices in Windows domains." + "can modify Group Policy to disable Windows Defender and to automatically infect devices in Windows domains.", + "distributed Group Policy Objects to tamper with security products.", + "During threat actors including Storm-2603 modified group policy to enable ransomware distribution.", + "has pushed a scheduled task via a Group Policy Object for payload execution." ], "description": "Adversaries may modify Group Policy Objects (GPOs) to subvert the intended discretionary access controls for a domain, usually with the intention of escalating privileges on the domain. Group policy allows for centralized management of user and computer settings in Active Directory (AD). GPOs are containers for group policy settings made up of files stored within a predictable network path `\\\\SYSVOL\\\\Policies\\`.(Citation: TechNet Group Policy Basics)(Citation: ADSecurity GPO Persistence 2016) Like other objects in AD, GPOs have access controls associated with them. By default all user accounts in the domain have permission to read GPOs. It is possible to delegate GPO access control permissions, e.g. write access, to specific users or groups in the domain.Malicious GPO modifications can be used to implement many other malicious behaviors such as [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001), [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105), [Create Account](https://attack.mitre.org/techniques/T1136), [Service Execution](https://attack.mitre.org/techniques/T1569/002), and more.(Citation: ADSecurity GPO Persistence 2016)(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions)(Citation: Mandiant M Trends 2016)(Citation: Microsoft Hacking Team Breach) Since GPOs can control so many user and machine settings in the AD environment, there are a great number of potential attacks that can stem from this GPO abuse.(Citation: Wald0 Guide to GPOs)For example, publicly available scripts such as New-GPOImmediateTask can be leveraged to automate the creation of a malicious [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053) by modifying GPO settings, in this case modifying <GPO_PATH>\\Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml.(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions) In some cases an adversary might modify specific user rights like SeEnableDelegationPrivilege, set in <GPO_PATH>\\MACHINE\\Microsoft\\Windows NT\\SecEdit\\GptTmpl.inf, to achieve a subtle AD backdoor with complete control of the domain because the user account under the adversary's control would then be able to modify GPOs.(Citation: Harmj0y SeEnableDelegationPrivilege Right)", "similar_words": [ @@ -20288,7 +20914,8 @@ "has intercepted unencrypted private keys as well as private key pass-phrases.", "can steal keys for VPNs and cryptocurrency wallets.", "has accessed a Local State file that contains the AES key used to encrypt passwords stored in the Chrome browser.", - "collects all data in victim `.ssh` folders by creating a compressed copy that is subsequently exfiltrated to command and control infrastructure. also collects key information associated with the Government Public Key Infrastructure (GPKI) service for South Korean government information systems." + "collects all data in victim `.ssh` folders by creating a compressed copy that is subsequently exfiltrated to command and control infrastructure. also collects key information associated with the Government Public Key Infrastructure (GPKI) service for South Korean government information systems.", + "has leveraged the Azure Owner role to access and steal the Storage Account Access keys using the `Microsoft.Storage/storageAccounts/listkeys/action` operation." ], "description": "Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials. Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures.(Citation: Wikipedia Public Key Crypto) Common key and certificate file extensions include: .key, .pgp, .gpg, .ppk., .p12, .pem, .pfx, .cer, .p7b, .asc. Adversaries may also look in common key directories, such as ~/.ssh for SSH keys on * nix-based systems or C:\Users\(username)\.ssh\ on Windows. Adversary tools may also search compromised systems for file extensions relating to cryptographic keys and certificates.(Citation: Kaspersky Careto)(Citation: Palo Alto Prince of Persia)When a device is registered to Entra ID, a device key and a transport key are generated and used to verify the devices identity.(Citation: Microsoft Primary Refresh Token) An adversary with access to the device may be able to export the keys in order to impersonate the device.(Citation: AADInternals Azure AD Device Identities)On network devices, private keys may be exported via [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `crypto pki export`.(Citation: cisco_deploy_rsa_keys) Some private keys require a password or passphrase for operation, so an adversary may also use [Input Capture](https://attack.mitre.org/techniques/T1056) for keylogging or attempt to [Brute Force](https://attack.mitre.org/techniques/T1110) the passphrase off-line. These private keys can be used to authenticate to [Remote Services](https://attack.mitre.org/techniques/T1021) like SSH or for use in decrypting other collected files such as email.", "similar_words": [ @@ -20327,7 +20954,8 @@ "tracks `TrustedHosts` and can move laterally to these targets via WinRM.", "has used WinRM to enable remote execution.", "has used Window Remote Management to move laterally through a victim network.", - "During threat actors used WinRM to move laterally in targeted networks." + "During threat actors used WinRM to move laterally in targeted networks.", + "has utilized the post-exploitation tool known as Evil-WinRM that uses PowerShell over Windows Remote Management (WinRM) for remote code execution." ], "description": "Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.WinRM is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services).(Citation: Microsoft WinRM) It may be called with the `winrm` command or by any number of programs such as PowerShell.(Citation: Jacobsen 2014) WinRM can be used as a method of remotely interacting with [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047).(Citation: MSDN WMI)", "similar_words": [ @@ -20354,7 +20982,8 @@ "enabled and used the default system managed account DefaultAccount via `powershell.exe /c net user DefaultAccount /active:yes` to connect to a targeted Exchange server over RDP.", "infected WinCC machines via a hardcoded database server password.", "During threat actors used the built-in administrator account to move laterally using RDP and .", - "has abused default user names and passwords in externally-accessible IP cameras for initial access." + "has abused default user names and passwords in externally-accessible IP cameras for initial access.", + "has harvested and used vCenter Server service accounts." ], "description": "Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS, the root user account in ESXi, and the default service account in Kubernetes.(Citation: Microsoft Local Accounts Feb 2019)(Citation: AWS Root User)(Citation: Threat Matrix for Kubernetes)Default accounts are not limited to client machines; rather, they also include accounts that are preset for equipment such as network devices and computer applications, whether they are internal, open source, or commercial. Appliances that come preset with a username and password combination pose a serious threat to organizations that do not change it post installation, as they are easy targets for an adversary. Similarly, adversaries may also utilize publicly disclosed or stolen [Private Keys](https://attack.mitre.org/techniques/T1552/004) or credential materials to legitimately connect to remote environments via [Remote Services](https://attack.mitre.org/techniques/T1021).(Citation: Metasploit SSH Module)Default accounts may be created on a system after initial setup by connecting or integrating it with another application. For example, when an ESXi server is connected to a vCenter server, a default privileged account called `vpxuser` is created on the ESXi server. If a threat actor is able to compromise this accounts credentials (for example, via [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212) on the vCenter host), they will then have access to the ESXi server.(Citation: Google Cloud Threat Intelligence VMWare ESXi Zero-Day 2023)(Citation: Pentera vCenter Information Disclosure)", "similar_words": [ @@ -20391,7 +21020,8 @@ "copies the malicious file /data2/.bd.key/preload.so to /lib/preload.so then launches a child process that executes the malicious file /data2/.bd.key/authd as /bin/authd with the arguments /lib/preload.so reboot newreboot 1. This injects the malicious preload.so file into the process with PID 1 and replaces its reboot function with the malicious newreboot function for persistence.", "has injected its dynamic library into descendent processes of sshd via LD_PRELOAD.", "modified the ld.so preload file in Linux environments to enable persistence for Winnti malware.", - "When is running as an OpenSSH server it uses LD_PRELOAD to inject its malicious shared module in to programs launched by SSH sessions. hooks the following functions from `libc` to inject into subprocesses; `system` `popen` `execve` `execvpe` `execv` `execvp` and `execl`." + "When is running as an OpenSSH server it uses LD_PRELOAD to inject its malicious shared module in to programs launched by SSH sessions. hooks the following functions from `libc` to inject into subprocesses; `system` `popen` `execve` `execvpe` `execv` `execvp` and `execl`.", + "can execute code through dynamic linker hijacking of the `LD_PRELOAD` library." ], "description": "Adversaries may execute their own malicious payloads by hijacking environment variables the dynamic linker uses to load shared libraries. During the execution preparation phase of a program, the dynamic linker loads specified absolute paths of shared libraries from various environment variables and files, such as LD_PRELOAD on Linux or DYLD_INSERT_LIBRARIES on macOS.(Citation: TheEvilBit DYLD_INSERT_LIBRARIES)(Citation: Timac DYLD_INSERT_LIBRARIES)(Citation: Gabilondo DYLD_INSERT_LIBRARIES Catalina Bypass) Libraries specified in environment variables are loaded first, taking precedence over system libraries with the same function name.(Citation: Man LD.SO)(Citation: TLDP Shared Libraries)(Citation: Apple Doco Archive Dynamic Libraries) Each platform's linker uses an extensive list of environment variables at different points in execution. These variables are often used by developers to debug binaries without needing to recompile, deconflict mapped symbols, and implement custom functions in the original library.(Citation: Baeldung LD_PRELOAD)Hijacking dynamic linker variables may grant access to the victim process's memory, system/network resources, and possibly elevated privileges. On Linux, adversaries may set LD_PRELOAD to point to malicious libraries that match the name of legitimate libraries which are requested by a victim program, causing the operating system to load the adversary's malicious code upon execution of the victim program. For example, adversaries have used `LD_PRELOAD` to inject a malicious library into every descendant process of the `sshd` daemon, resulting in execution under a legitimate process. When the executing sub-process calls the `execve` function, for example, the malicious librarys `execve` function is executed rather than the system function `execve` contained in the system library on disk. This allows adversaries to [Hide Artifacts](https://attack.mitre.org/techniques/T1564) from detection, as hooking system functions such as `execve` and `readdir` enables malware to scrub its own artifacts from the results of commands such as `ls`, `ldd`, `iptables`, and `dmesg`.(Citation: ESET Ebury Oct 2017)(Citation: Intezer Symbiote 2022)(Citation: Elastic Security Labs Pumakit 2024)Hijacking dynamic linker variables may grant access to the victim process's memory, system/network resources, and possibly elevated privileges.", "similar_words": [ @@ -20432,7 +21062,7 @@ "has created local system accounts and has added the accounts to privileged groups.", "created a local account on victim machines to maintain access." ], - "description": "Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. For example, with a sufficient level of access, the Windows net user /add command can be used to create a local account. In Linux, the `useradd` command can be used, while on macOS systems, the dscl -create command can be used. Local accounts may also be added to network devices, often via common [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as username, to ESXi servers via `esxcli system account add`, or to Kubernetes clusters using the `kubectl` utility.(Citation: cisco_username_cmd)(Citation: Kubernetes Service Accounts Security)Such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.", + "description": "Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. For example, with a sufficient level of access, the Windows net user /add command can be used to create a local account. In Linux, the `useradd` command can be used, while on macOS systems, the dscl -create command can be used. Local accounts may also be added to network devices, often via common [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as username, to ESXi servers via `esxcli system account add`, or to Kubernetes clusters using the `kubectl` utility.(Citation: cisco_username_cmd)(Citation: Kubernetes Service Accounts Security)Adversaries may also create new local accounts on network firewall management consoles for example, by exploiting a vulnerable firewall management system, threat actors may be able to establish super-admin accounts that could be used to modify firewall rules and gain further access to the network.(Citation: Cyber Security News)Such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.", "similar_words": [ "Local Account" ], @@ -20480,7 +21110,8 @@ "can delete events from the Security System and Application logs.", "calls to clear the Windows PowerShell and Microsoft-Windows-Powershell/Operational logs.", "can delete log files through the use of wevtutil.", - "has cleared actor-performed actions from logs." + "has cleared actor-performed actions from logs.", + "has the ability to clear Windows Event Logs." ], "description": "Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Windows Event Logs are a record of a computer's alerts and notifications. There are three system-defined sources of events: System, Application, and Security, with five event types: Error, Warning, Information, Success Audit, and Failure Audit.With administrator privileges, the event logs can be cleared with the following utility commands:* wevtutil cl system* wevtutil cl application* wevtutil cl securityThese logs may also be cleared through other mechanisms, such as the event viewer GUI or [PowerShell](https://attack.mitre.org/techniques/T1059/001). For example, adversaries may use the PowerShell command Remove-EventLog -LogName Security to delete the Security EventLog and after reboot, disable future logging. Note: events may still be generated and logged in the .evtx file between the time the command is run and the reboot.(Citation: disable_win_evt_logging)Adversaries may also attempt to clear logs by directly deleting the stored log files within `C:\\Windows\\System32\\winevt\\logs\\`.", "similar_words": [ @@ -20511,7 +21142,12 @@ "has created email accounts to interact with victims including for phishing purposes.", "has registered impersonation email accounts to spoof experts in a particular field or individuals and organizations affiliated with the intended target.", "has created dedicated email accounts for use with tools such as .", - "has created email accounts to use in spearphishing operations." + "has created email accounts to use in spearphishing operations.", + "has leveraged the legitimate email marketing service SMTP2Go for phishing campaigns. has also created fake Google accounts to distribute malware via spear-phishing emails. has also created accounts for spearphishing operations including the use of services such as Proton Mail.", + "During threat actors registered emails shinycorp@tuta[.]com and shinygroup@tuta[.]com to send victims extortion demands.", + "has created email accounts used in ransomware negotiations.", + "During threat actors created Proton mail accounts for communication with organizations infected with ransomware.", + "has created fake email accounts to correspond with social media accounts fake LinkedIn personas code repository accounts and job announcements on development job board services. has also utilized fake email accounts with Threat Intelligence vendor services." ], "description": "Adversaries may create email accounts that can be used during targeting. Adversaries can use accounts created with email providers to further their operations, such as leveraging them to conduct [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Phishing](https://attack.mitre.org/techniques/T1566).(Citation: Mandiant APT1) Establishing email accounts may also allow adversaries to abuse free services such as trial periods to [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) for follow-on purposes.(Citation: Free Trial PurpleUrchin)Adversaries may also take steps to cultivate a persona around the email account, such as through use of [Social Media Accounts](https://attack.mitre.org/techniques/T1585/001), to increase the chance of success of follow-on behaviors. Created email accounts can also be used in the acquisition of infrastructure (ex: [Domains](https://attack.mitre.org/techniques/T1583/001)).(Citation: Mandiant APT1)To decrease the chance of physically tying back operations to themselves, adversaries may make use of disposable email services.(Citation: Trend Micro R980 2016) ", "similar_words": [ @@ -20610,7 +21246,12 @@ "uses legitimate Sysinternals tools such as procdump to dump LSASS memory.", "has used and the Windows Task Manager to dump LSASS process memory.", "used to obtain passwords from memory.", - "has a built-in `procdump` command allowing for retrieval of memory from processes such as `lsass.exe` for credential harvesting." + "has a built-in `procdump` command allowing for retrieval of memory from processes such as `lsass.exe` for credential harvesting.", + "During threat actors used to dump LSASS memory.", + "has harvested credentials from memory of lssas.exe with .", + "has leveraged to dump LSASS to harvest credentials.", + "has used MiniDump to dump process memory and search for cleartext credentials.", + "can employ an embedded module to dump LSASS memory." ], "description": "Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct [Lateral Movement](https://attack.mitre.org/tactics/TA0008) using [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550).As well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system.For example, on the target host use procdump:* procdump -ma lsass.exe lsass_dumpLocally, mimikatz can be run using:* sekurlsa::Minidump lsassdump.dmp* sekurlsa::logonPasswordsBuilt-in Windows tools such as `comsvcs.dll` can also be used:* rundll32.exe C:\\Windows\\System32\\comsvcs.dll MiniDump PID lsass.dmp full(Citation: Volexity Exchange Marauder March 2021)(Citation: Symantec Attacks Against Government Sector)Similar to [Image File Execution Options Injection](https://attack.mitre.org/techniques/T1546/012), the silent process exit mechanism can be abused to create a memory dump of `lsass.exe` through Windows Error Reporting (`WerFault.exe`).(Citation: Deep Instinct LSASS)Windows Security Support Provider (SSP) DLLs are loaded into LSASS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. The SSP configuration is stored in two Registry keys: HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Security Packages and HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\OSConfig\\Security Packages. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.(Citation: Graeber 2014)The following SSPs can be used to access credentials:* Msv: Interactive logons, batch logons, and service logons are done through the MSV authentication package.* Wdigest: The Digest Authentication protocol is designed for use with Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) exchanges.(Citation: TechNet Blogs Credential Protection)* Kerberos: Preferred for mutual client-server domain authentication in Windows 2000 and later.* CredSSP: Provides SSO and Network Level Authentication for Remote Desktop Services.(Citation: TechNet Blogs Credential Protection)", "similar_words": [ @@ -20632,7 +21273,8 @@ "attack-pattern--67720091-eee3-4d2d-ae16-8264567f6f5b": { "name": "Abuse Elevation Control Mechanism", "example_uses": [ - "implements a variation of the ucmDccwCOMMethod technique abusing the Windows AutoElevate backdoor to bypass UAC while elevating privileges." + "implements a variation of the ucmDccwCOMMethod technique abusing the Windows AutoElevate backdoor to bypass UAC while elevating privileges.", + "has used vSphere Installation Bundles (VIBs) that contained modified descriptor XML files with the `acceptance-level` set to `partner` which allowed for privilege escalation." ], "description": "Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk.(Citation: TechNet How UAC Works)(Citation: sudo man page 2018) An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.(Citation: OSX Keydnap malware)(Citation: Fortinet Fareit)", "similar_words": [ @@ -20654,7 +21296,8 @@ "The third stage can use the AdvancedRun.exe tool to execute commands in the context of the Windows TrustedInstaller group via `%TEMP%\\AdvancedRun.exe /EXEFilename C:\\Windows\\System32\\sc.exe /WindowState 0 /CommandLine stop WinDefend /StartDirectory /RunAs 8 /Run`.", "has duplicated the token of a high integrity process to spawn an instance of cmd.exe under an impersonated user.", "grabs a user token using WTSQueryUserToken and then creates a process by impersonating a logged-on user.", - "can use Invoke-RunAs to make tokens." + "can use Invoke-RunAs to make tokens.", + "included functionality to create sub-processes with a specific users token." ], "description": "Adversaries may create a new process with an existing token to escalate privileges and bypass access controls. Processes can be created with the token and resulting security context of another user using features such as CreateProcessWithTokenW and runas.(Citation: Microsoft RunAs)Creating processes with a token not associated with the current user may require the credentials of the target user, specific privileges to impersonate that user, or access to the token to be used. For example, the token could be duplicated via [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) or created via [Make and Impersonate Token](https://attack.mitre.org/techniques/T1134/003) before being used to create a process.While this technique is distinct from [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001), the techniques can be used in conjunction where a token is duplicated and then used to create a new process.", "similar_words": [ @@ -20688,7 +21331,8 @@ "established persistence by adding a Shell value under the Registry key HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon.", "issues the command reg add HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon to achieve persistence.", "adds the Registry key HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon to establish persistence.", - "can enable automatic logon through the `SOFTWARE\\Microsoft\\WindowsNT\\CurrentVersion\\Winlogon` Registry key." + "can enable automatic logon through the `SOFTWARE\\Microsoft\\WindowsNT\\CurrentVersion\\Winlogon` Registry key.", + "can configure a Winlogon registry entry." ], "description": "Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\\Software[\\\\Wow6432Node\\\\]\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ and HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ are used to manage additional helper programs and functionalities that support Winlogon.(Citation: Cylance Reg Persistence Sept 2013) Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables. Specifically, the following subkeys have been known to be possibly vulnerable to abuse: (Citation: Cylance Reg Persistence Sept 2013)* Winlogon\\Notify - points to notification package DLLs that handle Winlogon events* Winlogon\\Userinit - points to userinit.exe, the user initialization program executed when a user logs on* Winlogon\\Shell - points to explorer.exe, the system shell executed when a user logs onAdversaries may take advantage of these features to repeatedly execute malicious code and establish persistence.", "similar_words": [ @@ -20727,9 +21371,10 @@ "engaged in password spraying via SMB in victim environments.", "has conducted password spraying against Outlook Web Access (OWA) infrastructure to identify valid user names and passwords.", "has gained initial access through password spray attacks.", - "During performed password-spray attacks against public facing services to validate credentials." + "During performed password-spray attacks against public facing services to validate credentials.", + "has conducted a throttled variant of password spraying techniques that only utilized a single attempt to sign in within a 24-hour time period eluding brute force detection thresholds." ], - "description": "Adversaries may use a single or small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials. Password spraying uses one password (e.g. 'Password01'), or a small list of commonly used passwords, that may match the complexity policy of the domain. Logins are attempted with that password against many different accounts on a network to avoid account lockouts that would normally occur when brute forcing a single account with many passwords. (Citation: BlackHillsInfosec Password Spraying)Typically, management services over commonly used ports are used when password spraying. Commonly targeted services include the following:* SSH (22/TCP)* Telnet (23/TCP)* FTP (21/TCP)* NetBIOS / SMB / Samba (139/TCP & 445/TCP)* LDAP (389/TCP)* Kerberos (88/TCP)* RDP / Terminal Services (3389/TCP)* HTTP/HTTP Management Services (80/TCP & 443/TCP)* MSSQL (1433/TCP)* Oracle (1521/TCP)* MySQL (3306/TCP)* VNC (5900/TCP)In addition to management services, adversaries may \"target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols,\" as well as externally facing email applications, such as Office 365.(Citation: US-CERT TA18-068A 2018)In default environments, LDAP and Kerberos connection attempts are less likely to trigger events over SMB, which creates Windows \"logon failure\" event ID 4625.", + "description": "Adversaries may use a single or small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials. Password spraying uses one password (e.g. 'Password01'), or a small list of commonly used passwords, that may match the complexity policy of the domain. Logins are attempted with that password against many different accounts on a network to avoid account lockouts that would normally occur when brute forcing a single account with many passwords. (Citation: BlackHillsInfosec Password Spraying)Typically, management services over commonly used ports are used when password spraying. Commonly targeted services include the following:* SSH (22/TCP)* Telnet (23/TCP)* FTP (21/TCP)* NetBIOS / SMB / Samba (139/TCP & 445/TCP)* LDAP (389/TCP)* Kerberos (88/TCP)* RDP / Terminal Services (3389/TCP)* HTTP/HTTP Management Services (80/TCP & 443/TCP)* MSSQL (1433/TCP)* Oracle (1521/TCP)* MySQL (3306/TCP)* VNC (5900/TCP)In addition to management services, adversaries may \"target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols,\" as well as externally facing email applications, such as Office 365.(Citation: US-CERT TA18-068A 2018)In order to avoid detection thresholds, adversaries may deliberately throttle password spraying attempts to avoid triggering security alerting. Additionally, adversaries may leverage LDAP and Kerberos authentication attempts, which are less likely to trigger high-visibility events such as Windows \"logon failure\" event ID 4625 that is commonly triggered by failed SMB connection attempts.(Citation: Microsoft Storm-0940) ", "similar_words": [ "Password Spraying" ], @@ -20758,7 +21403,8 @@ "uses compromised residential endpoints as proxies for defense evasion and network access.", "has controlled from behind a proxy network to obfuscate the C2 location. has used a series of compromised websites that victims connected to randomly to relay information to command and control (C2).", "has been known to reach a command and control server via one of nine proxy IP addresses.", - "InvisiMole can identify proxy servers used by the victim and use them for C2 communication." + "InvisiMole can identify proxy servers used by the victim and use them for C2 communication.", + "has initialized SOCKS5 proxies on compromised devices." ], "description": "Adversaries may use an external proxy to act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use these types of proxies to manage command and control communications, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths to avoid suspicion.External connection proxies are used to mask the destination of C2 traffic and are typically implemented with port redirectors. Compromised systems outside of the victim environment may be used for these purposes, as well as purchased infrastructure such as cloud-based resources or virtual private servers. Proxies may be chosen based on the low likelihood that a connection to them from a compromised system would be investigated. Victim systems would communicate directly with the external proxy on the Internet and then the proxy would forward communications to the C2 server.", "similar_words": [ @@ -20800,7 +21446,8 @@ "gathered victim email address information for follow-on phishing activity.", "has targeted the personal emails of key network and IT staff at victim organizations.", "utilizes thread spoofing of existing email threads in order to execute spear phishing operations.", - "has collected valid email addresses including personal accounts that were subsequently used for spearphishing and other forms of social engineering." + "has collected valid email addresses including personal accounts that were subsequently used for spearphishing and other forms of social engineering.", + "has gathered targeted individuals e-mail addresses for the password spraying attempts." ], "description": "Adversaries may gather email addresses that can be used during targeting. Even if internal instances exist, organizations may have public-facing email infrastructure and addresses for employees.Adversaries may easily gather email addresses, since they may be readily available and exposed via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: HackersArise Email)(Citation: CNET Leaks) Email addresses could also be enumerated via more active means (i.e. [Active Scanning](https://attack.mitre.org/techniques/T1595)), such as probing and analyzing responses from authentication services that may reveal valid usernames in a system.(Citation: GrimBlog UsernameEnum) For example, adversaries may be able to enumerate email addresses in Office 365 environments by querying a variety of publicly available API endpoints, such as autodiscover and GetCredentialType.(Citation: GitHub Office 365 User Enumeration)(Citation: Azure Active Directory Reconnaisance)Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Email Accounts](https://attack.mitre.org/techniques/T1586/002)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566) or [Brute Force](https://attack.mitre.org/techniques/T1110) via [External Remote Services](https://attack.mitre.org/techniques/T1133)).", "similar_words": [ @@ -20813,7 +21460,9 @@ "example_uses": [ "During used phone calls to instruct victims to navigate to credential-harvesting websites.", "has called victims' help desk to convince the support personnel to reset a privileged accounts credentials.", - "During used phone calls to instruct victims to navigate to credential-harvesting websites. has also called employees at target organizations and compelled them to navigate to fake login portals using adversary-in-the-middle toolkits." + "During used phone calls to instruct victims to navigate to credential-harvesting websites. has also called employees at target organizations and compelled them to navigate to fake login portals using adversary-in-the-middle toolkits.", + "During threat actors initiated voice calls with victims to socially engineer them into authorizing malicious applications or divulging sensitive credentials.", + "has used help desk voice-based phishing and also called employees at target organizations and compelled them to navigate to fake login portals using adversary-in-the-middle toolkits." ], "description": "Adversaries may use voice communications to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Impersonation](https://attack.mitre.org/techniques/T1656)) and/or creating a sense of urgency or alarm for the recipient.All forms of phishing are electronically delivered social engineering. In this scenario, adversaries use phone calls to elicit sensitive information from victims. Known as voice phishing (or \"vishing\"), these communications can be manually executed by adversaries, hired call centers, or even automated via robocalls. Voice phishers may spoof their phone number while also posing as a trusted entity, such as a business partner or technical support staff.(Citation: BOA Telephone Scams)Victims may also receive phishing messages that direct them to call a phone number (\"callback phishing\") where the adversary attempts to collect confidential information.(Citation: Avertium callback phishing)Adversaries may also use information from previous reconnaissance efforts (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)) to tailor pretexts to be even more persuasive and believable for the victim.", "similar_words": [ @@ -20942,7 +21591,8 @@ "attack-pattern--70857657-bd0b-4695-ad3e-b13f92cac1b4": { "name": "Delete Cloud Instance", "example_uses": [ - "has deleted the target's systems and resources in the cloud to trigger the organization's incident and crisis response process." + "has deleted the target's systems and resources in the cloud to trigger the organization's incident and crisis response process.", + "has conducted mass deletion of cloud data stores and resources from Azure subscriptions." ], "description": "An adversary may delete a cloud instance after they have performed malicious activities in an attempt to evade detection and remove evidence of their presence. Deleting an instance or virtual machine can remove valuable forensic artifacts and other evidence of suspicious behavior if the instance is not recoverable.An adversary may also [Create Cloud Instance](https://attack.mitre.org/techniques/T1578/002) and later terminate the instance after achieving their objectives.(Citation: Mandiant M-Trends 2020)", "similar_words": [ @@ -20954,7 +21604,8 @@ "name": "Code Repositories", "example_uses": [ "has searched public code repositories for exposed credentials.", - "has discovered leaked corporate credentials on public repositories including GitHub." + "has discovered leaked corporate credentials on public repositories including GitHub.", + "had identified and solicited victims through code repositories such as GitHub." ], "description": "Adversaries may search public code repositories for information about victims that can be used during targeting. Victims may store code in repositories on various third-party websites such as GitHub, GitLab, SourceForge, and BitBucket. Users typically interact with code repositories through a web application or command-line utilities such as git. Adversaries may search various public code repositories for various information about a victim. Public code repositories can often be a source of various general information about victims, such as commonly used programming languages and libraries as well as the names of employees. Adversaries may also identify more sensitive data, including accidentally leaked credentials or API keys.(Citation: GitHub Cloud Service Credentials) Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Compromise Accounts](https://attack.mitre.org/techniques/T1586) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [Valid Accounts](https://attack.mitre.org/techniques/T1078) or [Phishing](https://attack.mitre.org/techniques/T1566)). **Note:** This is distinct from [Code Repositories](https://attack.mitre.org/techniques/T1213/003), which focuses on [Collection](https://attack.mitre.org/tactics/TA0009) from private and internally hosted code repositories. ", "similar_words": [ @@ -20964,7 +21615,9 @@ }, "attack-pattern--70d81154-b187-45f9-8ec5-295d01255979": { "name": "Executable Installer File Permissions Weakness", - "example_uses": [], + "example_uses": [ + "has leveraged legitimate software installer executables such as Setup Factory IRSetup.exe to drop and execute their payload." + ], "description": "Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.Another variation of this technique can be performed by taking advantage of a weakness that is common in executable, self-extracting installers. During the installation process, it is common for installers to use a subdirectory within the %TEMP% directory to unpack binaries such as DLLs, EXEs, or other payloads. When installers create subdirectories and files they often do not set appropriate permissions to restrict write access, which allows for execution of untrusted code placed in the subdirectories or overwriting of binaries used in the installation process. This behavior is related to and may take advantage of [DLL](https://attack.mitre.org/techniques/T1574/001) search order hijacking.Adversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. Some installers may also require elevated privileges that will result in privilege escalation when executing adversary controlled code. This behavior is related to [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002). Several examples of this weakness in existing common installers have been reported to software vendors.(Citation: mozilla_sec_adv_2012) (Citation: Executable Installers are Vulnerable) If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence.", "similar_words": [ "Executable Installer File Permissions Weakness" @@ -21021,7 +21674,8 @@ "During the created two new accounts admin and (System). The accounts were then assigned to a domain matching local operation and were delegated new privileges.", "has created domain accounts.", "has a module for creating a new domain user if permissions allow.", - "created privileged domain accounts during intrusions." + "created privileged domain accounts during intrusions.", + "has created a domain account within the victim environment." ], "description": "Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover user, administrator, and service accounts. With a sufficient level of access, the net user /add /domain command can be used to create a domain account.(Citation: Savill 1999)Such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.", "similar_words": [ @@ -21115,7 +21769,9 @@ "has acquired and used a variety of malware including .", "has obtained and used leaked malware including DoublePulsar EternalBlue EternalRocks and EternalSynergy in its operations.", "has acquired malware and related tools from dark web forums.", - "During the campaign threat actors used open-source malware post-compromise including a custom variant of the cd00r backdoor." + "During the campaign threat actors used open-source malware post-compromise including a custom variant of the cd00r backdoor.", + "has used the publicly available rootkits and .", + "has obtained malware to use at multiple stages of operations including information stealers remote access tools and ransomware." ], "description": "Adversaries may buy, steal, or download malware that can be used during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, packers, and C2 protocols. Adversaries may acquire malware to support their operations, obtaining a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.In addition to downloading free malware from the internet, adversaries may purchase these capabilities from third-party entities. Third-party entities can include technology companies that specialize in malware development, criminal marketplaces (including Malware-as-a-Service, or MaaS), or from individuals. In addition to purchasing malware, adversaries may steal and repurpose malware from third-party entities (including other adversaries).", "similar_words": [ @@ -21178,7 +21834,8 @@ "created adversary-in-the-middle servers to impersonate legitimate services and enable credential capture.", "staged encryption keys on virtual private servers operated by the adversary.", "has used anonymized infrastructure and Virtual Private Servers (VPSs) to interact with the victims environment.", - "has used acquired Virtual Private Servers as control systems for devices within the ORB network." + "has used acquired Virtual Private Servers as control systems for devices within the ORB network.", + "has acquired virtual private servers from services such as Stark Industries Solutions and RouterHosting. has also utilized hosting providers to include Tier[.]Net Majestic Hosting Leaseweb Singapore and Kaopu Cloud." ], "description": "Adversaries may rent Virtual Private Servers (VPSs)that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. By utilizing a VPS, adversaries can make it difficult to physically tie back operations to them. The use of cloud infrastructure can also make it easier for adversaries to rapidly provision, modify, and shut down their infrastructure.Acquiring a VPS for use in later stages of the adversary lifecycle, such as Command and Control, can allow adversaries to benefit from the ubiquity and trust associated with higher reputation cloud service providers. Adversaries may also acquire infrastructure from VPS service providers that are known for renting VPSs with minimal registration information, allowing for more anonymous acquisitions of infrastructure.(Citation: TrendmicroHideoutsLease)", "similar_words": [ @@ -21346,7 +22003,12 @@ "installation steps include first identifying then stopping any process containing [kworker\\/0:1] then renaming its initial installation stage to this process name.", "disguised as a legitimate Windows binary such as `w3wp.exe` or `conn.exe`.", "has created a scheduled task named `CalendarChecker` for persistence on compromised hosts.", - "masqueraded Registry run keys as legitimate-looking service names such as `OneNote Update` during ." + "masqueraded Registry run keys as legitimate-looking service names such as `OneNote Update` during .", + "has created services that attempt to resemble legitimate services to include a service named `Microsoft Windows DeviceSync Service`.", + "has named a file fgfm in an attempt to disguise it as the legitimate service fgfmd which facilitates communication between FortiManager and the FortiGate firewall.", + "has utilized VMware service names and ports to masquerade as legitimate services.", + "has masqueraded as the legitimate Windows utility service DISMsrv (Dism Images Servicing Utility Service).", + "has utilized masqueraded as svhost.exe and scvhost.exe." ], "description": "Adversaries may attempt to manipulate the name of a task or service to make it appear legitimate or benign. Tasks/services executed by the Task Scheduler or systemd will typically be given a name and/or description.(Citation: TechNet Schtasks)(Citation: Systemd Service Units) Windows services will have a service name as well as a display name. Many benign tasks and services exist that have commonly associated names. Adversaries may give tasks or services names that are similar or identical to those of legitimate ones.Tasks or services contain other fields, such as a description, that adversaries may attempt to make appear legitimate.(Citation: Palo Alto Shamoon Nov 2016)(Citation: Fysbis Dr Web Analysis)", "similar_words": [ @@ -21415,7 +22077,8 @@ "has set up auto forwarding rules on compromised e-mail accounts.", "has set an Office 365 tenant level mail transport rule to send all mail in and out of the targeted organization to the newly created account.", "has set auto-forward rules on victim's e-mail accounts.", - "has abused email forwarding rules to monitor the activities of a victim steal information and maintain persistent access after compromised credentials are reset." + "has abused email forwarding rules to monitor the activities of a victim steal information and maintain persistent access after compromised credentials are reset.", + "has redirected emails notifying users of suspicious account activity." ], "description": "Adversaries may setup email forwarding rules to collect sensitive information. Adversaries may abuse email forwarding rules to monitor the activities of a victim, steal information, and further gain intelligence on the victim or the victims organization to use as part of further exploits or operations.(Citation: US-CERT TA18-068A 2018) Furthermore, email forwarding rules can allow adversaries to maintain persistent access to victim's emails even after compromised credentials are reset by administrators.(Citation: Pfammatter - Hidden Inbox Rules) Most email clients allow users to create inbox rules for various email functions, including forwarding to a different recipient. These rules may be created through a local email application, a web interface, or by command-line interface. Messages can be forwarded to internal or external recipients, and there are no restrictions limiting the extent of this rule. Administrators may also create forwarding rules for user accounts with the same considerations and outcomes.(Citation: Microsoft Tim McMichael Exchange Mail Forwarding 2)(Citation: Mac Forwarding Rules)Any user or administrator within the organization (or adversary with valid credentials) can create rules to automatically forward all received messages to another recipient, forward emails to different locations based on the sender, and more. Adversaries may also hide the rule by making use of the Microsoft Messaging API (MAPI) to modify the rule properties, making it hidden and not visible from Outlook, OWA or most Exchange Administration tools.(Citation: Pfammatter - Hidden Inbox Rules)In some environments, administrators may be able to enable email forwarding rules that operate organization-wide rather than on individual inboxes. For example, Microsoft Exchange supports transport rules that evaluate all mail an organization receives against user-specified conditions, then performs a user-specified action on mail that adheres to those conditions.(Citation: Microsoft Mail Flow Rules 2023) Adversaries that abuse such features may be able to enable forwarding on all or specific mail an organization receives. ", "similar_words": [ @@ -21444,7 +22107,7 @@ "During the registered devices in order to enable mailbox syncing via the `Set-CASMailbox` command.", "During registered devices for MFA to maintain persistence through victims' VPN." ], - "description": "Adversaries may register a device to an adversary-controlled account. Devices may be registered in a multifactor authentication (MFA) system, which handles authentication to the network, or in a device management system, which handles device access and compliance.MFA systems, such as Duo or Okta, allow users to associate devices with their accounts in order to complete MFA requirements. An adversary that compromises a users credentials may enroll a new device in order to bypass initial MFA requirements and gain persistent access to a network.(Citation: CISA MFA PrintNightmare)(Citation: DarkReading FireEye SolarWinds) In some cases, the MFA self-enrollment process may require only a username and password to enroll the account's first device or to enroll a device to an inactive account. (Citation: Mandiant APT29 Microsoft 365 2022)Similarly, an adversary with existing access to a network may register a device to Entra ID and/or its device management system, Microsoft Intune, in order to access sensitive data or resources while bypassing conditional access policies.(Citation: AADInternals - Device Registration)(Citation: AADInternals - Conditional Access Bypass)(Citation: Microsoft DEV-0537) Devices registered in Entra ID may be able to conduct [Internal Spearphishing](https://attack.mitre.org/techniques/T1534) campaigns via intra-organizational emails, which are less likely to be treated as suspicious by the email client.(Citation: Microsoft - Device Registration) Additionally, an adversary may be able to perform a [Service Exhaustion Flood](https://attack.mitre.org/techniques/T1499/002) on an Entra ID tenant by registering a large number of devices.(Citation: AADInternals - BPRT)", + "description": "Adversaries may register a device to an adversary-controlled account. Devices may be registered in a multifactor authentication (MFA) system, which handles authentication to the network, or in a device management system, which handles device access and compliance.MFA systems, such as Duo or Okta, allow users to associate devices with their accounts in order to complete MFA requirements. An adversary that compromises a users credentials may enroll a new device in order to bypass initial MFA requirements and gain persistent access to a network.(Citation: CISA MFA PrintNightmare)(Citation: DarkReading FireEye SolarWinds) In some cases, the MFA self-enrollment process may require only a username and password to enroll the account's first device or to enroll a device to an inactive account. (Citation: Mandiant APT29 Microsoft 365 2022)Similarly, an adversary with existing access to a network may register a device or a virtual machine to Entra ID and/or its device management system, Microsoft Intune, in order to access sensitive data or resources while bypassing conditional access policies.(Citation: AADInternals - Device Registration)(Citation: AADInternals - Conditional Access Bypass)(Citation: Microsoft DEV-0537)(Citation: Expel Atlas Lion 2025)Devices registered in Entra ID may be able to conduct [Internal Spearphishing](https://attack.mitre.org/techniques/T1534) campaigns via intra-organizational emails, which are less likely to be treated as suspicious by the email client.(Citation: Microsoft - Device Registration) Additionally, an adversary may be able to perform a [Service Exhaustion Flood](https://attack.mitre.org/techniques/T1499/002) on an Entra ID tenant by registering a large number of devices.(Citation: AADInternals - BPRT)", "similar_words": [ "Device Registration" ], @@ -21517,7 +22180,9 @@ "has injected into the Explorer.exe process on comrpomised hosts.", "can use its own PE loader to execute payloads in memory.", "can inject its decrypted payload into another process.", - "following payload decryption creates a process hard-coded into the dropped (e.g. WerFault.exe) and injects the decrypted core modules into it." + "following payload decryption creates a process hard-coded into the dropped (e.g. WerFault.exe) and injects the decrypted core modules into it.", + "has itself injected into `C:\\\\Windows\\\\System32\\\\Werfault.exe` on targeted systems.", + "During the uses the SigFlip tool to inject arbitrary code without affecting or breaking the file's signature." ], "description": "Adversaries may inject portable executables (PE) into processes in order to evade process-based defenses as well as possibly elevate privileges. PE injection is a method of executing arbitrary code in the address space of a separate live process. PE injection is commonly performed by copying code (perhaps without a file on disk) into the virtual address space of the target process before invoking it via a new thread. The write can be performed with native Windows API calls such as VirtualAllocEx and WriteProcessMemory, then invoked with CreateRemoteThread or additional code (ex: shellcode). The displacement of the injected code does introduce the additional requirement for functionality to remap memory references. (Citation: Elastic Process Injection July 2017) Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via PE injection may also evade detection from security products since the execution is masked under a legitimate process. ", "similar_words": [ @@ -21567,7 +22232,8 @@ "has used large groups of compromised machines for use as proxy nodes.", "has used a large-scale botnet to target Small Office/Home Office (SOHO) network devices.", "Volt Typhoon has used compromised Cisco and NETGEAR end-of-life SOHO routers implanted with KV Botnet malware to support operations.", - "has used compromised devices in covert networks to obfuscate communications." + "has used compromised devices in covert networks to obfuscate communications.", + "has compromised various branded SOHO routers to form a botnet that has been leveraged in password spraying activity." ], "description": "Adversaries may compromise numerous third-party systems to form a botnetthat can be used during targeting. A botnet is a network of compromised systems that can be instructed to perform coordinated tasks.(Citation: Norton Botnet) Instead of purchasing/renting a botnet from a booter/stresser service, adversaries may build their own botnet by compromising numerous third-party systems.(Citation: Imperva DDoS for Hire) Adversaries may also conduct a takeover of an existing botnet, such as redirecting bots to adversary-controlled C2 servers.(Citation: Dell Dridex Oct 2015) With a botnet at their disposal, adversaries may perform follow-on activity such as large-scale [Phishing](https://attack.mitre.org/techniques/T1566) or Distributed Denial of Service (DDoS).", "similar_words": [ @@ -21578,7 +22244,8 @@ "attack-pattern--818302b2-d640-477b-bf88-873120ce85c4": { "name": "Network Device CLI", "example_uses": [ - "can execute native commands in networking device command line interfaces." + "can execute native commands in networking device command line interfaces.", + "During accessed the Junos OS CLI on targeted devices." ], "description": "Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads. The CLI is the primary means through which users and administrators interact with the device in order to view system information, modify device operations, or perform diagnostic and administrative functions. CLIs typically contain various permission levels required for different commands. Scripting interpreters automate tasks and extend functionality beyond the command set included in the network OS. The CLI and scripting interpreter are accessible through a direct console connection, or through remote means, such as telnet or [SSH](https://attack.mitre.org/techniques/T1021/004).Adversaries can use the network CLI to change how network devices behave and operate. The CLI may be used to manipulate traffic flows to intercept or manipulate data, modify startup configuration parameters to load malicious system software, or to disable security features or logging to avoid detection.(Citation: Cisco Synful Knock Evolution)", "similar_words": [ @@ -21587,13 +22254,14 @@ "id": "T1059.008" }, "attack-pattern--8187bd2a-866f-4457-9009-86b0ddedffa3": { - "name": "Bash History", + "name": "Shell History", "example_uses": [ "has searched bash_history for credentials." ], - "description": "Adversaries may search the bash command history on compromised systems for insecurely stored credentials. Bash keeps track of the commands users type on the command-line with the \"history\" utility. Once a user logs out, the history is flushed to the users .bash_history file. For each user, this file resides at the same location: ~/.bash_history. Typically, this file keeps track of the users last 500 commands. Users often type usernames and passwords on the command-line as parameters to programs, which then get saved to this file when they log out. Adversaries can abuse this by looking through the file for potential credentials. (Citation: External to DA, the OS X Way)", + "description": "Adversaries may search the command history on compromised systems for insecurely stored credentials.On Linux and macOS systems, shells such as Bash and Zsh keep track of the commands users type on the command-line with the \"history\" utility. Once a user logs out, the history is flushed to the user's history file. For each user, this file resides at the same location: for example, `~/.bash_history` or `~/.zsh_history`. Typically, these files keeps track of the user's last 1000 commands.On Windows, PowerShell has both a command history that is wiped after the session ends, and one that contains commands used in all sessions and is persistent. The default location for persistent history can be found in `%userprofile%\\AppData\\Roaming\\Microsoft\\Windows\\PowerShell\\PSReadline\\ConsoleHost_history.txt`, but command history can also be accessed with `Get-History`. Command Prompt (CMD) on Windows does not have persistent history.(Citation: Microsoft about_History)(Citation: Medium)Users often type usernames and passwords on the command-line as parameters to programs, which then get saved to this file when they log out. Adversaries can abuse this by looking through the file for potential credentials.(Citation: External to DA, the OS X Way)", "similar_words": [ - "Bash History" + "Bash History", + "Shell History" ], "id": "T1552.003" }, @@ -21654,7 +22322,8 @@ "used to obtain passwords in files.", "has dumped configuration settings in accessed IP cameras including plaintext credentials.", "gathered credentials stored in files related to Building Management System (BMS) operations during .", - "searches for and if found collects the contents of files such as `logins.json` and `key4.db` in the `$APPDATA%\\Thunderbird\\Profiles\\` directory associated with the Thunderbird email application." + "searches for and if found collects the contents of files such as `logins.json` and `key4.db` in the `$APPDATA%\\Thunderbird\\Profiles\\` directory associated with the Thunderbird email application.", + "During threat actors accessed web.config and machine.config to extract MachineKey values enabling them to forge legitimate VIEWSTATE tokens for future deserialization payloads." ], "description": "Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.It is possible to extract passwords from backups or saved virtual machines through [OS Credential Dumping](https://attack.mitre.org/techniques/T1003).(Citation: CG 2014) Passwords may also be obtained from Group Policy Preferences stored on the Windows Domain Controller.(Citation: SRD GPP)In cloud and/or containerized environments, authenticated user and service account credentials are often stored in local configuration and credential files.(Citation: Unit 42 Hildegard Malware) They may also be found as parameters to deployment commands in container logs.(Citation: Unit 42 Unsecured Docker Daemons) In some cases, these files can be copied and reused on another machine or the contents can be read and then used to authenticate without needing to copy any files.(Citation: Specter Ops - Cloud Credential Storage)", "similar_words": [ @@ -21742,7 +22411,9 @@ "name": "Link Target", "example_uses": [ "has created a link to a Dropbox file that has been used in their spear-phishing operations.", - "has cloned victim organization login pages and staged them for later use in credential harvesting campaigns. has also made use of a variety of URL shorteners for these staged websites." + "has cloned victim organization login pages and staged them for later use in credential harvesting campaigns. has also made use of a variety of URL shorteners for these staged websites.", + "During threat actors established an Okta phishing panel which victims were tricked into accessing from mobile phones or work computers during social engineering calls.", + "has created a fake link that redirected to an adversary-controlled Dropbox that downloaded the malicious executable." ], "description": "Adversaries may put in place resources that are referenced by a link that can be used during targeting. An adversary may rely upon a user clicking a malicious link in order to divulge information (including credentials) or to gain execution, as in [Malicious Link](https://attack.mitre.org/techniques/T1204/001). Links can be used for spearphishing, such as sending an email accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser. Prior to a phish for information (as in [Spearphishing Link](https://attack.mitre.org/techniques/T1598/003)) or a phish to gain initial access to a system (as in [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002)), an adversary must set up the resources for a link target for the spearphishing link. Typically, the resources for a link target will be an HTML page that may include some client-side script such as [JavaScript](https://attack.mitre.org/techniques/T1059/007) to decide what content to serve to the user. Adversaries may clone legitimate sites to serve as the link target, this can include cloning of login pages of legitimate web services or organization login pages in an effort to harvest credentials during [Spearphishing Link](https://attack.mitre.org/techniques/T1598/003).(Citation: Malwarebytes Silent Librarian October 2020)(Citation: Proofpoint TA407 September 2019) Adversaries may also [Upload Malware](https://attack.mitre.org/techniques/T1608/001) and have the link target point to malware for download/execution by the user.Adversaries may purchase domains similar to legitimate domains (ex: homoglyphs, typosquatting, different top-level domain, etc.) during acquisition of infrastructure ([Domains](https://attack.mitre.org/techniques/T1583/001)) to help facilitate [Malicious Link](https://attack.mitre.org/techniques/T1204/001).Links can be written by adversaries to mask the true destination in order to deceive victims by abusing the URL schema and increasing the effectiveness of phishing.(Citation: Kaspersky-masking)(Citation: mandiant-masking)Adversaries may also use free or paid accounts on link shortening services and Platform-as-a-Service providers to host link targets while taking advantage of the widely trusted domains of those providers to avoid being blocked while redirecting victims to malicious pages.(Citation: Netskope GCP Redirection)(Citation: Netskope Cloud Phishing)(Citation: Intezer App Service Phishing)(Citation: Cofense-redirect) In addition, adversaries may serve a variety of malicious links through uniquely generated URIs/URLs (including one-time, single use links).(Citation: iOS URL Scheme)(Citation: URI)(Citation: URI Use)(Citation: URI Unique) Finally, adversaries may take advantage of the decentralized nature of the InterPlanetary File System (IPFS) to host link targets that are difficult to remove.(Citation: Talos IPFS 2022)", "similar_words": [ @@ -21762,7 +22433,18 @@ "targets organizations in high technology higher education and manufacturing for business email compromise (BEC) campaigns with the goal of financial theft.", "has stolen and encrypted victim's data in order to extort payment for keeping it private or decrypting it.", "has stolen and laundered cryptocurrency to self-fund operations including the acquisition of infrastructure.", - "demands ransom payments from victims to unencrypt filesystems and to not publish sensitive data exfiltrated from victim networks." + "demands ransom payments from victims to unencrypt filesystems and to not publish sensitive data exfiltrated from victim networks.", + "has been leveraged in double-extortion ransomware exfiltrating files then encrypting them to prompt victims to pay a ransom.", + "has searched the victim device credentials and files commonly associated with cryptocurrency wallets.", + "has stolen cryptocurrency wallet credentials and credit card information utilizing and malware.", + "has collected data from cryptocurrency wallets and harvested credit cards details from browsers.", + "During threat actors demanded ransom payments to unencrypt filesystems and to refrain from publishing sensitive data exfiltrated from victim networks.", + "has engaged in double-extortion ransomware exfiltrating data and directly contacting victims when the primary organization refuses to pay along with posting data on their data leak sites.", + "has targeted the cryptocurrency industry with the goal of stealing digital assets.", + "has deployed ransomware on compromised hosts and threatened to leak stolen data for financial gain.", + "has stolen and encrypted victims' data in order to extort victims into paying a ransom.", + "has searched the victim device for browser extensions commonly associated with cryptocurrency wallets.", + "has extorted victims for ransomware decryption keys and to prevent publication of data exfiltrated to their data leak site." ], "description": "Adversaries may steal monetary resources from targets through extortion, social engineering, technical theft, or other methods aimed at their own financial gain at the expense of the availability of these resources for victims. Financial theft is the ultimate objective of several popular campaign types including extortion by ransomware,(Citation: FBI-ransomware) business email compromise (BEC) and fraud,(Citation: FBI-BEC) \"pig butchering,\"(Citation: wired-pig butchering) bank hacking,(Citation: DOJ-DPRK Heist) and exploiting cryptocurrency networks.(Citation: BBC-Ronin) Adversaries may [Compromise Accounts](https://attack.mitre.org/techniques/T1586) to conduct unauthorized transfers of funds.(Citation: Internet crime report 2022) In the case of business email compromise or email fraud, an adversary may utilize [Impersonation](https://attack.mitre.org/techniques/T1656) of a trusted entity. Once the social engineering is successful, victims can be deceived into sending money to financial accounts controlled by an adversary.(Citation: FBI-BEC) This creates the potential for multiple victims (i.e., compromised accounts as well as the ultimate monetary loss) in incidents involving financial theft.(Citation: VEC)Extortion by ransomware may occur, for example, when an adversary demands payment from a victim after [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486) (Citation: NYT-Colonial) and [Exfiltration](https://attack.mitre.org/tactics/TA0010) of data, followed by threatening to leak sensitive data to the public unless payment is made to the adversary.(Citation: Mandiant-leaks) Adversaries may use dedicated leak sites to distribute victim data.(Citation: Crowdstrike-leaks)Due to the potentially immense business impact of financial theft, an adversary may abuse the possibility of financial theft and seeking monetary gain to divert attention from their true goals such as [Data Destruction](https://attack.mitre.org/techniques/T1485) and business disruption.(Citation: AP-NotPetya)", "similar_words": [ @@ -21803,7 +22485,9 @@ "enumerated logs related to authentication in Linux environments prior to deleting selective entries for defense evasion purposes.", "can identify infected system log information.", "has the ability to print the trace debug error info and warning logs.", - "can enumerate the trace debug error info and warning logs on targeted systems." + "can enumerate the trace debug error info and warning logs on targeted systems.", + "has identified .ldb and .log files stored in browser extension directories for collection and exfiltration.", + "has used to gather Windows Security Event Logs." ], "description": "Adversaries may enumerate system and service logs to find useful data. These logs may highlight various types of valuable insights for an adversary, such as user authentication records ([Account Discovery](https://attack.mitre.org/techniques/T1087)), security or vulnerable software ([Software Discovery](https://attack.mitre.org/techniques/T1518)), or hosts within a compromised network ([Remote System Discovery](https://attack.mitre.org/techniques/T1018)).Host binaries may be leveraged to collect system logs. Examples include using `wevtutil.exe` or [PowerShell](https://attack.mitre.org/techniques/T1059/001) on Windows to access and/or export security event information.(Citation: WithSecure Lazarus-NoPineapple Threat Intel Report 2023)(Citation: Cadet Blizzard emerges as novel threat actor) In cloud environments, adversaries may leverage utilities such as the Azure VM Agents `CollectGuestLogs.exe` to collect security logs from cloud hosted infrastructure.(Citation: SIM Swapping and Abuse of the Microsoft Azure Serial Console)Adversaries may also target centralized logging infrastructure such as SIEMs. Logs may also be bulk exported and sent to adversary-controlled infrastructure for offline analysis.In addition to gaining a better understanding of the environment, adversaries may also monitor logs in real time to track incident response procedures. This may allow them to adjust their techniques in order to maintain persistence or evade defenses.(Citation: Permiso GUI-Vil 2023)", "similar_words": [ @@ -21831,7 +22515,8 @@ "impersonates the main thread of CExecSvc.exe by calling NtImpersonateThread.", "has used a malicious framework designed to impersonate the lsass.exe/vmtoolsd.exe token.", "has the ability to duplicate the users token. For example may use a variant of Googles ProtoBuf to send messages that specify how code will be executed.", - "During threat actors used custom tooling to acquire tokens using `ImpersonateLoggedOnUser/SetThreadToken`." + "During threat actors used custom tooling to acquire tokens using `ImpersonateLoggedOnUser/SetThreadToken`.", + "has a module capable of token impersonation." ], "description": "Adversaries may duplicate then impersonate another user's existing token to escalate privileges and bypass access controls. For example, an adversary can duplicate an existing token using `DuplicateToken` or `DuplicateTokenEx`.(Citation: DuplicateToken function) The token can then be used with `ImpersonateLoggedOnUser` to allow the calling thread to impersonate a logged on user's security context, or with `SetThreadToken` to assign the impersonated token to a thread.An adversary may perform [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) when they have a specific, existing process they want to assign the duplicated token to. For example, this may be useful for when the target user has a non-network logon session on the system.When an adversary would instead use a duplicated token to create a new process rather than attaching to an existing process, they can additionally [Create Process with Token](https://attack.mitre.org/techniques/T1134/002) using `CreateProcessWithTokenW` or `CreateProcessAsUserW`. [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) is also distinct from [Make and Impersonate Token](https://attack.mitre.org/techniques/T1134/003) in that it refers to duplicating an existing token, rather than creating a new one.", "similar_words": [ @@ -21855,7 +22540,9 @@ "example_uses": [ "During used compromised Azure credentials for credential theft activity and lateral movement to on-premises systems.", "has leveraged compromised high-privileged on-premises accounts synced to Office 365 to move laterally into a cloud environment including through the use of Azure AD PowerShell.", - "During used compromised Azure credentials for credential theft activity and lateral movement to on-premises systems.Scattered Spider has also leveraged pre-existing AWS EC2 instances for lateral movement and data collection purposes." + "During used compromised Azure credentials for credential theft activity and lateral movement to on-premises systems.Scattered Spider has also leveraged pre-existing AWS EC2 instances for lateral movement and data collection purposes.", + "has used compromised Entra Connect Sync Server to move laterally within the victim environment.", + "has also leveraged pre-existing AWS EC2 instances for lateral movement and data collection purposes." ], "description": "Adversaries may log into accessible cloud services within a compromised environment using [Valid Accounts](https://attack.mitre.org/techniques/T1078) that are synchronized with or federated to on-premises user identities. The adversary may then perform management actions or access cloud-hosted resources as the logged-on user. Many enterprises federate centrally managed user identities to cloud services, allowing users to login with their domain credentials in order to access the cloud control plane. Similarly, adversaries may connect to available cloud services through the web console or through the cloud command line interface (CLI) (e.g., [Cloud API](https://attack.mitre.org/techniques/T1059/009)), using commands such as Connect-AZAccount for Azure PowerShell, Connect-MgGraph for Microsoft Graph PowerShell, and gcloud auth login for the Google Cloud CLI.In some cases, adversaries may be able to authenticate to these services via [Application Access Token](https://attack.mitre.org/techniques/T1550/001) instead of a username and password. ", "similar_words": [ @@ -21869,7 +22556,9 @@ "can use port-knocking to authenticate itself to another implant called Cryshell to establish an indirect connection to the C2 server.", "has used a script that configures the knockd service and firewall to only accept C2 connections from systems that use a specified sequence of knock ports.", "has authenticated itself to a different implant Cryshell through a port knocking and handshake procedure.", - "can monitor for a single TCP-SYN packet to be sent in series to a configurable set of ports (200 80 22 53 and 3 in the original code) before opening a port for communication." + "can monitor for a single TCP-SYN packet to be sent in series to a configurable set of ports (200 80 22 53 and 3 in the original code) before opening a port for communication.", + "has the ability to control compromised endpoints via port knocking.", + "maintained persistence on FortiGate Firewalls through ICMP port knocking." ], "description": "Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. After the sequence is completed, opening a port is often accomplished by the host based firewall, but could also be implemented by custom software.This technique has been observed both for the dynamic opening of a listening port as well as the initiating of a connection to a listening server on a different system.The observation of the signal packets to trigger the communication can be conducted through different methods. One means, originally implemented by Cd00r (Citation: Hartrell cd00r 2002), is to use the libpcap libraries to sniff for the packets in question. Another method leverages raw sockets, which enables the malware to use ports that are already open for use by other programs.", "similar_words": [ @@ -21879,7 +22568,12 @@ }, "attack-pattern--887274fc-2d63-4bdc-82f3-fae56d1d5fdc": { "name": "LNK Icon Smuggling", - "example_uses": [], + "example_uses": [ + "has used the LNK icon location to execute malicious scripts. has also padded the LNK target field properties with extra spaces to obscure the script.", + "has used LNK files to hide malicious scripts for execution.", + "has been initiated using LNK files that were programmed to display a PDF icon to entice the victim to click on the file to execute an office.exe binary.", + "has utilized LNK files to hide malicious scripts for execution. has also leveraged LNK files that were programmed to display a PDF icon to entice the victim to click on the file to execute an office.exe binary." + ], "description": "Adversaries may smuggle commands to download malicious payloads past content filters by hiding them within otherwise seemingly benign windows shortcut files. Windows shortcut files (.LNK) include many metadata fields, including an icon location field (also known as the `IconEnvironmentDataBlock`) designed to specify the path to an icon file that is to be displayed for the LNK file within a host directory. Adversaries may abuse this LNK metadata to download malicious payloads. For example, adversaries have been observed using LNK files as phishing payloads to deliver malware. Once invoked (e.g., [Malicious File](https://attack.mitre.org/techniques/T1204/002)), payloads referenced via external URLs within the LNK icon location field may be downloaded. These files may also then be invoked by [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)/[System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218) arguments within the target path field of the LNK.(Citation: Unprotect Shortcut)(Citation: Booby Trap Shortcut 2017)LNK Icon Smuggling may also be utilized post compromise, such as malicious scripts executing an LNK on an infected host to download additional malicious payloads. ", "similar_words": [ "LNK Icon Smuggling" @@ -21911,7 +22605,12 @@ "has established GitHub accounts to host its toolsets.", "has leveraged the Discord content delivery network to host malicious content for retrieval during initial access operations.", "has used Google Firebase to host malicious scripts.", - "included the use of OpenConnect VPN Server instances for conducting actions on victim devices." + "included the use of OpenConnect VPN Server instances for conducting actions on victim devices.", + "has used web services such as Dropbox to receive stolen data and Google Drive Firebase GitHub and Telegram to disseminate files. has also used a cloud platform such as Vercel for C2 operations leveraging malicious web applications and static pages. has also used Slack to coordinate their activities.", + "has utilized a file hosting service named filemail[.]com to host a zip file that contained malicious payloads that facilitated follow-on actions.", + "has set up Dropbox and Google Drive to host malicious downloads.", + "has used Cloudflares TryClouldflare service to obtain C2 nodes.", + "has hosted content used for targeting efforts via web services such as Blogspot. has also leveraged Dropbox for hosting payloads and uploading victim system information." ], "description": "Adversaries may register for web servicesthat can be used during targeting. A variety of popular websites exist for adversaries to register for a web-based service that can be abused during later stages of the adversary lifecycle, such as during Command and Control ([Web Service](https://attack.mitre.org/techniques/T1102)), [Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567), or [Phishing](https://attack.mitre.org/techniques/T1566). Using common services, such as those offered by Google, GitHub, or Twitter, makes it easier for adversaries to hide in expected noise.(Citation: FireEye APT29)(Citation: Hacker News GitHub Abuse 2024) By utilizing a web service, adversaries can make it difficult to physically tie back operations to them.", "similar_words": [ @@ -21953,7 +22652,8 @@ "example_uses": [ "can generate SSH and API keys for AWS infrastructure and additional API keys for other IAM users.", "During used aws_consoler to create temporary federated credentials for fake users in order to obfuscate which AWS credential is compromised and enable pivoting from the AWS CLI to console sessions without MFA.", - "During the added credentials to OAuth Applications and Service Principals." + "During the added credentials to OAuth Applications and Service Principals.", + "has reset the password of identified administrator accounts that lack MFA and registered their own MFA method." ], "description": "Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment.For example, adversaries may add credentials for Service Principals and Applications in addition to existing legitimate credentials in Azure / Entra ID.(Citation: Microsoft SolarWinds Customer Guidance)(Citation: Blue Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials include both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer Guidance) With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az PowerShell modules.(Citation: Demystifying Azure AD Service Principals)In infrastructure-as-a-service (IaaS) environments, after gaining access through [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004), adversaries may generate or import their own SSH keys using either the CreateKeyPair or ImportKeyPair API in AWS or the gcloud compute os-login ssh-keys add command in GCP.(Citation: GCP SSH Key Add) This allows persistent access to instances within the cloud environment without further usage of the compromised cloud accounts.(Citation: Expel IO Evil in AWS)(Citation: Expel Behind the Scenes)Adversaries may also use the CreateAccessKey API in AWS or the gcloud iam service-accounts keys create command in GCP to add access keys to an account. Alternatively, they may use the CreateLoginProfile API in AWS to add a password that can be used to log into the AWS Management Console for [Cloud Service Dashboard](https://attack.mitre.org/techniques/T1538).(Citation: Permiso Scattered Spider 2023)(Citation: Lacework AI Resource Hijacking 2024) If the target account has different permissions from the requesting account, the adversary may also be able to escalate their privileges in the environment (i.e. [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004)).(Citation: Rhino Security Labs AWS Privilege Escalation)(Citation: Sysdig ScarletEel 2.0) For example, in Entra ID environments, an adversary with the Application Administrator role can add a new set of credentials to their application's service principal. In doing so the adversary would be able to access the service principals roles and permissions, which may be different from those of the Application Administrator.(Citation: SpecterOps Azure Privilege Escalation) In AWS environments, adversaries with the appropriate permissions may also use the `sts:GetFederationToken` API call to create a temporary set of credentials to [Forge Web Credentials](https://attack.mitre.org/techniques/T1606) tied to the permissions of the original user account. These temporary credentials may remain valid for the duration of their lifetime even if the original accounts API credentials are deactivated.(Citation: Crowdstrike AWS User Federation Persistence)In Entra ID environments with the app password feature enabled, adversaries may be able to add an app password to a user account.(Citation: Mandiant APT42 Operations 2024) As app passwords are intended to be used with legacy devices that do not support multi-factor authentication (MFA), adding an app password can allow an adversary to bypass MFA requirements. Additionally, app passwords may remain valid even if the users primary password is reset.(Citation: Microsoft Entra ID App Passwords)", "similar_words": [ @@ -21974,7 +22674,8 @@ "has the ability to change the background wallpaper image to display the ransom note.", "renames disk labels on victim hosts to the threat actor's email address to enable the victim to contact the threat actor for ransom negotiation.", "left ransom notes in all directories where encryption takes place.", - "has placed a ransom note on comrpomised systems to warn victims and provide directions for how to retrieve data." + "has placed a ransom note on comrpomised systems to warn victims and provide directions for how to retrieve data.", + "can set the wallpaper on compromised hosts to display a ransom message." ], "description": "An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users, thus discrediting the integrity of the systems. This may take the form of modifications to internal websites or server login messages, or directly to user systems with the replacement of the desktop wallpaper.(Citation: Novetta Blockbuster)(Citation: Varonis) Disturbing or offensive images may be used as a part of [Internal Defacement](https://attack.mitre.org/techniques/T1491/001) in order to cause user discomfort, or to pressure compliance with accompanying messages. Since internally defacing systems exposes an adversary's presence, it often takes place after other intrusion goals have been accomplished.(Citation: Novetta Blockbuster Destructive Malware)", "similar_words": [ @@ -22046,7 +22747,8 @@ "can enumerate Azure AD users.", "can enumerate Azure AD users.", "has conducted enumeration of Azure AD accounts.", - "can enumerate IAM users roles and groups." + "can enumerate IAM users roles and groups.", + "has conducted enumeration of users roles and resources within victim Azure tenants using the tool Azurehound." ], "description": "Adversaries may attempt to get a listing of cloud accounts. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application.With authenticated access there are several tools that can be used to find accounts. The Get-MsolRoleMember PowerShell cmdlet can be used to obtain account names given a role or permissions group in Office 365.(Citation: Microsoft msolrolemember)(Citation: GitHub Raindance) The Azure CLI (AZ CLI) also provides an interface to obtain user accounts with authenticated access to a domain. The command az ad user list will list all users within a domain.(Citation: Microsoft AZ CLI)(Citation: Black Hills Red Teaming MS AD Azure, 2018) The AWS command aws iam list-users may be used to obtain a list of users in the current account while aws iam list-roles can obtain IAM roles that have a specified path prefix.(Citation: AWS List Roles)(Citation: AWS List Users) In GCP, gcloud iam service-accounts list and gcloud projects get-iam-policy may be used to obtain a listing of service accounts and users in a project.(Citation: Google Cloud - IAM Servie Accounts List API)", "similar_words": [ @@ -22062,7 +22764,11 @@ "sets the `MYSQL_HISTFILE` and `HISTFILE` to `/dev/null` preventing the shell and MySQL from logging history in `/proc//environ`.", "can disable syslog on compromised devices.", "unset the Bash and MySQL history files on victim systems.", - "included disabling logging on targeted Cisco ASA appliances." + "included disabling logging on targeted Cisco ASA appliances.", + "During used malware to clear the `HISTFILE` environmental vaiable and to inject into Junos OS processes to inhibit logging.", + "has removed PowerShell command history through the use of the PSReadLine module by running the PowerShell command `Remove-Item (Get-PSReadlineOption).HistorySavePath`.", + "has tampered with and disabled logging services on targeted systems.", + "can impair logging by setting the `HISTFILE` environmental variable to `0` and stopping the `vmsyslogd` service." ], "description": "Adversaries may impair command history logging to hide commands they run on a compromised system. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done. On Linux and macOS, command history is tracked in a file pointed to by the environment variable HISTFILE. When a user logs off a system, this information is flushed to a file in the user's home directory called ~/.bash_history. The HISTCONTROL environment variable keeps track of what should be saved by the history command and eventually into the ~/.bash_history file when a user logs out. HISTCONTROL does not exist by default on macOS, but can be set by the user and will be respected. The `HISTFILE` environment variable is also used in some ESXi systems.(Citation: Google Cloud Threat Intelligence ESXi VIBs 2022)Adversaries may clear the history environment variable (unset HISTFILE) or set the command history size to zero (export HISTFILESIZE=0) to prevent logging of commands. Additionally, HISTCONTROL can be configured to ignore commands that start with a space by simply setting it to \"ignorespace\". HISTCONTROL can also be set to ignore duplicate commands by setting it to \"ignoredups\". In some Linux systems, this is set by default to \"ignoreboth\" which covers both of the previous examples. This means that ls will not be saved, but ls would be saved by history. Adversaries can abuse this to operate without leaving traces by simply prepending a space to all of their terminal commands. On Windows systems, the PSReadLine module tracks commands used in all PowerShell sessions and writes them to a file ($env:APPDATA\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt by default). Adversaries may change where these logs are saved using Set-PSReadLineOption -HistorySavePath {File Path}. This will cause ConsoleHost_history.txt to stop receiving logs. Additionally, it is possible to turn off logging to this file using the PowerShell command Set-PSReadlineOption -HistorySaveStyle SaveNothing.(Citation: Microsoft PowerShell Command History)(Citation: Sophos PowerShell command audit)(Citation: Sophos PowerShell Command History Forensics)Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to disable historical command logging (e.g. no logging).", "similar_words": [ @@ -22129,7 +22835,8 @@ "has used malware that repeatedly checks the mouse cursor position to determine if a real user is on the system.", "loader only executes the payload after the left mouse button has been pressed at least three times in order to avoid being executed within virtualized or emulated environments.", "used images embedded into document lures that only activate the payload when a user double clicks to avoid sandboxes.", - "has used a splash screen to check whether an user actively clicks on the screen before running malicious code." + "has used a splash screen to check whether an user actively clicks on the screen before running malicious code.", + "has leveraged `GetForegroundWindow` to detect virtualization or sandboxes by calling the API twice and comparing each window handle." ], "description": "Adversaries may employ various user activity checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.(Citation: Deloitte Environment Awareness)Adversaries may search for user activity on the host based on variables such as the speed/frequency of mouse movements and clicks (Citation: Sans Virtual Jan 2016) , browser history, cache, bookmarks, or number of files in common directories such as home or the desktop. Other methods may rely on specific user interaction with the system before the malicious code is activated, such as waiting for a document to close before activating a macro (Citation: Unit 42 Sofacy Nov 2018) or waiting for a user to double click on an embedded image to activate.(Citation: FireEye FIN7 April 2017) ", "similar_words": [ @@ -22172,7 +22879,8 @@ "has gathered information on victim organizations through email and social media interaction.", "has conducted extensive reconnaissance pre-compromise to gain information about the targeted organization.", "has used large language models (LLMs) to gather information about satellite capabilities.", - "has collected victim organization information including but not limited to organization hierarchy functions press releases and others. has also used large language models (LLMs) to gather information about potential targets of interest." + "has collected victim organization information including but not limited to organization hierarchy functions press releases and others. has also used large language models (LLMs) to gather information about potential targets of interest.", + "has compiled a list of victims by filtering companies by revenue using Zoominfo which is a service that provides business information." ], "description": "Adversaries may gather information about the victim's organization that can be used during targeting. Information about an organization may include a variety of details, including the names of divisions/departments, specifics of business operations, as well as the roles and responsibilities of key employees.Adversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about an organization may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: ThreatPost Broadvoice Leak)(Citation: SEC EDGAR Search) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).", "similar_words": [ @@ -22225,7 +22933,9 @@ "can modify the `visits.py` component of Ivanti Connect Secure VPNs for file download and arbitrary command execution.", "uses DLL unhooking to remove user mode inline hooks that security solutions often implement. also uses IAT unhooking to remove user-mode IAT hooks that security solutions also use.", "modifies the `keyutils` library to add malicious behavior to the OpenSSH client and the curl library.", - "contains a watchdog-like feature that monitors a particular file for modification. If modification is detected the legitimate file is backed up and replaced with a trojanized file to allow for persistence through likely system upgrades." + "contains a watchdog-like feature that monitors a particular file for modification. If modification is detected the legitimate file is backed up and replaced with a trojanized file to allow for persistence through likely system upgrades.", + "has trojanized Fortinet firmware and replaced the legitimate `/usr/bin/tac_plus` TACACS+ daemon for Linux with a malicious version containing credential logging functionality.", + "During peformed a local memory patching attack to modify the snmpd and mgd Junos OS daemons." ], "description": "Adversaries may modify host software binaries to establish persistent access to systems. Software binaries/executables provide a wide range of system commands or services, programs, and libraries. Common software binaries are SSH clients, FTP clients, email clients, web browsers, and many other user or server applications.Adversaries may establish persistence though modifications to host software binaries. For example, an adversary may replace or otherwise infect a legitimate application binary (or support files) with a backdoor. Since these binaries may be routinely executed by applications or the user, the adversary can leverage this for persistent access to the host. An adversary may also modify a software binary such as an SSH client in order to persistently collect credentials during logins (i.e., [Modify Authentication Process](https://attack.mitre.org/techniques/T1556)).(Citation: Google Cloud Mandiant UNC3886 2024)An adversary may also modify an existing binary by patching in malicious functionality (e.g., IAT Hooking/Entry point patching)(Citation: Unit42 Banking Trojans Hooking 2022) prior to the binarys legitimate execution. For example, an adversary may modify the entry point of a binary to point to malicious code patched in by the adversary before resuming normal execution flow.(Citation: ESET FontOnLake Analysis 2021)After modifying a binary, an adversary may attempt to [Impair Defenses](https://attack.mitre.org/techniques/T1562) by preventing it from updating (e.g., via the `yum-versionlock` command or `versionlock.list` file in Linux systems that use the yum package manager).(Citation: Google Cloud Mandiant UNC3886 2024)", "similar_words": [ @@ -22462,7 +23172,19 @@ "has used PowerShell for initial user execution and other fuctions.", "can use the PowerShell module `InvokeGPUpdate` to modify Group Policy.", "has used PowerShell to download and run additional content.", - "can use PowerShell to execute commands received from C2." + "can use PowerShell to execute commands received from C2.", + "has leveraged PowerShell to execute commands and scripts.", + "used a PowerShell script to launch shellcode that retrieved an additional payload. Additionally has executed a custom obfuscation of the shellcode invoker in called POWERTRASH.", + "can facilitate the execution of PowerShell commands.", + "During threat actors used PowerShell to execute attacker-controlled encoded commands.", + "has leveraged PowerShell for execution and defense evasion. has also utilized PowerShell to execute a bitsadmin transfer from file hosting site.", + "has used a PowerShell script to search memory dumps for credentials.", + "has used obfuscated PowerShell scripts for staging. Additionally (LinkById: G0047) has used PowerShell based tools later in its attack chain. Additionally has used the PowerShell cmdlet `Get-Command` to download and execute the next stage payload.", + "has executed a variety of PowerShell scripts including Invoke-Mimikatz. has also utilized PowerShell scripts for execution persistence and defense evasion.", + "has launched PowerShell scripts for execution and defense evasion.", + "has used the PowerShell cmdlet Get-ADUser.", + "has been deployed on VMware vCenter and ESXi servers via custom PowerShell script.", + "has utilized a PowerShell script created in the victims home directory named conf.ps1 that is used to modify configuration files for AnyDesk remote services." ], "description": "Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.(Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).PowerShell may also be used to download and run executables from the Internet, which can be executed from disk or in memory without touching disk.A number of PowerShell-based offensive testing tools are available, including [Empire](https://attack.mitre.org/software/S0363), [PowerSploit](https://attack.mitre.org/software/S0194), [PoshC2](https://attack.mitre.org/software/S0378), and PSAttack.(Citation: Github PSAttack)PowerShell commands/scripts can also be executed without directly invoking the powershell.exe binary through interfaces to PowerShell's underlying System.Management.Automation assembly DLL exposed through the .NET framework and Windows Common Language Interface (CLI).(Citation: Sixdub PowerPick Jan 2016)(Citation: SilentBreak Offensive PS Dec 2015)(Citation: Microsoft PSfromCsharp APR 2014)", "similar_words": [ @@ -22515,7 +23237,10 @@ "can conduct peer-to-peer communication over Windows named pipes encapsulated in the SMB protocol. All protocols use their standard assigned ports.", "can use SMB to transfer files.", "has used FTP to download additional malware to the target machine.", - "has used FTP for C2 communications." + "has used FTP for C2 communications.", + "has used a File Transfer Protocol (FTP) server to download malicious binaries.", + "has used `curl` for data exfiltration over FTP.", + "can use an SMB listener for C2 communication." ], "description": "Adversaries may communicate using application layer protocols associated with transferring files to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. Protocols such as SMB(Citation: US-CERT TA18-074A), FTP(Citation: ESET Machete July 2019), FTPS, and TFTP that transfer files may be very common in environments. Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the transferred files. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic. ", "similar_words": [ @@ -22837,7 +23562,15 @@ "has created registry keys to maintain persistence using `HKCU:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run`.", "can persist using malicious LNK objects in the victim machine Startup folder.", "has used Registry Run keys for persistence.", - "establishes persistence by copying its executable in a subdirectory of `%APPDATA%` or `%PROGRAMFILES%` and then modifies Windows Registry Run keys or policies keys to execute the executable on system start." + "establishes persistence by copying its executable in a subdirectory of `%APPDATA%` or `%PROGRAMFILES%` and then modifies Windows Registry Run keys or policies keys to execute the executable on system start.", + "has added Registry Run keys to achieve persistence using `HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run`.", + "has added Registry Run keys to achieve persistence.", + "adds Run key entries in the Registry to establish persistence. has established persistence via the registry keys `HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run` and `HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run`.", + "has created a runonce autostart entry at `HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce*aster = %Public%\\enc.exe` pointing to a dropped copy of itself in the Public folder.", + "has modified the Windows Registry to start a custom service named irnagentd in Safe Mode.", + "has created the registry key HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\AdobelmdyU to maintain persistence. has also established persistence via the registry key `HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run`.", + "has established persistence within Windows devices by creating a .bat file queue.bat within the Startup folder to run a Python script.", + "has established persistence using malware to place a .bat file in the Startup Folder." ], "description": "Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the \"run keys\" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.(Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level.The following run keys are created by default on Windows systems:* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceRun keys may exist under multiple hives.(Citation: Microsoft Wow6432Node 2018)(Citation: Malwarebytes Wow6432Node 2016) The HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency.(Citation: Microsoft Run Key) For example, it is possible to load a DLL at logon using a \"Depend\" key with RunOnceEx: reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001\\Depend /v 1 /d \"C:\\temp\\evil[.]dll\" (Citation: Oddvar Moe RunOnceEx Mar 2018)Placing a program within a startup folder will also cause that program to execute when a user logs in. There is a startup folder location for individual user accounts as well as a system-wide startup folder that will be checked regardless of which user account logs in. The startup folder path for the current user is C:\\Users\\\\[Username]\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup. The startup folder path for all users is C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp.The following Registry keys can be used to set startup folder items for persistence:* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders* HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders* HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell FoldersThe following Registry keys can control automatic startup of services during boot:* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesUsing policy settings to specify startup programs creates corresponding values in either of two Registry keys:* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\RunPrograms listed in the load value of the registry key HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows run automatically for the currently logged-on user.By default, the multistring BootExecute value of the registry key HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager is set to autocheck autochk *. This value causes Windows, at startup, to check the file-system integrity of the hard disks if the system has been shut down abnormally. Adversaries can add other programs or processes to this registry value which will automatically launch at boot.Adversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make the Registry entries look as if they are associated with legitimate programs.", "similar_words": [ @@ -22905,7 +23638,9 @@ "researched Ukraine's unique legal entity identifier (called an EDRPOU number) including running queries on the EDRPOU website in preparation for the attack. has also researched third-party websites to help it craft credible spearphishing emails.", "has conducted pre-compromise web searches for victim information.", "has used open-source research to identify information about victims to use in targeting.", - "has used LLMs to identify think tanks government organizations etc. that have information." + "has used LLMs to identify think tanks government organizations etc. that have information.", + "has used open-source research to identify information about victims to use in targeting to include creating weaponized phishing lures and attachments.", + "has utilized open-source indicator of compromise repositories to determine their exposure to include VirusTotal and MalTrail." ], "description": "Adversaries may search freely available websites and/or domains for information about victims that can be used during targeting. Information about victims may be available in various online sites, such as social media, new sites, or those hosting information about business operations such as hiring or requested/rewarded contracts.(Citation: Cyware Social Media)(Citation: SecurityTrails Google Hacking)(Citation: ExploitDB GoogleHacking)Adversaries may search in different online sites depending on what information they seek to gather. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Phishing](https://attack.mitre.org/techniques/T1566)).", "similar_words": [ @@ -22918,7 +23653,8 @@ "example_uses": [ "can use kernel modules to establish persistence.", "has the ability to install several loadable kernel modules (LKMs) on infected machines.", - "During attackers used a signed kernel rootkit to establish additional persistence." + "During attackers used a signed kernel rootkit to establish additional persistence.", + "The rootkit is implemented as a loadable kernel module (LKM)." ], "description": "Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system.(Citation: Linux Kernel Programming)When used maliciously, LKMs can be a type of kernel-mode [Rootkit](https://attack.mitre.org/techniques/T1014) that run with the highest operating system privilege (Ring 0).(Citation: Linux Kernel Module Programming Guide)Common features of LKM based rootkits include: hiding itself, selective hiding of files, processes and network activity, as well as log tampering, providing authenticated backdoors, and enabling root access to non-privileged users.(Citation: iDefense Rootkit Overview)Kernel extensions, also called kext, are used in macOS to load functionality onto a system similar to LKMs for Linux. Since the kernel is responsible for enforcing security and the kernel extensions run as apart of the kernel, kexts are not governed by macOS security policies. Kexts are loaded and unloaded through kextload and kextunload commands. Kexts need to be signed with a developer ID that is granted privileges by Apple allowing it to sign Kernel extensions. Developers without these privileges may still sign kexts but they will not load unless SIP is disabled. If SIP is enabled, the kext signature is verified before being added to the AuxKC.(Citation: System and kernel extensions in macOS)Since macOS Catalina 10.15, kernel extensions have been deprecated in favor of System Extensions. However, kexts are still allowed as \"Legacy System Extensions\" since there is no System Extension for Kernel Programming Interfaces.(Citation: Apple Kernel Extension Deprecation)Adversaries can use LKMs and kexts to conduct [Persistence](https://attack.mitre.org/tactics/TA0003) and/or [Privilege Escalation](https://attack.mitre.org/tactics/TA0004) on a system. Examples have been found in the wild, and there are some relevant open source projects as well.(Citation: Volatility Phalanx2)(Citation: CrowdStrike Linux Rootkit)(Citation: GitHub Reptile)(Citation: GitHub Diamorphine)(Citation: RSAC 2015 San Francisco Patrick Wardle)(Citation: Synack Secure Kernel Extension Broken)(Citation: Securelist Ventir)(Citation: Trend Micro Skidmap)", "similar_words": [ @@ -23051,9 +23787,15 @@ "has used publicly-available tools such as a Python-based cookie stealer for Chrome browsers and the Venom proxy tool.", "has used publicly available tooling to exploit vulnerabilities.", "leverages a C2 framework sourced from a publicly-available Github repository for administration of relay nodes.", - "has used built-in features in the Microsoft 365 environment and publicly available tools to avoid detection." + "has used built-in features in the Microsoft 365 environment and publicly available tools to avoid detection.", + "has obtained and leveraged numerous RMM services along with publicly available tools used for scanning. has utilized tools such as Advanced IP Scanner and SoftPerfect Network scanner for user system and network discovery. has also acquired tools for command and control and defense evasion which include tunneling tools Ligolo and Cloudflared.", + "has obtained tools for use throughout the attack lifecycle to include remote access software protocol tunneling and proxy tools exploitation frameworks and reconnaissance tools.", + "has used remote management and monitoring software such as AnyDesk.", + "has obtained and leveraged publicly-available tools for intrusion activities.", + "During threat actors initially relied on the legitimate Salesforce Data Loader app for data exfiltration.", + "During threat actors leveraged tools including and ." ], - "description": "Adversaries may buy, steal, or download software tools that can be used during targeting. Tools can be open or closed source, free or commercial. A tool can be used for malicious purposes by an adversary, but (unlike malware) were not intended to be used for those purposes (ex: [PsExec](https://attack.mitre.org/software/S0029)). Tool acquisition can involve the procurement of commercial software licenses, including for red teaming tools such as [Cobalt Strike](https://attack.mitre.org/software/S0154). Commercial software may be obtained through purchase, stealing licenses (or licensed copies of the software), or cracking trial versions.(Citation: Recorded Future Beacon 2019)Adversaries may obtain tools to support their operations, including to support execution of post-compromise behaviors. In addition to freely downloading or purchasing software, adversaries may steal software and/or software licenses from third-party entities (including other adversaries).", + "description": "Adversaries may buy, steal, or download software tools that can be used during targeting. Tools can be open or closed source, free or commercial. A tool can be used for malicious purposes by an adversary, but (unlike malware) were not intended to be used for those purposes (ex: [PsExec](https://attack.mitre.org/software/S0029)). Adversaries may obtain tools to support their operations, including to support execution of post-compromise behaviors. Tools may also be leveraged for testing for example, evaluating malware against commercial antivirus or endpoint detection and response (EDR) applications.(Citation: Forescout Conti Leaks 2022)(Citation: Sentinel Labs Top Tier Target 2025)Tool acquisition may involve the procurement of commercial software licenses, including for red teaming tools such as Cobalt Strike. In addition to freely downloading or purchasing software, adversaries may steal software and/or software licenses from third-party entities (including other adversaries). Threat actors may also crack trial versions of software.(Citation: Recorded Future Beacon 2019)", "similar_words": [ "Tool" ], @@ -23118,7 +23860,8 @@ "campaigns have used spearphishing emails for initial access.", "has used phishing to gain initial access.", "has used spearphishing to gain initial access and intelligence.", - "used spear phishing to gain initial access to victims." + "used spear phishing to gain initial access to victims.", + "has used spearphishing emails to distribute malicious payloads." ], "description": "Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.Adversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems. Phishing may also be conducted via third-party services, like social media platforms. Phishing may also involve social engineering techniques, such as posing as a trusted source, as well as evasive techniques such as removing or manipulating emails or metadata/headers from compromised accounts being abused to send messages (e.g., [Email Hiding Rules](https://attack.mitre.org/techniques/T1564/008)).(Citation: Microsoft OAuth Spam 2022)(Citation: Palo Alto Unit 42 VBA Infostealer 2014) Another way to accomplish this is by [Email Spoofing](https://attack.mitre.org/techniques/T1672)(Citation: Proofpoint-spoof) the identity of the sender, which can be used to fool both the human recipient as well as automated security tools,(Citation: cyberproof-double-bounce) or by including the intended target as a party to an existing email thread that includes malicious files or links (i.e., \"thread hijacking\").(Citation: phishing-krebs)Victims may also receive phishing messages that instruct them to call a phone number where they are directed to visit a malicious URL, download malware,(Citation: sygnia Luna Month)(Citation: CISA Remote Monitoring and Management Software) or install adversary-accessible remote management tools onto their computer (i.e., [User Execution](https://attack.mitre.org/techniques/T1204)).(Citation: Unit42 Luna Moth)", "similar_words": [ @@ -23201,7 +23944,12 @@ "has routed traffic through chains of compromised network devices to proxy C2 communications.", "has routed traffic through a customized relay network layer.", "has used tools such as the publicly available HTran tool for proxying traffic in victim environments.", - "is capable of relaying traffic from command and control servers to follow-on systems." + "is capable of relaying traffic from command and control servers to follow-on systems.", + "has used TOR nodes for communications.", + "During threat actors used IPs for voice calls and for the collection of stolen data.", + "has routed traffic through chains of compromised network devices for password spray attacks.", + "has used for C2 traffic.", + "During used infrastructure associated with operational relay box (ORB) networks." ], "description": "Adversaries may chain together multiple proxies to disguise the source of malicious traffic. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source.For example, adversaries may construct or use onion routing networks such as the publicly available [Tor](https://attack.mitre.org/software/S0183) network to transport encrypted C2 traffic through a compromised population, allowing communication with any device within the network.(Citation: Onion Routing) Adversaries may also use operational relay box (ORB) networks composed of virtual private servers (VPS), Internet of Things (IoT) devices, smart devices, and end-of-life routers to obfuscate their operations.(Citation: ORB Mandiant) In the case of network infrastructure, it is possible for an adversary to leverage multiple compromised devices to create a multi-hop proxy chain (i.e., [Network Devices](https://attack.mitre.org/techniques/T1584/008)). By leveraging [Patch System Image](https://attack.mitre.org/techniques/T1601/001) on routers, adversaries can add custom code to the affected network devices that will implement onion routing between those nodes. This method is dependent upon the [Network Boundary Bridging](https://attack.mitre.org/techniques/T1599) method allowing the adversaries to cross the protected network boundary of the Internet perimeter and into the organizations Wide-Area Network (WAN). Protocols such as ICMP may be used as a transport. Similarly, adversaries may abuse peer-to-peer (P2P) and blockchain-oriented infrastructure to implement routing between a decentralized network of peers.(Citation: NGLite Trojan)", "similar_words": [ @@ -23263,7 +24011,16 @@ "has executed multiple Bash controller scripts to provide command line inputs for FLORAHOX traversal configurations.", "reads command line arguments and parses them for functionality when executed from a Linux shell and can execute arbitrary strings passed to it as shell commands.", "used shell scripts for post-exploitation execution in victim environments.", - "The agent is executed through a command line argument which specifies an interface and listening port." + "The agent is executed through a command line argument which specifies an interface and listening port.", + "has the ability to spawn BusyBox command shell in victim environments.", + "has targeted macOS victim hosts using a bash downloader coremedia.sh and a bash script cloud.sh.", + "has used the command shell to upload and install the Teleport remote access tool to a compromised vCenter Server Appliance.", + "During used malware capable of launching an interactive shell.", + "has the ability to spawn a bash shell for script execution.", + "can deploy components automatically with shell scripts.", + "has enabled the creation of an access-controlled command shell /bin/sh on compromised routers.", + "has used a bash script to install malicious vSphere Installation Bundles (VIBs).", + "can execute commands with `/bin/sh`." ], "description": "Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the primary command prompt on Linux, macOS, and ESXi systems, though many variations of the Unix shell exist (e.g. sh, ash, bash, zsh, etc.) depending on the specific OS or distribution.(Citation: DieNet Bash)(Citation: Apple ZShell) Unix shells can control every aspect of a system, with certain commands requiring elevated privileges.Unix shells also support scripts that enable sequential execution of commands as well as other typical programming operations such as conditionals and loops. Common uses of shell scripts include long or repetitive tasks, or the need to run the same set of commands on multiple systems.Adversaries may abuse Unix shells to execute various commands or payloads. Interactive shells may be accessed through command and control channels or during lateral movement such as with [SSH](https://attack.mitre.org/techniques/T1021/004). Adversaries may also leverage shell scripts to deliver and execute multiple commands on victims or as part of payloads used for persistence.Some systems, such as embedded devices, lightweight Linux distributions, and ESXi servers, may leverage stripped-down Unix shells via Busybox, a small executable that contains a variety of tools, including a simple shell.", "similar_words": [ @@ -23386,9 +24143,19 @@ "disabled security tools such as Windows Defender and the Raccine anti-ransomware tool during operations.", "contains an unused capability to block endpoint security solutions from loading user-mode code hooks via a DLL in a specified process by using the `UpdateProcThreadAttributeAPI` to set the `PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY` to `PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON` for an identified process.", "has unhooked DLLs to disable endpoint detection and response (EDR) or anti-virus (AV) tools.", - "adds .JS and .EXE extensions to the Microsoft Defender exclusion list. terminates and removes the Raccine anti-ransomware utility." - ], - "description": "Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.(Citation: SCADAfence_ransomware)Adversaries may also tamper with artifacts deployed and utilized by security tools. Security tools may make dynamic changes to system components in order to maintain visibility into specific events. For example, security products may load their own modules and/or modify those loaded by processes to facilitate data collection. Similar to [Indicator Blocking](https://attack.mitre.org/techniques/T1562/006), adversaries may unhook or otherwise modify these features added by tools (especially those that exist in userland or are otherwise potentially accessible to adversaries) to avoid detection.(Citation: OutFlank System Calls)(Citation: MDSec System Calls) Alternatively, they may add new directories to an endpoint detection and response (EDR) tools exclusion list, enabling them to hide malicious files via [File/Path Exclusions](https://attack.mitre.org/techniques/T1564/012).(Citation: BlackBerry WhisperGate 2022)(Citation: Google Cloud Threat Intelligence FIN13 2021)Adversaries may also focus on specific applications such as Sysmon. For example, the Start and Enable values in HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Autologger\\EventLog-Microsoft-Windows-Sysmon-Operational may be modified to tamper with and potentially disable Sysmon logging.(Citation: disable_win_evt_logging) On network devices, adversaries may attempt to skip digital signature verification checks by altering startup configuration files and effectively disabling firmware verification that typically occurs at boot.(Citation: Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation)(Citation: Analysis of FG-IR-22-369)In cloud environments, tools disabled by adversaries may include cloud monitoring agents that report back to services such as AWS CloudWatch or Google Cloud Monitor.Furthermore, although defensive tools may have anti-tampering mechanisms, adversaries may abuse tools such as legitimate rootkit removal kits to impair and/or disable these tools.(Citation: chasing_avaddon_ransomware)(Citation: dharma_ransomware)(Citation: demystifying_ryuk)(Citation: doppelpaymer_crowdstrike) For example, adversaries have used tools such as GMER to find and shut down hidden processes and antivirus software on infected systems.(Citation: demystifying_ryuk)Additionally, adversaries may exploit legitimate drivers from anti-virus software to gain access to kernel space (i.e. [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068)), which may lead to bypassing anti-tampering features.(Citation: avoslocker_ransomware)", + "adds .JS and .EXE extensions to the Microsoft Defender exclusion list. terminates and removes the Raccine anti-ransomware utility.", + "has disabled OpenSSL digital signature verification of system files through corruption of boot files.", + "has terminated antivirus services utilizing the gaze.exe executable and utilizing `psexec.exe`. has also leveraged I/O control codes (IOCTLs) for terminating and deleting processes of identified security tools.", + "can disable security software and update services.", + "has convinced victims to disable Docker and other container environments and run code on their machine natively in attempts to bypass container isolation and ensure device infection.", + "During threat actors disabled Microsoft Defender through Registry settings and real-time monitoring via PowerShell.", + "has uninstalled and disabled security tools.", + "has disabled the TP-Link management interface for TP-Link by killing the /usr/bin/httpd process.", + "has identified and disabled API callback features of Windows Defender and Kaspersky.", + "has terminated antivirus services utilizing the gaze.exe executable. has also terminated antivirus services utilizing PowerShell scripts.", + "can terminate antivirus-related processes and services." + ], + "description": "Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.(Citation: SCADAfence_ransomware)Adversaries may trigger a denial-of-service attack via legitimate system processes. It has been previously observed that the Windows Time Travel Debugging (TTD) monitor driver can be used to initiate a debugging session for a security tool (e.g., an EDR) and render the tool non-functional. By hooking the debugger into the EDR process, all child processes from the EDR will be automatically suspended. The attacker can terminate any EDR helper processes (unprotected by Windows Protected Process Light) by abusing the Process Explorer driver. In combination this will halt any attempt to restart services and cause the tool to crash.(Citation: Cocomazzi FIN7 Reboot)Adversaries may also tamper with artifacts deployed and utilized by security tools. Security tools may make dynamic changes to system components in order to maintain visibility into specific events. For example, security products may load their own modules and/or modify those loaded by processes to facilitate data collection. Similar to [Indicator Blocking](https://attack.mitre.org/techniques/T1562/006), adversaries may unhook or otherwise modify these features added by tools (especially those that exist in userland or are otherwise potentially accessible to adversaries) to avoid detection.(Citation: OutFlank System Calls)(Citation: MDSec System Calls) For example, adversaries may abuse the Windows process mitigation policy to block certain endpoint detection and response (EDR) products from loading their user-mode code via DLLs. By spawning a process with the PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON attribute using API calls like UpdateProcThreadAttribute, adversaries may evade detection by endpoint security solutions that rely on DLLs that are not signed by Microsoft. Alternatively, they may add new directories to an EDR tools exclusion list, enabling them to hide malicious files via [File/Path Exclusions](https://attack.mitre.org/techniques/T1564/012).(Citation: BlackBerry WhisperGate 2022)(Citation: Google Cloud Threat Intelligence FIN13 2021)Adversaries may also focus on specific applications such as Sysmon. For example, the Start and Enable values in HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Autologger\\EventLog-Microsoft-Windows-Sysmon-Operational may be modified to tamper with and potentially disable Sysmon logging.(Citation: disable_win_evt_logging) On network devices, adversaries may attempt to skip digital signature verification checks by altering startup configuration files and effectively disabling firmware verification that typically occurs at boot.(Citation: Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation)(Citation: Analysis of FG-IR-22-369)In cloud environments, tools disabled by adversaries may include cloud monitoring agents that report back to services such as AWS CloudWatch or Google Cloud Monitor.Furthermore, although defensive tools may have anti-tampering mechanisms, adversaries may abuse tools such as legitimate rootkit removal kits to impair and/or disable these tools.(Citation: chasing_avaddon_ransomware)(Citation: dharma_ransomware)(Citation: demystifying_ryuk)(Citation: doppelpaymer_crowdstrike) For example, adversaries have used tools such as GMER to find and shut down hidden processes and antivirus software on infected systems.(Citation: demystifying_ryuk)Additionally, adversaries may exploit legitimate drivers from anti-virus software to gain access to kernel space (i.e. [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068)), which may lead to bypassing anti-tampering features.(Citation: avoslocker_ransomware)", "similar_words": [ "Disable or Modify Tools" ], @@ -23419,7 +24186,11 @@ "can retrieve output from arbitrary processes and shell commands via a pipe.", "can use interprocess communication (IPC) to enable the designation of multiple files for exfiltration in a scalable manner.", "During threat actors wrote output to stdout then piped it to bash for execution.", - "can read the results of command line execution via an unnamed pipe connected to the process." + "can read the results of command line execution via an unnamed pipe connected to the process.", + "The SMB demon can use named pipes for communication through a parent demon.", + "During the 's VEILEDSIGNAL creates and listens on a Windows named pipe to exchange messages between modules.", + "has leveraged the `CreatePipe` API to enable inter-process communication.", + "has facilitated inter-process communication between DLL components via the use of pipes. has also created a reverse shell using two anonymous pipes to write data to stdin and read data from stdout and stderr." ], "description": "Adversaries may abuse inter-process communication (IPC) mechanisms for local code or command execution. IPC is typically used by processes to share data, communicate with each other, or synchronize execution. IPC is also commonly used to avoid situations such as deadlocks, which occurs when processes are stuck in a cyclic waiting pattern. Adversaries may abuse IPC to execute arbitrary code or commands. IPC mechanisms may differ depending on OS, but typically exists in a form accessible through programming languages/libraries or native interfaces such as Windows [Dynamic Data Exchange](https://attack.mitre.org/techniques/T1559/002) or [Component Object Model](https://attack.mitre.org/techniques/T1559/001). Linux environments support several different IPC mechanisms, two of which being sockets and pipes.(Citation: Linux IPC) Higher level execution mediums, such as those of [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)s, may also leverage underlying IPC mechanisms. Adversaries may also use [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) to facilitate remote IPC execution.(Citation: Fireeye Hunting COM June 2019)", "similar_words": [ @@ -23491,7 +24262,8 @@ "has undergone regular technical improvements in an attempt to evade detection.", "has tested malware samples to determine AV detection and subsequently modified the samples to ensure AV evasion.", "Based on comparison of versions made an effort to obfuscate strings in the malware that could be used as IoCs including the mutex name and named pipe.", - "has been known to remove indicators of compromise from tools." + "has been known to remove indicators of compromise from tools.", + "has replaced atomic indicators mentioned in threat intelligence publications sometimes as quickly as under a week after release." ], "description": "Adversaries may remove indicators from tools if they believe their malicious tool was detected, quarantined, or otherwise curtailed. They can modify the tool by removing the indicator and using the updated version that is no longer detected by the target's defensive systems or subsequent targets that may use similar systems.A good example of this is when malware is detected with a file signature and quarantined by anti-virus software. An adversary who can determine that the malware was quarantined because of its file signature may modify the file to explicitly avoid that signature, and then re-use the malware.", "similar_words": [ @@ -23573,7 +24345,16 @@ "has used non-standard ports such as TCP 8080 for HTTP communication.", "has used random high number ports for listeners on victim devices.", "has used random high-number non-standard ports to listen for subsequent actions and C2 activities.", - "During used non-standard ports such as TCP 8080 for HTTP communication." + "During used non-standard ports such as TCP 8080 for HTTP communication.", + "has used TCP port 1224 for C2.", + "During used a backdoor that binds to port 45678 by default.", + "has communicated with C2 IP addresses over ports 1224 or 1244.", + "has used port-protocol mismatches on ports such as 53 80 443 and 8080 during C2. has used TCP ports 59999 and 9898 for firewall rules.", + "has used non-standard TCP ports such as 7777 11288 63256 63210 3256 and 3556 for C2.", + "has created listeners on hard coded TCP port 546.", + "has used port 6856 for C2 communications.", + "has been observed utilizing HTTP communications to the C2 server over ports 1224 2245 and 8637.", + "has created listeners on hard coded TCP ports such as 2233 7475 and 18098." ], "description": "Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.Adversaries may also make changes to victim systems to abuse non-standard ports. For example, Registry keys and other configuration settings can be used to modify protocol and port pairings.(Citation: change_rdp_port_conti)", "similar_words": [ @@ -23598,7 +24379,11 @@ "has used a Twitter account to communicate with ransomware victims.", "has created fake LinkedIn and other social media accounts to contact targets and convince them--through messages and voice communications--to open malicious links.", "has established fraudulent profiles on professional networking sites to conduct reconnaissance.", - "has created social media accounts to interact with victims." + "has created social media accounts to interact with victims.", + "has created matching fake social media profiles to support new accounts created in victim environments.", + "has created social media accounts including Telegram and X to publicize their activities.", + "operates a news channel on Telegram to make announcements for the RaaS.", + "has created fake social media accounts such as LinkedIn and Telegram accounts for their targeting efforts." ], "description": "Adversaries may create and cultivate social media accounts that can be used during targeting. Adversaries can create social media accounts that can be used to build a persona to further operations. Persona development consists of the development of public information, presence, history and appropriate affiliations.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage)For operations incorporating social engineering, the utilization of a persona on social media may be important. These personas may be fictitious or impersonate real people. The persona may exist on a single social media site or across multiple sites (ex: Facebook, LinkedIn, Twitter, etc.). Establishing a persona on social media may require development of additional documentation to make them seem real. This could include filling out profile information, developing social networks, or incorporating photos. Once a persona has been developed an adversary can use it to create connections to targets of interest. These connections may be direct or may include trying to connect through others.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage) These accounts may be leveraged during other phases of the adversary lifecycle, such as during Initial Access (ex: [Spearphishing via Service](https://attack.mitre.org/techniques/T1566/003)).", "similar_words": [ @@ -23677,7 +24462,7 @@ "has removed a targeted organization's global admin accounts to lock the organization out of all access.", "changes the password for local and domain users via net.exe to a random 32 character string to prevent these accounts from logging on. Additionally will terminate the winlogon.exe process to prevent attempts to log on to the infected system." ], - "description": "Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts. Adversaries may also subsequently log off and/or perform a [System Shutdown/Reboot](https://attack.mitre.org/techniques/T1529) to set malicious changes into place.(Citation: CarbonBlack LockerGoga 2019)(Citation: Unit42 LockerGoga 2019)In Windows, [Net](https://attack.mitre.org/software/S0039) utility, Set-LocalUser and Set-ADAccountPassword [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets may be used by adversaries to modify user accounts. Accounts could also be disabled by Group Policy. In Linux, the passwd utility may be used to change passwords. On ESXi servers, accounts can be removed or modified via esxcli (`system account set`, `system account remove`).Adversaries who use ransomware or similar attacks may first perform this and other Impact behaviors, such as [Data Destruction](https://attack.mitre.org/techniques/T1485) and [Defacement](https://attack.mitre.org/techniques/T1491), in order to impede incident response/recovery before completing the [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486) objective. ", + "description": "Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials, revoked permissions for SaaS platforms such as Sharepoint) to remove access to accounts.(Citation: Obsidian Security SaaS Ransomware June 2023) Adversaries may also subsequently log off and/or perform a [System Shutdown/Reboot](https://attack.mitre.org/techniques/T1529) to set malicious changes into place.(Citation: CarbonBlack LockerGoga 2019)(Citation: Unit42 LockerGoga 2019)In Windows, [Net](https://attack.mitre.org/software/S0039) utility, Set-LocalUser and Set-ADAccountPassword [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets may be used by adversaries to modify user accounts. Accounts could also be disabled by Group Policy. In Linux, the passwd utility may be used to change passwords. On ESXi servers, accounts can be removed or modified via esxcli (`system account set`, `system account remove`).Adversaries who use ransomware or similar attacks may first perform this and other Impact behaviors, such as [Data Destruction](https://attack.mitre.org/techniques/T1485) and [Defacement](https://attack.mitre.org/techniques/T1491), in order to impede incident response/recovery before completing the [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486) objective. ", "similar_words": [ "Account Access Removal" ], @@ -23743,7 +24528,8 @@ "establishes persistence on webservers as an IIS module.", "is an IIS post-exploitation framework consisting of 18 modules that provide several functionalities.", "During targeted Windows servers running Internet Information Systems (IIS) to install C2 components.", - "has been loaded onto Exchange servers and disguised as an ISAPI filter (owaauth.dll). The IIS w3wp.exe process then loads the malicious DLL." + "has been loaded onto Exchange servers and disguised as an ISAPI filter (owaauth.dll). The IIS w3wp.exe process then loads the malicious DLL.", + "During threat actors modified Internet Information Services (IIS) components to load suspicious .NET assemblies for persistence." ], "description": "Adversaries may install malicious components that run on Internet Information Services (IIS) web servers to establish persistence. IIS provides several mechanisms to extend the functionality of the web servers. For example, Internet Server Application Programming Interface (ISAPI) extensions and filters can be installed to examine and/or modify incoming and outgoing IIS web requests. Extensions and filters are deployed as DLL files that export three functions: Get{Extension/Filter}Version, Http{Extension/Filter}Proc, and (optionally) Terminate{Extension/Filter}. IIS modules may also be installed to extend IIS web servers.(Citation: Microsoft ISAPI Extension Overview 2017)(Citation: Microsoft ISAPI Filter Overview 2017)(Citation: IIS Backdoor 2011)(Citation: Trustwave IIS Module 2013)Adversaries may install malicious ISAPI extensions and filters to observe and/or modify traffic, execute commands on compromised machines, or proxy command and control traffic. ISAPI extensions and filters may have access to all IIS web requests and responses. For example, an adversary may abuse these mechanisms to modify HTTP responses in order to distribute malicious commands/content to previously comprised hosts.(Citation: Microsoft ISAPI Filter Overview 2017)(Citation: Microsoft ISAPI Extension Overview 2017)(Citation: Microsoft ISAPI Extension All Incoming 2017)(Citation: Dell TG-3390)(Citation: Trustwave IIS Module 2013)(Citation: MMPC ISAPI Filter 2012)Adversaries may also install malicious IIS modules to observe and/or modify traffic. IIS 7.0 introduced modules that provide the same unrestricted access to HTTP requests and responses as ISAPI extensions and filters. IIS modules can be written as a DLL that exports RegisterModule, or as a .NET application that interfaces with ASP.NET APIs to access IIS HTTP requests.(Citation: Microsoft IIS Modules Overview 2007)(Citation: Trustwave IIS Module 2013)(Citation: ESET IIS Malware 2021)", "similar_words": [ @@ -23761,7 +24547,8 @@ "has used revoked certificates to sign malware.", "The client has been signed by fake and invalid digital certificates.", "has used an invalid certificate in attempt to appear legitimate.", - "has used unverified signatures on malicious DLLs." + "has used unverified signatures on malicious DLLs.", + "has used a revoked certificate to exploit Windows driver execution policy where certificates issued before a specific date could still load." ], "description": "Adversaries may attempt to mimic features of valid code signatures to increase the chance of deceiving a user, analyst, or tool. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. Adversaries can copy the metadata and signature information from a signed program, then use it as a template for an unsigned program. Files with invalid code signatures will fail digital signature validation checks, but they may appear more legitimate to users and security tools may improperly handle these files.(Citation: Threatexpress MetaTwin 2017)Unlike [Code Signing](https://attack.mitre.org/techniques/T1553/002), this activity will not result in a valid signature.", "similar_words": [ @@ -23776,7 +24563,7 @@ "has used VirtualBox and a stripped Windows XP virtual machine to run itself. The use of a shared folder specified in the configuration enables to encrypt files on the host operating system including files on any mapped drives.", "has used QEMU and VirtualBox to run a Tiny Core Linux virtual machine which runs XMRig and makes connections to the C2 server for updates." ], - "description": "Adversaries may carry out malicious operations using a virtual instance to avoid detection. A wide variety of virtualization technologies exist that allow for the emulation of a computer or computing environment. By running malicious code inside of a virtual instance, adversaries can hide artifacts associated with their behavior from security tools that are unable to monitor activity inside the virtual instance.(Citation: CyberCX Akira Ransomware) Additionally, depending on the virtual networking implementation (ex: bridged adapter), network traffic generated by the virtual instance can be difficult to trace back to the compromised host as the IP address and hostname might not match known values.(Citation: SingHealth Breach Jan 2019)Adversaries may utilize native support for virtualization (ex: Hyper-V) or drop the necessary files to run a virtual instance (ex: VirtualBox binaries). After running a virtual instance, adversaries may create a shared folder between the guest and host with permissions that enable the virtual instance to interact with the host file system.(Citation: Sophos Ragnar May 2020)In VMWare environments, adversaries may leverage the vCenter console to create new virtual machines. However, they may also create virtual machines directly on ESXi servers by running a valid `.vmx` file with the `/bin/vmx` utility. Adding this command to `/etc/rc.local.d/local.sh` (i.e., [RC Scripts](https://attack.mitre.org/techniques/T1037/004)) will cause the VM to persistently restart.(Citation: vNinja Rogue VMs 2024) Creating a VM this way prevents it from appearing in the vCenter console or in the output to the `vim-cmd vmsvc/getallvms` command on the ESXi server, thereby hiding it from typical administrative activities.(Citation: MITRE VMware Abuse 2024)", + "description": "Adversaries may carry out malicious operations using a virtual instance to avoid detection. A wide variety of virtualization technologies exist that allow for the emulation of a computer or computing environment. By running malicious code inside of a virtual instance, adversaries can hide artifacts associated with their behavior from security tools that are unable to monitor activity inside the virtual instance.(Citation: CyberCX Akira Ransomware) Additionally, depending on the virtual networking implementation (ex: bridged adapter), network traffic generated by the virtual instance can be difficult to trace back to the compromised host as the IP address and hostname might not match known values.(Citation: SingHealth Breach Jan 2019)Adversaries may utilize native support for virtualization (ex: Hyper-V), deploy lightweight emulators (ex: QEMU), or drop the necessary files to run a virtual instance (ex: VirtualBox binaries).(Citation: Securonix CronTrap 2024) After running a virtual instance, adversaries may create a shared folder between the guest and host with permissions that enable the virtual instance to interact with the host file system.(Citation: Sophos Ragnar May 2020)Threat actors may also leverage temporary virtualized environments such as the Windows Sandbox, which supports the use of `.wsb` configuration files for defining execution parameters. For example, the `` property supports the creation of a shared folder, while the `` property allows the specification of a payload.(Citation: ESET MirrorFace 2025)(Citation: ITOCHU Hack the Sandbox)(Citation: ITOCHU Sandbox PPT)In VMWare environments, adversaries may leverage the vCenter console to create new virtual machines. However, they may also create virtual machines directly on ESXi servers by running a valid `.vmx` file with the `/bin/vmx` utility. Adding this command to `/etc/rc.local.d/local.sh` (i.e., [RC Scripts](https://attack.mitre.org/techniques/T1037/004)) will cause the VM to persistently restart.(Citation: vNinja Rogue VMs 2024) Creating a VM this way prevents it from appearing in the vCenter console or in the output to the `vim-cmd vmsvc/getallvms` command on the ESXi server, thereby hiding it from typical administrative activities.(Citation: MITRE VMware Abuse 2024)", "similar_words": [ "Run Virtual Instance" ], @@ -23803,7 +24590,8 @@ "maintains persistence on an infected machine through rc.local and .bashrc files.", "can establish persistence on a compromised host through modifying the `profile` `login` and run command (rc) files associated with the `bash` `csh` and `tcsh` shells.", "During threat actors executed commands on interactive and reverse shells.", - "Using adds it's executable to the user's `~/.zshrc_aliases` file (`echo & payload & > ~/zshrc_aliases`) it then adds a line to the .zshrc file to source the `.zshrc_aliases` file (`[ -f $HOME/.zshrc_aliases ] && . $HOME/.zshrc_aliases`). Each time the user starts a new `zsh` terminal session the `.zshrc` file executes the `.zshrc_aliases` file." + "Using adds it's executable to the user's `~/.zshrc_aliases` file (`echo & payload & > ~/zshrc_aliases`) it then adds a line to the .zshrc file to source the `.zshrc_aliases` file (`[ -f $HOME/.zshrc_aliases ] && . $HOME/.zshrc_aliases`). Each time the user starts a new `zsh` terminal session the `.zshrc` file executes the `.zshrc_aliases` file.", + "has targeted macOS victim hosts using a bash downloader `coremedia.sh` and a bash script `cloud.sh`." ], "description": "Adversaries may establish persistence through executing malicious commands triggered by a users shell. User [Unix Shell](https://attack.mitre.org/techniques/T1059/004)s execute several configuration scripts at different points throughout the session based on events. For example, when a user opens a command-line interface or remotely logs in (such as via SSH) a login shell is initiated. The login shell executes scripts from the system (/etc) and the users home directory (~/) to configure the environment. All login shells on a system use /etc/profile when initiated. These configuration scripts run at the permission level of their directory and are often used to set environment variables, create aliases, and customize the users environment. When the shell exits or terminates, additional shell scripts are executed to ensure the shell exits appropriately. Adversaries may attempt to establish persistence by inserting commands into scripts automatically executed by shells. Using bash as an example, the default shell for most GNU/Linux systems, adversaries may add commands that launch malicious binaries into the /etc/profile and /etc/profile.d files.(Citation: intezer-kaiji-malware)(Citation: bencane blog bashrc) These files typically require root permissions to modify and are executed each time any shell on a system launches. For user level permissions, adversaries can insert malicious commands into ~/.bash_profile, ~/.bash_login, or ~/.profile which are sourced when a user opens a command-line interface or connects remotely.(Citation: anomali-rocke-tactics)(Citation: Linux manual bash invocation) Since the system only executes the first existing file in the listed order, adversaries have used ~/.bash_profile to ensure execution. Adversaries have also leveraged the ~/.bashrc file which is additionally executed if the connection is established remotely or an additional interactive shell is opened, such as a new tab in the command-line interface.(Citation: Tsunami)(Citation: anomali-rocke-tactics)(Citation: anomali-linux-rabbit)(Citation: Magento) Some malware targets the termination of a program to trigger execution, adversaries can use the ~/.bash_logout file to execute malicious commands at the end of a session. For macOS, the functionality of this technique is similar but may leverage zsh, the default shell for macOS 10.15+. When the Terminal.app is opened, the application launches a zsh login shell and a zsh interactive shell. The login shell configures the system environment using /etc/profile, /etc/zshenv, /etc/zprofile, and /etc/zlogin.(Citation: ScriptingOSX zsh)(Citation: PersistentJXA_leopitt)(Citation: code_persistence_zsh)(Citation: macOS MS office sandbox escape) The login shell then configures the user environment with ~/.zprofile and ~/.zlogin. The interactive shell uses the ~/.zshrc to configure the user environment. Upon exiting, /etc/zlogout and ~/.zlogout are executed. For legacy programs, macOS executes /etc/bashrc on startup.", "similar_words": [ @@ -23940,7 +24728,9 @@ "used Regsvr32 to bypass application control techniques.", "uses RegSvr32 to execute the DLL payload.", "can create SCT files for installation via `Regsvr32` to deploy new Grunt listeners.", - "uses regsvr32.exe execution without any command line parameters for command and control requests to IP addresses associated with nodes." + "uses regsvr32.exe execution without any command line parameters for command and control requests to IP addresses associated with nodes.", + "has used regsvr32.exe to execute the windows `DLLRegisterServer` function.", + "has launched Beacon files using regsvr32.exe." ], "description": "Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. The Regsvr32.exe binary may also be signed by Microsoft. (Citation: Microsoft Regsvr32)Malicious usage of Regsvr32.exe may avoid triggering security tools that may not monitor execution of, and modules loaded by, the regsvr32.exe process because of allowlists or false positives from Windows using regsvr32.exe for normal operations. Regsvr32.exe can also be used to specifically bypass application control using functionality to load COM scriptlets to execute DLLs under user permissions. Since Regsvr32.exe is network and proxy aware, the scripts can be loaded by passing a uniform resource locator (URL) to file on an external Web server as an argument during invocation. This method makes no changes to the Registry as the COM object is not actually registered, only executed. (Citation: LOLBAS Regsvr32) This variation of the technique is often referred to as a \"Squiblydoo\" and has been used in campaigns targeting governments. (Citation: Carbon Black Squiblydoo Apr 2016) (Citation: FireEye Regsvr32 Targeting Mongolian Gov)Regsvr32.exe can also be leveraged to register a COM Object used to establish persistence via [Component Object Model Hijacking](https://attack.mitre.org/techniques/T1546/015). (Citation: Carbon Black Squiblydoo Apr 2016)", "similar_words": [ @@ -23964,7 +24754,7 @@ "has researched software code to enable supply-chain operations most notably for the 2017 attack. also collected a list of computers using specific software as part of its targeting efforts.", "has inserted a malicious script within compromised websites to collect potential victim information such as browser type system language Flash Player version and other data." ], - "description": "Adversaries may gather information about the victim's host software that can be used during targeting. Information about installed software may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of added defensive protections (ex: antivirus, SIEMs, etc.).Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) (ex: listening ports, server banners, user agent strings) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about the installed software may also be exposed to adversaries via online or other accessible data sets (ex: job postings, network maps, assessment reports, resumes, or purchase invoices). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or for initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [External Remote Services](https://attack.mitre.org/techniques/T1133)).", + "description": "Adversaries may gather information about the victim's host software that can be used during targeting. Information about installed software may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of added defensive protections (ex: antivirus, SIEMs, etc.).Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) (ex: listening ports, server banners, user agent strings) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about the installed software may also be exposed to adversaries via online or other accessible data sets (ex: job postings, network maps, assessment reports, resumes, or purchase invoices). Additionally, adversaries may analyze metadata from victim-owned files (e.g., PDFs, DOCs, images, and sound files hosted on victim-owned websites) to extract information about the software and hardware used to create or process those files. Metadata may reveal software versions, configurations, or timestamps that indicate outdated or vulnerable software. This information can be cross-referenced with known CVEs to identify potential vectors for exploitation in future operations.(Citation: Outpost24)Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or for initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [External Remote Services](https://attack.mitre.org/techniques/T1133)).", "similar_words": [ "Software" ], @@ -23976,7 +24766,7 @@ "During impersonated legitimate IT personnel in phone calls to direct victims to download a remote monitoring and management (RMM) tool that would allow the adversary to remotely control their system.", "has initiated voice calls with victims posing as IT support to prompt users to download and execute scripts and other tools for initial access." ], - "description": "Adversaries may use voice communications to ultimately gain access to victim systems. Spearphishing voice is a specific variant of spearphishing. It is different from other forms of spearphishing in that is employs the use of manipulating a user into providing access to systems through a phone call or other forms of voice communications. Spearphishing frequently involves social engineering techniques, such as posing as a trusted source (ex: [Impersonation](https://attack.mitre.org/techniques/T1656)) and/or creating a sense of urgency or alarm for the recipient.All forms of phishing are electronically delivered social engineering. In this scenario, adversaries are not directly sending malware to a victim vice relying on [User Execution](https://attack.mitre.org/techniques/T1204) for delivery and execution. For example, victims may receive phishing messages that instruct them to call a phone number where they are directed to visit a malicious URL, download malware,(Citation: sygnia Luna Month)(Citation: CISA Remote Monitoring and Management Software) or install adversary-accessible remote management tools ([Remote Access Tools](https://attack.mitre.org/techniques/T1219)) onto their computer.(Citation: Unit42 Luna Moth)Adversaries may also combine voice phishing with [Multi-Factor Authentication Request Generation](https://attack.mitre.org/techniques/T1621) in order to trick users into divulging MFA credentials or accepting authentication prompts.(Citation: Proofpoint Vishing)", + "description": "Adversaries may use voice communications to ultimately gain access to victim systems. Spearphishing voice is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of manipulating a user into providing access to systems through a phone call or other forms of voice communications. Spearphishing frequently involves social engineering techniques, such as posing as a trusted source (ex: [Impersonation](https://attack.mitre.org/techniques/T1656)) and/or creating a sense of urgency or alarm for the recipient.All forms of phishing are electronically delivered social engineering. In this scenario, adversaries are not directly sending malware to a victim vice relying on [User Execution](https://attack.mitre.org/techniques/T1204) for delivery and execution. For example, victims may receive phishing messages that instruct them to call a phone number where they are directed to visit a malicious URL, download malware,(Citation: sygnia Luna Month)(Citation: CISA Remote Monitoring and Management Software) or install adversary-accessible remote management tools ([Remote Access Tools](https://attack.mitre.org/techniques/T1219)) onto their computer.(Citation: Unit42 Luna Moth)Adversaries may also combine voice phishing with [Multi-Factor Authentication Request Generation](https://attack.mitre.org/techniques/T1621) in order to trick users into divulging MFA credentials or accepting authentication prompts.(Citation: Proofpoint Vishing)", "similar_words": [ "Spearphishing Voice" ], @@ -23986,7 +24776,8 @@ "name": "Exploits", "example_uses": [ "has exploited zero-day vulnerabilities for initial access.", - "has rapidly transformed and adapted public exploit proof-of-concept code for new vulnerabilities and utilized them against target networks." + "has rapidly transformed and adapted public exploit proof-of-concept code for new vulnerabilities and utilized them against target networks.", + "has used zero-day vulnerabilities CVE-2022-41328 against FortiOS and CVE-2023-20867 and CVE-2023-34048 against VMware vCenter." ], "description": "Adversaries may develop exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than finding/modifying exploits from online or purchasing them from exploit vendors, an adversary may develop their own exploits.(Citation: NYTStuxnet) Adversaries may use information acquired via [Vulnerabilities](https://attack.mitre.org/techniques/T1588/006) to focus exploit development efforts. As part of the exploit development process, adversaries may uncover exploitable vulnerabilities through methods such as fuzzing and patch analysis.(Citation: Irongeek Sims BSides 2017)As with legitimate development efforts, different skill sets may be required for developing exploits. The skills needed may be located in-house, or may need to be contracted out. Use of a contractor may be considered an extension of that adversary's exploit development capabilities, provided the adversary plays a role in shaping requirements and maintains an initial degree of exclusivity to the exploit.Adversaries may use exploits during various phases of the adversary lifecycle (i.e. [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190), [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203), [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068), [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211), [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212), [Exploitation of Remote Services](https://attack.mitre.org/techniques/T1210), and [Application or System Exploitation](https://attack.mitre.org/techniques/T1499/004)).", "similar_words": [ @@ -23999,7 +24790,8 @@ "example_uses": [ "has used Twitter to monitor potential victims and to prepare targeted phishing e-mails.", "has copied data from social media sites to impersonate targeted individuals.", - "For used LinkedIn to identify and target employees within a chosen organization." + "For used LinkedIn to identify and target employees within a chosen organization.", + "had identified and solicited victims through social media such as LinkedIn X and Telegram." ], "description": "Adversaries may search social media for information about victims that can be used during targeting. Social media sites may contain various information about a victim organization, such as business announcements as well as information about the roles, locations, and interests of staff.Adversaries may search in different social media sites depending on what information they seek to gather. Threat actors may passively harvest data from these sites, as well as use information gathered to create fake profiles/groups to elicit victims into revealing specific information (i.e. [Spearphishing Service](https://attack.mitre.org/techniques/T1598/001)).(Citation: Cyware Social Media) Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Spearphishing via Service](https://attack.mitre.org/techniques/T1566/003)).", "similar_words": [ @@ -24023,7 +24815,7 @@ "can add a CLSID key for payload execution through `Registry.CurrentUser.CreateSubKey(Software\\\\Classes\\\\CLSID\\\\{ + clsid + }\\\\InProcServer32)`.", "has used COM hijacking to establish persistence by hijacking a class named MMDeviceEnumerator and also by registering the payload as a Shell Icon Overlay handler COM object ({3543619C-D563-43f7-95EA-4DA7E1CC396A})." ], - "description": "Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects. COM is a system within Windows to enable interaction between software components through the operating system.(Citation: Microsoft Component Object Model) References to various COM objects are stored in the Registry. Adversaries can use the COM system to insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships as a means for persistence. Hijacking a COM object requires a change in the Registry to replace a reference to a legitimate system component which may cause that component to not work when executed. When that system component is executed through normal system operation the adversary's code will be executed instead.(Citation: GDATA COM Hijacking) An adversary is likely to hijack objects that are used frequently enough to maintain a consistent level of persistence, but are unlikely to break noticeable functionality within the system as to avoid system instability that could lead to detection. ", + "description": "Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects. COM is a system within Windows to enable interaction between software components through the operating system.(Citation: Microsoft Component Object Model) References to various COM objects are stored in the Registry. Adversaries may use the COM system to insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships as a means for persistence. Hijacking a COM object requires a change in the Registry to replace a reference to a legitimate system component which may cause that component to not work when executed. When that system component is executed through normal system operation the adversary's code will be executed instead.(Citation: GDATA COM Hijacking) An adversary is likely to hijack objects that are used frequently enough to maintain a consistent level of persistence, but are unlikely to break noticeable functionality within the system as to avoid system instability that could lead to detection. One variation of COM hijacking involves abusing Type Libraries (TypeLibs), which provide metadata about COM objects, such as their interfaces and methods. Adversaries may modify Registry keys associated with TypeLibs to redirect legitimate COM object functionality to malicious scripts or payloads. Unlike traditional COM hijacking, which commonly uses local DLLs, this variation may leverage the \"script:\" moniker to execute remote scripts hosted on external servers.(Citation: RELIAQUEST) This approach enables stealthy execution of code while maintaining persistence, as the remote payload would be automatically downloaded whenever the hijacked COM object is accessed.", "similar_words": [ "Component Object Model Hijacking" ], @@ -24062,7 +24854,8 @@ "During the gained initial network access to some victims via a trojanized update of SolarWinds Orion software.", "has gained initial access by compromising a victim's software supply chain.", "is associated with several supply chain compromises using malicious updates to compromise victims.", - "has distributed a trojanized version of PuTTY software for initial access to victims." + "has distributed a trojanized version of PuTTY software for initial access to victims.", + "During the first compromised an end-of-life trading software application which was downloaded and executed inside the 3CX enterprise environment. The second compromise modified the Windows and macOS build environments used to distribute the 3CX software to their customer base." ], "description": "Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version.Targeting may be specific to a desired victim set or may be distributed to a broad set of consumers but only move on to additional tactics on specific victims.(Citation: Avast CCleaner3 2018)(Citation: Command Five SK 2011) ", "similar_words": [ @@ -24146,7 +24939,10 @@ "uses the Microsoft Graph API to connect to an actor-controlled OneDrive account to download and execute files and shell commands and to create directories to share exfiltrated data.", "can use a REST-based Microsoft Graph API to access draft messages in a shared Microsoft Office 365 Outlook email account used for C2 communication.", "has used a Github repository for C2.", - "has used virtual private servers (VPS) for command and control traffic as well as third-party cloud services in more recent variants." + "has used virtual private servers (VPS) for command and control traffic as well as third-party cloud services in more recent variants.", + "can retrieve C2 commands from an encrypted file on Google Drive then upload the results of command execution back to Google Drive.", + "has used Blogspot pages and a Github repository for C2. has also leveraged Dropbox for downloading payloads and uploading victim system information.", + "has used several ways to try to resolve the C2 server including: public third-party websites an adversary-operated Telegraph channel the utility and the TXT record of a hardcoded C2 domain." ], "description": "Adversaries may use an existing, legitimate external Web service as a means for sending commands to and receiving output from a compromised system over the Web service channel. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems can then send the output from those commands back over that Web service channel. The return traffic may occur in a variety of ways, depending on the Web service being utilized. For example, the return traffic may take the form of the compromised system posting a comment on a forum, issuing a pull request to development project, updating a document hosted on a Web service, or by sending a Tweet. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection. ", "similar_words": [ @@ -24277,7 +25073,10 @@ "has used tools such as with command and control communication taking place over HTTPS.", "has used HTTPS for command and control purposes.", "can use the OpenSSL library to encrypt C2 communications.", - "uses reverse proxy functionality that employs SSL to encrypt communications." + "uses reverse proxy functionality that employs SSL to encrypt communications.", + "can use TLS over raw TCP for secure C2.", + "can initiate a C2 connection over an SSL socket.", + "has used HTTPS for command and control." ], "description": "Adversaries may employ a known asymmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Asymmetric cryptography, also known as public key cryptography, uses a keypair per party: one public that can be freely distributed, and one private. Due to how the keys are generated, the sender encrypts data with the receivers public key and the receiver decrypts the data with their private key. This ensures that only the intended recipient can read the encrypted data. Common public key encryption algorithms include RSA and ElGamal.For efficiency, many protocols (including SSL/TLS) use symmetric cryptography once a connection is established, but use asymmetric cryptography to establish or transmit a key. As such, these protocols are classified as [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002).", "similar_words": [ @@ -24324,7 +25123,14 @@ "has used tools such as to exfiltrate information from victim environments to cloud storage such as `mega.nz`.", "exfiltrated collected information to OneDrive.", "can use an attacker-controlled OneDrive account for exfiltration.", - "can exfiltrate files to an actor-controlled OneDrive account via the Microsoft Graph API." + "can exfiltrate files to an actor-controlled OneDrive account via the Microsoft Graph API.", + "has exfiltrated stolen files and data to actor-controlled Blogspot accounts. has also leveraged Dropbox for uploading victim system information.", + "has also exfiltrated archived files to cloud services such as Dropbox using `curl`.", + "can upload results from executed C2 commands to cloud storage.", + "has utilized to exfiltrate data from victim environments to cloud storage.", + "has exfiltrated stolen data to the MEGA file sharing site. has also utilized to exfiltrate data from victim environments to cloud storage such as MegaSync. has exfiltrated data to their own infrastructure utilizing AzCopy Command-Line tool (CLI).", + "has exfiltrated stolen passwords to Dropbox.", + "has exfiltrated victim data to the MEGA file sharing site SnowFlake and AWS S3 buckets." ], "description": "Adversaries may exfiltrate data to a cloud storage service rather than over their primary command and control channel. Cloud storage services allow for the storage, edit, and retrieval of data from a remote cloud storage server over the Internet.Examples of cloud storage services include Dropbox and Google Docs. Exfiltration to these cloud storage services can provide a significant amount of cover to the adversary if hosts within the network are already communicating with the service. ", "similar_words": [ @@ -24381,7 +25187,13 @@ "spreads itself laterally by writing the JavaScript launcher file to mapped shared folders.", "transfered tools such as and the AnyDesk remote access tool during operations using SMB shares.", "has used the toolset to move and remotely execute payloads to other hosts in victim networks.", - "has used its `wmiexec` command leveraging Windows Management Instrumentation to remotely stage and execute payloads in victim networks." + "has used its `wmiexec` command leveraging Windows Management Instrumentation to remotely stage and execute payloads in victim networks.", + "has utilized legitimate software services such as PDQ Deploy to transfer malicious binaries and tools to other victimized hosts within the target environment.", + "has the ability to copy files from one location to another.", + "has utilzed Python scripts to transfer files between ESXi hosts and guest VMs.", + "is capable of file transfer and arbitrary command execution.", + "has file transfer capabilities.", + "During threat actors used to remotely stage and execute payloads via WMI." ], "description": "Adversaries may transfer tools or other files between systems in a compromised environment. Once brought into the victim environment (i.e., [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) files may then be copied from one system to another to stage adversary tools or other files over the course of an operation.Adversaries may copy files between internal victim systems to support lateral movement using inherent file sharing protocols such as file sharing over [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) to connected network shares or with authenticated connections via [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001).(Citation: Unit42 LockerGoga 2019)Files can also be transferred using native or otherwise present tools on the victim system, such as scp, rsync, curl, sftp, and [ftp](https://attack.mitre.org/software/S0095). In some cases, adversaries may be able to leverage [Web Service](https://attack.mitre.org/techniques/T1102)s such as Dropbox or OneDrive to copy files from one machine to another via shared, automatically synced folders.(Citation: Dropbox Malware Sync)", "similar_words": [ @@ -24458,7 +25270,10 @@ "variants check system language settings via keyboard layout or similar mechanisms.", "can determine system location based on the default language setting and will not execute on systems located in former Soviet countries.", "will not affect machines with language settings matching a defined exlusion list of mainly Eastern European languages.", - "identifies the language on the victim system." + "identifies the language on the victim system.", + "has checked supported languages on the compromised system.", + "can retrieve system default language and time zone.", + "has identified system language codes on a compromised host to determine if the victim falls under a non-supported language code that is prohibited for targeting including victims associated with Russia and other Commonwealth of Independent States (CIS) that may draw attention of law enforcement in countries where the ransomware operator or affiliates may reside/operate from." ], "description": "Adversaries may attempt to gather information about the system language of a victim in order to infer the geographical location of that host. This information may be used to shape follow-on behaviors, including whether the adversary infects the target and/or attempts specific actions. This decision may be employed by malware developers and operators to reduce their risk of attracting the attention of specific law enforcement agencies or prosecution/scrutiny from other entities.(Citation: Malware System Language Check)There are various sources of data an adversary could use to infer system language, such as system defaults and keyboard layouts. Specific checks will vary based on the target and/or adversary, but may involve behaviors such as [Query Registry](https://attack.mitre.org/techniques/T1012) and calls to [Native API](https://attack.mitre.org/techniques/T1106) functions.(Citation: CrowdStrike Ryuk January 2019) For example, on a Windows system adversaries may attempt to infer the language of a system by querying the registry key HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Nls\\Language or parsing the outputs of Windows API functions GetUserDefaultUILanguage, GetSystemDefaultUILanguage, GetKeyboardLayoutList and GetUserDefaultLangID.(Citation: Darkside Ransomware Cybereason)(Citation: Securelist JSWorm)(Citation: SecureList SynAck Doppelgnging May 2018)On a macOS or Linux system, adversaries may query locale to retrieve the value of the $LANG environment variable.", "similar_words": [ @@ -24511,7 +25326,7 @@ "has reconfigured a victim's DNS records to actor-controlled domains and websites.", "modified Name Server (NS) items to refer to -controlled DNS servers to provide responses for all DNS lookups." ], - "description": "Adversaries may compromise third-party DNS servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control (ex: [Application Layer Protocol](https://attack.mitre.org/techniques/T1071)). Instead of setting up their own DNS servers, adversaries may compromise third-party DNS servers in support of operations.By compromising DNS servers, adversaries can alter DNS records. Such control can allow for redirection of an organization's traffic, facilitating Collection and Credential Access efforts for the adversary.(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye DNS Hijack 2019) Additionally, adversaries may leverage such control in conjunction with [Digital Certificates](https://attack.mitre.org/techniques/T1588/004) to redirect traffic to adversary-controlled infrastructure, mimicking normal trusted network communications.(Citation: FireEye DNS Hijack 2019)(Citation: Crowdstrike DNS Hijack 2019) Adversaries may also be able to silently create subdomains pointed at malicious servers without tipping off the actual owner of the DNS server.(Citation: CiscoAngler)(Citation: Proofpoint Domain Shadowing)", + "description": "Adversaries may compromise third-party DNS servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control (ex: [Application Layer Protocol](https://attack.mitre.org/techniques/T1071)). Instead of setting up their own DNS servers, adversaries may compromise third-party DNS servers in support of operations.By compromising DNS servers, adversaries can alter DNS records. Such control can allow for redirection of an organization's traffic, facilitating Collection and Credential Access efforts for the adversary.(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye DNS Hijack 2019) Additionally, adversaries may leverage such control in conjunction with [Digital Certificates](https://attack.mitre.org/techniques/T1588/004) to redirect traffic to adversary-controlled infrastructure, mimicking normal trusted network communications.(Citation: FireEye DNS Hijack 2019)(Citation: Crowdstrike DNS Hijack 2019) Alternatively, they may be able to prove ownership of a domain to a SaaS service in order to assert control of the service or create a new administrative [Cloud Account](https://attack.mitre.org/techniques/T1136/003).(Citation: CyberCX SaaS Domain Hijacking 2025) Adversaries may also be able to silently create subdomains pointed at malicious servers without tipping off the actual owner of the DNS server.(Citation: CiscoAngler)(Citation: Proofpoint Domain Shadowing)", "similar_words": [ "DNS Server" ], @@ -24538,7 +25353,12 @@ "uses fake Transport Layer Security (TLS) to communicate with its C2 server.", "mimics HTTP protocol for C2 communication while hiding the actual messages in the Cookie and Set-Cookie headers of the HTTP requests.", "can leverage the HTTP protocol for C2 communication while hiding the actual data in either an HTTP header URI parameter the transaction body or appending it to the URI.", - "leverages the HTTP protocol for C2 communication while hiding the actual messages in the Cookie and Set-Cookie headers of the HTTP requests." + "leverages the HTTP protocol for C2 communication while hiding the actual messages in the Cookie and Set-Cookie headers of the HTTP requests.", + "has utilized TLS record headers in network packets to impersonate various versions of TLS protocols to blend in with legitimate network traffic. used FakeTLS to communicate with its C2 server.", + "has modified HTTP POST requests to resemble legitimate communications. PUBLOAD used FakeTLS headers in network packets to impersonate various versions of TLS protocols to blend in with legitimate network traffic. has utilized FakeTLS headers with the bytes 17 03 03.", + "has utilized TLS record headers in network packets to impersonate various versions of TLS protocols to blend in with legitimate network traffic. has used FakeTLS to communicate with its C2 servers.", + "has modified HTTP POST requests to resemble legitimate communications.", + "used FakeTLS headers in network packets to impersonate various versions of TLS protocols to blend in with legitimate network traffic. variants have utilized FakeTLS headers with the bytes `0x17 0x03 0x03` to represent TLSv1.2 and `0x17 0x03 0x04` for TLSv1.3." ], "description": "Adversaries may impersonate legitimate protocols or web service traffic to disguise command and control activity and thwart analysis efforts. By impersonating legitimate protocols or web services, adversaries can make their command and control traffic blend in with legitimate network traffic. Adversaries may impersonate a fake SSL/TLS handshake to make it look like subsequent traffic is SSL/TLS encrypted, potentially interfering with some security tooling, or to make the traffic look like it is related with a trusted entity. Adversaries may also leverage legitimate protocols to impersonate expected web traffic or trusted services. For example, adversaries may manipulate HTTP headers, URI endpoints, SSL certificates, and transmitted data to disguise C2 communications or mimic legitimate services such as Gmail, Google Drive, and Yahoo Messenger.(Citation: ESET Okrum July 2019)(Citation: Malleable-C2-U42)", "similar_words": [ @@ -24592,7 +25412,8 @@ "During threat actors used a compromised domain admin account to move laterally.", "compromised domain credentials during .", "has used an exfiltration tool named STEALHOOK to retreive valid domain credentials.", - "captured credentials for or impersonated domain administration users." + "captured credentials for or impersonated domain administration users.", + "During threat actors used compromised credentials for lateral movement." ], "description": "Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.(Citation: TechNet Credential Theft) Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.(Citation: Microsoft AD Accounts)Adversaries may compromise domain accounts, some with a high level of privileges, through various means such as [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) or password reuse, allowing access to privileged resources of the domain.", "similar_words": [ @@ -24671,7 +25492,11 @@ "can use IP geolocation to determine if the person browsing to a compromised site is within a targeted territory such as the US Canada Germany and South Korea.", "can determine the geographical location of a victim host by checking the language.", "collects the `Locale Name` of the infected device via `GetUserDefaultLocaleName` to determine whether the string `ru` is included but in analyzed samples no action is taken if present.", - "has obtained the victim's system current location." + "has obtained the victim's system current location.", + "has obtained the location of the victim device by leveraging `GetSystemDefaultLCID`.", + "has gathered detailed information about victims systems such as IP addresses and geolocation. has also checked the IP from where it was being executed and leveraged an opensource geolocation IP-lookup service.", + "has a function where the C2 endpoint can identify the geographical location of a victim host based on request headers execution environment and runtime conditions.", + "has collected the internal IP address IP geolocation information of the infected host and sends the data to a C2 server. has also leveraged the pay module to obtain region name country city zip code ISP latitude and longitude using http://ip-api.com/json." ], "description": "Adversaries may gather information in an attempt to calculate the geographical location of a victim host. Adversaries may use the information from [System Location Discovery](https://attack.mitre.org/techniques/T1614) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.Adversaries may attempt to infer the location of a system using various system checks, such as time zone, keyboard layout, and/or language settings.(Citation: FBI Ragnar Locker 2020)(Citation: Sophos Geolocation 2016)(Citation: Bleepingcomputer RAT malware 2020) Windows API functions such as GetLocaleInfoW can also be used to determine the locale of the host.(Citation: FBI Ragnar Locker 2020) In cloud environments, an instance's availability zone may also be discovered by accessing the instance metadata service from the instance.(Citation: AWS Instance Identity Documents)(Citation: Microsoft Azure Instance Metadata 2021)Adversaries may also attempt to infer the location of a victim host using IP addressing, such as via online geolocation IP-lookup services.(Citation: Securelist Trasparent Tribe 2020)(Citation: Sophos Geolocation 2016)", "similar_words": [ @@ -24713,7 +25538,10 @@ "creates a network listener using the misspelled label logincontroll recorded to the Registry key HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\NetworkProvider\\\\Order.", "impersonates help desk and IT support personnel for phishing and social engineering purposes during initial access to victim environments.", "has impersonated legitimate people in phishing emails to gain credentials.", - "has impersonated academic institutions and NGOs in order to gain information related to North Korea." + "has impersonated academic institutions and NGOs in order to gain information related to North Korea.", + "During threat actors impersonated IT support personnel in voice calls with victims at times claiming to be addressing enterprise-wide connectivity issues.", + "had impersonated HR hiring personnel through social media job board notifications and conducted interviews with victims in order to entice them to download malware disguised as legitimate applications or malicious scripts from code repositories.", + "utilized social engineering to compel IT help desk personnel to reset passwords and MFA tokens. has also used Microsoft Teams to pose as internal IT support or help desk personnel." ], "description": "Adversaries may impersonate a trusted person or organization in order to persuade and trick a target into performing some action on their behalf. For example, adversaries may communicate with victims (via [Phishing for Information](https://attack.mitre.org/techniques/T1598), [Phishing](https://attack.mitre.org/techniques/T1566), or [Internal Spearphishing](https://attack.mitre.org/techniques/T1534)) while impersonating a known sender such as an executive, colleague, or third-party vendor. Established trust can then be leveraged to accomplish an adversarys ultimate goals, possibly against multiple victims. In many cases of business email compromise or email fraud campaigns, adversaries use impersonation to defraud victims -- deceiving them into sending money or divulging information that ultimately enables [Financial Theft](https://attack.mitre.org/techniques/T1657).Adversaries will often also use social engineering techniques such as manipulative and persuasive language in email subject lines and body text such as `payment`, `request`, or `urgent` to push the victim to act quickly before malicious activity is detected. These campaigns are often specifically targeted against people who, due to job roles and/or accesses, can carry out the adversarys goal. Impersonation is typically preceded by reconnaissance techniques such as [Gather Victim Identity Information](https://attack.mitre.org/techniques/T1589) and [Gather Victim Org Information](https://attack.mitre.org/techniques/T1591) as well as acquiring infrastructure such as email domains (i.e. [Domains](https://attack.mitre.org/techniques/T1583/001)) to substantiate their false identity.(Citation: CrowdStrike-BEC) There is the potential for multiple victims in campaigns involving impersonation. For example, an adversary may [Compromise Accounts](https://attack.mitre.org/techniques/T1586) targeting one organization which can then be used to support impersonation against other entities.(Citation: VEC)", "similar_words": [ @@ -24897,7 +25725,16 @@ "has detected antivirus processes using commands such as tasklist and findstr.", "checks for the presence of various security software products during execution.", "enumerated installed security products during operations.", - "looks for security software products prior to full execution." + "looks for security software products prior to full execution.", + "has identified AV products on an infected host using the following command: `WMIC /Node:localhost /Namespace:\\\\root\\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List`.", + "has identified drivers of AV solutions by searching for related filenames keywords and signed certificates.", + "has checked for the presence of ESET antivirus applications `ekrn.exe` and `egui.exe`.", + "has the capability to detect security solutions for termination or deletion within the victim device using hard-coded lists of strings containing security product executables.", + "has identified installed antivirus software on the system.", + "has used PowerShell scripts to identify security software on the victim machine.", + "has detected endpoint security solutions using `sc query sense` and `sc query windefend`.", + "has checked for the presence of antivirus software with powershell Get-CimInstance -Namespace root/securityCenter2 classname antivirusproduct. has also obtained details on antivirus software through WMI queries using `Win32_OperatingSystem` and `SecurityCenter2.AntiVirusProduct`.", + "has detected security solutions for termination or deletion within the victim device using hard-coded lists of strings containing security product executables." ], "description": "Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as cloud monitoring agents and anti-virus. Adversaries may use the information from [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.Example commands that can be used to obtain security software information are [netsh](https://attack.mitre.org/software/S0108), reg query with [Reg](https://attack.mitre.org/software/S0075), dir with [cmd](https://attack.mitre.org/software/S0106), and [Tasklist](https://attack.mitre.org/software/S0057), but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for. It is becoming more common to see macOS malware perform checks for LittleSnitch and KnockKnock software.Adversaries may also utilize the [Cloud API](https://attack.mitre.org/techniques/T1059/009) to discover cloud-native security software installed on compute infrastructure, such as the AWS CloudWatch agent, Azure VM Agent, and Google Cloud Monitor agent. These agents may collect metrics and logs from the VM, which may be centrally aggregated in a cloud-based monitoring platform.", "similar_words": [ @@ -24954,9 +25791,18 @@ "hides the Windows Console window created by its execution by directly importing the `kernel32.dll` and `user32.dll` libraries `GetConsoleWindow` and `ShowWindow` APIs.", "can execute command line arguments in a hidden window.", "can hide its console window upon execution through the `ShowWindow` API.", - "has utilized the .NET `ProcessStartInfo` class features to prevent the process from creating a visible window through setting the `CreateNoWindow` setting to True which allows the executed command or script to run without displaying a command prompt window." - ], - "description": "Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden. This may be utilized by system administrators to avoid disrupting user work environments when carrying out administrative tasks. Adversaries may abuse these functionalities to hide otherwise visible windows from users so as not to alert the user to adversary activity on the system.(Citation: Antiquated Mac Malware)On macOS, the configurations for how applications run are listed in property list (plist) files. One of the tags in these files can be apple.awt.UIElement, which allows for Java applications to prevent the application's icon from appearing in the Dock. A common use for this is when applications run in the system tray, but don't also want to show up in the Dock.Similarly, on Windows there are a variety of features in scripting languages, such as [PowerShell](https://attack.mitre.org/techniques/T1059/001), Jscript, and [Visual Basic](https://attack.mitre.org/techniques/T1059/005) to make windows hidden. One example of this is powershell.exe -WindowStyle Hidden.(Citation: PowerShell About 2019)The Windows Registry can also be edited to hide application windows from the current user. For example, by setting the `WindowPosition` subkey in the `HKEY_CURRENT_USER\\Console\\%SystemRoot%_System32_WindowsPowerShell_v1.0_PowerShell.exe` Registry key to a maximum value, PowerShell windows will open off screen and be hidden.(Citation: Cantoris Computing)In addition, Windows supports the `CreateDesktop()` API that can create a hidden desktop window with its own corresponding explorer.exe process.(Citation: Hidden VNC)(Citation: Anatomy of an hVNC Attack) All applications running on the hidden desktop window, such as a hidden VNC (hVNC) session,(Citation: Hidden VNC) will be invisible to other desktops windows.", + "has utilized the .NET `ProcessStartInfo` class features to prevent the process from creating a visible window through setting the `CreateNoWindow` setting to True which allows the executed command or script to run without displaying a command prompt window.", + "has used .txt files to conceal PowerShell commands.", + "has utilized the `ShowWindow` API function to hide the current window.", + "has created a hidden window when conducting key logging and clipboard theft through its KBLogger.dll module.", + "has utilized the `ShowWindow` function to hide current window.", + "has used hidcon to run batch files in a hidden console window. has also executed PowerShell in a hidden window.", + "has executed Python instances of the browser module .n2/bow utilizing the `CREATE_NO_WINDOW` process creation flag.", + "has used an information gathering module that will hide an AV software window from the victim. has also been known to use `-WindowStyle Hidden` to conceal PowerShell windows.", + "has the ability to execute a command on a hidden desktop.", + "has created a new window with a height and width of zero to remain hidden on the screen." + ], + "description": "Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden. This may be utilized by system administrators to avoid disrupting user work environments when carrying out administrative tasks. Adversaries may abuse these functionalities to hide otherwise visible windows from users so as not to alert the user to adversary activity on the system.(Citation: Antiquated Mac Malware)On macOS, the configurations for how applications run are listed in property list (plist) files. One of the tags in these files can be apple.awt.UIElement, which allows for Java applications to prevent the application's icon from appearing in the Dock. A common use for this is when applications run in the system tray, but don't also want to show up in the Dock.Similarly, on Windows there are a variety of features in scripting languages, such as [PowerShell](https://attack.mitre.org/techniques/T1059/001), Jscript, and [Visual Basic](https://attack.mitre.org/techniques/T1059/005) to make windows hidden. One example of this is powershell.exe -WindowStyle Hidden.(Citation: PowerShell About 2019)The Windows Registry can also be edited to hide application windows from the current user. For example, by setting the `WindowPosition` subkey in the `HKEY_CURRENT_USER\\Console\\%SystemRoot%_System32_WindowsPowerShell_v1.0_PowerShell.exe` Registry key to a maximum value, PowerShell windows will open off screen and be hidden.(Citation: Cantoris Computing)In addition, Windows supports the `CreateDesktop()` API that can create a hidden desktop window with its own corresponding explorer.exe process.(Citation: Hidden VNC)(Citation: Anatomy of an hVNC Attack) All applications running on the hidden desktop window, such as a hidden VNC (hVNC) session,(Citation: Hidden VNC) will be invisible to other desktops windows.Adversaries may also leverage cmd.exe(Citation: Cybereason - Hidden Malicious Remote Access) as a parent process, and then utilize a LOLBin, such as DeviceCredentialDeployment.exe,(Citation: LOLBAS Project GitHub Device Cred Dep)(Citation: SecureList BlueNoroff Device Cred Dev) to hide windows.", "similar_words": [ "Hidden Window" ], @@ -25010,7 +25856,15 @@ "is a Python-based web shell.", "During threat actors used the Python `pty` module to open reverse shells.", "is a Python-based application.", - "has used malicious Python scripts to execute payloads." + "has used malicious Python scripts to execute payloads.", + "is a Python-based backdoor malware.", + "During threat actors used custom applications developed in python.", + "has used Python scripts (ps2x.py script and ps2p.py) to execute files on remote hosts using the library.", + "can call a Python script to run commands on a targeted guest virtual machine.", + "has used Python scripts to enumerate ESXi hosts and guest VMs.", + "can use Python scripts for command execution.", + "has used the Python-based malware such as to install and execute Python Packages and Python modules.", + "is written in Python and has used Python scripts for execution." ], "description": "Adversaries may abuse Python commands and scripts for execution. Python is a very popular scripting/programming language, with capabilities to perform many functions. Python can be executed interactively from the command-line (via the python.exe interpreter) or via scripts (.py) that can be written and distributed to different systems. Python code can also be compiled into binary executables.(Citation: Zscaler APT31 Covid-19 October 2020)Python comes with many built-in packages to interact with the underlying system, such as file operations and device I/O. Adversaries can use these libraries to download and execute commands or other scripts as well as perform various malicious behaviors.", "similar_words": [ @@ -25024,7 +25878,8 @@ "has gathered detailed knowledge of team structures within a target organization.", "During targeted specific individuals within an organization with tailored job vacancy announcements.", "has identified executives HR and IT staff at victim organizations for further targeting.", - "has identified key network and IT staff members pre-compromise at targeted organizations." + "has identified key network and IT staff members pre-compromise at targeted organizations.", + "has identified IT staff and employees who had higher levels of administrative rights." ], "description": "Adversaries may gather information about identities and roles within the victim organization that can be used during targeting. Information about business roles may reveal a variety of targetable details, including identifiable information for key personnel as well as what data/resources they have access to.Adversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about business roles may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: ThreatPost Broadvoice Leak) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566)).", "similar_words": [ @@ -25067,7 +25922,9 @@ "has created KeyBase accounts to communicate with ransomware victims.", "has created and cultivated profile pages in Microsoft TechNet. To make profile pages appear more legitimate has created biographical sections and posted in forum threads.", "has created accounts on dark web forums to obtain various tools and malware.", - "has leveraged stolen PII to create accounts." + "has leveraged stolen PII to create accounts.", + "has created and maintained personas on code repositories to distribute malicious payloads.", + "During threat actors created Salesforce trial accounts to register their malicious applications." ], "description": "Adversaries may create and cultivate accounts with services that can be used during targeting. Adversaries can create accounts that can be used to build a persona to further operations. Persona development consists of the development of public information, presence, history and appropriate affiliations. This development could be applied to social media, website, or other publicly available information that could be referenced and scrutinized for legitimacy over the course of an operation using that persona or identity.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage)For operations incorporating social engineering, the utilization of an online persona may be important. These personas may be fictitious or impersonate real people. The persona may exist on a single site or across multiple sites (ex: Facebook, LinkedIn, Twitter, Google, GitHub, Docker Hub, etc.). Establishing a persona may require development of additional documentation to make them seem real. This could include filling out profile information, developing social networks, or incorporating photos.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage)Establishing accounts can also include the creation of accounts with email providers, which may be directly leveraged for [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Phishing](https://attack.mitre.org/techniques/T1566).(Citation: Mandiant APT1) In addition, establishing accounts may allow adversaries to abuse free services, such as registering for trial periods to [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) for malicious purposes.(Citation: Free Trial PurpleUrchin)", "similar_words": [ @@ -25098,7 +25955,8 @@ "attack-pattern--ceaeb6d8-95ee-4da2-9d42-dc6aa6ca43ae": { "name": "Conditional Access Policies", "example_uses": [ - "has added additional trusted locations to Azure AD conditional access policies." + "has added additional trusted locations to Azure AD conditional access policies.", + "has registered their own MFA method and leveraged a victim hybrid joined server to circumvent Conditional Access Policies." ], "description": "Adversaries may disable or modify conditional access policies to enable persistent access to compromised accounts. Conditional access policies are additional verifications used by identity providers and identity and access management systems to determine whether a user should be granted access to a resource.For example, in Entra ID, Okta, and JumpCloud, users can be denied access to applications based on their IP address, device enrollment status, and use of multi-factor authentication.(Citation: Microsoft Conditional Access)(Citation: JumpCloud Conditional Access Policies)(Citation: Okta Conditional Access Policies) In some cases, identity providers may also support the use of risk-based metrics to deny sign-ins based on a variety of indicators. In AWS and GCP, IAM policies can contain `condition` attributes that verify arbitrary constraints such as the source IP, the date the request was made, and the nature of the resources or regions being requested.(Citation: AWS IAM Conditions)(Citation: GCP IAM Conditions) These measures help to prevent compromised credentials from resulting in unauthorized access to data or resources, as well as limit user permissions to only those required. By modifying conditional access policies, such as adding additional trusted IP ranges, removing [Multi-Factor Authentication](https://attack.mitre.org/techniques/T1556/006) requirements, or allowing additional [Unused/Unsupported Cloud Regions](https://attack.mitre.org/techniques/T1535), adversaries may be able to ensure persistent access to accounts and circumvent defensive measures.", "similar_words": [ @@ -25111,7 +25969,8 @@ "example_uses": [ "During used access to the victim's Azure tenant to create Azure VMs.", "has created new virtual machines within the target's cloud environment after leveraging credential access to cloud assets.", - "During used access to the victim's Azure tenant to create Azure VMs. has also created Amazon EC2 instances within the victim's environment." + "During used access to the victim's Azure tenant to create Azure VMs. has also created Amazon EC2 instances within the victim's environment.", + "has created Amazon EC2 instances within the victim's environment." ], "description": "An adversary may create a new instance or virtual machine (VM) within the compute service of a cloud account to evade defenses. Creating a new instance may allow an adversary to bypass firewall rules and permissions that exist on instances currently residing within an account. An adversary may [Create Snapshot](https://attack.mitre.org/techniques/T1578/001) of one or more volumes in an account, create a new instance, mount the snapshots, and then apply a less restrictive security policy to collect [Data from Local System](https://attack.mitre.org/techniques/T1005) or for [Remote Data Staging](https://attack.mitre.org/techniques/T1074/002).(Citation: Mandiant M-Trends 2020)Creating a new instance may also allow an adversary to carry out malicious activity within an environment without affecting the execution of current running instances.", "similar_words": [ @@ -25123,7 +25982,8 @@ "name": "Cloud Secrets Management Stores", "example_uses": [ "can retrieve secrets from the AWS Secrets Manager via the enum_secrets module.", - "has moved laterally from on-premises environments to steal passwords from Azure key vaults." + "has moved laterally from on-premises environments to steal passwords from Azure key vaults.", + "has utilized Azure Key Vault to store the encryption key using the operation `Microsoft.KeyVault/Vaults/write`." ], "description": "Adversaries may acquire credentials from cloud-native secret management solutions such as AWS Secrets Manager, GCP Secret Manager, Azure Key Vault, and Terraform Vault. Secrets managers support the secure centralized management of passwords, API keys, and other credential material. Where secrets managers are in use, cloud services can dynamically acquire credentials via API requests rather than accessing secrets insecurely stored in plain text files or environment variables. If an adversary is able to gain sufficient privileges in a cloud environment for example, by obtaining the credentials of high-privileged [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004) or compromising a service that has permission to retrieve secrets they may be able to request secrets from the secrets manager. This can be accomplished via commands such as `get-secret-value` in AWS, `gcloud secrets describe` in GCP, and `az key vault secret show` in Azure.(Citation: Permiso Scattered Spider 2023)(Citation: Sysdig ScarletEel 2.0 2023)(Citation: AWS Secrets Manager)(Citation: Google Cloud Secrets)(Citation: Microsoft Azure Key Vault)**Note:** this technique is distinct from [Cloud Instance Metadata API](https://attack.mitre.org/techniques/T1552/005) in that the credentials are being directly requested from the cloud secrets manager, rather than through the medium of the instance metadata API.", "similar_words": [ @@ -25192,7 +26052,9 @@ "The trojan creates a persistent launch agent called with $HOME/Library/LaunchAgents/com.apple.updates.plist with launchctl load -w ~/Library/LaunchAgents/com.apple.updates.plist.", "can use launch agents for persistence.", "uses a Launch Agent to persist.", - "can achieve persistence by creating launch agents to repeatedly execute malicious payloads." + "can achieve persistence by creating launch agents to repeatedly execute malicious payloads.", + "has established persistence using malware to create file to run the script on Startup via LaunchAgents. has also utilized a plist file located in `/Library/LaunchAgents` to enable a malicious bash script the ability to persist.", + "has established persistence using LaunchAgents on macOS that run on Startup using a file named com.avatar.update.wake.plist." ], "description": "Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence. When a user logs in, a per-user launchd process is started which loads the parameters for each launch-on-demand user agent from the property list (.plist) file found in /System/Library/LaunchAgents, /Library/LaunchAgents, and ~/Library/LaunchAgents.(Citation: AppleDocs Launch Agent Daemons)(Citation: OSX Keydnap malware) (Citation: Antiquated Mac Malware) Property list files use the Label, ProgramArguments , and RunAtLoad keys to identify the Launch Agent's name, executable location, and execution time.(Citation: OSX.Dok Malware) Launch Agents are often installed to perform updates to programs, launch user specified programs at login, or to conduct other developer tasks. Launch Agents can also be executed using the [Launchctl](https://attack.mitre.org/techniques/T1569/001) command. Adversaries may install a new Launch Agent that executes at login by placing a .plist file into the appropriate folders with the RunAtLoad or KeepAlive keys set to true.(Citation: Sofacy Komplex Trojan)(Citation: Methods of Mac Malware Persistence) The Launch Agent name may be disguised by using a name from the related operating system or benign software. Launch Agents are created with user level privileges and execute with user level permissions.(Citation: OSX Malware Detection)(Citation: OceanLotus for OS X) ", "similar_words": [ @@ -25578,7 +26440,18 @@ "has the ability to execute shell commands and exfiltrate the results.", "has included BAT files in some instances for installation.", "can execute various `cmd.exe /c %s` commands.", - "uses a malicious Windows Batch script to run the Windows code utility to retrieve follow-on script payloads. has also used `cmd.exe` to create a remote shell." + "uses a malicious Windows Batch script to run the Windows code utility to retrieve follow-on script payloads. has also used `cmd.exe` to create a remote shell.", + "has utilized VBS scripts to open cmd.exe and run commands to include the go_batch.bat batch file.", + "has executed HTA files via cmd.exe and used batch scripts for collection. has also utilized cmd.exe to execute commands on an infected host such as `cmd.exe /c ping.exe 8.8.8.8 -n 70&&%temp%\\FontEDL.exe`.", + "has used several commands executed in sequence via `cmd`.", + "has utilized a BAT script to disable security solutions.", + "has executed Windows commands on guest virtual machines through `vmtoolsd.exe`.", + "During threat actors utilized `cmd.exe` and batch scripts within the victim environment.", + "has used `cmd.exe` to execute command on an infected host.", + "has used Windows Command Prompt to control and execute commands on the system to include ingress network and filesystem enumeration activities.", + "used the command prompt to launch commands on the victims machine. Additionally has used cmd.exe to open the Run dialog by sending the Windows + R keys through malicious USBs acting as virtual keyboards.", + "has executed windows using `ErrorHandler.cmd` to create scheduled tasks.", + "has created a reverse shell using `cmd.exe`." ], "description": "Adversaries may abuse the Windows command shell for execution. The Windows command shell ([cmd](https://attack.mitre.org/software/S0106)) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands. The command prompt can be invoked remotely via [Remote Services](https://attack.mitre.org/techniques/T1021) such as [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: SSH in Windows)Batch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops. Common uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple systems.Adversaries may leverage [cmd](https://attack.mitre.org/software/S0106) to execute various commands and payloads. Common uses include [cmd](https://attack.mitre.org/software/S0106) to execute a single command, or abusing [cmd](https://attack.mitre.org/software/S0106) interactively with input and output forwarded over a command and control channel.", "similar_words": [ @@ -25599,7 +26472,9 @@ }, "attack-pattern--d21bb61f-08ad-4dc1-b001-81ca6cb79954": { "name": "Acquire Access", - "example_uses": [], + "example_uses": [ + "has purchased user credentials and other sensitive data from Initial Access Brokers (IABs)." + ], "description": "Adversaries may purchase or otherwise acquire an existing access to a target system or network. A variety of online services and initial access broker networks are available to sell access to previously compromised systems.(Citation: Microsoft Ransomware as a Service)(Citation: CrowdStrike Access Brokers)(Citation: Krebs Access Brokers Fortune 500) In some cases, adversary groups may form partnerships to share compromised systems with each other.(Citation: CISA Karakurt 2022)Footholds to compromised systems may take a variety of forms, such as access to planted backdoors (e.g., [Web Shell](https://attack.mitre.org/techniques/T1505/003)) or established access via [External Remote Services](https://attack.mitre.org/techniques/T1133). In some cases, access brokers will implant compromised systems with a load that can be used to install additional malware for paying customers.(Citation: Microsoft Ransomware as a Service)By leveraging existing access broker networks rather than developing or obtaining their own initial access capabilities, an adversary can potentially reduce the resources required to gain a foothold on a target network and focus their efforts on later stages of compromise. Adversaries may prioritize acquiring access to systems that have been determined to lack security monitoring or that have high privileges, or systems that belong to organizations in a particular sector.(Citation: Microsoft Ransomware as a Service)(Citation: CrowdStrike Access Brokers)In some cases, purchasing access to an organization in sectors such as IT contracting, software development, or telecommunications may allow an adversary to compromise additional victims via a [Trusted Relationship](https://attack.mitre.org/techniques/T1199), [Multi-Factor Authentication Interception](https://attack.mitre.org/techniques/T1111), or even [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195).**Note:** while this technique is distinct from other behaviors such as [Purchase Technical Data](https://attack.mitre.org/techniques/T1597/002) and [Credentials](https://attack.mitre.org/techniques/T1589/001), they may often be used in conjunction (especially where the acquired foothold requires [Valid Accounts](https://attack.mitre.org/techniques/T1078)).", "similar_words": [ "Acquire Access" @@ -25646,7 +26521,9 @@ "has the ability to remove Registry entries that it created for persistence.", "can delete various service traces related to persistent execution when commanded.", "uses a RunOnce Registry key for persistence where the key is removed after its use on reboot then re-added by the malware after it resumes execution.", - "will clear registry values used for persistent configuration storage when uninstalled." + "will clear registry values used for persistent configuration storage when uninstalled.", + "has deleted registry keys that store data and maintained persistence.", + "has deleted its malicious payload and removed its own created service to avoid leaving traces of its presence on victim devices." ], "description": "Adversaries may clear artifacts associated with previously established persistence on a host system to remove evidence of their activity. This may involve various actions, such as removing services, deleting executables, [Modify Registry](https://attack.mitre.org/techniques/T1112), [Plist File Modification](https://attack.mitre.org/techniques/T1647), or other methods of cleanup to prevent defenders from collecting evidence of their persistent presence.(Citation: Cylance Dust Storm) Adversaries may also delete accounts previously created to maintain persistence (i.e. [Create Account](https://attack.mitre.org/techniques/T1136)).(Citation: Talos - Cisco Attack 2022)In some instances, artifacts of persistence may also be removed once an adversarys persistence is executed in order to prevent errors with the new instance of the malware.(Citation: NCC Group Team9 June 2020)", "similar_words": [ @@ -25703,7 +26580,9 @@ "can encode C2 communications with a base64 algorithm using a custom alphabet.", "can use a modified Base64 encoding mechanism to send data to and from the C2 server.", "can use a custom Base64 alphabet for encoding C2.", - "can use modified Base64 encoding to obfuscate communications." + "can use modified Base64 encoding to obfuscate communications.", + "has encoded a payload with a random 32-byte key using XOR. has also encoded payloads with a 256-byte key using XOR.", + "has used a complex XOR operation to obfuscate C2 communications." ], "description": "Adversaries may encode data with a non-standard data encoding system to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a non-standard data encoding system that diverges from existing protocol specifications. Non-standard data encoding schemes may be based on or related to standard data encoding schemes, such as a modified Base64 encoding for the message body of an HTTP request.(Citation: Wikipedia Binary-to-text Encoding) (Citation: Wikipedia Character Encoding) ", "similar_words": [ @@ -25727,7 +26606,8 @@ "name": "Transfer Data to Cloud Account", "example_uses": [ "has used Megasync to exfiltrate data to the cloud.", - "has used cloud storage to exfiltrate data in particular the megatools utilities were used to exfiltrate data to Mega a file storage service." + "has used cloud storage to exfiltrate data in particular the megatools utilities were used to exfiltrate data to Mega a file storage service.", + "has copied data from the victims environment to their own infrastructure leveraging AzCopy CLI." ], "description": "Adversaries may exfiltrate data by transferring the data, including through sharing/syncing and creating backups of cloud environments, to another cloud account they control on the same service.A defender who is monitoring for large transfers to outside the cloud environment through normal file transfers or over command and control channels may not be watching for data transfers to another account within the same cloud provider. Such transfers may utilize existing cloud provider APIs and the internal address space of the cloud provider to blend into normal traffic or avoid data transfers over external network interfaces.(Citation: TLDRSec AWS Attacks)Adversaries may also use cloud-native mechanisms to share victim data with adversary-controlled cloud accounts, such as creating anonymous file sharing links or, in Azure, a shared access signature (SAS) URI.(Citation: Microsoft Azure Storage Shared Access Signature)Incidents have been observed where adversaries have created backups of cloud instances and transferred them to separate accounts.(Citation: DOJ GRU Indictment Jul 2018) ", "similar_words": [ @@ -25819,7 +26699,13 @@ "has obfuscated malicious scripts to help avoid detection.", "used Base64 to obfuscate executed commands.", "has used pyobfuscate zlib compression and base64 encoding for obfuscation. has also used some visual obfuscation techniques by naming variables as combinations of letters to hinder analysis.", - "has used Base64-encoded PowerShell scripts for post exploit activities on compromised hosts." + "has used Base64-encoded PowerShell scripts for post exploit activities on compromised hosts.", + "has encoded malicious PowerShell scripts using Base64.", + "has obfuscated PowerShell scripts with Base64 encoding. has also obfuscated the code of dropped kernel drivers using a software known as Safengine Shielden which randomized the code through code mutations and then leveraged an embedded virtual machine interpreter to execute the code.", + "During threat actors executed Base64-encoded PowerShell commands.", + "has obfuscated JavaScript code using Base64 and variable substitutions.", + "has obfuscated scripts within text files used in execution.", + "has obfuscated strings using ASCII buffers and TextDecoder." ], "description": "Adversaries may obfuscate content during command execution to impede detection. Command-line obfuscation is a method of making strings and patterns within commands and scripts more difficult to signature and analyze. This type of obfuscation can be included within commands executed by delivered payloads (e.g., [Phishing](https://attack.mitre.org/techniques/T1566) and [Drive-by Compromise](https://attack.mitre.org/techniques/T1189)) or interactively via [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059).(Citation: Akamai JS)(Citation: Malware Monday VBE)For example, adversaries may abuse syntax that utilizes various symbols and escape characters (such as spacing, `^`, `+`. `$`, and `%`) to make commands difficult to analyze while maintaining the same intended functionality.(Citation: RC PowerShell) Many languages support built-in obfuscation in the form of base64 or URL encoding.(Citation: Microsoft PowerShellB64) Adversaries may also manually implement command obfuscation via string splitting (`Wor+d.Application`), order and casing of characters (`rev <<<'dwssap/cte/ tac'`), globing (`mkdir -p '/tmp/:&$NiA'`), as well as various tricks involving passing strings through tokens/environment variables/input streams.(Citation: Bashfuscator Command Obfuscators)(Citation: FireEye Obfuscation June 2017)Adversaries may also use tricks such as directory traversals to obfuscate references to the binary being invoked by a command (`C:\\voi\\pcw\\..\\..\\Windows\\tei\\qs\\k\\..\\..\\..\\system32\\erool\\..\\wbem\\wg\\je\\..\\..\\wmic.exe shadowcopy delete`).(Citation: Twitter Richard WMIC)Tools such as Invoke-Obfuscation and Invoke-DOSfucation have also been used to obfuscate commands.(Citation: Invoke-DOSfuscation)(Citation: Invoke-Obfuscation)", "similar_words": [ @@ -26116,7 +27002,18 @@ "removes its initial ZIP delivery archive after processing the enclosed LUA script.", "can delete itself depending on various checks performed during execution.", "includes a self-delete function where the malware deletes itself from disk after execution and program load into memory.", - "deletes its original executable and terminates its original process after creating a systemd service." + "deletes its original executable and terminates its original process after creating a systemd service.", + "has deleted the exfiltrated data on disk after transmission. has also used an instrumentor script to terminate browser processes running on an infected system and then delete the cookie files on disk. has deleted files using the `Remove-Item` PowerShell commandlet to remove traces of executed payloads.", + "has deleted payload files received from the C2 server.", + "has the ability to delete itself after execution. also has the ability to delete itself after execution through the command `cmd /c ping localhost -n 3 > nul & del`.", + "has configured malware to remove archives used in collection activities following successful exfiltration.", + "has used the the esxcli command line to remove files created by malicious vSphere Installation Bundles from disk.", + "has deleted previously installed tools.", + "has the remove itself and other artifacts.", + "has leveraged MDeployer to terminate the MS4Killer process delete the decrypted payload files and a driver file dropped by MS4killer and reboot the system.", + "has deleted files from a compromised host after they were exfiltrated.", + "can delete itself from infected hosts after execution.", + "During used malware capaple of removing scripts after execution." ], "description": "Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.There are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well.(Citation: Microsoft SDelete July 2016) Examples of built-in [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) functions include del on Windows, rm or unlink on Linux and macOS, and `rm` on ESXi.", "similar_words": [ @@ -26140,7 +27037,8 @@ "attack-pattern--da051493-ae9c-4b1b-9760-c009c46c9b56": { "name": "Installer Packages", "example_uses": [ - "During 's installation process it uses `postinstall` scripts to extract a hidden plist from the application's `/Resources` folder and execute the `plist` file as a with elevated permissions." + "During 's installation process it uses `postinstall` scripts to extract a hidden plist from the application's `/Resources` folder and execute the `plist` file as a with elevated permissions.", + "During the added a malicious .dylib file to a .dmg installer package for the macOS 3CX application." ], "description": "Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Installer packages are OS specific and contain the resources an operating system needs to install applications on a system. Installer packages can include scripts that run prior to installation as well as after installation is complete. Installer scripts may inherit elevated permissions when executed. Developers often use these scripts to prepare the environment for installation, check requirements, download dependencies, and remove files after installation.(Citation: Installer Package Scripting Rich Trouton)Using legitimate applications, adversaries have distributed applications with modified installer scripts to execute malicious content. When a user installs the application, they may be required to grant administrative permissions to allow the installation. At the end of the installation process of the legitimate application, content such as macOS `postinstall` scripts can be executed with the inherited elevated permissions. Adversaries can use these scripts to execute a malicious executable or install other malicious components (such as a [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)) with the elevated permissions.(Citation: Application Bundle Manipulation Brandon Dalton)(Citation: wardle evilquest parti)(Citation: Windows AppleJeus GReAT)(Citation: Debian Manual Maintainer Scripts)Depending on the distribution, Linux versions of package installer scripts are sometimes called maintainer scripts or post installation scripts. These scripts can include `preinst`, `postinst`, `prerm`, `postrm` scripts and run as root when executed.For Windows, the Microsoft Installer services uses `.msi` files to manage the installing, updating, and uninstalling of applications. These installation routines may also include instructions to perform additional actions that may be abused by adversaries.(Citation: Microsoft Installation Procedures)", "similar_words": [ @@ -26168,9 +27066,10 @@ "can add init.d and rc.d files in the /etc folder to establish persistence.", "has the ability to execute on device startup using a modified RC script named S51armled.", "adds an entry to the rc.common file for persistence.", - "used a modified `/etc/rc.local` file on compromised F5 BIG-IP devices to maintain persistence." + "used a modified `/etc/rc.local` file on compromised F5 BIG-IP devices to maintain persistence.", + "has placed a bash installation script into `/etc/rc.local.d/` to establish persistence." ], - "description": "Adversaries may establish persistence by modifying RC scripts, which are executed during a Unix-like systems startup. These files allow system administrators to map and start custom services at startup for different run levels. RC scripts require root privileges to modify.Adversaries may establish persistence by adding a malicious binary path or shell commands to rc.local, rc.common, and other RC scripts specific to the Unix-like distribution.(Citation: IranThreats Kittens Dec 2017)(Citation: Intezer HiddenWasp Map 2019) Upon reboot, the system executes the script's contents as root, resulting in persistence.Adversary abuse of RC scripts is especially effective for lightweight Unix-like distributions using the root user as default, such as ESXi hypervisors, IoT, or embedded systems.(Citation: intezer-kaiji-malware) As ESXi servers store most system files in memory and therefore discard changes on shutdown, leveraging `/etc/rc.local.d/local.sh` is one of the few mechanisms for enabling persistence across reboots.(Citation: Juniper Networks ESXi Backdoor 2022)Several Unix-like systems have moved to Systemd and deprecated the use of RC scripts. This is now a deprecated mechanism in macOS in favor of [Launchd](https://attack.mitre.org/techniques/T1053/004).(Citation: Apple Developer Doco Archive Launchd)(Citation: Startup Items) This technique can be used on Mac OS X Panther v10.3 and earlier versions which still execute the RC scripts.(Citation: Methods of Mac Malware Persistence) To maintain backwards compatibility some systems, such as Ubuntu, will execute the RC scripts if they exist with the correct file permissions.(Citation: Ubuntu Manpage systemd rc)", + "description": "Adversaries may establish persistence by modifying RC scripts, which are executed during a Unix-like systems startup. These files allow system administrators to map and start custom services at startup for different run levels. RC scripts require root privileges to modify.Adversaries may establish persistence by adding a malicious binary path or shell commands to rc.local, rc.common, and other RC scripts specific to the Unix-like distribution.(Citation: IranThreats Kittens Dec 2017)(Citation: Intezer HiddenWasp Map 2019) Upon reboot, the system executes the script's contents as root, resulting in persistence.Adversary abuse of RC scripts is especially effective for lightweight Unix-like distributions using the root user as default, such as ESXi hypervisors, IoT, or embedded systems.(Citation: intezer-kaiji-malware) As ESXi servers store most system files in memory and therefore discard changes on shutdown, leveraging `/etc/rc.local.d/local.sh` is one of the few mechanisms for enabling persistence across reboots.(Citation: Juniper Networks ESXi Backdoor 2022)Several Unix-like systems have moved to Systemd and deprecated the use of RC scripts. This is now a deprecated mechanism in macOS in favor of Launchd.(Citation: Apple Developer Doco Archive Launchd)(Citation: Startup Items) This technique can be used on Mac OS X Panther v10.3 and earlier versions which still execute the RC scripts.(Citation: Methods of Mac Malware Persistence) To maintain backwards compatibility some systems, such as Ubuntu, will execute the RC scripts if they exist with the correct file permissions.(Citation: Ubuntu Manpage systemd rc)", "similar_words": [ "RC Scripts" ], @@ -26277,7 +27176,11 @@ "can use code packing to hinder analysis.", "variants have used packers to obfuscate payloads and make analysis more difficult.", "has used VMProtect to pack and obscure itself.", - "uses various packers including CyaX to obfuscate malicious executables." + "uses various packers including CyaX to obfuscate malicious executables.", + "During threat actors UPX-packed malicous payloads including 4L4MD4R ransomware.", + "has used obfuscation tools such as DNGuard and Boxed App to pack their code.", + "has packed the code of dropped kernel drivers using the packer ASM Guard.", + "has used Themida to pack payloads." ], "description": "Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.(Citation: ESET FinFisher Jan 2018) Utilities used to perform software packing are called packers. Example packers are MPRESS and UPX. A more comprehensive list of known packers is available, but adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers to evade defenses.(Citation: Awesome Executable Packing) ", "similar_words": [ @@ -26685,7 +27588,22 @@ "has used HTTP and HTTP for command and control communication.", "can use HTTP to exfiltrate files to actor-controlled infrastructure.", "connected over TCP using HTTP to establish command and control channels.", - "uses HTTP POST requests to communicate victim information back to the threat actor." + "uses HTTP POST requests to communicate victim information back to the threat actor.", + "has used HTTP GET request to download malicious payloads to include and HTTP POST to exfiltrate data to C2 infrastructure.", + "can use HTTP POST requests in C2 communications.", + "During threat actors issued HTTP `POST` requests to web shells with spoofed or empty Referrer headers to circumvent authorization controls.", + "can communicate to C2 nodes over HTTP.", + "can use HTTP/S listeners to establish and maintain C2 communications.", + "has used the same User Agents of Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko and Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/80.0.3987.149 Safari/537.36 combined with a reference to the Microsoft Azure PowerShell Application ID 1950a258-227b-4e31-a9cf-717495945fc2 in their sign-in attempts.", + "has communicated through reverse or bind shells over port 443 (HTTPS).", + "can be configured to use HTTP for command and control. has also used HTTPS for C2.", + "has utilized HTTP for a C2 protocol through HTTP POST. has also utilized HTTPS for C2.", + "has utilized HTTP for C2 communications. has also conducted C2 communications to hardcoded C2 servers over HTTPS. has leveraged SOAP protocol for C2 communications.", + "has used HTTP and HTTPS POST requests to communicate with C2.", + "During the 's COLDCAT C2 leverages cookie headers to contain data over HTTPS. Cookies also contain hardcoded variables `__tutma` or `__tutmc` in the payload's HTTPS request.", + "has used HTTPS POST to communicate with C2.", + "has communicated via `curl` over HTTP to identify device IP data. has also utilized HTTP for a command-and-control protocol through HTTP POST. has also leveraged HTTPS for C2.", + "can use HTTP `GET` and `PUT` to upload and download files." ], "description": "Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. Protocols such as HTTP/S(Citation: CrowdStrike Putter Panda) and WebSocket(Citation: Brazking-Websockets) that carry web traffic may be very common in environments. HTTP/S packets have many fields and headers in which data can be concealed. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic. ", "similar_words": [ @@ -26821,7 +27739,10 @@ "has used a VBScript to query anti-virus products.", "can execute additional VisualBasic content.", "During used VBS droppers to deliver and establish persistence for the backdoor.", - "During used VBS droppers to deploy malware." + "During used VBS droppers to deploy malware.", + "has embedded VBScript components in LNK files to download additional files and automate collection. has also used VBA macros in maldocs to execute malicious DLLs. also utilized a VBS Script autorun.vbs that created persistence through saving the VBS Script in the startup directory which would cause it to run each time the machine was turned on.", + "has embedded malicious macros in document templates which executed VBScript. has also delivered Microsoft Outlook VBA projects with embedded macros. Additionally has executed VBScript files using wscript.exe.", + "has utilized Visual Basic scripts in the execution of their downloader malware targeting Windows devices including as script called update.vbs." ], "description": "Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies such as [Component Object Model](https://attack.mitre.org/techniques/T1559/001) and the [Native API](https://attack.mitre.org/techniques/T1106) through the Windows API. Although tagged as legacy with no planned future evolutions, VB is integrated and supported in the .NET Framework and cross-platform .NET Core.(Citation: VB .NET Mar 2020)(Citation: VB Microsoft)Derivative languages based on VB have also been created, such as Visual Basic for Applications (VBA) and VBScript. VBA is an event-driven programming language built into Microsoft Office, as well as several third-party applications.(Citation: Microsoft VBA)(Citation: Wikipedia VBA) VBA enables documents to contain macros used to automate the execution of tasks and other functionality on the host. VBScript is a default scripting language on Windows hosts and can also be used in place of [JavaScript](https://attack.mitre.org/techniques/T1059/007) on HTML Application (HTA) webpages served to Internet Explorer (though most modern browsers do not come with VBScript support).(Citation: Microsoft VBScript)Adversaries may use VB payloads to execute malicious commands. Common malicious usage includes automating execution of behaviors with VBScript or embedding VBA content into [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) payloads (which may also involve [Mark-of-the-Web Bypass](https://attack.mitre.org/techniques/T1553/005) to enable execution).(Citation: Default VBS macros Blocking )", "similar_words": [ @@ -26857,7 +27778,9 @@ "has a hardcoded location under systemd that it uses to achieve persistence if it is running as root.", "has installed a systemd service script to maintain persistence.", "has started a monero service.", - "creates a systemd service named `syslogd` for persistence." + "creates a systemd service named `syslogd` for persistence.", + "can create a systemd service file for execution.", + "has run `SYSTEMD_UNIT_PATH=/lib/systemd/system/teleport.service` to establish persistence for the Teleport remote access tool." ], "description": "Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources.(Citation: Linux man-pages: systemd January 2014) Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible. Systemd utilizes unit configuration files with the `.service` file extension to encode information about a service's process. By default, system level unit files are stored in the `/systemd/system` directory of the root owned directories (`/`). User level unit files are stored in the `/systemd/user` directories of the user owned directories (`$HOME`).(Citation: lambert systemd 2022) Inside the `.service` unit files, the following directives are used to execute commands:(Citation: freedesktop systemd.service) * `ExecStart`, `ExecStartPre`, and `ExecStartPost` directives execute when a service is started manually by `systemctl` or on system start if the service is set to automatically start.* `ExecReload` directive executes when a service restarts. * `ExecStop`, `ExecStopPre`, and `ExecStopPost` directives execute when a service is stopped. Adversaries have created new service files, altered the commands a `.service` files directive executes, and modified the user directive a `.service` file executes as, which could result in privilege escalation. Adversaries may also place symbolic links in these directories, enabling systemd to find these payloads regardless of where they reside on the filesystem.(Citation: Anomali Rocke March 2019)(Citation: airwalk backdoor unix systems)(Citation: Rapid7 Service Persistence 22JUNE2016) The `.service` files User directive can be used to run service as a specific user, which could result in privilege escalation based on specific user/group permissions. Systemd services can be created via systemd generators, which support the dynamic generation of unit files. Systemd generators are small executables that run during boot or configuration reloads to dynamically create or modify systemd unit files by converting non-native configurations into services, symlinks, or drop-ins (i.e., [Boot or Logon Initialization Scripts](https://attack.mitre.org/techniques/T1037)).(Citation: Elastic Security Labs Linux Persistence 2024)(Citation: Pepe Berba Systemd 2022)", "similar_words": [ @@ -26884,7 +27807,9 @@ "can use an XDG Autostart to establish persistence.", "can use an XDG Autostart to establish persistence.", "When executing with user-level permissions can install persistence using a .desktop file under the `$HOME/.config/autostart/` folder.", - "If executing without root privileges adds a `.desktop` configuration file to the user's `~/.config/autostart` directory." + "If executing without root privileges adds a `.desktop` configuration file to the user's `~/.config/autostart` directory.", + "has established persistence using malware to create a .desktop entry to run on startup on GNOME-based Linux devices.", + "has established persistence within GNOME-based Linux environments by placing entries within `.desktop` that run on Startup." ], "description": "Adversaries may add or modify XDG Autostart Entries to execute malicious programs or commands when a users desktop environment is loaded at login. XDG Autostart entries are available for any XDG-compliant Linux system. XDG Autostart entries use Desktop Entry files (`.desktop`) to configure the users desktop environment upon user login. These configuration files determine what applications launch upon user login, define associated applications to open specific file types, and define applications used to open removable media.(Citation: Free Desktop Application Autostart Feb 2006)(Citation: Free Desktop Entry Keys)Adversaries may abuse this feature to establish persistence by adding a path to a malicious binary or command to the `Exec` directive in the `.desktop` configuration file. When the users desktop environment is loaded at user login, the `.desktop` files located in the XDG Autostart directories are automatically executed. System-wide Autostart entries are located in the `/etc/xdg/autostart` directory while the user entries are located in the `~/.config/autostart` directory.Adversaries may combine this technique with [Masquerading](https://attack.mitre.org/techniques/T1036) to blend malicious Autostart entries with legitimate programs.(Citation: Red Canary Netwire Linux 2022)", "similar_words": [ @@ -26923,7 +27848,8 @@ "example_uses": [ "can enumerate information about a variety of cloud services such as Office 365 and Sharepoint instances or OpenID Configurations.", "can enumerate Azure AD applications and service principals.", - "can enumerate AWS services such as CloudTrail and CloudWatch." + "can enumerate AWS services such as CloudTrail and CloudWatch.", + "has discovered the victim environments protections to include Azure policies resource locks and Azure Storage immutability policies." ], "description": "An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Entra ID, etc. They may also include security services, such as AWS GuardDuty and Microsoft Defender for Cloud, and logging services, such as AWS CloudTrail and Google Cloud Audit Logs.Adversaries may attempt to discover information about the services enabled throughout the environment. Azure tools and APIs, such as the Microsoft Graph API and Azure Resource Manager API, can enumerate resources and services, including applications, management groups, resources and policy definitions, and their relationships that are accessible by an identity.(Citation: Azure - Resource Manager API)(Citation: Azure AD Graph API)For example, Stormspotter is an open source tool for enumerating and constructing a graph for Azure resources and services, and Pacu is an open source AWS exploitation framework that supports several methods for discovering cloud services.(Citation: Azure - Stormspotter)(Citation: GitHub Pacu)Adversaries may use the information gained to shape follow-on behaviors, such as targeting data or credentials from enumerated services or evading identified defenses through [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001) or [Disable or Modify Cloud Logs](https://attack.mitre.org/techniques/T1562/008).", "similar_words": [ @@ -26993,7 +27919,10 @@ "is capable of identifying running software on victim machines.", "variants use COM objects to enumerate installed applications from the AppsFolder on victim machines.", "During used browser data dumper tools to create a list of users with Google Chrome installed.", - "If sent the command `16001` uses the `NSFileManger contentsOfDirectoryAtPath()` to enumerate the Applications folder to collect the bundle name bundle identifier and version information from each application's `info.plist` file. The results are then converted into a JSON blob for exfiltration." + "If sent the command `16001` uses the `NSFileManger contentsOfDirectoryAtPath()` to enumerate the Applications folder to collect the bundle name bundle identifier and version information from each application's `info.plist` file. The results are then converted into a JSON blob for exfiltration.", + "has gathered installed programs and running processes.", + "has used several commands executed in sequence via `cmd` in a short interval to gather software versions including querying Registry keys.", + "can get a list of programs on the victim device." ], "description": "Adversaries may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment. Adversaries may use the information from [Software Discovery](https://attack.mitre.org/techniques/T1518) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.Such software may be deployed widely across the environment for configuration management or security reasons, such as [Software Deployment Tools](https://attack.mitre.org/techniques/T1072), and may allow adversaries broad access to infect devices or move laterally.Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable to [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068).", "similar_words": [ @@ -27015,7 +27944,8 @@ "attack-pattern--e49ee9d2-0d98-44ef-85e5-5d3100065744": { "name": "Thread Local Storage", "example_uses": [ - "has injected code into target processes via thread local storage callbacks." + "has injected code into target processes via thread local storage callbacks.", + "uses the Thread Local Storage (TLS) array data structure to store function addresses resolved by its custom API hashing algorithm. The function addresses are later called throughout the binary from offsets into the TLS array." ], "description": "Adversaries may inject malicious code into processes via thread local storage (TLS) callbacks in order to evade process-based defenses as well as possibly elevate privileges. TLS callback injection is a method of executing arbitrary code in the address space of a separate live process. TLS callback injection involves manipulating pointers inside a portable executable (PE) to redirect a process to malicious code before reaching the code's legitimate entry point. TLS callbacks are normally used by the OS to setup and/or cleanup data used by threads. Manipulating TLS callbacks may be performed by allocating and writing to specific offsets within a process memory space using other [Process Injection](https://attack.mitre.org/techniques/T1055) techniques such as [Process Hollowing](https://attack.mitre.org/techniques/T1055/012).(Citation: FireEye TLS Nov 2017)Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via TLS callback injection may also evade detection from security products since the execution is masked under a legitimate process. ", "similar_words": [ @@ -27044,7 +27974,11 @@ "can detect it is being run in the context of a debugger.", "variants include functionality to identify and evade debuggers.", "uses anti-debugging mechanisms such as calling `NtQueryInformationProcess` with `InfoClass=7` referencing `ProcessDebugPort` to determine if it is being analyzed.", - "can check heap memory parameters for indications of a debugger and stop the flow of events to the attached debugger in order to hinder dynamic analysis." + "can check heap memory parameters for indications of a debugger and stop the flow of events to the attached debugger in order to hinder dynamic analysis.", + "has made calls to Windows API `CheckRemoteDebuggerPresent` and exits if it detects a debugger.", + "has embedded debug strings with messages to distract analysts. has leveraged `OutputDebugStringW` and `OutputDebugStringA` functions.", + "has embedded debug strings with messages to distract analysts. has also made calls to Windows API `CheckRemoteDebuggerPresent` and exits if it detects a debugger.", + "has leveraged custom exception handlers to hide code flow and stop execution of a debugger." ], "description": "Adversaries may employ various means to detect and avoid debuggers. Debuggers are typically used by defenders to trace and/or analyze the execution of potential malware payloads.(Citation: ProcessHacker Github)Debugger evasion may include changing behaviors based on the results of the checks for the presence of artifacts indicative of a debugged environment. Similar to [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497), if the adversary detects a debugger, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for debugger artifacts before dropping secondary or additional payloads.Specific checks will vary based on the target and/or adversary. On Windows, this may involve [Native API](https://attack.mitre.org/techniques/T1106) function calls such as IsDebuggerPresent() and NtQueryInformationProcess(), or manually checking the BeingDebugged flag of the Process Environment Block (PEB). On Linux, this may involve querying `/proc/self/status` for the `TracerPID` field, which indicates whether or not the process is being traced by dynamic analysis tools.(Citation: Cado Security P2PInfect 2023)(Citation: Positive Technologies Hellhounds 2023) Other checks for debugging artifacts may also seek to enumerate hardware breakpoints, interrupt assembly opcodes, time checks, or measurements if exceptions are raised in the current process (assuming a present debugger would swallow or handle the potential error).(Citation: hasherezade debug)(Citation: AlKhaser Debug)(Citation: vxunderground debug)Malware may also leverage Structured Exception Handling (SEH) to detect debuggers by throwing an exception and detecting whether the process is suspended. SEH handles both hardware and software expectations, providing control over the exceptions including support for debugging. If a debugger is present, the programs control will be transferred to the debugger, and the execution of the code will be suspended. If the debugger is not present, control will be transferred to the SEH handler, which will automatically handle the exception and allow the programs execution to continue.(Citation: Apriorit)Adversaries may use the information learned from these debugger checks during automated discovery to shape follow-on behaviors. Debuggers can also be evaded by detaching the process or flooding debug logs with meaningless data via messages produced by looping [Native API](https://attack.mitre.org/techniques/T1106) function calls such as OutputDebugStringW().(Citation: wardle evilquest partii)(Citation: Checkpoint Dridex Jan 2021)", "similar_words": [ @@ -27224,7 +28158,8 @@ "During threat actors used tools with legitimate code signing certificates.", "used stolen code signing certificates to sign malware and components.", "has obtained stolen code signing certificates to digitally sign malware.", - "has stolen a valid certificate that is used to sign the malware and the dropper." + "has stolen a valid certificate that is used to sign the malware and the dropper.", + "has used revoked code signing certificates for its malicious payloads." ], "description": "Adversaries may buy and/or steal code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with.(Citation: Wikipedia Code Signing) Users and/or security tools may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is.Prior to [Code Signing](https://attack.mitre.org/techniques/T1553/002), adversaries may purchase or steal code signing certificates for use in operations. The purchase of code signing certificates may be done using a front organization or using information stolen from a previously compromised entity that allows the adversary to validate to a certificate provider as that entity. Adversaries may also steal code signing materials directly from a compromised third-party.", "similar_words": [ @@ -27289,7 +28224,12 @@ "can encrypt API name strings with an XOR-based algorithm.", "can resolve Windows APIs dynamically by hash.", "dynamically links key WinApi functions during execution.", - "can use `LoadLibrary` and `GetProcAddress` to resolve Windows API function strings at run time." + "can use `LoadLibrary` and `GetProcAddress` to resolve Windows API function strings at run time.", + "has leveraged obfuscated Windows API function calls that were concealed as unique names or hashes of the Windows API.", + "has leveraged hashed Windows API calls using a seed value of 131313.", + "has utilized a modified DJB2 algorithm to resolve APIs.", + "has utilized custom API hashing to obfuscate the Windows APIs being used.", + "has utilized XOR-encrypted API names and native APIs of `LdrLoadDll()` and `LderGetProcedureAddress()` to resolve imports dynamically." ], "description": "Adversaries may obfuscate then dynamically resolve API functions called by their malware in order to conceal malicious functionalities and impair defensive analysis. Malware commonly uses various [Native API](https://attack.mitre.org/techniques/T1106) functions provided by the OS to perform various tasks such as those involving processes, files, and other system artifacts.API functions called by malware may leave static artifacts such as strings in payload files. Defensive analysts may also uncover which functions a binary file may execute via an import address table (IAT) or other structures that help dynamically link calling code to the shared modules that provide functions.(Citation: Huntress API Hash)(Citation: IRED API Hashing)To avoid static or other defensive analysis, adversaries may use dynamic API resolution to conceal malware characteristics and functionalities. Similar to [Software Packing](https://attack.mitre.org/techniques/T1027/002), dynamic API resolution may change file signatures and obfuscate malicious API function calls until they are resolved and invoked during runtime.Various methods may be used to obfuscate malware calls to API functions. For example, hashes of function names are commonly stored in malware in lieu of literal strings. Malware can use these hashes (or other identifiers) to manually reproduce the linking and loading process using functions such as `GetProcAddress()` and `LoadLibrary()`. These hashes/identifiers can also be further obfuscated using encryption or other string manipulation tricks (requiring various forms of [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) during execution).(Citation: BlackHat API Packers)(Citation: Drakonia HInvoke)(Citation: Huntress API Hash)", "similar_words": [ @@ -27355,7 +28295,9 @@ "used RDP for lateral movement. used NATBypass to expose local RDP ports on compromised systems to the Internet.", "has used RDP to access other hosts within victim networks.", "can be used to tunnel RDP connections.", - "During used RDP for lateral movement." + "During used RDP for lateral movement.", + "has used RDP to enable lateral movement.", + "has used RDP to conduct lateral movement and exfiltrate data. has also utilized the Windows executable `mstsc.exe` for RDP activities through the command `mstsc.exe /v:{hostname/ip}`." ], "description": "Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).(Citation: TechNet Remote Desktop Services) Adversaries may connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with known credentials. Adversaries will likely use Credential Access techniques to acquire credentials to use with RDP. Adversaries may also use RDP in conjunction with the [Accessibility Features](https://attack.mitre.org/techniques/T1546/008) or [Terminal Services DLL](https://attack.mitre.org/techniques/T1505/005) for Persistence.(Citation: Alperovitch Malware)", "similar_words": [ @@ -27398,9 +28340,10 @@ "uses compromised residential endpoints typically within the same ISP IP address range as proxies to hide the true source of C2 traffic.", "has utilized an ORB (operational relay box) network consisting compromised devices such as small office and home office (SOHO) routers IoT devices and leased virtual private servers (VPS) to obfuscate the origin of C2 traffic.", "can use a chain of jump hosts to communicate with compromised devices to obscure actor infrastructure.", - "attempts to retrieve a non-existent webpage from the command and control server resulting in hidden commands sent via resulting error messages." + "attempts to retrieve a non-existent webpage from the command and control server resulting in hidden commands sent via resulting error messages.", + "has rotated the compromised SOHO IPs used in password spraying activity to hamper detection and network blocking activities by defenders." ], - "description": "Adversaries may manipulate network traffic in order to hide and evade detection of their C2 infrastructure. This can be accomplished in various ways including by identifying and filtering traffic from defensive tools,(Citation: TA571) masking malicious domains to obfuscate the true destination from both automated scanning tools and security researchers,(Citation: Schema-abuse)(Citation: Facad1ng)(Citation: Browser-updates) and otherwise hiding malicious artifacts to delay discovery and prolong the effectiveness of adversary infrastructure that could otherwise be identified, blocked, or taken down entirely.C2 networks may include the use of [Proxy](https://attack.mitre.org/techniques/T1090) or VPNs to disguise IP addresses, which can allow adversaries to blend in with normal network traffic and bypass conditional access policies or anti-abuse protections. For example, an adversary may use a virtual private cloud to spoof their IP address to closer align with a victim's IP address ranges. This may also bypass security measures relying on geolocation of the source IP address.(Citation: sysdig)(Citation: Orange Residential Proxies)Adversaries may also attempt to filter network traffic in order to evade defensive tools in numerous ways, including blocking/redirecting common incident responder or security appliance user agents.(Citation: mod_rewrite)(Citation: SocGholish-update) Filtering traffic based on IP and geo-fencing may also avoid automated sandboxing or researcher activity (i.e., [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497)).(Citation: TA571)(Citation: mod_rewrite)Hiding C2 infrastructure may also be supported by [Resource Development](https://attack.mitre.org/tactics/TA0042) activities such as [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) and [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584). For example, using widely trusted hosting services or domains such as prominent URL shortening providers or marketing services for C2 networks may enable adversaries to present benign content that later redirects victims to malicious web pages or infrastructure once specific conditions are met.(Citation: StarBlizzard)(Citation: QR-cofense)", + "description": "Adversaries may manipulate network traffic in order to hide and evade detection of their C2 infrastructure. This can be accomplished by identifying and filtering traffic from defensive tools,(Citation: TA571) masking malicious domains to obfuscate the true destination from both automated scanning tools and security researchers,(Citation: Schema-abuse)(Citation: Facad1ng)(Citation: Browser-updates) and otherwise hiding malicious artifacts to delay discovery and prolong the effectiveness of adversary infrastructure that could otherwise be identified, blocked, or taken down entirely.C2 networks may include the use of [Proxy](https://attack.mitre.org/techniques/T1090) or VPNs to disguise IP addresses, which can allow adversaries to blend in with normal network traffic and bypass conditional access policies or anti-abuse protections. For example, an adversary may use a virtual private cloud to spoof their IP address to closer align with a victim's IP address ranges. This may also bypass security measures relying on geolocation of the source IP address.(Citation: sysdig)(Citation: Orange Residential Proxies)Adversaries may also attempt to filter network traffic in order to evade defensive tools in numerous ways, including blocking/redirecting common incident responder or security appliance user agents.(Citation: mod_rewrite)(Citation: SocGholish-update) Filtering traffic based on IP and geo-fencing may also avoid automated sandboxing or researcher activity (i.e., [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497)).(Citation: TA571)(Citation: mod_rewrite)Hiding C2 infrastructure may also be supported by [Resource Development](https://attack.mitre.org/tactics/TA0042) activities such as [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) and [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584). For example, using widely trusted hosting services or domains such as prominent URL shortening providers or marketing services for C2 networks may enable adversaries to present benign content that later redirects victims to malicious web pages or infrastructure once specific conditions are met.(Citation: StarBlizzard)(Citation: QR-cofense)", "similar_words": [ "Hide Infrastructure" ], @@ -27477,9 +28420,15 @@ "uses +h to make some of its files hidden.", "stored encrypted payloads associated with installation in hidden directories during .", "can be used to make files or directories hidden.", - "initial installation involves dropping several files to a hidden directory named after the victim machine name. Additionally uses to hide a directory in the following command: ` C:\\Windows\\system32\\attrib.exe +h C:/rjtu/`." + "initial installation involves dropping several files to a hidden directory named after the victim machine name. Additionally uses to hide a directory in the following command: ` C:\\Windows\\system32\\attrib.exe +h C:/rjtu/`.", + "can modify the characteristics of folders to hide them from the compromised user. has also modified file attributes to hidden and system.", + "variant has created a hidden folder on USB drives named RECYCLE.BIN to store malicious executables and collected data. has also modified file attributes to `hidden` and `system`.", + "has the ability to communicate with the kernel-mode component to hide files.", + "has used `attrib +h C:\\ProgramData\\ssh` to make the SSH folder hidden.", + "has modified file attributes to remain hidden to a standard user.", + "has modified registry keys to ensure hidden files and extensions are not visible through the modification of `HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced`." ], - "description": "Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a hidden file. These files dont show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (dir /a for Windows and ls a for Linux and macOS).On Linux and Mac, users can mark specific files as hidden simply by putting a . as the first character in the file or folder name (Citation: Sofacy Komplex Trojan) (Citation: Antiquated Mac Malware). Files and folders that start with a period, ., are by default hidden from being viewed in the Finder application and standard command-line utilities like ls. Users must specifically change settings to have these files viewable.Files on macOS can also be marked with the UF_HIDDEN flag which prevents them from being seen in Finder.app, but still allows them to be seen in Terminal.app (Citation: WireLurker). On Windows, users can mark specific files as hidden by using the attrib.exe binary. Many applications create these hidden files and folders to store information so that it doesnt clutter up the users workspace. For example, SSH utilities create a .ssh folder thats hidden and contains the users known hosts and keys.Adversaries can use this to their advantage to hide files and folders anywhere on the system and evading a typical user or system analysis that does not incorporate investigation of hidden files.", + "description": "Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a hidden file. These files dont show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (dir /a for Windows and ls a for Linux and macOS).On Linux and Mac, users can mark specific files as hidden simply by putting a . as the first character in the file or folder name (Citation: Sofacy Komplex Trojan) (Citation: Antiquated Mac Malware). Files and folders that start with a period, ., are by default hidden from being viewed in the Finder application and standard command-line utilities like ls. Users must specifically change settings to have these files viewable.Files on macOS can also be marked with the UF_HIDDEN flag which prevents them from being seen in Finder.app, but still allows them to be seen in Terminal.app (Citation: WireLurker). On Windows, users can mark specific files as hidden by using the attrib.exe binary. Many applications create these hidden files and folders to store information so that it doesnt clutter up the users workspace. For example, SSH utilities create a .ssh folder thats hidden and contains the users known hosts and keys.Additionally, adversaries may name files in a manner that would allow the file to be hidden such as naming a file only a space character.Adversaries can use this to their advantage to hide files and folders anywhere on the system and evading a typical user or system analysis that does not incorporate investigation of hidden files.", "similar_words": [ "Hidden Files and Directories" ], @@ -27522,7 +28471,8 @@ "name": "Develop Capabilities", "example_uses": [ "created and used a mailing toolkit to use in spearphishing attacks.", - "developed malicious npm packages for delivery to or retrieval by victims." + "developed malicious npm packages for delivery to or retrieval by victims.", + "developed malicious NPM packages for delivery to or retrieval by victims." ], "description": "Adversaries may build capabilities that can be used during targeting. Rather than purchasing, freely downloading, or stealing capabilities, adversaries may develop their own capabilities in-house. This is the process of identifying development requirements and building solutions such as malware, exploits, and self-signed certificates. Adversaries may develop capabilities to support their operations throughout numerous phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: Kaspersky Sofacy)(Citation: Bitdefender StrongPity June 2020)(Citation: Talos Promethium June 2020)As with legitimate development efforts, different skill sets may be required for developing capabilities. The skills needed may be located in-house, or may need to be contracted out. Use of a contractor may be considered an extension of that adversary's development capabilities, provided the adversary plays a role in shaping requirements and maintains a degree of exclusivity to the capability.", "similar_words": [ @@ -27555,7 +28505,8 @@ "has stolen copies of the Active Directory database (NTDS.DIT).", "has used Windows built-in tool `ntdsutil` to extract the Active Directory (AD) database.", "During dumped NTDS.dit through creating volume shadow copies via vssadmin.", - "During threat actors obtained active directory credentials via the NTDS.DIT file." + "During threat actors obtained active directory credentials via the NTDS.DIT file.", + "has accessed the ntds.dit file to engage in credential dumping." ], "description": "Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights. By default, the NTDS file (NTDS.dit) is located in %SystemRoot%\\NTDS\\Ntds.dit of a domain controller.(Citation: Wikipedia Active Directory)In addition to looking for NTDS files on active Domain Controllers, adversaries may search for backups that contain the same or similar information.(Citation: Metcalf 2015)The following tools and techniques can be used to enumerate the NTDS file and the contents of the entire Active Directory hashes.* Volume Shadow Copy* secretsdump.py* Using the in-built Windows tool, ntdsutil.exe* Invoke-NinjaCopy", "similar_words": [ @@ -27680,7 +28631,10 @@ "has lured users into executing malicious JavaScript files by sending malicious links via email.", "has mimicked legitimate government-related domains to deliver malicious webpages containing links to documents or other content for user execution.", "has used links to execute a malicious Visual Basic script.", - "distributed hyperlinks that would result in an MSC file running a PowerShell command to download and install a remotely-hosted MSI file during ." + "distributed hyperlinks that would result in an MSC file running a PowerShell command to download and install a remotely-hosted MSI file during .", + "has sent malicious links including links directing victims to a Google Drive folder. has also utilized webpages with Javascript code that downloads malicious payloads to the victim device.", + "has been executed by luring victims into clicking links in spearphishing emails.", + "has lured victims to click on a malicious link that led to download of a malicious payload. has also leveraged links to malicious payloads on social media and code repositories." ], "description": "An adversary may rely upon a user clicking a malicious link in order to gain execution. Users may be subjected to social engineering to get them to click on a link that will lead to code execution. This user action will typically be observed as follow-on behavior from [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002). Clicking on a link may also lead to other execution techniques such as exploitation of a browser or application vulnerability via [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203). Links may also lead users to download files that require execution via [Malicious File](https://attack.mitre.org/techniques/T1204/002).", "similar_words": [ @@ -27784,7 +28738,11 @@ "can use to execute commands and payloads.", "executed and installed as a Windows service.", "created malicious services for ransomware execution.", - "executes as a service when deployed." + "executes as a service when deployed.", + "has started the SSH service by executing `sc start sshd`.", + "has utilized to execute scripts and commands within victim environments. has also used the Windows service RoboCopy to search and copy data for exfiltration.", + "During threat actors leveraged for command execution and used `services.exe` to disable Microsoft Defender via Registry keys.", + "has created a service named irnagentd that executed the MDeployer loader after the system is rebooted in Safe Mode." ], "description": "Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager (services.exe) is an interface to manage and manipulate services.(Citation: Microsoft Service Control Manager) The service control manager is accessible to users via GUI components as well as system utilities such as sc.exe and [Net](https://attack.mitre.org/software/S0039).[PsExec](https://attack.mitre.org/software/S0029) can also be used to execute commands or payloads via a temporary Windows service created through the service control manager API.(Citation: Russinovich Sysinternals) Tools such as [PsExec](https://attack.mitre.org/software/S0029) and sc.exe can accept remote servers as arguments and may be used to conduct remote execution.Adversaries may leverage these mechanisms to execute malicious content. This can be done by either executing a new or modified service. This technique is the execution used in conjunction with [Windows Service](https://attack.mitre.org/techniques/T1543/003) during service persistence or privilege escalation.", "similar_words": [ @@ -27806,7 +28764,9 @@ "has used compromised Office 365 accounts in tandem with in an attempt to gain control of endpoints.", "has used compromised credentials to access cloud assets within a target organization.", "has used compromised credentials to sign into victims Microsoft 365 accounts.", - "has abused service principals in compromised environments to enable data exfiltration." + "has abused service principals in compromised environments to enable data exfiltration.", + "has leveraged compromised accounts to access Microsoft Entra Connect which was used to synchronize on-premises identities and Microsoft Entra identities allowing users to sign into both environments with the same password. has also used the victim Global Administrator account that lacked any registered MFA method to access victim cloud environments. has leveraged Storage Account Access Keys within the victim environment.", + "has used compromised Microsoft Entra ID accounts to pivot in victim environments." ], "description": "Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. Cloud Accounts can exist solely in the cloud; alternatively, they may be hybrid-joined between on-premises systems and the cloud through syncing or federation with other identity sources such as Windows Active Directory.(Citation: AWS Identity Federation)(Citation: Google Federating GC)(Citation: Microsoft Deploying AD Federation)Service or user accounts may be targeted by adversaries through [Brute Force](https://attack.mitre.org/techniques/T1110), [Phishing](https://attack.mitre.org/techniques/T1566), or various other means to gain access to the environment. Federated or synced accounts may be a pathway for the adversary to affect both on-premises systems and cloud environments - for example, by leveraging shared credentials to log onto [Remote Services](https://attack.mitre.org/techniques/T1021). High privileged cloud accounts, whether federated, synced, or cloud-only, may also allow pivoting to on-premises environments by leveraging SaaS-based [Software Deployment Tools](https://attack.mitre.org/techniques/T1072) to run commands on hybrid-joined devices.An adversary may create long lasting [Additional Cloud Credentials](https://attack.mitre.org/techniques/T1098/001) on a compromised cloud account to maintain persistence in the environment. Such credentials may also be used to bypass security controls such as multi-factor authentication. Cloud accounts may also be able to assume [Temporary Elevated Cloud Access](https://attack.mitre.org/techniques/T1548/005) or other privileges through various means within the environment. Misconfigurations in role assignments or role assumption policies may allow an adversary to use these mechanisms to leverage permissions outside the intended scope of the account. Such over privileged accounts may be used to harvest sensitive data from online storage accounts and databases through [Cloud API](https://attack.mitre.org/techniques/T1059/009) or other methods. For example, in Azure environments, adversaries may target Azure Managed Identities, which allow associated Azure resources to request access tokens. By compromising a resource with an attached Managed Identity, such as an Azure VM, adversaries may be able to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s to move laterally across the cloud environment.(Citation: SpecterOps Managed Identity 2022)", "similar_words": [ @@ -27824,7 +28784,9 @@ "can use Data Protection API to encrypt its components on the victims computer to evade detection and to make sure the payload can only be decrypted and loaded on one specific compromised computer.", "can use the volume serial number from a target host to generate a unique XOR key for the next stage payload.", "The dropper component can verify the existence of a single command line parameter and either terminate if it is not found or later use it as a decryption key.", - "stops execution if the infected system language matches one of several languages with various versions referencing: Georgian Kazakh Uzbek Tajik Russian Ukrainian Belarussian and Slovenian." + "stops execution if the infected system language matches one of several languages with various versions referencing: Georgian Kazakh Uzbek Tajik Russian Ukrainian Belarussian and Slovenian.", + "has generated unique GUIDs to identify victim devices. has leveraged environmental keying in payload delivery using the victim computer name and other configuration values. has also tracked IDs associated with reverse shell subprocesses to manage interactions and terminations from C2.", + "has utilized environmental keying in the payload to include the victim volume serial number computer name username and machines tick count." ], "description": "Adversaries may environmentally key payloads or other features of malware to evade defenses and constraint execution to a specific target environment. Environmental keying uses cryptography to constrain execution or actions based on adversary supplied environment specific conditions that are expected to be present on the target. Environmental keying is an implementation of [Execution Guardrails](https://attack.mitre.org/techniques/T1480) that utilizes cryptographic techniques for deriving encryption/decryption keys from specific types of values in a given computing environment.(Citation: EK Clueless Agents)Values can be derived from target-specific elements and used to generate a decryption key for an encrypted payload. Target-specific values can be derived from specific network shares, physical devices, software/software versions, files, joined AD domains, system time, and local/external IP addresses.(Citation: Kaspersky Gauss Whitepaper)(Citation: Proofpoint Router Malvertising)(Citation: EK Impeding Malware Analysis)(Citation: Environmental Keyed HTA)(Citation: Ebowla: Genetic Malware) By generating the decryption keys from target-specific environmental values, environmental keying can make sandbox detection, anti-virus detection, crowdsourcing of information, and reverse engineering difficult.(Citation: Kaspersky Gauss Whitepaper)(Citation: Ebowla: Genetic Malware) These difficulties can slow down the incident response process and help adversaries hide their tactics, techniques, and procedures (TTPs).Similar to [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027), adversaries may use environmental keying to help protect their TTPs and evade detection. Environmental keying may be used to deliver an encrypted payload to the target that will use target-specific values to decrypt the payload before execution.(Citation: Kaspersky Gauss Whitepaper)(Citation: EK Impeding Malware Analysis)(Citation: Environmental Keyed HTA)(Citation: Ebowla: Genetic Malware)(Citation: Demiguise Guardrail Router Logo) By utilizing target-specific values to decrypt the payload the adversary can avoid packaging the decryption key with the payload or sending it over a potentially monitored network connection. Depending on the technique for gathering target-specific values, reverse engineering of the encrypted payload can be exceptionally difficult.(Citation: Kaspersky Gauss Whitepaper) This can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within.Like other [Execution Guardrails](https://attack.mitre.org/techniques/T1480), environmental keying can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This activity is distinct from typical [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497). While use of [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of environmental keying will involve checking for an expected target-specific value that must match for decryption and subsequent execution to be successful.", "similar_words": [ @@ -27888,7 +28850,9 @@ "During performed domain replication.", "During threat actors used 's DCSync to dump credentials from the memory of the targeted system.", "has used DCSync attacks to gather credentials for privilege escalation routines.", - "During the used privileged accounts to replicate directory service data with domain controllers." + "During the used privileged accounts to replicate directory service data with domain controllers.", + "has leveraged DCSync feature to obtain user credentials.", + "has utilized DCSync to extract credentials from victims." ], "description": "Adversaries may attempt to access credentials and other sensitive information by abusing a Windows Domain Controller's application programming interface (API)(Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) (Citation: Wine API samlib.dll) to simulate the replication process from a remote domain controller using a technique called DCSync.Members of the Administrators, Domain Admins, and Enterprise Admin groups or computer accounts on the domain controller are able to run DCSync to pull password data(Citation: ADSecurity Mimikatz DCSync) from Active Directory, which may include current and historical hashes of potentially useful accounts such as KRBTGT and Administrators. The hashes can then in turn be used to create a [Golden Ticket](https://attack.mitre.org/techniques/T1558/001) for use in [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003)(Citation: Harmj0y Mimikatz and DCSync) or change an account's password as noted in [Account Manipulation](https://attack.mitre.org/techniques/T1098).(Citation: InsiderThreat ChangeNTLM July 2017)DCSync functionality has been included in the \"lsadump\" module in [Mimikatz](https://attack.mitre.org/software/S0002).(Citation: GitHub Mimikatz lsadump Module) Lsadump also includes NetSync, which performs DCSync over a legacy replication protocol.(Citation: Microsoft NRPC Dec 2017)", "similar_words": [ @@ -27977,7 +28941,10 @@ "injects DLL files into iexplore.exe.", "has injected malicious DLLs into memory with read write and execute permissions.", "has injected a DLL into svchost.exe.", - "is designed to be dynamic link library (DLL) injected into an infected endpoint and executed directly in memory." + "is designed to be dynamic link library (DLL) injected into an infected endpoint and executed directly in memory.", + "can inject pwndll.dll a patched DLL from the legitimate DLL WICloader.dll into svchost.exe for continuous execution.", + "has used DLL injection to execute payloads received from the C2 server.", + "has DLL spawn and injection modules." ], "description": "Adversaries may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses as well as possibly elevate privileges. DLL injection is a method of executing arbitrary code in the address space of a separate live process. DLL injection is commonly performed by writing the path to a DLL in the virtual address space of the target process before loading the DLL by invoking a new thread. The write can be performed with native Windows API calls such as VirtualAllocEx and WriteProcessMemory, then invoked with CreateRemoteThread (which calls the LoadLibrary API responsible for loading the DLL). (Citation: Elastic Process Injection July 2017) Variations of this method such as reflective DLL injection (writing a self-mapping DLL into a process) and memory module (map DLL when writing into process) overcome the address relocation issue as well as the additional APIs to invoke execution (since these methods load and execute the files in memory by manually preforming the function of LoadLibrary).(Citation: Elastic HuntingNMemory June 2017)(Citation: Elastic Process Injection July 2017) Another variation of this method, often referred to as Module Stomping/Overloading or DLL Hollowing, may be leveraged to conceal injected code within a process. This method involves loading a legitimate DLL into a remote process then manually overwriting the module's AddressOfEntryPoint before starting a new thread in the target process.(Citation: Module Stomping for Shellcode Injection) This variation allows attackers to hide malicious injected code by potentially backing its execution with a legitimate DLL file on disk.(Citation: Hiding Malicious Code with Module Stomping) Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via DLL injection may also evade detection from security products since the execution is masked under a legitimate process. ", "similar_words": [ @@ -28062,7 +29029,8 @@ "has used social media platforms including LinkedIn and Twitter to send spearphishing messages.", "used various social media channels (such as LinkedIn) as well as messaging services (such as WhatsApp) to spearphish victims.", "has used social media services to spear phish victims to deliver trojainized software.", - "has used Microsoft Teams to send messages and initiate voice calls to victims posing as IT support personnel." + "has used Microsoft Teams to send messages and initiate voice calls to victims posing as IT support personnel.", + "has used fake job advertisements and messages sent via social media to spearphish targets. has also leveraged hiring websites to solicit victims." ], "description": "Adversaries may send spearphishing messages via third-party services in an attempt to gain access to victim systems. Spearphishing via service is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of third party services rather than directly via enterprise email channels. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries send messages through various social media services, personal webmail, and other non-enterprise controlled services.(Citation: Lookout Dark Caracal Jan 2018) These services are more likely to have a less-strict security policy than an enterprise. As with most kinds of spearphishing, the goal is to generate rapport with the target or get the target's interest in some way. Adversaries will create fake social media accounts and message employees for potential job opportunities. Doing so allows a plausible reason for asking about services, policies, and software that's running in an environment. The adversary can then send malicious links or attachments through these services.A common example is to build rapport with a target via social media, then send content to a personal webmail service that the target uses on their work computer. This allows an adversary to bypass some email restrictions on the work account, and the target is more likely to open the file since it's something they were expecting. If the payload doesn't work as expected, the adversary can continue normal communications and troubleshoot with the target on how to get it working.", "similar_words": [ @@ -28103,7 +29071,8 @@ "has used publicly available tools such as the Venom proxy tool to proxy traffic out of victim environments.", "has a built-in SOCKS5 proxying capability allowing for clients to proxy network traffic through other clients within a victim network.", "can start a reverse proxy to initiate connections to arbitrary endpoints in victim networks.", - "During used the built-in netsh portproxy command to create internal proxies on compromised systems." + "During used the built-in netsh portproxy command to create internal proxies on compromised systems.", + "has proxied traffic between infected devices and their C2 servers." ], "description": "Adversaries may use an internal proxy to direct command and control traffic between two or more systems in a compromised environment. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use internal proxies to manage command and control communications inside a compromised environment, to reduce the number of simultaneous outbound network connections, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between infected systems to avoid suspicion. Internal proxy connections may use common peer-to-peer (p2p) networking protocols, such as SMB, to better blend in with the environment.By using a compromised internal system as a proxy, adversaries may conceal the true destination of C2 traffic while reducing the need for numerous connections to external systems.", "similar_words": [ @@ -28134,7 +29103,9 @@ "can read C2 information from Google Documents and YouTube.", "can obtain a webpage hosted on Pastebin to update its C2 domain list.", "has used a dead drop resolver to retrieve configurations and commands from a public blog site.", - "has used and a dead drop resolver to retrieve configurations and commands from a public blog site." + "has used and a dead drop resolver to retrieve configurations and commands from a public blog site.", + "During the leveraged a GitHub repository to host icon files containing the command and control URL.", + "has the ability to retrieve a C2 address from a dead drop URL." ], "description": "Adversaries may use an existing, legitimate external Web service to host information that points to additional command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers.Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.Use of a dead drop resolver may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).", "similar_words": [ @@ -28160,7 +29131,8 @@ "can pad C2 messages with random generated values.", "added junk data to each encoded string preventing trivial decoding without knowledge of the junk removal algorithm. Each implant was given a junk length value when created tracked by the controller software to allow seamless communication but prevent analysis of the command protocol on the wire.", "can use junk data in the Base64 string for additional obfuscation.", - "retrieves a non-existent webpage from the command and control server then parses commands from the resulting error logs to decode commands to the web shell." + "retrieves a non-existent webpage from the command and control server then parses commands from the resulting error logs to decode commands to the web shell.", + "has added junk data or a dummy character prepended to a string to hamper decoding attempts." ], "description": "Adversaries may add junk data to protocols used for command and control to make detection more difficult.(Citation: FireEye SUNBURST Backdoor December 2020) By adding random or meaningless data to the protocols used for command and control, adversaries can prevent trivial methods for decoding, deciphering, or otherwise analyzing the traffic. Examples may include appending/prepending data with junk characters or writing junk characters between significant characters. ", "similar_words": [ @@ -28295,7 +29267,10 @@ "exfiltrates files over FTP.", "can exfiltrate data over FTP or HTTP including HTTP via WebDAV.", "has exfiltrated configuration files from exploited network devices over FTP and TFTP.", - "has exfiltrated data via Microsoft Exchange and over FTP separately from its primary C2 channel over DNS." + "has exfiltrated data via Microsoft Exchange and over FTP separately from its primary C2 channel over DNS.", + "has used FTP to exfiltrate archive files.", + "has leveraged `curl` for data exfiltration over FTP by uploading RAR archives containing targeted files (.doc .docx .xls .xlsx .pdf .ppt .pptx) to an adversary-owned FTP site.", + "has used FTP to exfiltrate files and directories using the command `ssh_upload` which contains with six subcommands of `.sdira` `sdir` `sfile` `sfinda` `sfindr` and `sfind` that had varying functions. has exfiltrated stolen files and data to the C2 servers over ports 1224 2245 and 8637." ], "description": "Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.(Citation: copy_cmd_cisco)Adversaries may opt to obfuscate this data, without the use of encryption, within network protocols that are natively unencrypted (such as HTTP, FTP, or DNS). This may include custom or publicly available encoding/compression algorithms (such as base64) as well as embedding data within protocol headers and fields. ", "similar_words": [ @@ -28380,9 +29355,11 @@ "can initiate a system reboot or shutdown.", "can restart the victim system if it encounters an error during execution and will forcibly shutdown the system following encryption to lock out victim users.", "has used the `shutdown`command to shut down and/or restart the victim system.", - "has used `ShellExecuteA` to shut down and restart the victim system." + "has used `ShellExecuteA` to shut down and restart the victim system.", + "can initiate a reboot of the backup server to hinder recovery.", + "has manually turned off and encrypted virtual machines." ], - "description": "Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) (e.g. reload).(Citation: Microsoft Shutdown Oct 2017)(Citation: alert_TA18_106A) They may also include shutdown/reboot of a virtual machine via hypervisor / cloud consoles or command line tools.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users while also impeding incident response/recovery.Adversaries may attempt to shutdown/reboot a system after impacting it in other ways, such as [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) or [Inhibit System Recovery](https://attack.mitre.org/techniques/T1490), to hasten the intended effects on system availability.(Citation: Talos Nyetya June 2017)(Citation: Talos Olympic Destroyer 2018)", + "description": "Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) (e.g. reload).(Citation: Microsoft Shutdown Oct 2017)(Citation: alert_TA18_106A) They may also include shutdown/reboot of a virtual machine via hypervisor / cloud consoles or command line tools.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users while also impeding incident response/recovery.Adversaries may also use Windows API functions, such as `InitializeSystemShutdownExW` or `ExitWindowsEx`, to force a system to shut down or reboot.(Citation: CrowdStrike Blog)(Citation: Unit42 Agrius 2023) Alternatively, the `NtRaiseHardError`or `ZwRaiseHardError` Windows API functions with the `ResponseOption` parameter set to `OptionShutdownSystem` may deliver a blue screen of death (BSOD) to a system.(Citation: SonicWall)(Citation: NtRaiseHardError)(Citation: NotMe-BSOD) In order to leverage these API functions, an adversary may need to acquire `SeShutdownPrivilege` (e.g., via [Access Token Manipulation](https://attack.mitre.org/techniques/T1134)).(Citation: Unit42 Agrius 2023) In some cases, the system may not be able to boot again. Adversaries may attempt to shutdown/reboot a system after impacting it in other ways, such as [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) or [Inhibit System Recovery](https://attack.mitre.org/techniques/T1490), to hasten the intended effects on system availability.(Citation: Talos Nyetya June 2017)(Citation: Talos Olympic Destroyer 2018)", "similar_words": [ "System Shutdown/Reboot" ], @@ -28391,7 +29368,8 @@ "attack-pattern--ffbcfdb0-de22-4106-9ed3-fc23c8a01407": { "name": "MMC", "example_uses": [ - "used Microsoft Management Console Snap-In Control files or MSC files executed via MMC to run follow-on PowerShell commands during ." + "used Microsoft Management Console Snap-In Control files or MSC files executed via MMC to run follow-on PowerShell commands during .", + "has leveraged Microsoft Management Console (MMC) to facilitate lateral movement and to interact locally or remotely with victim devices using the command `mmc.exe compmgmt.msc /computer:{hostname/ip}`." ], "description": "Adversaries may abuse mmc.exe to proxy execution of malicious .msc files. Microsoft Management Console (MMC) is a binary that may be signed by Microsoft and is used in several ways in either its GUI or in a command prompt.(Citation: win_mmc)(Citation: what_is_mmc) MMC can be used to create, open, and save custom consoles that contain administrative tools created by Microsoft, called snap-ins. These snap-ins may be used to manage Windows systems locally or remotely. MMC can also be used to open Microsoft created .msc files to manage system configuration.(Citation: win_msc_files_overview)For example, mmc C:\\Users\\foo\\admintools.msc /a will open a custom, saved console msc file in author mode.(Citation: win_mmc) Another common example is mmc gpedit.msc, which will open the Group Policy Editor application window. Adversaries may use MMC commands to perform malicious tasks. For example, mmc wbadmin.msc delete catalog -quiet deletes the backup catalog on the system (i.e. [Inhibit System Recovery](https://attack.mitre.org/techniques/T1490)) without prompts to the user (Note: wbadmin.msc may only be present by default on Windows Server operating systems).(Citation: win_wbadmin_delete_catalog)(Citation: phobos_virustotal)Adversaries may also abuse MMC to execute malicious .msc files. For example, adversaries may first create a malicious registry Class Identifier (CLSID) subkey, which uniquely identifies a [Component Object Model](https://attack.mitre.org/techniques/T1559/001) class object.(Citation: win_clsid_key) Then, adversaries may create custom consoles with the Link to Web Address snap-in that is linked to the malicious CLSID subkey.(Citation: mmc_vulns) Once the .msc file is saved, adversaries may invoke the malicious CLSID payload with the following command: mmc.exe -Embedding C:\\path\\to\\test.msc.(Citation: abusing_com_reg)", "similar_words": [ @@ -31957,7 +32935,7 @@ "has added a user named supportaccount to the Remote Desktop Users and Administrators groups.", "has added accounts to specific groups with net localgroup." ], - "description": "An adversary may add additional local or domain groups to an adversary-controlled account to maintain persistent access to a system or domain.On Windows, accounts may use the `net localgroup` and `net group` commands to add existing users to local and domain groups.(Citation: Microsoft Net Localgroup)(Citation: Microsoft Net Group) On Linux, adversaries may use the `usermod` command for the same purpose.(Citation: Linux Usermod)For example, accounts may be added to the local administrators group on Windows devices to maintain elevated privileges. They may also be added to the Remote Desktop Users group, which allows them to leverage [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) to log into the endpoints in the future.(Citation: Microsoft RDP Logons) On Linux, accounts may be added to the sudoers group, allowing them to persistently leverage [Sudo and Sudo Caching](https://attack.mitre.org/techniques/T1548/003) for elevated privileges. In Windows environments, machine accounts may also be added to domain groups. This allows the local SYSTEM account to gain privileges on the domain.(Citation: RootDSE AD Detection 2022)", + "description": "An adversary may add additional local or domain groups to an adversary-controlled account to maintain persistent access to a system or domain.On Windows, accounts may use the `net localgroup` and `net group` commands to add existing users to local and domain groups.(Citation: Microsoft Net Localgroup)(Citation: Microsoft Net Group) On Linux, adversaries may use the `usermod` command for the same purpose.(Citation: Linux Usermod)For example, accounts may be added to the local administrators group on Windows devices to maintain elevated privileges. They may also be added to the Remote Desktop Users group, which allows them to leverage [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) to log into the endpoints in the future.(Citation: Microsoft RDP Logons) Adversaries may also add accounts to VPN user groups to gain future persistence on the network.(Citation: Cyber Security News) On Linux, accounts may be added to the sudoers group, allowing them to persistently leverage [Sudo and Sudo Caching](https://attack.mitre.org/techniques/T1548/003) for elevated privileges. In Windows environments, machine accounts may also be added to domain groups. This allows the local SYSTEM account to gain privileges on the domain.(Citation: RootDSE AD Detection 2022)", "similar_words": [ "Additional Local or Domain Groups" ], @@ -31987,7 +32965,11 @@ "can create and check for a mutex containing a hash of the `MachineGUID` value at execution to prevent running more than one instance.", "creates a mutex during installation to prevent duplicate execution.", "variants include the use of mutex values based on the victim system name to prevent reinfection.", - "has created a mutex to avoid duplicate execution." + "has created a mutex to avoid duplicate execution.", + "has utilized a hardcoded mutex name of LoadUpOnGunsBringYourFriends using the `CreateMutexW()` function. has also utilized a hardcoded mutex name of IntoTheFloodAgainSameOldTrip.", + "can create a mutex to insure only one instance is running.", + "has leveraged a mutex in its infection process.", + "has created hardcoded mutex to ensure only a single instance of the malware is running." ], "description": "Adversaries may constrain execution or actions based on the presence of a mutex associated with malware. A mutex is a locking mechanism used to synchronize access to a resource. Only one thread or process can acquire a mutex at a given time.(Citation: Microsoft Mutexes)While local mutexes only exist within a given process, allowing multiple threads to synchronize access to a resource, system mutexes can be used to synchronize the activities of multiple processes.(Citation: Microsoft Mutexes) By creating a unique system mutex associated with a particular malware, adversaries can verify whether or not a system has already been compromised.(Citation: Sans Mutexes 2012)In Linux environments, malware may instead attempt to acquire a lock on a mutex file. If the malware is able to acquire the lock, it continues to execute; if it fails, it exits to avoid creating a second instance of itself.(Citation: Intezer RedXOR 2021)(Citation: Deep Instinct BPFDoor 2023)Mutex names may be hard-coded or dynamically generated using a predictable algorithm.(Citation: ICS Mutexes 2015)", "similar_words": [ @@ -32043,7 +33025,8 @@ "has used Lua scripts to execute payloads.", "can use modules written in Lua for execution.", "has executed a Lua script through a Lua interpreter for Windows.", - "utilizes Lua scripts for command execution." + "utilizes Lua scripts for command execution.", + "malware has leveraged Lua bytecode to perform malicious behavior." ], "description": "Adversaries may abuse Lua commands and scripts for execution. Lua is a cross-platform scripting and programming language primarily designed for embedded use in applications. Lua can be executed on the command-line (through the stand-alone lua interpreter), via scripts (.lua), or from Lua-embedded programs (through the struct lua_State).(Citation: Lua main page)(Citation: Lua state)Lua scripts may be executed by adversaries for malicious purposes. Adversaries may incorporate, abuse, or replace existing Lua interpreters to allow for malicious Lua command execution at runtime.(Citation: PoetRat Lua)(Citation: Lua Proofpoint Sunseed)(Citation: Cyphort EvilBunny)(Citation: Kaspersky Lua)", "similar_words": [ @@ -32064,7 +33047,9 @@ }, "attack-pattern--bbfbb096-6561-4d7d-aa2c-a5ee8e44c696": { "name": "Customer Relationship Management Software", - "example_uses": [], + "example_uses": [ + "During threat actors accessed and exfiltrated sensitive information from compromised Salesforce instances." + ], "description": "Adversaries may leverage Customer Relationship Management (CRM) software to mine valuable information. CRM software is used to assist organizations in tracking and managing customer interactions, as well as storing customer data.Once adversaries gain access to a victim organization, they may mine CRM software for customer data. This may include personally identifiable information (PII) such as full names, emails, phone numbers, and addresses, as well as additional details such as purchase histories and IT support interactions. By collecting this data, an adversary may be able to send personalized [Phishing](https://attack.mitre.org/techniques/T1566) emails, engage in SIM swapping, or otherwise target the organizations customers in ways that enable financial gain or the compromise of additional organizations.(Citation: Bleeping Computer US Cellular Hack 2022)(Citation: Bleeping Computer Mint Mobile Hack 2021)(Citation: Bleeping Computer Bank Hack 2020)CRM software may be hosted on-premises or in the cloud. Information stored in these solutions may vary based on the specific instance or environment. Examples of CRM software include Microsoft Dynamics 365, Salesforce, Zoho, Zendesk, and HubSpot.", "similar_words": [ "Customer Relationship Management Software" @@ -32083,7 +33068,7 @@ "attack-pattern--cc36eeae-2209-4e63-89d3-c97e19edf280": { "name": "Relocate Malware", "example_uses": [], - "description": "Once a payload is delivered, adversaries may reproduce copies of the same malware on the victim system to remove evidence of their presence and/or avoid defenses. Copying malware payloads to new locations may also be combined with [File Deletion](https://attack.mitre.org/techniques/T1070/004) to cleanup older artifacts.Relocating malware may be a part of many actions intended to evade defenses. For example, adversaries may copy and rename payloads to better blend into the local environment (i.e., [Match Legitimate Resource Name or Location](https://attack.mitre.org/techniques/T1036/005)).(Citation: DFIR Report Trickbot June 2023) Payloads may also be repositioned to target [File/Path Exclusions](https://attack.mitre.org/techniques/T1564/012) as well as specific locations associated with establishing [Persistence](https://attack.mitre.org/tactics/TA0003).(Citation: Latrodectus APR 2024)Relocating malicious payloads may also hinder defensive analysis, especially to separate these payloads from earlier events (such as [User Execution](https://attack.mitre.org/techniques/T1204) and [Phishing](https://attack.mitre.org/techniques/T1566)) that may have generated alerts or otherwise drawn attention from defenders.", + "description": "Once a payload is delivered, adversaries may reproduce copies of the same malware on the victim system to remove evidence of their presence and/or avoid defenses. Copying malware payloads to new locations may also be combined with [File Deletion](https://attack.mitre.org/techniques/T1070/004) to cleanup older artifacts.Relocating malware may be a part of many actions intended to evade defenses. For example, adversaries may copy and rename payloads to better blend into the local environment (i.e., [Match Legitimate Resource Name or Location](https://attack.mitre.org/techniques/T1036/005)).(Citation: DFIR Report Trickbot June 2023) Payloads may also be repositioned to target [File/Path Exclusions](https://attack.mitre.org/techniques/T1564/012) as well as specific locations associated with establishing [Persistence](https://attack.mitre.org/tactics/TA0003).(Citation: Latrodectus APR 2024)Relocating malicious payloads may also hinder defensive analysis, especially to separate these payloads from earlier events (such as [User Execution](https://attack.mitre.org/techniques/T1204) and [Phishing](https://attack.mitre.org/techniques/T1566)) that may have generated alerts or otherwise drawn attention from defenders. Moving payloads into target directories does not alter the Creation timestamp, thereby evading detection logic reliant on modifications to this artifact (i.e., [Timestomp](https://attack.mitre.org/techniques/T1070/006)).", "similar_words": [ "Relocate Malware" ], @@ -32108,7 +33093,9 @@ }, "attack-pattern--f4c3f644-ab33-433d-8648-75cc03a95792": { "name": "Udev Rules", - "example_uses": [], + "example_uses": [ + "has used udev for persistence." + ], "description": "Adversaries may maintain persistence through executing malicious content triggered using udev rules. Udev is the Linux kernel device manager that dynamically manages device nodes, handles access to pseudo-device files in the `/dev` directory, and responds to hardware events, such as when external devices like hard drives or keyboards are plugged in or removed. Udev uses rule files with `match keys` to specify the conditions a hardware event must meet and `action keys` to define the actions that should follow. Root permissions are required to create, modify, or delete rule files located in `/etc/udev/rules.d/`, `/run/udev/rules.d/`, `/usr/lib/udev/rules.d/`, `/usr/local/lib/udev/rules.d/`, and `/lib/udev/rules.d/`. Rule priority is determined by both directory and by the digit prefix in the rule filename.(Citation: Ignacio Udev research 2024)(Citation: Elastic Linux Persistence 2024)Adversaries may abuse the udev subsystem by adding or modifying rules in udev rule files to execute malicious content. For example, an adversary may configure a rule to execute their binary each time the pseudo-device file, such as `/dev/random`, is accessed by an application. Although udev is limited to running short tasks and is restricted by systemd-udevd's sandbox (blocking network and filesystem access), attackers may use scripting commands under the action key `RUN+=` to detach and run the malicious contents process in the background to bypass these controls.(Citation: Reichert aon sedexp 2024)", "similar_words": [ "Udev Rules" @@ -32469,7 +33456,7 @@ "can use malicious browser extensions to steal cookies and other user information.", "can install malicious browser extensions that are used to hijack user searches." ], - "description": "Adversaries may abuse internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality to and customize aspects of internet browsers. They can be installed directly via a local file or custom URL or through a browser's app store - an official online platform where users can browse, install, and manage extensions for a specific web browser. Extensions generally inherit the web browser's permissions previously granted.(Citation: Wikipedia Browser Extension)(Citation: Chrome Extensions Definition) Malicious extensions can be installed into a browser through malicious app store downloads masquerading as legitimate extensions, through social engineering, or by an adversary that has already compromised a system. Security can be limited on browser app stores, so it may not be difficult for malicious extensions to defeat automated scanners.(Citation: Malicious Chrome Extension Numbers) Depending on the browser, adversaries may also manipulate an extension's update url to install updates from an adversary-controlled server or manipulate the mobile configuration file to silently install additional extensions. Previous to macOS 11, adversaries could silently install browser extensions via the command line using the profiles tool to install malicious .mobileconfig files. In macOS 11+, the use of the profiles tool can no longer install configuration profiles; however, .mobileconfig files can be planted and installed with user interaction.(Citation: xorrior chrome extensions macOS) Once the extension is installed, it can browse to websites in the background, steal all information that a user enters into a browser (including credentials), and be used as an installer for a RAT for persistence.(Citation: Chrome Extension Crypto Miner)(Citation: ICEBRG Chrome Extensions)(Citation: Banker Google Chrome Extension Steals Creds)(Citation: Catch All Chrome Extension) There have also been instances of botnets using a persistent backdoor through malicious Chrome extensions for [Command and Control](https://attack.mitre.org/tactics/TA0011).(Citation: Stantinko Botnet)(Citation: Chrome Extension C2 Malware) Adversaries may also use browser extensions to modify browser permissions and components, privacy settings, and other security controls for [Defense Evasion](https://attack.mitre.org/tactics/TA0005).(Citation: Browers FriarFox)(Citation: Browser Adrozek) ", + "description": "Adversaries may abuse internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality to and customize aspects of internet browsers. They can be installed directly via a local file or custom URL or through a browser's app store - an official online platform where users can browse, install, and manage extensions for a specific web browser. Extensions generally inherit the web browser's permissions previously granted.(Citation: Wikipedia Browser Extension)(Citation: Chrome Extensions Definition) Malicious extensions can be installed into a browser through malicious app store downloads masquerading as legitimate extensions, through social engineering, or by an adversary that has already compromised a system. Security can be limited on browser app stores, so it may not be difficult for malicious extensions to defeat automated scanners.(Citation: Malicious Chrome Extension Numbers) Depending on the browser, adversaries may also manipulate an extension's update url to install updates from an adversary-controlled server or manipulate the mobile configuration file to silently install additional extensions. Adversaries may abuse how chromium-based browsers load extensions by modifying or replacing the Preferences and/or Secure Preferences files to silently install malicious extensions. When the browser is not running, adversaries can alter these files, ensuring the extension is loaded, granted desired permissions, and will persist in browser sessions. This method does not require user consent and extensions are silently loaded in the background from disk or from the browser's trusted store.(Citation: Pulsedive) Previous to macOS 11, adversaries could silently install browser extensions via the command line using the profiles tool to install malicious .mobileconfig files. In macOS 11+, the use of the profiles tool can no longer install configuration profiles; however, .mobileconfig files can be planted and installed with user interaction.(Citation: xorrior chrome extensions macOS) Once the extension is installed, it can browse to websites in the background, steal all information that a user enters into a browser (including credentials), and be used as an installer for a RAT for persistence.(Citation: Chrome Extension Crypto Miner)(Citation: ICEBRG Chrome Extensions)(Citation: Banker Google Chrome Extension Steals Creds)(Citation: Catch All Chrome Extension) There have also been instances of botnets using a persistent backdoor through malicious Chrome extensions for [Command and Control](https://attack.mitre.org/tactics/TA0011).(Citation: Stantinko Botnet)(Citation: Chrome Extension C2 Malware) Adversaries may also use browser extensions to modify browser permissions and components, privacy settings, and other security controls for [Defense Evasion](https://attack.mitre.org/tactics/TA0005).(Citation: Browers FriarFox)(Citation: Browser Adrozek) ", "similar_words": [ "Browser Extensions" ], @@ -32477,7 +33464,10 @@ }, "attack-pattern--31e5011f-090e-45be-9bb6-17a1c5e8219b": { "name": "ESXi Administration Command", - "example_uses": [], + "example_uses": [ + "can execute commands on guest virtual machines from compromised ESXi hypervisors.", + "used `vmtoolsd.exe` to run commands on guest virtual machines from a compromised ESXi host." + ], "description": "Adversaries may abuse ESXi administration services to execute commands on guest machines hosted within an ESXi virtual environment. Persistent background services on ESXi-hosted VMs, such as the VMware Tools Daemon Service, allow for remote management from the ESXi server. The tools daemon service runs as `vmtoolsd.exe` on Windows guest operating systems, `vmware-tools-daemon` on macOS, and `vmtoolsd ` on Linux.(Citation: Broadcom VMware Tools Services) Adversaries may leverage a variety of tools to execute commands on ESXi-hosted VMs for example, by using the vSphere Web Services SDK to programmatically execute commands and scripts via APIs such as `StartProgramInGuest`, `ListProcessesInGuest`, `ListFileInGuest`, and `InitiateFileTransferFromGuest`.(Citation: Google Cloud Threat Intelligence VMWare ESXi Zero-Day 2023)(Citation: Broadcom Running Guest OS Operations) This may enable follow-on behaviors on the guest VMs, such as [File and Directory Discovery](https://attack.mitre.org/techniques/T1083), [Data from Local System](https://attack.mitre.org/techniques/T1005), or [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). ", "similar_words": [ "ESXi Administration Command" @@ -32530,7 +33520,9 @@ }, "attack-pattern--66b34be7-6915-4b83-8d5a-b0f0592b5e41": { "name": "IDE Extensions", - "example_uses": [], + "example_uses": [ + "has leveraged Visual Studio Codes (VSCode) embedded reverse shell feature using the command `code.exe tunnel` to execute code and deliver additional payloads." + ], "description": "Adversaries may abuse an integrated development environment (IDE) extension to establish persistent access to victim systems.(Citation: Mnemonic misuse visual studio) IDEs such as Visual Studio Code, IntelliJ IDEA, and Eclipse support extensions - software components that add features like code linting, auto-completion, task automation, or integration with tools like Git and Docker. A malicious extension can be installed through an extension marketplace (i.e., [Compromise Software Dependencies and Development Tools](https://attack.mitre.org/techniques/T1195/001)) or side-loaded directly into the IDE.(Citation: Abramovsky VSCode Security)(Citation: Lakshmanan Visual Studio Marketplace) In addition to installing malicious extensions, adversaries may also leverage benign ones. For example, adversaries may establish persistent SSH tunnels via the use of the VSCode Remote SSH extension (i.e., [IDE Tunneling](https://attack.mitre.org/techniques/T1219/001)). Trust is typically established through the installation process; once installed, the malicious extension is run every time that the IDE is launched. The extension can then be used to execute arbitrary code, establish a backdoor, mine cryptocurrency, or exfiltrate data.(Citation: ExtensionTotal VSCode Extensions 2025)", "similar_words": [ "IDE Extensions" @@ -32557,7 +33549,8 @@ "has used junk code within their DLL files to hinder analysis.", "can use junk code to hide functions and evade detection.", "has used useless code blocks to counter analysis.", - "has been packed with junk code and strings." + "has been packed with junk code and strings.", + "has obfuscated code by filling scripts with junk code and concatenating strings to hamper analysis and detection." ], "description": "Adversaries may use junk code / dead code to obfuscate a malwares functionality. Junk code is code that either does not execute, or if it does execute, does not change the functionality of the code. Junk code makes analysis more difficult and time-consuming, as the analyst steps through non-functional code instead of analyzing the main code. It also may hinder detections that rely on static code analysis due to the use of benign functionality, especially when combined with [Compression](https://attack.mitre.org/techniques/T1027/015) or [Software Packing](https://attack.mitre.org/techniques/T1027/002).(Citation: ReasonLabs)(Citation: ReasonLabs Cyberpedia Junk Code)No-Operation (NOP) instructions are an example of dead code commonly used in x86 assembly language. They are commonly used as the 0x90 opcode. When NOPs are added to malware, the disassembler may show the NOP instructions, leading to the analyst needing to step through them.(Citation: ReasonLabs)The use of junk / dead code insertion is distinct from [Binary Padding](https://attack.mitre.org/techniques/T1027/001) because the purpose is to obfuscate the functionality of the code, rather than simply to change the malwares signature. ", "similar_words": [ @@ -32568,7 +33561,10 @@ "attack-pattern--6bc7f9aa-b91f-4b23-84b8-5e756eba68eb": { "name": "Virtual Machine Discovery", "example_uses": [ - "Cheerscrypt has leveraged `esxcli vm process list` in order to gather a list of running virtual machines to terminate them." + "Cheerscrypt has leveraged `esxcli vm process list` in order to gather a list of running virtual machines to terminate them.", + "has used scripts to enumerate ESXi hypervisors and their guest VMs.", + "can detect virtual machine environments.", + "can target specific guest virtual machines for script execution." ], "description": "An adversary may attempt to enumerate running virtual machines (VMs) after gaining access to a host or hypervisor. For example, adversaries may enumerate a list of VMs on an ESXi hypervisor using a [Hypervisor CLI](https://attack.mitre.org/techniques/T1059/012) such as `esxcli` or `vim-cmd` (e.g. `esxcli vm process list or vim-cmd vmsvc/getallvms`).(Citation: Crowdstrike Hypervisor Jackpotting Pt 2 2021)(Citation: TrendMicro Play) Adversaries may also directly leverage a graphical user interface, such as VMware vCenter, in order to view virtual machines on a host. Adversaries may use the information from [Virtual Machine Discovery](https://attack.mitre.org/techniques/T1673) during discovery to shape follow-on behaviors. Subsequently discovered VMs may be leveraged for follow-on activities such as [Service Stop](https://attack.mitre.org/techniques/T1489) or [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486).(Citation: Crowdstrike Hypervisor Jackpotting Pt 2 2021)", "similar_words": [ @@ -32587,7 +33583,9 @@ }, "attack-pattern--77e29a47-e263-4f11-8692-e5012f44dbac": { "name": "IDE Tunneling", - "example_uses": [], + "example_uses": [ + "has utilized an established Github account to create a tunnel within the victim environment using Visual Studio Code through the `code.exe tunnel` command." + ], "description": "Adversaries may abuse Integrated Development Environment (IDE) software with remote development features to establish an interactive command and control channel on target systems within a network. IDE tunneling combines SSH, port forwarding, file sharing, and debugging into a single secure connection, letting developers work on remote systems as if they were local. Unlike SSH and port forwarding, IDE tunneling encapsulates an entire session and may use proprietary tunneling protocols alongside SSH, allowing adversaries to blend in with legitimate development workflows. Some IDEs, like Visual Studio Code, also provide CLI tools (e.g., `code tunnel`) that adversaries may use to programmatically establish tunnels and generate web-accessible URLs for remote access. These tunnels can be authenticated through accounts such as GitHub, enabling the adversary to control the compromised system via a legitimate developer portal.(Citation: sentinelone operationDigitalEye Dec 2024)(Citation: Unit42 Chinese VSCode 06 September 2024)(Citation: Thornton tutorial VSCode shell September 2023)Additionally, adversaries may use IDE tunneling for persistence. Some IDEs, such as Visual Studio Code and JetBrains, support automatic reconnection. Adversaries may configure the IDE to auto-launch at startup, re-establishing the tunnel upon execution. Compromised developer machines may also be exploited as jump hosts to move further into the network.IDE tunneling tools may be built-in or installed as [IDE Extensions](https://attack.mitre.org/techniques/T1176/002).", "similar_words": [ "IDE Tunneling" @@ -32634,7 +33632,9 @@ }, "attack-pattern--c31aebd6-c9b5-420f-ba2a-5853bbf897fa": { "name": "Cloud Application Integration", - "example_uses": [], + "example_uses": [ + "During threat actors deceived victims into authorizing malicious connected apps to their organization's Salesforce portal." + ], "description": "Adversaries may achieve persistence by leveraging OAuth application integrations in a software-as-a-service environment. Adversaries may create a custom application, add a legitimate application into the environment, or even co-opt an existing integration to achieve malicious ends.(Citation: Push Security SaaS Persistence 2022)(Citation: SaaS Attacks GitHub Evil Twin Integrations)OAuth is an open standard that allows users to authorize applications to access their information on their behalf. In a SaaS environment such as Microsoft 365 or Google Workspace, users may integrate applications to improve their workflow and achieve tasks. Leveraging application integrations may allow adversaries to persist in an environment for example, by granting consent to an application from a high-privileged adversary-controlled account in order to maintain access to its data, even in the event of losing access to the account.(Citation: Wiz Midnight Blizzard 2024)(Citation: Microsoft Malicious OAuth Applications 2022)(Citation: Huntress Persistence Microsoft 365 Compromise 2024) In some cases, integrations may remain valid even after the original consenting user account is disabled.(Citation: Push Security Slack Persistence 2023) Application integrations may also allow adversaries to bypass multi-factor authentication requirements through the use of [Application Access Token](https://attack.mitre.org/techniques/T1550/001)s. Finally, they may enable persistent [Automated Exfiltration](https://attack.mitre.org/techniques/T1020) over time.(Citation: Synes Cyber Corner Malicious Azure Application 2023)Creating or adding a new application may require the adversary to create a dedicated [Cloud Account](https://attack.mitre.org/techniques/T1136/003) for the application and assign it [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003) for example, in Microsoft 365 environments, an application can only access resources via an associated service principal.(Citation: Microsoft Entra ID Service Principals) ", "similar_words": [ "Cloud Application Integration" @@ -32645,7 +33645,9 @@ "name": "Hypervisor CLI", "example_uses": [ "Cheerscrypt has leveraged `esxcli` in order to terminate running virtual machines.", - "Royal ransomware uses `esxcli` to gather a list of running VMs and terminate them." + "Royal ransomware uses `esxcli` to gather a list of running VMs and terminate them.", + "has used the esxcli command line utility to modify firewall rules install malware and for artifact removal.", + "is capable of command line execution on compromised ESXi servers." ], "description": "Adversaries may abuse hypervisor command line interpreters (CLIs) to execute malicious commands. Hypervisor CLIs typically enable a wide variety of functionality for managing both the hypervisor itself and the guest virtual machines it hosts. For example, on ESXi systems, tools such as `esxcli` and `vim-cmd` allow administrators to configure firewall rules and log forwarding on the hypervisor, list virtual machines, start and stop virtual machines, and more.(Citation: Broadcom ESXCLI Reference)(Citation: Crowdstrike Hypervisor Jackpotting Pt 2 2021)(Citation: LOLESXi) Adversaries may be able to leverage these tools in order to support further actions, such as [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) or [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486).", "similar_words": [ @@ -32663,7 +33665,11 @@ "has used a modified TeamViewer client as a command and control channel.", "used a cloud-based remote access software called LogMeIn for their attacks.", "has used a modified version of TeamViewer and Remote Utilities for remote access.", - "During the threat actors installed the AnyDesk remote desktop application onto the compromised network." + "During the threat actors installed the AnyDesk remote desktop application onto the compromised network.", + "has used legitimate remote monitoring and management (RMM) tools including AnyDesk NinjaOne and Level.io.", + "has downloaded remote management and monitoring software such as AnyDesk for post compromise activities.", + "In addition to directing victims to run remote software members themselves also deploy RMM software including TeamViewer AnyDesk LogMeIn and to establish persistence on the compromised network.", + "During directed victims to run remote monitoring and management (RMM) tools." ], "description": "An adversary may use legitimate desktop support software to establish an interactive command and control channel to target systems within networks. Desktop support software provides a graphical interface for remotely controlling another computer, transmitting the display output, keyboard input, and mouse control between devices using various protocols. Desktop support software, such as `VNC`, `Team Viewer`, `AnyDesk`, `ScreenConnect`, `LogMein`, `AmmyyAdmin`, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and may be allowed by application control within a target environment.(Citation: Symantec Living off the Land)(Citation: CrowdStrike 2015 Global Threat Report)(Citation: CrySyS Blog TeamSpy) Remote access modules/features may also exist as part of otherwise existing software such as Zoom or Google Chromes Remote Desktop.(Citation: Google Chrome Remote Desktop)(Citation: Chrome Remote Desktop) ", "similar_words": [ @@ -32683,7 +33689,7 @@ "attack-pattern--e1c2db92-7ae3-4e6a-90b4-157c1c1565cb": { "name": "Email Spoofing", "example_uses": [], - "description": "Adversaries may fake, or spoof, a senders identity by modifying the value of relevant email headers in order to establish contact with victims under false pretenses.(Citation: Proofpoint TA427 April 2024) In addition to actual email content, email headers (such as the FROM header, which contains the email address of the sender) may also be modified. Email clients display these headers when emails appear in a victim's inbox, which may cause modified emails to appear as if they were from the spoofed entity. This behavior may succeed when the spoofed entity either does not enable or enforce identity authentication tools such as Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and/or Domain-based Message Authentication, Reporting and Conformance (DMARC).(Citation: Cloudflare DMARC, DKIM, and SPF)(Citation: DMARC-overview)(Citation: Proofpoint-DMARC) Even if SPF and DKIM are configured properly, spoofing may still succeed when a domain sets a weak DMARC policy such as `v=DMARC1; p=none; fo=1;`. This means that while DMARC is technically present, email servers are not instructed to take any filtering action when emails fail authentication checks.(Citation: Proofpoint TA427 April 2024)(Citation: ic3-dprk)Adversaries may abuse absent or weakly configured SPF, SKIM, and/or DMARC policies to conceal social engineering attempts(Citation: ic3-dprk) such as [Phishing](https://attack.mitre.org/techniques/T1566). They may also leverage email spoofing for [Impersonation](https://attack.mitre.org/techniques/T1656) of legitimate external individuals and organizations, such as journalists and academics.(Citation: ic3-dprk)", + "description": "Adversaries may fake, or spoof, a senders identity by modifying the value of relevant email headers in order to establish contact with victims under false pretenses.(Citation: Proofpoint TA427 April 2024) In addition to actual email content, email headers (such as the FROM header, which contains the email address of the sender) may also be modified. Email clients display these headers when emails appear in a victim's inbox, which may cause modified emails to appear as if they were from the spoofed entity. This behavior may succeed when the spoofed entity either does not enable or enforce identity authentication tools such as Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and/or Domain-based Message Authentication, Reporting and Conformance (DMARC).(Citation: Cloudflare DMARC, DKIM, and SPF)(Citation: DMARC-overview)(Citation: Proofpoint-DMARC) Even if SPF and DKIM are configured properly, spoofing may still succeed when a domain sets a weak DMARC policy such as `v=DMARC1; p=none; fo=1;`. This means that while DMARC is technically present, email servers are not instructed to take any filtering action when emails fail authentication checks.(Citation: Proofpoint TA427 April 2024)(Citation: ic3-dprk)Adversaries may abuse Microsoft 365s Direct Send functionality to spoof internal users by using internal devices like printers to send emails without authentication.(Citation: Barnea DirectSend) Adversaries may also abuse absent or weakly configured SPF, SKIM, and/or DMARC policies to conceal social engineering attempts(Citation: ic3-dprk) such as [Phishing](https://attack.mitre.org/techniques/T1566). They may also leverage email spoofing for [Impersonation](https://attack.mitre.org/techniques/T1656) of legitimate external individuals and organizations, such as journalists and academics.(Citation: ic3-dprk)", "similar_words": [ "Email Spoofing" ], @@ -32691,8 +33697,11 @@ }, "attack-pattern--e261a979-f354-41a8-963e-6cadac27c4bf": { "name": "Malicious Copy and Paste", - "example_uses": [], - "description": "An adversary may rely upon a user copying and pasting code in order to gain execution. Users may be subjected to social engineering to get them to copy and paste code directly into a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059). Malicious websites, such as those used in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), may present fake error messages or CAPTCHA prompts that instruct users to open a terminal or the Windows Run Dialog box and execute an arbitrary command. These commands may be obfuscated using encoding or other techniques to conceal malicious intent. Once executed, the adversary will typically be able to establish a foothold on the victim's machine.(Citation: CloudSEK Lumma Stealer 2024)(Citation: Sekoia ClickFake 2025)(Citation: Reliaquest CAPTCHA 2024)(Citation: AhnLab LummaC2 2025)Adversaries may also leverage phishing emails for this purpose. When a user attempts to open an attachment, they may be presented with a fake error and offered a malicious command to paste as a solution.(Citation: Proofpoint ClickFix 2024)(Citation: AhnLab Malicioys Copy Paste 2024)Tricking a user into executing a command themselves may help to bypass email filtering, browser sandboxing, or other mitigations designed to protect users against malicious downloaded files. ", + "example_uses": [ + "The infection chain has been initiated via ClickFix lures in phishing emails.", + "has leveraged ClickFix type tactics enticing victims to copy and paste malicious code." + ], + "description": "An adversary may rely upon a user copying and pasting code in order to gain execution. Users may be subjected to social engineering to get them to copy and paste code directly into a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059). One such strategy is \"ClickFix,\" in which adversaries present users with seemingly helpful solutionssuch as prompts to fix errors or complete CAPTCHAsthat instead instruct the user to copy and paste malicious code.Malicious websites, such as those used in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), may present fake error messages or CAPTCHA prompts that instruct users to open a terminal or the Windows Run Dialog box and execute an arbitrary command. These commands may be obfuscated using encoding or other techniques to conceal malicious intent. Once executed, the adversary will typically be able to establish a foothold on the victim's machine.(Citation: CloudSEK Lumma Stealer 2024)(Citation: Sekoia ClickFake 2025)(Citation: Reliaquest CAPTCHA 2024)(Citation: AhnLab LummaC2 2025)Adversaries may also leverage phishing emails for this purpose. When a user attempts to open an attachment, they may be presented with a fake error and offered a malicious command to paste as a solution, consistent with the \"ClickFix\" strategy.(Citation: Proofpoint ClickFix 2024)(Citation: AhnLab Malicioys Copy Paste 2024)Tricking a user into executing a command themselves may help to bypass email filtering, browser sandboxing, or other mitigations designed to protect users against malicious downloaded files. ", "similar_words": [ "Malicious Copy and Paste" ], @@ -32700,7 +33709,10 @@ }, "attack-pattern--f8ba7d61-11c5-4130-bafd-7c3ff5fbf4b5": { "name": "vSphere Installation Bundles", - "example_uses": [], + "example_uses": [ + "has used vSphere Installation Bundles (VIBs) to install malware and establish persistence across ESXi hypervisors.", + "has been installed on VMware ESXi servers through malicious vSphere Installation Bundles (VIBs)." + ], "description": "Adversaries may abuse vSphere Installation Bundles (VIBs) to establish persistent access to ESXi hypervisors. VIBs are collections of files used for software distribution and virtual system management in VMware environments. Since ESXi uses an in-memory filesystem where changes made to most files are stored in RAM rather than in persistent storage, these modifications are lost after a reboot. However, VIBs can be used to create startup tasks, apply custom firewall rules, or deploy binaries that persist across reboots. Typically, administrators use VIBs for updates and system maintenance.VIBs can be broken down into three components:(Citation: VMware VIBs)* VIB payload: a `.vgz` archive containing the directories and files to be created and executed on boot when the VIBs are loaded. * Signature file: verifies the host acceptance level of a VIB, indicating what testing and validation has been done by VMware or its partners before publication of a VIB. By default, ESXi hosts require a minimum acceptance level of PartnerSupported for VIB installation, meaning the VIB is published by a trusted VMware partner. However, privileged users can change the default acceptance level using the `esxcli` command line interface. Additionally, VIBs are able to be installed regardless of acceptance level by using the esxcli software vib install --force command. * XML descriptor file: a configuration file containing associated VIB metadata, such as the name of the VIB and its dependencies. Adversaries may leverage malicious VIB packages to maintain persistent access to ESXi hypervisors, allowing system changes to be executed upon each bootup of ESXi such as using `esxcli` to enable firewall rules for backdoor traffic, creating listeners on hard coded ports, and executing backdoors.(Citation: Google Cloud Threat Intelligence ESXi VIBs 2022) Adversaries may also masquerade their malicious VIB files as PartnerSupported by modifying the XML descriptor file.(Citation: Google Cloud Threat Intelligence ESXi VIBs 2022)", "similar_words": [ "vSphere Installation Bundles" @@ -32738,7 +33750,9 @@ "has compressed its data with the LZSS algorithm.", "has obfuscated code using gzip compression.", "has the ability to compress its components.", - "The JavaScript payload has been delivered within a compressed ZIP archive." + "The JavaScript payload has been delivered within a compressed ZIP archive.", + "has delivered malicious payloads within compressed archives and zip files.", + "has been delivered as compressed files within ZIP files to victims." ], "description": "Adversaries may use compression to obfuscate their payloads or files. Compressed file formats such as ZIP, gzip, 7z, and RAR can compress and archive multiple files together to make it easier and faster to transfer files. In addition to compressing files, adversaries may also compress shellcode directly - for example, in order to store it in a Windows Registry key (i.e., [Fileless Storage](https://attack.mitre.org/techniques/T1027/011)).(Citation: Trustwave Pillowmint June 2020)In order to further evade detection, adversaries may combine multiple ZIP files into one archive. This process of concatenation creates an archive that appears to be a single archive but in fact contains the central directories of the embedded archives. Some ZIP readers, such as 7zip, may not be able to identify concatenated ZIP files and miss the presence of the malicious payload.(Citation: Perception Point)File archives may be sent as one [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) through email. Adversaries have sent malicious payloads as archived files to encourage the user to interact with and extract the malicious payload onto their system (i.e., [Malicious File](https://attack.mitre.org/techniques/T1204/002)).(Citation: NTT Security Flagpro new December 2021) However, some file compression tools, such as 7zip, can be used to produce self-extracting archives. Adversaries may send self-extracting archives to hide the functionality of their payload and launch it without requiring multiple actions from the user.(Citation: The Hacker News)[Compression](https://attack.mitre.org/techniques/T1027/015) may be used in combination with [Encrypted/Encoded File](https://attack.mitre.org/techniques/T1027/013) where compressed files are encrypted and password-protected.", "similar_words": [ @@ -33207,5 +34221,535 @@ "Quick Assist" ], "id": "S1209" + }, + "attack-pattern--248d3fe1-7fe1-4d71-91c7-8bb7ef35cad3": { + "name": "Databases", + "example_uses": [ + "gathered information from SQL servers and Building Management System (BMS) servers during .", + "exfiltrates data of interest from enterprise databases using Adminer.", + "collected data from victim Oracle databases using SQLULDR2.", + "has collected schemas and user accounts from systems running SQL Server.", + "includes a module capable of stealing content from the Tencent QQ database storing user QQ message history on infected devices.", + "used the tool Adminer to remotely logon to the MySQL service of victim machines.", + "has used a custom .NET tool to collect documents from an organization's internal central database.", + "has the ability to list and extract data from SQL databases." + ], + "description": "Adversaries may leverage databases to mine valuable information. These databases may be hosted on-premises or in the cloud (both in platform-as-a-service and software-as-a-service environments). Examples of databases from which information may be collected include MySQL, PostgreSQL, MongoDB, Amazon Relational Database Service, Azure SQL Database, Google Firebase, and Snowflake. Databases may include a variety of information of interest to adversaries, such as usernames, hashed passwords, personally identifiable information, and financial data. Data collected from databases may be used for [Lateral Movement](https://attack.mitre.org/tactics/TA0008), [Command and Control](https://attack.mitre.org/tactics/TA0011), or [Exfiltration](https://attack.mitre.org/tactics/TA0010). Data exfiltrated from databases may also be used to extort victims or may be sold for profit.(Citation: Google Cloud Threat Intelligence UNC5537 Snowflake 2024)", + "similar_words": [ + "Databases" + ], + "id": "T1213.006" + }, + "attack-pattern--4a6cfdae-1417-40c7-a84e-f59d21c58266": { + "name": "Backup Software Discovery", + "example_uses": [ + "has utilized the PowerShell script `Get-DataInfo.ps1` to collect installed backup software information from a compromised machine." + ], + "description": "Adversaries may attempt to get a listing of backup software or configurations that are installed on a system. Adversaries may use this information to shape follow-on behaviors, such as [Data Destruction](https://attack.mitre.org/techniques/T1485), [Inhibit System Recovery](https://attack.mitre.org/techniques/T1490), or [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486). Commands that can be used to obtain security software information are [netsh](https://attack.mitre.org/software/S0108), `reg query` with [Reg](https://attack.mitre.org/software/S0075), `dir` with [cmd](https://attack.mitre.org/software/S0106), and [Tasklist](https://attack.mitre.org/software/S0057), but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for, such as Veeam, Acronis, Dropbox, or Paragon.(Citation: Symantec Play Ransomware 2023)", + "similar_words": [ + "Backup Software Discovery" + ], + "id": "T1518.002" + }, + "attack-pattern--63b24abc-5702-4745-b1e4-ac70b20a43f2": { + "name": "Search Threat Vendor Data", + "example_uses": [ + "has replaced indicators mentioned in open-source threat intelligence publications at times under a week after their release.", + "has registered accounts with Threat Intelligence vendor services to check for reporting associated with their infrastructure and to evaluate new potential infrastructure." + ], + "description": "Threat actors may seek information/indicators from closed or open threat intelligence sources gathered about their own campaigns, as well as those conducted by other adversaries that may align with their target industries, capabilities/objectives, or other operational concerns. These reports may include descriptions of behavior, detailed breakdowns of attacks, atomic indicators such as malware hashes or IP addresses, timelines of a groups activity, and more. Adversaries may change their behavior when planning their future operations. Adversaries have been observed replacing atomic indicators mentioned in blog posts in under a week.(Citation: Google Cloud Threat Intelligence VMWare ESXi Zero-Day 2023) Adversaries have also been seen searching for their own domain names in threat vendor data and then taking them down, likely to avoid seizure or further investigation.(Citation: Sentinel One Contagious Interview ClickFix September 2025)This technique is distinct from [Threat Intel Vendors](https://attack.mitre.org/techniques/T1597/001) in that it describes threat actors performing reconnaissance on their own activity, not in search of victim information. ", + "similar_words": [ + "Search Threat Vendor Data" + ], + "id": "T1681" + }, + "attack-pattern--73b24a10-6bf4-4af1-a81e-67b8bcb6c4e6": { + "name": "Malicious Library", + "example_uses": [ + "has relied on users to install a malicious library from a code repository to infect the victim's device and has led to additional payload distribution and theft of sensitive data." + ], + "description": "Adversaries may rely on a user installing a malicious library to facilitate execution. Threat actors may [Upload Malware](https://attack.mitre.org/techniques/T1608/001) to package managers such as NPM and PyPi, as well as to public code repositories such as GitHub. User may install libraries without realizing they are malicious, thus bypassing techniques that specifically achieve Initial Access. This can lead to the execution of malicious code, such as code that establishes persistence, steals data, or mines cryptocurrency.(Citation: Datadog Security Labs Malicious PyPi Packages 2024)(Citation: Fortinet Malicious NPM Packages 2023)In some cases, threat actors may compromise and backdoor existing popular libraries (i.e., [Compromise Software Dependencies and Development Tools](https://attack.mitre.org/techniques/T1195/001)). Alternatively, they may create entirely new packages and leverage behaviors such as typosquatting to encourage users to install them.", + "similar_words": [ + "Malicious Library" + ], + "id": "T1204.005" + }, + "attack-pattern--7655ac3b-dfde-49c5-a967-242856174434": { + "name": "Poisoned Pipeline Execution", + "example_uses": [], + "description": "Adversaries may manipulate continuous integration / continuous development (CI/CD) processes by injecting malicious code into the build process. There are several mechanisms for poisoning pipelines: * In a Direct Pipeline Execution scenario, the threat actor directly modifies the CI configuration file (e.g., `gitlab-ci.yml` in GitLab). They may include a command to exfiltrate credentials leveraged in the build process to a remote server, or to export them as a workflow artifact.(Citation: Unit 42 Palo Alto GitHub Actions Supply Chain Attack 2025)(Citation: OWASP CICD-SEC-4)* In an Indirect Pipeline Execution scenario, the threat actor injects malicious code into files referenced by the CI configuration file. These may include makefiles, scripts, unit tests, and linters.(Citation: OWASP CICD-SEC-4)* In a Public Pipeline Execution scenario, the threat actor does not have direct access to the repository but instead creates a malicious pull request from a fork that triggers a part of the CI/CD pipeline. For example, in GitHub Actions, the `pull_request_target` trigger allows workflows running from forked repositories to access secrets. If this trigger is combined with an explicit pull request checkout and a location for a threat actor to insert malicious code (e.g., an `npm build` command), a threat actor may be able to leak pipeline credentials.(Citation: Unit 42 Palo Alto GitHub Actions Supply Chain Attack 2025)(Citation: GitHub Security Lab GitHub Actions Security 2021) Similarly, threat actors may craft pull requests with malicious inputs (such as branch names) if the build pipeline treats those inputs as trusted.(Citation: Wiz Ultralytics AI Library Hijack 2024)(Citation: Synactiv Hijacking GitHub Runners)(Citation: GitHub Security Labs GitHub Actions Security Part 2 2021) Finally, if a pipeline leverages a self-hosted runner, a threat actor may be able to execute arbitrary code on a host inside the organizations network.(Citation: John Stawinski PyTorch Supply Chain Attack 2024)By poisoning CI/CD pipelines, threat actors may be able to gain access to credentials, laterally move to additional hosts, or input malicious components to be shipped further down the pipeline (i.e., [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195)). ", + "similar_words": [ + "Poisoned Pipeline Execution" + ], + "id": "T1677" + }, + "attack-pattern--9b00925a-7c4b-4e53-bfc8-9a6a806fde03": { + "name": "Selective Exclusion", + "example_uses": [ + "has avoided specified files file extensions and folders to ensure successful execution of the payload and continued operations of the impacted device.", + "has the capability to scan for file names file extensions and avoids pre-designated path names and file types.", + "has avoided encrypting specific files and directories by leveraging a regular expression within the ransomware binary." + ], + "description": "Adversaries may intentionally exclude certain files, folders, directories, file types, or system components from encryption or tampering during a ransomware or malicious payload execution. Some file extensions that adversaries may avoid encrypting include `.dll`, `.exe`, and `.lnk`.(Citation: Palo Alto Unit 42 Medusa Group Medusa Ransomware January 2024) Adversaries may perform this behavior to avoid alerting users, to evade detection by security tools and analysts, or, in the case of ransomware, to ensure that the system remains operational enough to deliver the ransom notice. Exclusions may target files and components whose corruption would cause instability, break core services, or immediately expose the attack. By carefully avoiding these areas, adversaries maintain system responsiveness while minimizing indicators that could trigger alarms or otherwise inhibit achieving their goals. ", + "similar_words": [ + "Selective Exclusion" + ], + "id": "T1679" + }, + "attack-pattern--a0f84e1d-d25c-4dd1-bb26-3c0e68471530": { + "name": "Disable or Modify Network Device Firewall", + "example_uses": [ + "have created firewall exemptions on specific ports including ports 443 6443 8443 and 9443.", + "can block the Deibold Warsaw GAS Tecnologia security tool at the firewall level." + ], + "description": "Adversaries may disable network device-based firewall mechanisms entirely or add, delete, or modify particular rules in order to bypass controls limiting network usage. Modifying or disabling a network firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed. For example, adversaries may add new network firewall rules to allow access to all internal network subnets without restrictions.(Citation: Exposed Fortinet Fortigate firewall interface leads to LockBit Ransomware)Adversaries may gain access to the firewall management console via [Valid Accounts](https://attack.mitre.org/techniques/T1078) or by exploiting a vulnerability. In some cases, threat actors may target firewalls that have been exposed to the internet [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190).(Citation: CVE-2024-55591 Detail)", + "similar_words": [ + "Disable or Modify Network Device Firewall" + ], + "id": "T1562.013" + }, + "attack-pattern--a1df809c-7d0e-459f-8fe5-25474bab770b": { + "name": "Delay Execution", + "example_uses": [ + "has the ability to pause operations for a specified duration prior to follow-on execution of activities.", + "has delayed the execution of payloads leveraging ping echo requests `cmd /c ping 8.8.8.8 -n 70&&%temp%\\`.", + "During the 's software generates a randomly selected date that is between 1-4 weeks in the future. This timestamp is then checked against the current time of the compromised machine and the malware will sleep until that time is encountered.", + "has used a config file $.ini to store a sleep multiplier to execute at a set interval value prior to initiating a watcher function that checks for a specific running process that checks for removable drives and installs itself and supporting files if one is available." + ], + "description": "Adversaries may employ various time-based methods to evade detection and analysis. These techniques often exploit system clocks, delays, or timing mechanisms to obscure malicious activity, blend in with benign activity, and avoid scrutiny. Adversaries can perform this behavior within virtualization/sandbox environments or natively on host systems. Adversaries may utilize programmatic `sleep` commands or native system scheduling functionality, for example [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053). Benign commands or other operations may also be used to delay malware execution or ensure prior commands have had time to execute properly. Loops or otherwise needless repetitions of commands, such as `ping`, may be used to delay malware execution and potentially exceed time thresholds of automated analysis environments.(Citation: Revil Independence Day)(Citation: Netskope Nitol) Another variation, commonly referred to as API hammering, involves making various calls to Native API functions in order to delay execution (while also potentially overloading analysis environments with junk data).(Citation: Joe Sec Nymaim)(Citation: Joe Sec Trickbot)", + "similar_words": [ + "Delay Execution" + ], + "id": "T1678" + }, + "attack-pattern--afac5dbc-4383-4fb6-9ba6-45b25d49e530": { + "name": "Browser Fingerprint", + "example_uses": [ + "has attempted to mimic a compromised user's traffic by using the same user agent as the installed browser." + ], + "description": "Adversaries may attempt to blend in with legitimate traffic by spoofing browser and system attributes like operating system, system language, platform, user-agent string, resolution, time zone, etc. The HTTPUser-Agentrequest headeris a string that lets servers and network peers identify the application, operating system, vendor, and/or version of the requestinguser agent.(Citation: Mozilla User Agent)Adversaries may gather this information through [System Information Discovery](https://attack.mitre.org/techniques/T1082) or by users navigating to adversary-controlled websites, and then use that information to craft their web traffic to evade defenses.(Citation: Gummy Browsers: Targeted Browser Spoofing against State-of-the-Art Fingerprinting Techniques)", + "similar_words": [ + "Browser Fingerprint" + ], + "id": "T1036.012" + }, + "attack-pattern--c283d88f-8c23-4318-9da5-3d50cecad756": { + "name": "Container CLI/API", + "example_uses": [ + "TeamTNT targeted misconfigured containers and used container CLI tools." + ], + "description": "Adversaries may abuse built-in CLI tools or API calls to execute malicious commands in containerized environments.The Docker CLI is used for managing containers via an exposed API point from the `dockerd` daemon. Some common examples of Docker CLI include Docker Desktop CLI and Docker Compose, but users are also able to use SDKs to interact with the API. For example, Docker SDK for Python can be used to run commands within a Python application.(Citation: Docker Desktop CLI)Adversaries may leverage the Docker CLI, API, or SDK to pull or build Docker images (i.e., [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105), [Build Image on Host](https://attack.mitre.org/techniques/T1612)), run containers (i.e., [Deploy Container](https://attack.mitre.org/techniques/T1610)), or execute commands inside running containers (i.e., [Container Administration Command](https://attack.mitre.org/techniques/T1609)). In some cases, threat actors may pull legitimate images that include scripts or tools that they can leverage - for example, using an image that includes the `curl` command to download payloads.(Citation: Intezer) Adversaries may also utilize `docker inspect` and `docker ps` to scan for cloud environment variables and other running containers (i.e., [Container and Resource Discovery](https://attack.mitre.org/techniques/T1613)).(Citation: Cisco Talos Blog)(Citation: aquasec)Kubernetes is responsible for the management and orchestration of containers across clusters. The Kubernetes control plane, which manages the state of the cluster and is responsible for scheduling, communication, and resource monitoring, can be invoked directly via the API or indirectly via CLI tools such as `kubectl`. It may also be accessed within client libraries such as Go or Python. By utilizing the API, administrators can interact with resources within the cluster such as listing or creating pods, which is a group of one or more containers. Adversaries call the API server via `curl` or other tools, allowing them to obtain further information about the environment such as pods, deployments, daemonsets, namespaces, or sysvars.(Citation: aquasec) They may also run various commands regarding resource management.", + "similar_words": [ + "Container CLI/API" + ], + "id": "T1059.013" + }, + "attack-pattern--c5087385-9b7c-4488-9923-d9e370bf08df": { + "name": "Python Startup Hooks", + "example_uses": [], + "description": "Adversaries may achieve persistence by leveraging Pythons startup mechanisms, including path configuration (`.pth`) files and the `sitecustomize.py` or `usercustomize.py` modules. These files are automatically processed during the initialization of the Python interpreter, allowing for the execution of arbitrary code whenever Python is invoked.(Citation: Volexity GlobalProtect CVE 2024)Path configuration files are designed to extend Pythons module search paths through the use of import statements. If a `.pth` file is placed in Python's `site-packages` or `dist-packages` directories, any lines beginning with `import` will be executed automatically on Python invocation.(Citation: DFIR Python Persistence 2025) Similarly, if `sitecustomize.py` or `usercustomize.py` is present in the Python path, these files will be imported during interpreter startup, and any code they contain will be executed.(Citation: Python Site Configuration Hook)Adversaries may abuse these mechanisms to establish persistence on systems where Python is widely used (e.g., for automation or scripting in production environments). ", + "similar_words": [ + "Python Startup Hooks" + ], + "id": "T1546.018" + }, + "attack-pattern--f2514ae4-4e9b-4f26-a5ba-c4ae85fe93c3": { + "name": "Local Storage Discovery", + "example_uses": [ + "has searched for disk partition and logical volume information.", + "has collected disk information from a victim machine.", + "can use the `IOCTL_DISK_GET_DRIVE_GEOMETRY_EX` `IOCTL_DISK_GET_DRIVE_GEOMETRY` and `IOCTL_DISK_GET_LENGTH_INFO` system calls to compute disk size.", + "can obtain the number of drives on the victim machine.", + "can enumerate local drives disk type and disk free space.", + "gathers logical drives information and volume information.", + "can use `GetlogicalDrives` to get a bitmask of all drives available on a compromised system. It can also use `GetDriveType` to determine if a new drive is a CD-ROM drive.", + "gathers the the serial number of the main disk volume.", + "has checked to ensure there is enough disk space using the Unix utility `df`.", + "During issued `ping -n 1 ((cmd /c dir c:\\|findstr Number).split()[-1]+` commands to find the volume serial number of compromised systems.", + "can enumerate local drives on a compromised host.", + "has the ability to identify the system volume information of a compromised host.", + "can collect a system's drive information.", + "can discover logical drive information including the drive type free space and volume information.", + "retrieves the hard disk name by calling the CreateFileA to \\\\.\\PHYSICALDRIVE0 API.", + "can create unique victim identifiers by using the compromised systems volume ID.", + "can gather drive information from the victim's machine.", + "has collected a list of all mapped drives on the infected host.", + "uses the Delphi methods Sysutils::DiskSize and GlobalMemoryStatusEx to collect disk size and physical memory as part of the malware's anti-analysis checks for running in a virtualized environment.", + "collects the victims volume serial number.", + "can enumerate local drive configuration.", + "can identify drives on compromised hosts.", + "can retrieve information about storage drives from an infected machine.", + "can check the disk size through the values obtained with `DeviceInfo.`", + "collects the volume serial number from the victim and sends the information to its C2 server.", + "can collect information about disk drives their total and free space and file system type.", + "has retrieved the disk serial number of the device using WMI query `SELECT volumeserialnumber FROM win32_logicaldisk where Name =C:` to identify the victim machine.", + "has the ability to list drives.", + "has discovered file system types drive names size and free space on compromised systems.", + "creates a backdoor through which remote attackers can retrieve information like free disk space.", + "has enumerated logical drives on infected hosts.", + "can discover and mount hidden drives to encrypt them.", + "can enumerate drives on a compromised host.", + "collects volume information for all drives on the system.", + "can report the disk space of a compromised host to C2.", + "can gather information on connected drives and disk space from the victims machine.", + "can enumerate local drives.", + "has used a file stealer that can examine system drives including those other than the C drive.", + "can detect system information--including disk names total space and remaining space--to create a hardware profile GUID which acts as a system identifier for operators.", + "can enumerate local drive configuration.", + "has used `GetLogicalDrives()` and `EnumResourceW()` to locate mounted drives and shares.", + "can obtain information on physical drives from targeted hosts.", + "can enumerate volumes.", + "collects the serial number for the storage volume C:\\.", + "has the ability to collect the C:\\ drive serial number from a compromised machine.", + "has been observed collecting victim machine volume information.", + "can gather information on the mapped drives and system volume serial number.", + "can enumerate logical drives on a target system.", + "has called GetLogicalDrives to emumerate all mounted drives and GetDriveTypeW to determine the drive type.", + "has the capability to collect information on disk devices.", + "has detected a target systems system volume information.", + "can collect disk space information on victim machines by executing .", + "can enumerate logical drives on targeted devices.", + "PUBLOAD has leveraged `wmic logicaldisk get` to map local network drives.", + "can enumerate all drives on a compromised host.", + "can identify the hard disk volume serial number on a compromised host.", + "has the ability to send system volume information to C2.", + "can enumerate physical drives on a targeted host.", + "A Destover-like variant used by collects disk space information and sends it to its C2 server.", + "During the used `fsutil` to check available free space before executing actions that might create large files on disk.", + "can discover logical drive information on compromised hosts.", + "can collect information about the drives available on the system.", + "can identify system drive information on a compromised host.", + "has the ability to enumerate fixed logical drives on a targeted system.", + "collected the system volume serial number.", + "enumerated all available drives on the victim's machine.", + "can enumerate attached drives.", + "can gather information on drives on the victims machine.", + "can collect information related to a compromised host including a list of drives.", + "can use a plugin to enumerate system drives.", + "has used `fsutil fsinfo drives` `systeminfo` and `vssadmin list shadows` for system information including shadow volumes and drive information.", + "can enumerate the system drives and associated system name.", + "gathers volume drive information.", + "has collected disk information including type and free space available.", + "can collect system drive and disk size information.", + "can collect information about a compromised computer's disk sizes.", + "can collect information about installed disks from the victim.", + "collects volume serial number from the victim.", + "gathers information on local drives.", + "can gather the disk volume information.", + "has discovered system information including volume serial numbers.", + "gathers disk type and disk free space.", + "can collect drive information from a compromised host.", + "collects disk space information.", + "can enumerate disk volumes get disk information and query service status.", + "has the ability to identify the host volume ID.", + "obtains a build identifier as well as victim hard drive information from Windows registry key HKLM\\SYSTEM\\CurrentControlSet\\Services\\Disk\\Enum. Another variant gathers the victim storage volume serial number and the storage device name.", + "can use `GetLogicalDrives` to enumerate logical drives.", + "can use DriveList to retrieve drive information.", + "can enumerate logical drives on a target system.", + "During threat actors discovered the local disks attached to the system and their hardware information including manufacturer and model.", + "has collected information on bootable drives including model vendor and serial numbers.", + "can enumerate all logical drives on a targeted machine.", + "has the ability to list local drives.", + "can detect drive information including drive type total number of bytes on disk total number of free bytes on disk and name of a specified volume.", + "has the ability to identify disk information on a compromised host.", + "has enumerated drives.", + "monitors the free disk space on the system.", + "contains a command to collect disk drive information." + ], + "description": "Adversaries may enumerate local drives, disks, and/or volumes and their attributes like total or free space and volume serial number. This can be done to prepare for ransomware-related encryption, to perform [Lateral Movement](https://attack.mitre.org/tactics/TA0109), or as a precursor to [Direct Volume Access](https://attack.mitre.org/techniques/T1006). On ESXi systems, adversaries may use [Hypervisor CLI](https://attack.mitre.org/techniques/T1059/012) commands such as `esxcli` to list storage connected to the host as well as `.vmdk` files.(Citation: TrendMicro)(Citation: TrendMicro ESXI Ransomware)On Windows systems, adversaries can use `wmic logicaldisk get` to find information about local network drives. They can also use `Get-PSDrive` in PowerShell to retrieve drives and may additionally use Windows API functions such as `GetDriveType`.(Citation: Trend Micro MUSTANG PANDA PUBLOAD HIUPAN SEPTEMBER 2024)(Citation: Volexity)Linux has commands such as `parted`, `lsblk`, `fdisk`, `lshw`, and `df` that can list information about disk partitions such as size, type, file system types, and free space. The command `diskutil` on MacOS can be used to list disks while `system_profiler SPStorageDataType` can additionally show information such as a volumes mount path, file system, and the type of drive in the system. Infrastructure as a Service (IaaS) cloud providers also have commands for storage discovery such as `describe volume` in AWS, `gcloud compute disks list` in GCP, and `az disk list` in Azure.(Citation: AWS docs describe volumes)(Citation: GCP gcloud compute disks list)(Citation: azure az disk)", + "similar_words": [ + "Local Storage Discovery" + ], + "id": "T1680" + }, + "malware--0a615414-1dad-4131-802d-38f5d72ef852": { + "name": "MEDUSA", + "description": "[MEDUSA](https://attack.mitre.org/software/S1220) is an open-source rootkit that is capable of dynamic linker hijacking, command execution, and logging credentials.(Citation: Google Cloud Mandiant UNC3886 2024)", + "examples": [], + "example_uses": [], + "similar_words": [ + "MEDUSA" + ], + "id": "S1220" + }, + "malware--0bf64997-7ce1-43e5-b01a-bcd2bf5dc87f": { + "name": "PAKLOG", + "description": "[PAKLOG](https://attack.mitre.org/software/S1233) is a keylogger known to be leveraged by [Mustang Panda](https://attack.mitre.org/groups/G0129) and was first observed utilized in 2024. [PAKLOG](https://attack.mitre.org/software/S1233) is deployed via a RAR archive (e.g., key.rar), which contains two files: a signed, legitimate binary (PACLOUD.exe) and the malicious [PAKLOG](https://attack.mitre.org/software/S1233) DLL (pa_lang2.dll). The PACLOUD.exe binary is used to side-load the [PAKLOG](https://attack.mitre.org/software/S1233) DLL which starts with the keylogger functionality.(Citation: Zscaler PAKLOG CorkLog SplatCloak Splatdropper April 2025)", + "examples": [], + "example_uses": [], + "similar_words": [ + "PAKLOG" + ], + "id": "S1233" + }, + "malware--15c7bcdb-23e1-4ce3-81a7-b109b4d2a4f1": { + "name": "CASTLETAP", + "description": "[CASTLETAP](https://attack.mitre.org/software/S1224) is an ICMP port knocking backdoor that has been installed on compromised FortiGate firewalls by [UNC3886](https://attack.mitre.org/groups/G1048).(Citation: Mandiant Fortinet Zero Day)", + "examples": [], + "example_uses": [], + "similar_words": [ + "CASTLETAP" + ], + "id": "S1224" + }, + "malware--1996aed9-6234-4c1d-a145-e8a4913679dd": { + "name": "Havoc", + "description": "[Havoc](https://attack.mitre.org/software/S1229) is an open-source post-exploitation command and control (C2) framework first released on GitHub in October 2022 by C5pider (Paul Ungur), who continues to maintain and develop it with community contributors. [Havoc](https://attack.mitre.org/software/S1229) provides a wide range of offensive security capabilities and has been adopted by multiple threat actors to establish and maintain control over compromised systems.", + "examples": [], + "example_uses": [], + "similar_words": [ + "Havoc" + ], + "id": "S1229" + }, + "malware--1dac60f2-7d53-4a3e-95d1-cb2e875d5491": { + "name": "InvisibleFerret", + "description": "[InvisibleFerret](https://attack.mitre.org/software/S1245) is a modular python malware that is leveraged for data exfiltration and remote access capabilities.(Citation: ESET Contagious Interview BeaverTail InvisibleFerret February 2025)(Citation: Zscaler ContagiousInterview BeaverTail InvisibleFerret November 2024)(Citation: PaloAlto ContagiousInterview BeaverTail InvisibleFerret November 2023) [InvisibleFerret](https://attack.mitre.org/software/S1245) consists of four modules: main, payload, browser, and AnyDesk.(Citation: ESET Contagious Interview BeaverTail InvisibleFerret February 2025) [InvisibleFerret](https://attack.mitre.org/software/S1245) malware has been leveraged by North Korea-affiliated threat actors identified as DeceptiveDevelopment or [Contagious Interview](https://attack.mitre.org/groups/G1052) since 2023.(Citation: Recorded Future Contagious Inteview BeaverTail InvisibleFerret OtterCookie February 2025)(Citation: Zscaler ContagiousInterview BeaverTail InvisibleFerret November 2024)(Citation: PaloAlto ContagiousInterview BeaverTail InvisibleFerret November 2023)(Citation: PaloAlto Unit42 ContagiousInterview BeaverTail InvisibileFerret October 2024) [InvisibleFerret](https://attack.mitre.org/software/S1245) has historically been introduced to the victim environment through the use of the [BeaverTail](https://attack.mitre.org/software/S1246) malware.(Citation: Esentire ContagiousInterview BeaverTail InvisibleFerret November 2024)(Citation: ESET Contagious Interview BeaverTail InvisibleFerret February 2025)(Citation: Zscaler ContagiousInterview BeaverTail InvisibleFerret November 2024)(Citation: PaloAlto ContagiousInterview BeaverTail InvisibleFerret November 2023)(Citation: PaloAlto Unit42 ContagiousInterview BeaverTail InvisibileFerret October 2024)", + "examples": [], + "example_uses": [], + "similar_words": [ + "InvisibleFerret" + ], + "id": "S1245" + }, + "malware--2683fde8-1dc4-415c-94bd-9bb95cc5b7ff": { + "name": "TONESHELL", + "description": "[TONESHELL](https://attack.mitre.org/software/S1239) is a custom backdoor that has been used since at least Q1 2021.(Citation: Palo Alto Unit42 STATELY TAURUS TONESHELL September 2023) [TONESHELL](https://attack.mitre.org/software/S1239) malware has previously been leveraged by Chinese affiliated actors identified as [Mustang Panda](https://attack.mitre.org/groups/G0129).(Citation: ATTACKIQ MUSTANG PANDA TONESHELL March 2023)(Citation: Zscaler)", + "examples": [], + "example_uses": [], + "similar_words": [ + "TONESHELL" + ], + "id": "S1239" + }, + "malware--28d93902-30e7-4436-8885-6d312c51c9a3": { + "name": "Medusa Ransomware", + "description": "[Medusa Ransomware](https://attack.mitre.org/software/S1244) has been utilized in attacks since at least 2021. [Medusa Ransomware](https://attack.mitre.org/software/S1244) has been known to be utilized in conjunction with living off the land techniques and remote management software. [Medusa Ransomware](https://attack.mitre.org/software/S1244) has been used in campaigns associated with “double extortion” ransomware activity, where data is exfiltrated from victim environments prior to encryption, with threats to publish files if a ransom is not paid. [Medusa Ransomware](https://attack.mitre.org/software/S1244) software was initially a closed ransomware variant which later evolved to a Ransomware as a Service (RaaS). [Medusa Ransomware](https://attack.mitre.org/software/S1244) has impacted victims from a diverse range of sectors within a multitude of countries, and it is assessed [Medusa Ransomware](https://attack.mitre.org/software/S1244) is used in an opportunistic manner.(Citation: CISA Medusa Group Medusa Ransomware March 2025)(Citation: Security Scorecard Medusa Ransomware January 2024)(Citation: Palo Alto Unit 42 Medusa Group Medusa Ransomware January 2024)(Citation: Broadcom Medusa Ransomware Medusa Group March 2025)", + "examples": [], + "example_uses": [], + "similar_words": [ + "Medusa Ransomware" + ], + "id": "S1244" + }, + "malware--2ceddaf9-b16a-4f8b-b252-bcccccd3d79f": { + "name": "BOOKWORM", + "description": "[BOOKWORM](https://attack.mitre.org/software/S1226) is a modular trojan known to be leveraged by [Mustang Panda](https://attack.mitre.org/groups/G0129) and was first observed utilized in 2015. [BOOKWORM](https://attack.mitre.org/software/S1226) was later updated in late 2021 and the fall of 2022 to launch shellcode represented as UUID parameters. (Citation: Broadcom)(Citation: Unit42 Bookworm Nov2015)(Citation: Palo Alto Networks, Unit 42)", + "examples": [], + "example_uses": [], + "similar_words": [ + "BOOKWORM" + ], + "id": "S1226" + }, + "malware--301e7370-c3d3-4f3e-893f-8a79345c2eb5": { + "name": "STATICPLUGIN", + "description": "[STATICPLUGIN](https://attack.mitre.org/software/S1238) is a downloader known to be leveraged by [Mustang Panda](https://attack.mitre.org/groups/G0129) and was first observed utilized in 2025. [STATICPLUGIN](https://attack.mitre.org/software/S1238) has utilized a valid certificate in order to bypass endpoint security protections. [STATICPLUGIN](https://attack.mitre.org/software/S1238) masqueraded as legitimate software installer by using a custom TForm. [STATICPLUGIN](https://attack.mitre.org/software/S1238) has been leveraged to deploy a loader that facilitates follow on malware.(Citation: Google Threat Intelligence Group MUSTANG PANDA PLUGX August 2025)", + "examples": [], + "example_uses": [], + "similar_words": [ + "STATICPLUGIN" + ], + "id": "S1238" + }, + "malware--351b63d3-7b2c-4ede-b3fe-ff291527b397": { + "name": "THINCRUST", + "description": "[THINCRUST](https://attack.mitre.org/software/S1223) is a Python-based backdoor tool that has been used by [UNC3886](https://attack.mitre.org/groups/G1048) since at least 2023.(Citation: Mandiant Fortinet Zero Day)", + "examples": [], + "example_uses": [], + "similar_words": [ + "THINCRUST" + ], + "id": "S1223" + }, + "malware--3824852d-1957-4712-9da0-38143723c060": { + "name": "PUBLOAD", + "description": "[PUBLOAD](https://attack.mitre.org/software/S1228) is a stager malware that has been observed installing itself in existing directories such as `C:\\Users\\Public` or creating new directories to stage the malware and its components.(Citation: 2022 November_TrendMicro_Earth Preta_Toneshell_Pubload) [PUBLOAD](https://attack.mitre.org/software/S1228) malware collects details of the victim host, establishes persistence, encrypts victim details using RC4 and communicates victim details back to C2. [PUBLOAD](https://attack.mitre.org/software/S1228) malware has previously been leveraged by China-affiliated actors identified as [Mustang Panda](https://attack.mitre.org/groups/G0129). [PUBLOAD](https://attack.mitre.org/software/S1228) is also known as “NoFive” and some public reporting identifies the loader component as [CLAIMLOADER](https://attack.mitre.org/software/S1236).(Citation: 2025_IBM_PUBLOAD_TONESHELL_HIUPAN_CLAIMLOADER_MUSTANG PANDA)", + "examples": [], + "example_uses": [], + "similar_words": [ + "PUBLOAD" + ], + "id": "S1228" + }, + "malware--3d1f234e-6c60-43c1-b1f1-6bbc9e5b8e44": { + "name": "CANONSTAGER", + "description": "[CANONSTAGER](https://attack.mitre.org/software/S1237) is a loader known to be leveraged by [Mustang Panda](https://attack.mitre.org/groups/G0129) and was first observed utilized in 2025. [Mustang Panda](https://attack.mitre.org/groups/G0129) utilizes DLL side-loading to execute within the victim environment prior to delivering a follow-on malicious encrypted payload. [CANONSTAGER](https://attack.mitre.org/software/S1237) leverages Thread Local Storage (TLS) and Native Windows APIs within the victim environment to elude detections. [CANONSTAGER](https://attack.mitre.org/software/S1237) also hides its code utilizing window procedures and message queues.(Citation: Google Threat Intelligence Group MUSTANG PANDA PLUGX August 2025)", + "examples": [], + "example_uses": [], + "similar_words": [ + "CANONSTAGER" + ], + "id": "S1237" + }, + "malware--3d7048f1-012e-468c-a18b-1bf98037d62c": { + "name": "HexEval Loader", + "description": "[HexEval Loader](https://attack.mitre.org/software/S1249) is a hex-encoded loader that collects host data, decodes follow-on scripts and acts as a downloader for the [BeaverTail](https://attack.mitre.org/software/S1246) malware. [HexEval Loader](https://attack.mitre.org/software/S1249) was first reported in April 2025. [HexEval Loader](https://attack.mitre.org/software/S1249) has previously been leveraged by North Korea-affiliated threat actors identified as [Contagious Interview](https://attack.mitre.org/groups/G1052). [HexEval Loader](https://attack.mitre.org/software/S1249) has been delivered to victims through code repository sites utilizing typosquatting naming conventions of various npm packages.(Citation: Socket Contagious Interview NPM April 2025)(Citation: Socket BeaverTail XORIndex HexEval Contagious Interview July 2025)(Citation: Socket HexEval BeaverTail Contagious Interview June 2025)", + "examples": [], + "example_uses": [], + "similar_words": [ + "HexEval Loader" + ], + "id": "S1249" + }, + "malware--47e4b55a-7803-4bf5-822c-906a1ecbdd6e": { + "name": "CLAIMLOADER", + "description": "[CLAIMLOADER](https://attack.mitre.org/software/S1236) is a malware variant that frequently accompanies legitimate executables that are used for DLL side-loading known to be leveraged by [Mustang Panda](https://attack.mitre.org/groups/G0129) and was first observed utilized in 2021.(Citation: IBM MUSTANG PANDA PUBLOAD CLAIMLOADER JUNE 2025)(Citation: 2025_IBM_PUBLOAD_TONESHELL_HIUPAN_CLAIMLOADER_MUSTANG PANDA)", + "examples": [], + "example_uses": [], + "similar_words": [ + "CLAIMLOADER" + ], + "id": "S1236" + }, + "malware--4ea492ee-36f8-4017-938f-d01ce951ef94": { + "name": "REPTILE", + "description": "[REPTILE](https://attack.mitre.org/software/S1219) is an open-source Linux rootkit with multiple components that provides backdoor access and functionality.(Citation: Google Cloud Mandiant UNC3886 2024)", + "examples": [], + "example_uses": [], + "similar_words": [ + "REPTILE" + ], + "id": "S1219" + }, + "malware--6055aee2-d1c6-4877-94e9-a3bde9936470": { + "name": "BeaverTail", + "description": "[BeaverTail](https://attack.mitre.org/software/S1246) is a malware that has both a JavaScript and C++ variant. Active since 2022, [BeaverTail](https://attack.mitre.org/software/S1246) is capable of stealing logins from browsers and serves as a downloader for second stage payloads. [BeaverTail](https://attack.mitre.org/software/S1246) has previously been leveraged by North Korea-affiliated actors identified as DeceptiveDevelopment or [Contagious Interview](https://attack.mitre.org/groups/G1052). [BeaverTail](https://attack.mitre.org/software/S1246) has been delivered to victims through code repository sites and has been embedded within malicious attachments.(Citation: PaloAlto ContagiousInterview BeaverTail InvisibleFerret November 2023)(Citation: Esentire ContagiousInterview BeaverTail InvisibleFerret November 2024)(Citation: ESET Contagious Interview BeaverTail InvisibleFerret February 2025)(Citation: Zscaler ContagiousInterview BeaverTail InvisibleFerret November 2024)", + "examples": [], + "example_uses": [], + "similar_words": [ + "BeaverTail" + ], + "id": "S1246" + }, + "malware--6114c345-4c09-42ce-8d37-aef16360a7f3": { + "name": "SplatDropper", + "description": "[SplatDropper](https://attack.mitre.org/software/S1232) is a loader that utilizes native windows API to deliver its payload to the victim environment. [SplatDropper](https://attack.mitre.org/software/S1232) has been delivered through RAR archives and used legitimate executable for DLL side-loading. [SplatDropper](https://attack.mitre.org/software/S1232) is known to be leveraged by [Mustang Panda](https://attack.mitre.org/groups/G0129) and was first observed utilized in 2025.", + "examples": [], + "example_uses": [], + "similar_words": [ + "SplatDropper" + ], + "id": "S1232" + }, + "malware--7cc63f0f-f24f-4cda-9e9f-61bde1d52297": { + "name": "VIRTUALPIE", + "description": "[VIRTUALPIE](https://attack.mitre.org/software/S1218) is a lightweight backdoor written in Python that spawns an IPv6 listener on a VMware ESXi server and features command line execution, file transfer, and reverse shell capabilities. [VIRTUALPIE](https://attack.mitre.org/software/S1218) has been in use since at least 2022 including by [UNC3886](https://attack.mitre.org/groups/G1048) who installed it via malicious vSphere Installation Bundles (VIBs).(Citation: Google Cloud Threat Intelligence ESXi VIBs 2022)", + "examples": [], + "example_uses": [], + "similar_words": [ + "VIRTUALPIE" + ], + "id": "S1218" + }, + "malware--82adb90e-43b8-4bce-9efe-afeba65457b2": { + "name": "Embargo", + "description": "[Embargo](https://attack.mitre.org/software/S1247) is a ransomware variant written in Rust that has been active since at least May 2024.(Citation: Cyble Embargo Ransomware May 2024)(Citation: ESET Embargo Ransomware October 2024) [Embargo](https://attack.mitre.org/software/S1247) ransomware operations are associated with “double extortion” ransomware activity, where data is exfiltrated from victim environments prior to encryption, with threats to publish files if a ransom is not paid.(Citation: Cyble Embargo Ransomware May 2024)(Citation: ESET Embargo Ransomware October 2024) [Embargo](https://attack.mitre.org/software/S1247) ransomware has been known to be delivered through a loader known as MDeployer which also leverages a malware component known as MS4Killer that facilitates termination of processes operating on the victim hosts.(Citation: ESET Embargo Ransomware October 2024) [Embargo](https://attack.mitre.org/software/S1247) is also reportedly a Ransomware as a Service (RaaS).(Citation: ESET Embargo Ransomware October 2024)", + "examples": [], + "example_uses": [], + "similar_words": [ + "Embargo" + ], + "id": "S1247" + }, + "malware--8c8e8b01-b4b1-479b-a7a9-78c40a12b916": { + "name": "RedLine Stealer", + "description": "[RedLine Stealer](https://attack.mitre.org/software/S1240) is an information-stealer malware variant first identified in 2020.(Citation: ESET RedLine Stealer November 2024)(Citation: Proofpoint RedLine Stealer March 2020)(Citation: Splunk RedLine Stealer June 2023) [RedLine Stealer](https://attack.mitre.org/software/S1240) is a Malware as a Service (MaaS) and was reportedly sold as either a one-time purchase or a monthly subscription service.(Citation: ESET RedLine Stealer November 2024)(Citation: Veriti RedLine Stealer MAAS April 2023) Information obtained from [RedLine Stealer](https://attack.mitre.org/software/S1240) has been known to be sold on the deep and dark web to Initial Access Brokers (IABs), who use or resell the stolen credentials for further intrusions.(Citation: Kroll RedLine Stealer August 2024)(Citation: Veriti RedLine Stealer MAAS April 2023)", + "examples": [], + "example_uses": [], + "similar_words": [ + "RedLine Stealer" + ], + "id": "S1240" + }, + "malware--9fd4e24b-3b12-4c7c-925f-226e2e3c3758": { + "name": "CorKLOG", + "description": "[CorKLOG](https://attack.mitre.org/software/S1235) is a keylogger known to be leveraged by [Mustang Panda](https://attack.mitre.org/groups/G0129) and was first observed utilized in 2024. [CorKLOG](https://attack.mitre.org/software/S1235) is delivered through a RAR archive (e.g., src.rar), which contains two files: an executable (lcommute.exe) and the [CorKLOG](https://attack.mitre.org/software/S1235) DLL (mscorsvc.dll). [CorKLOG](https://attack.mitre.org/software/S1235) has established persistence on the system by creating services or with scheduled tasks.(Citation: Zscaler PAKLOG CorkLog SplatCloak Splatdropper April 2025)", + "examples": [], + "example_uses": [], + "similar_words": [ + "CorKLOG" + ], + "id": "S1235" + }, + "malware--bfcb4a75-b6f0-489b-b506-836bfba3d70e": { + "name": "MOPSLED", + "description": "[MOPSLED](https://attack.mitre.org/software/S1221) is a shellcode-based modular backdoor that has been used by China-nexus cyber espionage actors including [UNC3886](https://attack.mitre.org/groups/G1048) and [APT41](https://attack.mitre.org/groups/G0096).(Citation: Google Cloud Mandiant UNC3886 2024)", + "examples": [], + "example_uses": [], + "similar_words": [ + "MOPSLED" + ], + "id": "S1221" + }, + "malware--d0270367-37fc-471e-9206-483582c5f47d": { + "name": "RIFLESPINE", + "description": "[RIFLESPINE](https://attack.mitre.org/software/S1222) is a cross-platform backdoor that leverages Google Drive for file transfer and command execution.(Citation: Google Cloud Mandiant UNC3886 2024)", + "examples": [], + "example_uses": [], + "similar_words": [ + "RIFLESPINE" + ], + "id": "S1222" + }, + "malware--da43312a-0188-4949-bab3-0df9a5df0aba": { + "name": "HIUPAN", + "description": "[HIUPAN](https://attack.mitre.org/software/S1230) (aka U2DiskWatch) is a is a worm that propagates through removable drives known to be leveraged by [Mustang Panda](https://attack.mitre.org/groups/G0129) and was first observed utilized in 2024. (Citation: 2025_IBM_PUBLOAD_TONESHELL_HIUPAN_CLAIMLOADER_MUSTANG PANDA)(Citation: Trend Micro MUSTANG PANDA PUBLOAD HIUPAN SEPTEMBER 2024)", + "examples": [], + "example_uses": [], + "similar_words": [ + "HIUPAN" + ], + "id": "S1230" + }, + "malware--df0b59fe-0193-49ea-84e1-9207139c716c": { + "name": "VIRTUALPITA", + "description": "[VIRTUALPITA](https://attack.mitre.org/software/S1217) is a passive backdoor with ESXi and Linux vCenter variants capable of command execution, file transfer, and starting and stopping processes. [VIRTUALPITA](https://attack.mitre.org/software/S1217) has been in use since at least 2022 including by [UNC3886](https://attack.mitre.org/groups/G1048) who leveraged malicious vSphere Installation Bundles (VIBs) for install on ESXi hypervisors.(Citation: Google Cloud Threat Intelligence ESXi VIBs 2022)", + "examples": [], + "example_uses": [], + "similar_words": [ + "VIRTUALPITA" + ], + "id": "S1217" + }, + "malware--e23d2777-b85d-44fc-861e-9149d399fbb9": { + "name": "Qilin", + "description": "[Qilin](https://attack.mitre.org/software/S1242) ransomware is a Ransomware-as-a-Service (RaaS) that has been active since at least 2022 with versions written in Golang and Rust that are capable of targeting Windows or VMWare ESXi devices. [Qilin](https://attack.mitre.org/software/S1242) shares functionality overlaps with [Black Basta](https://attack.mitre.org/software/S1070), [REvil](https://attack.mitre.org/software/S0496), and [BlackCat](https://attack.mitre.org/software/S1068) ransomware and its RaaS affiliates have been observed targeting multiple sectors worldwide, including healthcare and education in Asia, Europe, and Africa. (Citation: Trend Micro Agenda Ransomware AUG 2022)(Citation: SentinelOne Qilin NOV 2022)(Citation: BushidoToken Qilin RaaS JUN 2024)(Citation: Sophos Qilin MSP APR 2025)", + "examples": [], + "example_uses": [], + "similar_words": [ + "Qilin" + ], + "id": "S1242" + }, + "malware--e91d3543-ca5d-474b-8b20-5a753ebc6e49": { + "name": "StarProxy", + "description": "[StarProxy](https://attack.mitre.org/software/S1227) is custom malware used by [Mustang Panda](https://attack.mitre.org/groups/G0129) as a post-compromise tool, to enable proxying of traffic between the infected machine and other machines on the same network. (Citation: Zscaler)", + "examples": [], + "example_uses": [], + "similar_words": [ + "StarProxy" + ], + "id": "S1227" + }, + "malware--f39c6d39-0165-46db-a7ae-43341c428d22": { + "name": "SplatCloak", + "description": "[SplatCloak](https://attack.mitre.org/software/S1234) is a malware that disables EDR-related routines used by Windows Defender and Kaspersky to aid in evading detection. [SplatCloak](https://attack.mitre.org/software/S1234) has been deployed by [SplatDropper](https://attack.mitre.org/software/S1232) and is known to be leveraged by [Mustang Panda](https://attack.mitre.org/groups/G0129) since 2025.(Citation: Zscaler PAKLOG CorkLog SplatCloak Splatdropper April 2025)", + "examples": [], + "example_uses": [], + "similar_words": [ + "SplatCloak" + ], + "id": "S1234" + }, + "malware--fedd9fcd-1f9c-4be0-9d84-f31e88eb6664": { + "name": "XORIndex Loader", + "description": "[XORIndex Loader](https://attack.mitre.org/software/S1248) is a XOR-encoded loader that collects host data, decodes follow-on scripts and acts as a downloader for the [BeaverTail](https://attack.mitre.org/software/S1246) malware. [XORIndex Loader](https://attack.mitre.org/software/S1248) was first reported in June 2025. [XORIndex Loader](https://attack.mitre.org/software/S1248) has been leveraged by North Korea-affiliated threat actors identified as [Contagious Interview](https://attack.mitre.org/groups/G1052). [XORIndex Loader](https://attack.mitre.org/software/S1248) has been delivered to victims through code repository sites utilizing typo squatting naming conventions of various npm packages.(Citation: Socket BeaverTail XORIndex HexEval Contagious Interview July 2025)", + "examples": [], + "example_uses": [], + "similar_words": [ + "XORIndex Loader" + ], + "id": "S1248" } } \ No newline at end of file diff --git a/threadcomponents/service/data_svc.py b/threadcomponents/service/data_svc.py index 53cb48e3..490129a7 100644 --- a/threadcomponents/service/data_svc.py +++ b/threadcomponents/service/data_svc.py @@ -290,11 +290,14 @@ async def insert_category_json_data( buildfile = os.path.join(self.dir_prefix, buildfile) # prefix directory path if there is one # The current categories saved in the db cur_categories = await self.dao.get_column_as_list(table="categories", column="keyname") + # Load the JSON file with open(buildfile, "r") as infile: categories_dict = self.web_svc.categories_dict = json.load(infile) + # Dictionaries to hold the display names and parent-category names for categories parent_cat_names, display_names = {}, {} + # Loop through category list once to map all sub-categories to their parent categories for keyname, entry in categories_dict.items(): sub_categories = entry.get("sub_categories", []) @@ -304,15 +307,18 @@ async def insert_category_json_data( for sub_cat in sub_categories: if sub_cat not in cur_categories: parent_cat_names[sub_cat] = keyname + # Loop through a second time to construct the display name of categories for keyname, entry in categories_dict.items(): if keyname in cur_categories: continue + # While we have a parent category; traversed less-than 3 categories; and not repeated parent categories... parent_cat_name = parent_cat_names.get(keyname) parent_history = {keyname} display_name = entry["name"] count = 0 + while (parent_cat_name is not None) and (count < 3) and (parent_cat_name not in parent_history): count += 1 parent_history.add(parent_cat_name) @@ -322,15 +328,34 @@ async def insert_category_json_data( # ...make the parent category name prefix the current display name display_name = parent_cat_entry["name"] + " - " + display_name parent_cat_name = parent_cat_names.get(parent_cat_name) + display_names[keyname] = display_name + # Finally, insert the categories into the database for keyname, entry in categories_dict.items(): - if keyname in cur_categories: - continue + await self.insert_category_entry(keyname, entry, display_names.get(keyname), cur_categories) + + async def insert_category_entry(self, keyname, entry, display_name, current_categories): + """Function to insert a category entry into the database.""" + if keyname not in current_categories: await self.dao.insert_generate_uid( - "categories", dict(keyname=keyname, name=entry["name"], display_name=display_names[keyname]) + "categories", dict(keyname=keyname, name=entry["name"], display_name=display_name) ) + # Get currently-saved auto-add entries and see what needs updating + current_auto_add = await self.get_auto_selected_for_category(keyname) + auto_select = entry.get("auto_select", []) + to_add = set(auto_select) - set(current_auto_add) + to_delete = set(current_auto_add) - set(auto_select) + + for auto_selected_category in to_add: + await self.dao.insert_generate_uid( + "categories_auto_add", dict(selected=keyname, auto_add=auto_selected_category) + ) + + for rm_auto_selected_category in to_delete: + await self.dao.delete("categories_auto_add", dict(selected=keyname, auto_add=rm_auto_selected_category)) + async def insert_keyword_json_data(self, buildfile=os.path.join("spindle", "cta_names_mappings.json")): """Function to read in the keywords json file and insert data into the database.""" buildfile = os.path.join(self.dir_prefix, buildfile) # prefix directory path if there is one @@ -377,6 +402,22 @@ async def get_all_categories(self): query = "SELECT keyname, display_name FROM categories" return await self.dao.raw_select(query) + async def get_auto_selected_for_category(self, categories): + """Function to retrieve all the auto-selected categories for a given category or categories.""" + if not categories: + return [] + + query = f"SELECT auto_add FROM categories_auto_add WHERE selected = {self.dao.db_qparam}" + + if isinstance(categories, str): + categories = [categories] + + if len(categories) > 1: + suffix = " ".join([f"OR selected = {self.dao.db_qparam}" for _ in range(len(categories) - 1)]) + query = f"{query} {suffix}" + + return await self.dao.raw_select(query, parameters=tuple(categories), single_col=True) + async def get_report_category_keynames(self, report_id): """Function to retrieve the category keynames for a report given a report ID.""" query = f"SELECT category_keyname FROM report_categories WHERE report_uid = {self.dao.db_qparam}" diff --git a/webapp/html/report-aggs-vics.html b/webapp/html/report-aggs-vics.html index d8ade193..a25a99ec 100644 --- a/webapp/html/report-aggs-vics.html +++ b/webapp/html/report-aggs-vics.html @@ -23,7 +23,7 @@
{% if assoc_type == "aggressor" %} {% else %} {% for region_key in region_list %}