From c217bbe61a071e5b9049d7a57ba4b355bf100a3d Mon Sep 17 00:00:00 2001
From: eric-intuitem <71850047+eric-intuitem@users.noreply.github.com>
Date: Wed, 22 Nov 2023 22:23:22 +0100
Subject: [PATCH] add mitre-attack
fix errors when loading library without framework
---
core/helpers.py | 2 +-
library/helpers.py | 29 +-
library/libraries/mitre-attack.yaml | 5252 +++++++++++++++++++++++++++
library/views.py | 2 +-
4 files changed, 5269 insertions(+), 16 deletions(-)
create mode 100644 library/libraries/mitre-attack.yaml
diff --git a/core/helpers.py b/core/helpers.py
index b1594af2da..541f974798 100644
--- a/core/helpers.py
+++ b/core/helpers.py
@@ -230,4 +230,4 @@ def get_sorted_requirements_and_groups_rec(requirements: list, requirement_group
requirements,
requirement_groups,
requirements_assessed,
- [rg for rg in requirement_groups if not rg.parent_urn])
+ [rg for rg in requirement_groups if not rg.parent_urn] if requirement_groups else [])
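Review bot: The added conditional on the last argument only changes the result when `requirement_groups` is `None`, since a comprehension over an empty list already yields `[]`; the intent reads more directly as a guard on the iterable itself, `[rg for rg in (requirement_groups or []) if not rg.parent_urn]`. The `requirements` and `requirements_assessed` arguments on the lines above are forwarded unguarded, so if the callee iterates them the same `None` case presumably still fails there — worth confirming against the callee. The enclosing function `get_sorted_requirements_and_groups_rec` starts outside the hunk.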
diff --git a/library/helpers.py b/library/helpers.py
index dc2416ba66..c09d53eb90 100644
--- a/library/helpers.py
+++ b/library/helpers.py
@@ -8,23 +8,24 @@ def preview_library(library) -> list:
preview = {}
requirement_groups_list = []
requirements_list = []
- if library['objects']['framework'].get('requirement_groups'):
- for requirement_group in library['objects']['framework']['requirement_groups']:
+ framework = library['objects'].get('framework')
+ if framework:
+ for requirement_group in library['objects']['framework'].get('requirement_groups'):
requirement_groups_list.append(
RequirementGroup(description = requirement_group.get('description'),
name = requirement_group['name'],
urn = requirement_group['urn'],
parent_urn = requirement_group.get('parent_urn')))
- for requirement in library['objects']['framework']['requirements']:
- if Requirement.objects.filter(urn=requirement['urn']).exists():
- requirements_list.append(Requirement.objects.get(urn=requirement['urn']))
- else:
- temp_req = Requirement(description = requirement.get('description'),
- name = requirement['name'],
- urn = requirement['urn'],
- parent_urn = requirement.get('parent_urn'),
- folder = Folder.get_root_folder())
- requirements_list.append(temp_req)
- preview['requirement_groups'] = requirement_groups_list
- preview['requirements'] = requirements_list
+ for requirement in library['objects']['framework'].get('requirements'):
+ if Requirement.objects.filter(urn=requirement['urn']).exists():
+ requirements_list.append(Requirement.objects.get(urn=requirement['urn']))
+ else:
+ temp_req = Requirement(description = requirement.get('description'),
+ name = requirement['name'],
+ urn = requirement['urn'],
+ parent_urn = requirement.get('parent_urn'),
+ folder = Folder.get_root_folder())
+ requirements_list.append(temp_req)
+ preview['requirement_groups'] = requirement_groups_list
+ preview['requirements'] = requirements_list
return preview
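Review bot: The two `for` lines now iterate `.get('requirement_groups')` and `.get('requirements')` with no default, so a framework that omits either key yields `None` and the loop raises `TypeError`; the removed code at least guarded the first case with an `if`. Supply a default and use the `framework` binding this hunk introduces instead of re-indexing `library['objects']['framework']`: `for requirement_group in framework.get('requirement_groups', []):` and `for requirement in framework.get('requirements', []):`. Moving `preview['requirement_groups']` and `preview['requirements']` inside the `if framework:` branch means a library with no framework now returns `{}` rather than two empty lists, which only holds up if callers read the keys with `.get` — worth confirming. The hunk header shows the signature annotated `-> list` while the function returns a dict; `preview_library`'s signature line is above the hunk.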
diff --git a/library/libraries/mitre-attack.yaml b/library/libraries/mitre-attack.yaml
new file mode 100644
index 0000000000..40668774ea
--- /dev/null
+++ b/library/libraries/mitre-attack.yaml
@@ -0,0 +1,5252 @@
+urn: urn:intuitem:risk:library:mitre-attack-v14
+locale: en
+name: Mitre ATT&CK v14 - Threats and mitigations
+description: Mitre ATT&CK v14 - Threats and mitigations
+copyright: "Terms of Use\nLICENSE\nThe MITRE Corporation (MITRE) hereby grants you\
+ \ a non-exclusive, royalty-free license to use ATT&CK\xAE for research, development,\
+ \ and commercial purposes. Any copy you make for such purposes is authorized provided\
+ \ that you reproduce MITRE's copyright designation and this license in any such\
+ \ copy.\n\"\xA9 2022 The MITRE Corporation. This work is reproduced and distributed\
+ \ with the permission of The MITRE Corporation.\"\nDISCLAIMERS\nMITRE does not claim\
+ \ ATT&CK enumerates all possibilities for the types of actions and behaviors documented\
+ \ as part of its adversary model and framework of techniques. Using the information\
+ \ contained within ATT&CK to address or cover full categories of techniques will\
+ \ not guarantee full defensive coverage as there may be undisclosed techniques or\
+ \ variations on existing techniques not documented by ATT&CK.\nALL DOCUMENTS AND\
+ \ THE INFORMATION CONTAINED THEREIN ARE PROVIDED ON AN \"AS IS\" BASIS AND THE CONTRIBUTOR,\
+ \ THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE MITRE CORPORATION,\
+ \ ITS BOARD OF TRUSTEES, OFFICERS, AGENTS, AND EMPLOYEES, DISCLAIM ALL WARRANTIES,\
+ \ EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF\
+ \ THE INFORMATION THEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES\
+ \ OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE."
+version: 1
+objects:
+ security_functions:
+ - urn: urn:intuitem:risk:function:mitre-attack:M1031
+ name: M1031 - Network Intrusion Prevention
+ provider: MITRE ATT&CK
+ description: 'Use intrusion detection signatures to block traffic at network boundaries.
+
+ https://attack.mitre.org/mitigations/M1031
+
+ '
+ version: '1.0'
+ - urn: urn:intuitem:risk:function:mitre-attack:M1016
+ name: M1016 - Vulnerability Scanning
+ provider: MITRE ATT&CK
+ description: 'Vulnerability scanning is used to find potentially exploitable software
+ vulnerabilities to remediate them.
+
+ https://attack.mitre.org/mitigations/M1016
+
+ '
+ version: '1.0'
+ - urn: urn:intuitem:risk:function:mitre-attack:M1035
+ name: M1035 - Limit Access to Resource Over Network
+ provider: MITRE ATT&CK
+ description: 'Prevent access to file shares, remote access to systems, unnecessary
+ services. Mechanisms to limit access may include use of network concentrators,
+ RDP gateways, etc.
+
+ https://attack.mitre.org/mitigations/M1035
+
+ '
+ version: '1.0'
+ - urn: urn:intuitem:risk:function:mitre-attack:M1029
+ name: M1029 - Remote Data Storage
+ provider: MITRE ATT&CK
+ description: 'Use remote security log and sensitive file storage where access
+ can be controlled better to prevent exposure of intrusion detection log data
+ or sensitive information.
+
+ https://attack.mitre.org/mitigations/M1029
+
+ '
+ version: '1.0'
+ - urn: urn:intuitem:risk:function:mitre-attack:M1037
+ name: M1037 - Filter Network Traffic
+ provider: MITRE ATT&CK
+ description: 'Use network appliances to filter ingress or egress traffic and perform
+ protocol-based filtering. Configure software on endpoints to filter network
+ traffic.
+
+ https://attack.mitre.org/mitigations/M1037
+
+ '
+ version: '1.0'
+ - urn: urn:intuitem:risk:function:mitre-attack:M1021
+ name: M1021 - Restrict Web-Based Content
+ provider: MITRE ATT&CK
+ description: 'Restrict use of certain websites, block downloads/attachments, block
+ Javascript, restrict browser extensions, etc.
+
+ https://attack.mitre.org/mitigations/M1021
+
+ '
+ version: '1.0'
+ - urn: urn:intuitem:risk:function:mitre-attack:M1033
+ name: M1033 - Limit Software Installation
+ provider: MITRE ATT&CK
+ description: 'Block users or groups from installing unapproved software.
+
+ https://attack.mitre.org/mitigations/M1033
+
+ '
+ version: '1.0'
+ - urn: urn:intuitem:risk:function:mitre-attack:M1013
+ name: M1013 - Application Developer Guidance
+ provider: MITRE ATT&CK
+ description: 'This mitigation describes any guidance or training given to developers
+ of applications to avoid introducing security weaknesses that an adversary may
+ be able to take advantage of.
+
+ https://attack.mitre.org/mitigations/M1013
+
+ '
+ version: '1.0'
+ - urn: urn:intuitem:risk:function:mitre-attack:M1034
+ name: M1034 - Limit Hardware Installation
+ provider: MITRE ATT&CK
+ description: 'Block users or groups from installing or using unapproved hardware
+ on systems, including USB devices.
+
+ https://attack.mitre.org/mitigations/M1034
+
+ '
+ version: '1.0'
+ - urn: urn:intuitem:risk:function:mitre-attack:M1017
+ name: M1017 - User Training
+ provider: MITRE ATT&CK
+ description: 'Train users to be aware of access or manipulation attempts by an
+ adversary to reduce the risk of successful spearphishing, social engineering,
+ and other techniques that involve user interaction.
+
+ https://attack.mitre.org/mitigations/M1017
+
+ '
+ version: '1.0'
+ - urn: urn:intuitem:risk:function:mitre-attack:M1052
+ name: M1052 - User Account Control
+ provider: MITRE ATT&CK
+ description: 'Configure Windows User Account Control to mitigate risk of adversaries
+ obtaining elevated process access.
+
+ https://attack.mitre.org/mitigations/M1052
+
+ '
+ version: '1.0'
+ - urn: urn:intuitem:risk:function:mitre-attack:M1028
+ name: M1028 - Operating System Configuration
+ provider: MITRE ATT&CK
+ description: 'Make configuration changes related to the operating system or a
+ common feature of the operating system that result in system hardening against
+ techniques.
+
+ https://attack.mitre.org/mitigations/M1028
+
+ '
+ version: '1.0'
+ - urn: urn:intuitem:risk:function:mitre-attack:M1053
+ name: M1053 - Data Backup
+ provider: MITRE ATT&CK
+ description: 'Take and store data backups from end user systems and critical servers.
+ Ensure backup and storage systems are hardened and kept separate from the corporate
+ network to prevent compromise.
+
+ https://attack.mitre.org/mitigations/M1053
+
+ '
+ version: '1.0'
+ - urn: urn:intuitem:risk:function:mitre-attack:M1038
+ name: M1038 - Execution Prevention
+ provider: MITRE ATT&CK
+ description: 'Block execution of code on a system through application control,
+ and/or script blocking.
+
+ https://attack.mitre.org/mitigations/M1038
+
+ '
+ version: '1.0'
+ - urn: urn:intuitem:risk:function:mitre-attack:M1043
+ name: M1043 - Credential Access Protection
+ provider: MITRE ATT&CK
+ description: 'Use capabilities to prevent successful credential access by adversaries;
+ including blocking forms of credential dumping.
+
+ https://attack.mitre.org/mitigations/M1043
+
+ '
+ version: '1.0'
+ - urn: urn:intuitem:risk:function:mitre-attack:M1045
+ name: M1045 - Code Signing
+ provider: MITRE ATT&CK
+ description: 'Enforce binary and application integrity with digital signature
+ verification to prevent untrusted code from executing.
+
+ https://attack.mitre.org/mitigations/M1045
+
+ '
+ version: '1.0'
+ - urn: urn:intuitem:risk:function:mitre-attack:M1039
+ name: M1039 - Environment Variable Permissions
+ provider: MITRE ATT&CK
+ description: 'Prevent modification of environment variables by unauthorized users
+ and groups.
+
+ https://attack.mitre.org/mitigations/M1039
+
+ '
+ version: '1.0'
+ - urn: urn:intuitem:risk:function:mitre-attack:M1057
+ name: M1057 - Data Loss Prevention
+ provider: MITRE ATT&CK
+ description: 'Use a data loss prevention (DLP) strategy to categorize sensitive
+ data, identify data formats indicative of personal identifiable information
+ (PII), and restrict exfiltration of sensitive data.(Citation: PurpleSec Data
+ Loss Prevention)
+
+ https://attack.mitre.org/mitigations/M1057
+
+ '
+ version: '1.0'
+ - urn: urn:intuitem:risk:function:mitre-attack:M1025
+ name: M1025 - Privileged Process Integrity
+ provider: MITRE ATT&CK
+ description: 'Protect processes with high privileges that can be used to interact
+ with critical system components through use of protected process light, anti-process
+ injection defenses, or other process integrity enforcement measures.
+
+ https://attack.mitre.org/mitigations/M1025
+
+ '
+ version: '1.0'
+ - urn: urn:intuitem:risk:function:mitre-attack:M1055
+ name: M1055 - Do Not Mitigate
+ provider: MITRE ATT&CK
+ description: 'This category is to associate techniques that mitigation might increase
+ risk of compromise and therefore mitigation is not recommended.
+
+ https://attack.mitre.org/mitigations/M1055
+
+ '
+ version: '1.0'
+ - urn: urn:intuitem:risk:function:mitre-attack:M1056
+ name: M1056 - Pre-compromise
+ provider: MITRE ATT&CK
+ description: 'This category is used for any applicable mitigation activities that
+ apply to techniques occurring before an adversary gains Initial Access, such
+ as Reconnaissance and Resource Development techniques.
+
+ https://attack.mitre.org/mitigations/M1056
+
+ '
+ version: '1.0'
+ - urn: urn:intuitem:risk:function:mitre-attack:M1020
+ name: M1020 - SSL/TLS Inspection
+ provider: MITRE ATT&CK
+ description: 'Break and inspect SSL/TLS sessions to look at encrypted web traffic
+ for adversary activity.
+
+ https://attack.mitre.org/mitigations/M1020
+
+ '
+ version: '1.0'
+ - urn: urn:intuitem:risk:function:mitre-attack:M1046
+ name: M1046 - Boot Integrity
+ provider: MITRE ATT&CK
+ description: 'Use secure methods to boot a system and verify the integrity of
+ the operating system and loading mechanisms.
+
+ https://attack.mitre.org/mitigations/M1046
+
+ '
+ version: '1.0'
+ - urn: urn:intuitem:risk:function:mitre-attack:M1030
+ name: M1030 - Network Segmentation
+ provider: MITRE ATT&CK
+ description: 'Architect sections of the network to isolate critical systems, functions,
+ or resources. Use physical and logical segmentation to prevent access to potentially
+ sensitive systems and information. Use a DMZ to contain any internet-facing
+ services that should not be exposed from the internal network. Configure separate
+ virtual private cloud (VPC) instances to isolate critical cloud systems.
+
+ https://attack.mitre.org/mitigations/M1030
+
+ '
+ version: '1.0'
+ - urn: urn:intuitem:risk:function:mitre-attack:M1019
+ name: M1019 - Threat Intelligence Program
+ provider: MITRE ATT&CK
+ description: 'A threat intelligence program helps an organization generate their
+ own threat intelligence information and track trends to inform defensive priorities
+ to mitigate risk.
+
+ https://attack.mitre.org/mitigations/M1019
+
+ '
+ version: '1.0'
+ - urn: urn:intuitem:risk:function:mitre-attack:M1027
+ name: M1027 - Password Policies
+ provider: MITRE ATT&CK
+ description: 'Set and enforce secure password policies for accounts.
+
+ https://attack.mitre.org/mitigations/M1027
+
+ '
+ version: '1.0'
+ - urn: urn:intuitem:risk:function:mitre-attack:M1040
+ name: M1040 - Behavior Prevention on Endpoint
+ provider: MITRE ATT&CK
+ description: 'Use capabilities to prevent suspicious behavior patterns from occurring
+ on endpoint systems. This could include suspicious process, file, API call,
+ etc. behavior.
+
+ https://attack.mitre.org/mitigations/M1040
+
+ '
+ version: '1.0'
+ - urn: urn:intuitem:risk:function:mitre-attack:M1018
+ name: M1018 - User Account Management
+ provider: MITRE ATT&CK
+ description: 'Manage the creation, modification, use, and permissions associated
+ to user accounts.
+
+ https://attack.mitre.org/mitigations/M1018
+
+ '
+ version: '1.0'
+ - urn: urn:intuitem:risk:function:mitre-attack:M1022
+ name: M1022 - Restrict File and Directory Permissions
+ provider: MITRE ATT&CK
+ description: 'Restrict access by setting directory and file permissions that are
+ not specific to users or privileged accounts.
+
+ https://attack.mitre.org/mitigations/M1022
+
+ '
+ version: '1.0'
+ - urn: urn:intuitem:risk:function:mitre-attack:M1026
+ name: M1026 - Privileged Account Management
+ provider: MITRE ATT&CK
+ description: 'Manage the creation, modification, use, and permissions associated
+ to privileged accounts, including SYSTEM and root.
+
+ https://attack.mitre.org/mitigations/M1026
+
+ '
+ version: '1.0'
+ - urn: urn:intuitem:risk:function:mitre-attack:M1024
+ name: M1024 - Restrict Registry Permissions
+ provider: MITRE ATT&CK
+ description: 'Restrict the ability to modify certain hives or keys in the Windows
+ Registry.
+
+ https://attack.mitre.org/mitigations/M1024
+
+ '
+ version: '1.0'
+ - urn: urn:intuitem:risk:function:mitre-attack:M1049
+ name: M1049 - Antivirus/Antimalware
+ provider: MITRE ATT&CK
+ description: 'Use signatures or heuristics to detect malicious software.
+
+ https://attack.mitre.org/mitigations/M1049
+
+ '
+ version: '1.0'
+ - urn: urn:intuitem:risk:function:mitre-attack:M1032
+ name: M1032 - Multi-factor Authentication
+ provider: MITRE ATT&CK
+ description: 'Use two or more pieces of evidence to authenticate to a system;
+ such as username and password in addition to a token from a physical smart card
+ or token generator.
+
+ https://attack.mitre.org/mitigations/M1032
+
+ '
+ version: '1.0'
+ - urn: urn:intuitem:risk:function:mitre-attack:M1054
+ name: M1054 - Software Configuration
+ provider: MITRE ATT&CK
+ description: 'Implement configuration changes to software (other than the operating
+ system) to mitigate security risks associated to how the software operates.
+
+ https://attack.mitre.org/mitigations/M1054
+
+ '
+ version: '1.0'
+ - urn: urn:intuitem:risk:function:mitre-attack:M1048
+ name: M1048 - Application Isolation and Sandboxing
+ provider: MITRE ATT&CK
+ description: 'Restrict execution of code to a virtual environment on or in transit
+ to an endpoint system.
+
+ https://attack.mitre.org/mitigations/M1048
+
+ '
+ version: '1.0'
+ - urn: urn:intuitem:risk:function:mitre-attack:M1047
+ name: M1047 - Audit
+ provider: MITRE ATT&CK
+ description: 'Perform audits or scans of systems, permissions, insecure software,
+ insecure configurations, etc. to identify potential weaknesses.
+
+ https://attack.mitre.org/mitigations/M1047
+
+ '
+ version: '1.0'
+ - urn: urn:intuitem:risk:function:mitre-attack:M1050
+ name: M1050 - Exploit Protection
+ provider: MITRE ATT&CK
+ description: 'Use capabilities to detect and block conditions that may lead to
+ or be indicative of a software exploit occurring.
+
+ https://attack.mitre.org/mitigations/M1050
+
+ '
+ version: '1.0'
+ - urn: urn:intuitem:risk:function:mitre-attack:M1015
+ name: M1015 - Active Directory Configuration
+ provider: MITRE ATT&CK
+ description: 'Configure Active Directory to prevent use of certain techniques;
+ use SID Filtering, etc.
+
+ https://attack.mitre.org/mitigations/M1015
+
+ '
+ version: '1.0'
+ - urn: urn:intuitem:risk:function:mitre-attack:M1051
+ name: M1051 - Update Software
+ provider: MITRE ATT&CK
+ description: 'Perform regular software updates to mitigate exploitation risk.
+
+ https://attack.mitre.org/mitigations/M1051
+
+ '
+ version: '1.0'
+ - urn: urn:intuitem:risk:function:mitre-attack:M1044
+ name: M1044 - Restrict Library Loading
+ provider: MITRE ATT&CK
+ description: 'Prevent abuse of library loading mechanisms in the operating system
+ and software to load untrusted code by configuring appropriate library loading
+ mechanisms and investigating potential vulnerable software.
+
+ https://attack.mitre.org/mitigations/M1044
+
+ '
+ version: '1.0'
+ - urn: urn:intuitem:risk:function:mitre-attack:M1042
+ name: M1042 - Disable or Remove Feature or Program
+ provider: MITRE ATT&CK
+ description: 'Remove or deny access to unnecessary and potentially vulnerable
+ software to prevent abuse by adversaries.
+
+ https://attack.mitre.org/mitigations/M1042
+
+ '
+ version: '1.0'
+ - urn: urn:intuitem:risk:function:mitre-attack:M1036
+ name: M1036 - Account Use Policies
+ provider: MITRE ATT&CK
+ description: 'Configure features related to account use like login attempt lockouts,
+ specific login times, etc.
+
+ https://attack.mitre.org/mitigations/M1036
+
+ '
+ version: '1.0'
+ - urn: urn:intuitem:risk:function:mitre-attack:M1041
+ name: M1041 - Encrypt Sensitive Information
+ provider: MITRE ATT&CK
+ description: 'Protect sensitive information with strong encryption.
+
+ https://attack.mitre.org/mitigations/M1041
+
+ '
+ version: '1.0'
+ threats:
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1047
+ name: T1047 - Windows Management Instrumentation
+ provider: MITRE ATT&CK
+ description: 'Adversaries may abuse Windows Management Instrumentation (WMI) to
+ execute malicious commands and payloads. WMI is an administration feature that
+ provides a uniform environment to access Windows system components. The WMI
+ service enables both local and remote access, though the latter is facilitated
+ by [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed
+ Component Object Model](https://attack.mitre.org/techniques/T1021/003) (DCOM)
+ and [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006)
+ (WinRM).(Citation: MSDN WMI) Remote WMI over DCOM operates using port 135, whereas
+ WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.(Citation:
+ MSDN WMI)(Citation: FireEye WMI 2015)
+
+
+ An adversary can use WMI to interact with local and remote systems and use it
+ as a means to execute various behaviors, such as gathering information for Discovery
+ as well as remote Execution of files as part of Lateral Movement. (Citation:
+ FireEye WMI SANS 2015) (Citation: FireEye WMI 2015)
+
+ https://attack.mitre.org/techniques/T1047'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1113
+ name: T1113 - Screen Capture
+ provider: MITRE ATT&CK
+ description: 'Adversaries may attempt to take screen captures of the desktop to
+ gather information over the course of an operation. Screen capturing functionality
+ may be included as a feature of a remote access tool used in post-compromise
+ operations. Taking a screenshot is also typically possible through native utilities
+ or API calls, such as CopyFromScreen
, xwd
, or screencapture
.(Citation:
+ CopyFromScreen .NET)(Citation: Antiquated Mac Malware)
+
+ https://attack.mitre.org/techniques/T1113'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1037
+ name: T1037 - Boot or Logon Initialization Scripts
+ provider: MITRE ATT&CK
+ description: "Adversaries may use scripts automatically executed at boot or logon\
+ \ initialization to establish persistence. Initialization scripts can be used\
+ \ to perform administrative functions, which may often execute other programs\
+ \ or send information to an internal logging server. These scripts can vary\
+ \ based on operating system and whether applied locally or remotely. \n\nAdversaries\
+ \ may use these scripts to maintain persistence on a single system. Depending\
+ \ on the access configuration of the logon scripts, either local credentials\
+ \ or an administrator account may be necessary. \n\nAn adversary may also be\
+ \ able to escalate their privileges since some boot or logon initialization\
+ \ scripts run with higher privileges.\nhttps://attack.mitre.org/techniques/T1037"
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1557
+ name: T1557 - Adversary-in-the-Middle
+ provider: MITRE ATT&CK
+ description: 'Adversaries may attempt to position themselves between two or more
+ networked devices using an adversary-in-the-middle (AiTM) technique to support
+ follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040),
+ [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002),
+ or replay attacks ([Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212)).
+ By abusing features of common networking protocols that can determine the flow
+ of network traffic (e.g. ARP, DNS, LLMNR, etc.), adversaries may force a device
+ to communicate through an adversary controlled system so they can collect information
+ or perform additional actions.(Citation: Rapid7 MiTM Basics)
+
+
+ For example, adversaries may manipulate victim DNS settings to enable other
+ malicious activities such as preventing/redirecting users from accessing legitimate
+ sites and/or pushing additional malware.(Citation: ttint_rat)(Citation: dns_changer_trojans)(Citation:
+ ad_blocker_with_miner) Adversaries may also manipulate DNS and leverage their
+ position in order to intercept user credentials and session cookies.(Citation:
+ volexity_0day_sophos_FW) [Downgrade Attack](https://attack.mitre.org/techniques/T1562/010)s
+ can also be used to establish an AiTM position, such as by negotiating a less
+ secure, deprecated, or weaker version of communication protocol (SSL/TLS) or
+ encryption algorithm.(Citation: mitm_tls_downgrade_att)(Citation: taxonomy_downgrade_att_tls)(Citation:
+ tlseminar_downgrade_att)
+
+
+ Adversaries may also leverage the AiTM position to attempt to monitor and/or
+ modify traffic, such as in [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002).
+ Adversaries can setup a position similar to AiTM to prevent traffic from flowing
+ to the appropriate destination, potentially to [Impair Defenses](https://attack.mitre.org/techniques/T1562)
+ and/or in support of a [Network Denial of Service](https://attack.mitre.org/techniques/T1498).
+
+ https://attack.mitre.org/techniques/T1557'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1033
+ name: T1033 - System Owner/User Discovery
+ provider: MITRE ATT&CK
+ description: 'Adversaries may attempt to identify the primary user, currently
+ logged in user, set of users that commonly uses a system, or whether a user
+ is actively using the system. They may do this, for example, by retrieving account
+ usernames or by using [OS Credential Dumping](https://attack.mitre.org/techniques/T1003).
+ The information may be collected in a number of different ways using other Discovery
+ techniques, because user and username details are prevalent throughout a system
+ and include running process ownership, file/directory ownership, session information,
+ and system logs. Adversaries may use the information from [System Owner/User
+ Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery
+ to shape follow-on behaviors, including whether or not the adversary fully infects
+ the target and/or attempts specific actions.
+
+
+ Various utilities and commands may acquire this information, including whoami
.
+ In macOS and Linux, the currently logged in user can be identified with w
+ and who
. On macOS the dscl . list /Users | grep -v ''_''
+ command can also be used to enumerate user accounts. Environment variables,
+ such as %USERNAME%
and $USER
, may also be used to
+ access this information.
+
+
+ On network devices, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008)
+ commands such as `show users` and `show ssh` can be used to display users currently
+ logged into the device.(Citation: show_ssh_users_cmd_cisco)(Citation: US-CERT
+ TA18-106A Network Infrastructure Devices 2018)
+
+ https://attack.mitre.org/techniques/T1033'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1583
+ name: T1583 - Acquire Infrastructure
+ provider: MITRE ATT&CK
+ description: 'Adversaries may buy, lease, or rent infrastructure that can be used
+ during targeting. A wide variety of infrastructure exists for hosting and orchestrating
+ adversary operations. Infrastructure solutions include physical or cloud servers,
+ domains, and third-party web services.(Citation: TrendmicroHideoutsLease) Additionally,
+ botnets are available for rent or purchase.
+
+
+ Use of these infrastructure solutions allows adversaries to stage, launch, and
+ execute operations. Solutions may help adversary operations blend in with traffic
+ that is seen as normal, such as contacting third-party web services or acquiring
+ infrastructure to support [Proxy](https://attack.mitre.org/techniques/T1090),
+ including from residential proxy services.(Citation: amnesty_nso_pegasus)(Citation:
+ FBI Proxies Credential Stuffing)(Citation: Mandiant APT29 Microsoft 365 2022)
+ Depending on the implementation, adversaries may use infrastructure that makes
+ it difficult to physically tie back to them as well as utilize infrastructure
+ that can be rapidly provisioned, modified, and shut down.
+
+ https://attack.mitre.org/techniques/T1583'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1613
+ name: T1613 - Container and Resource Discovery
+ provider: MITRE ATT&CK
+ description: "Adversaries may attempt to discover containers and other resources\
+ \ that are available within a containers environment. Other resources may include\
+ \ images, deployments, pods, nodes, and other information such as the status\
+ \ of a cluster.\n\nThese resources can be viewed within web applications such\
+ \ as the Kubernetes dashboard or can be queried via the Docker and Kubernetes\
+ \ APIs.(Citation: Docker API)(Citation: Kubernetes API) In Docker, logs may\
+ \ leak information about the environment, such as the environment\u2019s configuration,\
+ \ which services are available, and what cloud provider the victim may be utilizing.\
+ \ The discovery of these resources may inform an adversary\u2019s next steps\
+ \ in the environment, such as how to perform lateral movement and which methods\
+ \ to utilize for execution.\nhttps://attack.mitre.org/techniques/T1613"
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1592
+ name: T1592 - Gather Victim Host Information
+ provider: MITRE ATT&CK
+ description: 'Adversaries may gather information about the victim''s hosts that
+ can be used during targeting. Information about hosts may include a variety
+ of details, including administrative data (ex: name, assigned IP, functionality,
+ etc.) as well as specifics regarding its configuration (ex: operating system,
+ language, etc.).
+
+
+ Adversaries may gather this information in various ways, such as direct collection
+ actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or
+ [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries
+ may also compromise sites then include malicious content designed to collect
+ host information from visitors.(Citation: ATT ScanBox) Information about hosts
+ may also be exposed to adversaries via online or other accessible data sets
+ (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search
+ Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)). Gathering
+ this information may reveal opportunities for other forms of reconnaissance
+ (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)
+ or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)),
+ establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587)
+ or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or
+ initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195)
+ or [External Remote Services](https://attack.mitre.org/techniques/T1133)).
+
+ https://attack.mitre.org/techniques/T1592'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1003
+ name: T1003 - OS Credential Dumping
+ provider: MITRE ATT&CK
+ description: 'Adversaries may attempt to dump credentials to obtain account login
+ and credential material, normally in the form of a hash or a clear text password,
+ from the operating system and software. Credentials can then be used to perform
+ [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and access restricted
+ information.
+
+
+ Several of the tools mentioned in associated sub-techniques may be used by both
+ adversaries and professional security testers. Additional custom tools likely
+ exist as well.
+
+ https://attack.mitre.org/techniques/T1003'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1129
+ name: T1129 - Shared Modules
+ provider: MITRE ATT&CK
+ description: 'Adversaries may execute malicious payloads via loading shared modules.
+ Shared modules are executable files that are loaded into processes to provide
+ access to reusable code, such as specific custom functions or invoking OS API
+ functions (i.e., [Native API](https://attack.mitre.org/techniques/T1106)).
+
+
+ Adversaries may use this functionality as a way to execute arbitrary payloads
+ on a victim system. For example, adversaries can modularize functionality of
+ their malware into shared objects that perform various functions such as managing
+ C2 network communications or execution of specific actions on objective.
+
+
+ The Linux & macOS module loader can load and execute shared objects from arbitrary
+ local paths. This functionality resides in `dlfcn.h` in functions such as `dlopen`
+ and `dlsym`. Although macOS can execute `.so` files, common practice uses `.dylib`
+ files.(Citation: Apple Dev Dynamic Libraries)(Citation: Linux Shared Libraries)(Citation:
+ RotaJakiro 2021 netlab360 analysis)(Citation: Unit42 OceanLotus 2017)
+
+
+ The Windows module loader can be instructed to load DLLs from arbitrary local
+ paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality
+ resides in `NTDLL.dll` and is part of the Windows [Native API](https://attack.mitre.org/techniques/T1106)
+ which is called from functions like `LoadLibrary` at run time.(Citation: Microsoft
+ DLL)
+
+ https://attack.mitre.org/techniques/T1129'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1602
+ name: T1602 - Data from Configuration Repository
+ provider: MITRE ATT&CK
+ description: 'Adversaries may collect data related to managed devices from configuration
+ repositories. Configuration repositories are used by management systems in order
+ to configure, manage, and control data on remote systems. Configuration repositories
+ may also facilitate remote access and administration of devices.
+
+
+ Adversaries may target these repositories in order to collect large quantities
+ of sensitive system administration data. Data from configuration repositories
+ may be exposed by various protocols and software and can store a wide variety
+ of data, much of which may align with adversary Discovery objectives.(Citation:
+ US-CERT-TA18-106A)(Citation: US-CERT TA17-156A SNMP Abuse 2017)
+
+ https://attack.mitre.org/techniques/T1602'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1006
+ name: T1006 - Direct Volume Access
+ provider: MITRE ATT&CK
+ description: 'Adversaries may directly access a volume to bypass file access controls
+ and file system monitoring. Windows allows programs to have direct access to
+ logical volumes. Programs with direct access may read and write files directly
+ from the drive by analyzing file system data structures. This technique may
+ bypass Windows file access controls as well as file system monitoring tools.
+ (Citation: Hakobyan 2009)
+
+
+ Utilities, such as `NinjaCopy`, exist to perform these actions in PowerShell.(Citation:
+ Github PowerSploit Ninjacopy) Adversaries may also use built-in or third-party
+ utilities (such as `vssadmin`, `wbadmin`, and [esentutl](https://attack.mitre.org/software/S0404))
+ to create shadow copies or backups of data from system volumes.(Citation: LOLBAS
+ Esentutl)
+
+ https://attack.mitre.org/techniques/T1006'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1014
+ name: T1014 - Rootkit
+ provider: MITRE ATT&CK
+ description: "Adversaries may use rootkits to hide the presence of programs, files,\
+ \ network connections, services, drivers, and other system components. Rootkits\
+ \ are programs that hide the existence of malware by intercepting/hooking and\
+ \ modifying operating system API calls that supply system information. (Citation:\
+ \ Symantec Windows Rootkits) \n\nRootkits or rootkit enabling functionality\
+ \ may reside at the user or kernel level in the operating system or lower, to\
+ \ include a hypervisor, Master Boot Record, or [System Firmware](https://attack.mitre.org/techniques/T1542/001).\
+ \ (Citation: Wikipedia Rootkit) Rootkits have been seen for Windows, Linux,\
+ \ and Mac OS X systems. (Citation: CrowdStrike Linux Rootkit) (Citation: BlackHat\
+ \ Mac OSX Rootkit)\nhttps://attack.mitre.org/techniques/T1014"
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1123
+ name: T1123 - Audio Capture
+ provider: MITRE ATT&CK
+ description: 'An adversary can leverage a computer''s peripheral devices (e.g.,
+ microphones and webcams) or applications (e.g., voice and video call services)
+ to capture audio recordings for the purpose of listening into sensitive conversations
+ to gather information.
+
+
+ Malware or scripts may be used to interact with the devices through an available
+ API provided by the operating system or an application to capture audio. Audio
+ files may be written to disk and exfiltrated later.
+
+ https://attack.mitre.org/techniques/T1123'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1543
+ name: T1543 - Create or Modify System Process
+ provider: MITRE ATT&CK
+ description: "Adversaries may create or modify system-level processes to repeatedly\
+ \ execute malicious payloads as part of persistence. When operating systems\
+ \ boot up, they can start processes that perform background system functions.\
+ \ On Windows and Linux, these system processes are referred to as services.(Citation:\
+ \ TechNet Services) On macOS, launchd processes known as [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)\
+ \ and [Launch Agent](https://attack.mitre.org/techniques/T1543/001) are run\
+ \ to finish system initialization and load user specific parameters.(Citation:\
+ \ AppleDocs Launch Agent Daemons) \n\nAdversaries may install new services,\
+ \ daemons, or agents that can be configured to execute at startup or a repeatable\
+ \ interval in order to establish persistence. Similarly, adversaries may modify\
+ \ existing services, daemons, or agents to achieve the same effect. \n\nServices,\
+ \ daemons, or agents may be created with administrator privileges but executed\
+ \ under root/SYSTEM privileges. Adversaries may leverage this functionality\
+ \ to create or modify system processes in order to escalate privileges.(Citation:\
+ \ OSX Malware Detection)\nhttps://attack.mitre.org/techniques/T1543"
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1133
+ name: T1133 - External Remote Services
+ provider: MITRE ATT&CK
+ description: "Adversaries may leverage external-facing remote services to initially\
+ \ access and/or persist within a network. Remote services such as VPNs, Citrix,\
+ \ and other access mechanisms allow users to connect to internal enterprise\
+ \ network resources from external locations. There are often remote service\
+ \ gateways that manage connections and credential authentication for these services.\
+ \ Services such as [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006)\
+ \ and [VNC](https://attack.mitre.org/techniques/T1021/005) can also be used\
+ \ externally.(Citation: MacOS VNC software for Remote Desktop)\n\nAccess to\
+ \ [Valid Accounts](https://attack.mitre.org/techniques/T1078) to use the service\
+ \ is often a requirement, which could be obtained through credential pharming\
+ \ or by obtaining the credentials from users after compromising the enterprise\
+ \ network.(Citation: Volexity Virtual Private Keylogging) Access to remote services\
+ \ may be used as a redundant or persistent access mechanism during an operation.\n\
+ \nAccess may also be gained through an exposed service that doesn\u2019t require\
+ \ authentication. In containerized environments, this may include an exposed\
+ \ Docker API, Kubernetes API server, kubelet, or web application such as the\
+ \ Kubernetes dashboard.(Citation: Trend Micro Exposed Docker Server)(Citation:\
+ \ Unit 42 Hildegard Malware)\nhttps://attack.mitre.org/techniques/T1133"
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1539
+ name: T1539 - Steal Web Session Cookie
+ provider: MITRE ATT&CK
+ description: 'An adversary may steal web application or service session cookies
+ and use them to gain access to web applications or Internet services as an authenticated
+ user without needing credentials. Web applications and services often use session
+ cookies as an authentication token after a user has authenticated to a website.
+
+
+ Cookies are often valid for an extended period of time, even if the web application
+ is not actively used. Cookies can be found on disk, in the process memory of
+ the browser, and in network traffic to remote systems. Additionally, other applications
+ on the targets machine might store sensitive authentication cookies in memory
+ (e.g. apps which authenticate to cloud services). Session cookies can be used
+ to bypasses some multi-factor authentication protocols.(Citation: Pass The Cookie)
+
+
+ There are several examples of malware targeting cookies from web browsers on
+ the local system.(Citation: Kaspersky TajMahal April 2019)(Citation: Unit 42
+ Mac Crypto Cookies January 2019) There are also open source frameworks such
+ as `Evilginx2` and `Muraena` that can gather session cookies through a malicious
+ proxy (ex: [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557))
+ that can be set up by an adversary and used in phishing campaigns.(Citation:
+ Github evilginx2)(Citation: GitHub Mauraena)
+
+
+ After an adversary acquires a valid cookie, they can then perform a [Web Session
+ Cookie](https://attack.mitre.org/techniques/T1550/004) technique to login to
+ the corresponding web application.
+
+ https://attack.mitre.org/techniques/T1539'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1578
+ name: T1578 - Modify Cloud Compute Infrastructure
+ provider: MITRE ATT&CK
+ description: 'An adversary may attempt to modify a cloud account''s compute service
+ infrastructure to evade defenses. A modification to the compute service infrastructure
+ can include the creation, deletion, or modification of one or more components
+ such as compute instances, virtual machines, and snapshots.
+
+
+ Permissions gained from the modification of infrastructure components may bypass
+ restrictions that prevent access to existing infrastructure. Modifying infrastructure
+ components may also allow an adversary to evade detection and remove evidence
+ of their presence.(Citation: Mandiant M-Trends 2020)
+
+ https://attack.mitre.org/techniques/T1578'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1069
+ name: T1069 - Permission Groups Discovery
+ provider: MITRE ATT&CK
+ description: 'Adversaries may attempt to discover group and permission settings.
+ This information can help adversaries determine which user accounts and groups
+ are available, the membership of users in particular groups, and which users
+ and groups have elevated permissions.
+
+
+ Adversaries may attempt to discover group permission settings in many different
+ ways. This data may provide the adversary with information about the compromised
+ environment that can be used in follow-on activity and targeting.(Citation:
+ CrowdStrike BloodHound April 2018)
+
+ https://attack.mitre.org/techniques/T1069'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1114
+ name: T1114 - Email Collection
+ provider: MITRE ATT&CK
+ description: 'Adversaries may target user email to collect sensitive information.
+ Emails may contain sensitive data, including trade secrets or personal information,
+ that can prove valuable to adversaries. Adversaries can collect or forward email
+ from mail servers or clients.
+
+ https://attack.mitre.org/techniques/T1114'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1594
+ name: T1594 - Search Victim-Owned Websites
+ provider: MITRE ATT&CK
+ description: 'Adversaries may search websites owned by the victim for information
+ that can be used during targeting. Victim-owned websites may contain a variety
+ of details, including names of departments/divisions, physical locations, and
+ data about key employees such as names, roles, and contact info (ex: [Email
+ Addresses](https://attack.mitre.org/techniques/T1589/002)). These sites may
+ also have details highlighting business operations and relationships.(Citation:
+ Comparitech Leak)
+
+
+ Adversaries may search victim-owned websites to gather actionable information.
+ Information from these sources may reveal opportunities for other forms of reconnaissance
+ (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or
+ [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)),
+ establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585)
+ or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or
+ initial access (ex: [Trusted Relationship](https://attack.mitre.org/techniques/T1199)
+ or [Phishing](https://attack.mitre.org/techniques/T1566)).
+
+ https://attack.mitre.org/techniques/T1594'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1561
+ name: T1561 - Disk Wipe
+ provider: MITRE ATT&CK
+ description: 'Adversaries may wipe or corrupt raw disk data on specific systems
+ or in large numbers in a network to interrupt availability to system and network
+ resources. With direct write access to a disk, adversaries may attempt to overwrite
+ portions of disk data. Adversaries may opt to wipe arbitrary portions of disk
+ data and/or wipe disk structures like the master boot record (MBR). A complete
+ wipe of all disk sectors may be attempted.
+
+
+ To maximize impact on the target organization in operations where network-wide
+ availability interruption is the goal, malware used for wiping disks may have
+ worm-like features to propagate across a network by leveraging additional techniques
+ like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential
+ Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin
+ Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Novetta Blockbuster
+ Destructive Malware)
+
+
+ On network devices, adversaries may wipe configuration files and other data
+ from the device using [Network Device CLI](https://attack.mitre.org/techniques/T1059/008)
+ commands such as `erase`.(Citation: erase_cmd_cisco)
+
+ https://attack.mitre.org/techniques/T1561'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1615
+ name: T1615 - Group Policy Discovery
+ provider: MITRE ATT&CK
+ description: 'Adversaries may gather information on Group Policy settings to identify
+ paths for privilege escalation, security measures applied within a domain, and
+ to discover patterns in domain objects that can be manipulated or used to blend
+ in the environment. Group Policy allows for centralized management of user and
+ computer settings in Active Directory (AD). Group policy objects (GPOs) are
+ containers for group policy settings made up of files stored within a predictable
+ network path `\\SYSVOL\\Policies\`.(Citation: TechNet Group
+ Policy Basics)(Citation: ADSecurity GPO Persistence 2016)
+
+
+ Adversaries may use commands such as gpresult
or various publicly
+ available PowerShell functions, such as Get-DomainGPO
and Get-DomainGPOLocalGroup
,
+ to gather information on Group Policy settings.(Citation: Microsoft gpresult)(Citation:
+ Github PowerShell Empire) Adversaries may use this information to shape follow-on
+ behaviors, including determining potential attack paths within the target network
+ as well as opportunities to manipulate Group Policy settings (i.e. [Domain Policy
+ Modification](https://attack.mitre.org/techniques/T1484)) for their benefit.
+
+ https://attack.mitre.org/techniques/T1615'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1025
+ name: T1025 - Data from Removable Media
+ provider: MITRE ATT&CK
+ description: "Adversaries may search connected removable media on computers they\
+ \ have compromised to find files of interest. Sensitive data can be collected\
+ \ from any removable media (optical disk drive, USB memory, etc.) connected\
+ \ to the compromised system prior to Exfiltration. Interactive command shells\
+ \ may be in use, and common functionality within [cmd](https://attack.mitre.org/software/S0106)\
+ \ may be used to gather information. \n\nSome adversaries may also use [Automated\
+ \ Collection](https://attack.mitre.org/techniques/T1119) on removable media.\n\
+ https://attack.mitre.org/techniques/T1025"
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1547
+ name: T1547 - Boot or Logon Autostart Execution
+ provider: MITRE ATT&CK
+ description: 'Adversaries may configure system settings to automatically execute
+ a program during system boot or logon to maintain persistence or gain higher-level
+ privileges on compromised systems. Operating systems may have mechanisms for
+ automatically running a program on system boot or account logon.(Citation: Microsoft
+ Run Key)(Citation: MSDN Authentication Packages)(Citation: Microsoft TimeProvider)(Citation:
+ Cylance Reg Persistence Sept 2013)(Citation: Linux Kernel Programming) These
+ mechanisms may include automatically executing programs that are placed in specially
+ designated directories or are referenced by repositories that store configuration
+ information, such as the Windows Registry. An adversary may achieve the same
+ goal by modifying or extending features of the kernel.
+
+
+ Since some boot or logon autostart programs run with higher privileges, an adversary
+ may leverage these to elevate privileges.
+
+ https://attack.mitre.org/techniques/T1547'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1600
+ name: T1600 - Weaken Encryption
+ provider: MITRE ATT&CK
+ description: "Adversaries may compromise a network device\u2019s encryption capability\
+ \ in order to bypass encryption that would otherwise protect data communications.\
+ \ (Citation: Cisco Synful Knock Evolution)\n\nEncryption can be used to protect\
+ \ transmitted network traffic to maintain its confidentiality (protect against\
+ \ unauthorized disclosure) and integrity (protect against unauthorized changes).\
+ \ Encryption ciphers are used to convert a plaintext message to ciphertext and\
+ \ can be computationally intensive to decipher without the associated decryption\
+ \ key. Typically, longer keys increase the cost of cryptanalysis, or decryption\
+ \ without the key.\n\nAdversaries can compromise and manipulate devices that\
+ \ perform encryption of network traffic. For example, through behaviors such\
+ \ as [Modify System Image](https://attack.mitre.org/techniques/T1601), [Reduce\
+ \ Key Space](https://attack.mitre.org/techniques/T1600/001), and [Disable Crypto\
+ \ Hardware](https://attack.mitre.org/techniques/T1600/002), an adversary can\
+ \ negatively effect and/or eliminate a device\u2019s ability to securely encrypt\
+ \ network traffic. This poses a greater risk of unauthorized disclosure and\
+ \ may help facilitate data manipulation, Credential Access, or Collection efforts.\
+ \ (Citation: Cisco Blog Legacy Device Attacks)\nhttps://attack.mitre.org/techniques/T1600"
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1489
+ name: T1489 - Service Stop
+ provider: MITRE ATT&CK
+ description: "Adversaries may stop or disable services on a system to render those\
+ \ services unavailable to legitimate users. Stopping critical services or processes\
+ \ can inhibit or stop response to an incident or aid in the adversary's overall\
+ \ objectives to cause damage to the environment.(Citation: Talos Olympic Destroyer\
+ \ 2018)(Citation: Novetta Blockbuster) \n\nAdversaries may accomplish this by\
+ \ disabling individual services of high importance to an organization, such\
+ \ as MSExchangeIS
, which will make Exchange content inaccessible\
+ \ (Citation: Novetta Blockbuster). In some cases, adversaries may stop or disable\
+ \ many or all services to render systems unusable.(Citation: Talos Olympic Destroyer\
+ \ 2018) Services or processes may not allow for modification of their data stores\
+ \ while running. Adversaries may stop services or processes in order to conduct\
+ \ [Data Destruction](https://attack.mitre.org/techniques/T1485) or [Data Encrypted\
+ \ for Impact](https://attack.mitre.org/techniques/T1486) on the data stores\
+ \ of services like Exchange and SQL Server.(Citation: SecureWorks WannaCry Analysis)\n\
+ https://attack.mitre.org/techniques/T1489"
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1652
+ name: T1652 - Device Driver Discovery
+ provider: MITRE ATT&CK
+ description: 'Adversaries may attempt to enumerate local device drivers on a victim
+ host. Information about device drivers may highlight various insights that shape
+ follow-on behaviors, such as the function/purpose of the host, present security
+ tools (i.e. [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001))
+ or other defenses (e.g., [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497)),
+ as well as potential exploitable vulnerabilities (e.g., [Exploitation for Privilege
+ Escalation](https://attack.mitre.org/techniques/T1068)).
+
+
+ Many OS utilities may provide information about local device drivers, such as
+ `driverquery.exe` and the `EnumDeviceDrivers()` API function on Windows.(Citation:
+ Microsoft Driverquery)(Citation: Microsoft EnumDeviceDrivers) Information about
+ device drivers (as well as associated services, i.e., [System Service Discovery](https://attack.mitre.org/techniques/T1007))
+ may also be available in the Registry.(Citation: Microsoft Registry Drivers)
+
+
+ On Linux/macOS, device drivers (in the form of kernel modules) may be visible
+ within `/dev` or using utilities such as `lsmod` and `modinfo`.(Citation: Linux
+ Kernel Programming)(Citation: lsmod man)(Citation: modinfo man)
+
+ https://attack.mitre.org/techniques/T1652'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1564
+ name: T1564 - Hide Artifacts
+ provider: MITRE ATT&CK
+ description: 'Adversaries may attempt to hide artifacts associated with their
+ behaviors to evade detection. Operating systems may have features to hide various
+ artifacts, such as important system files and administrative task execution,
+ to avoid disrupting user work environments and prevent users from changing files
+ or features on the system. Adversaries may abuse these features to hide artifacts
+ such as files, directories, user accounts, or other system activity to evade
+ detection.(Citation: Sofacy Komplex Trojan)(Citation: Cybereason OSX Pirrit)(Citation:
+ MalwareBytes ADS July 2015)
+
+
+ Adversaries may also attempt to hide artifacts associated with malicious behavior
+ by creating computing regions that are isolated from common security instrumentation,
+ such as through the use of virtualization technology.(Citation: Sophos Ragnar
+ May 2020)
+
+ https://attack.mitre.org/techniques/T1564'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1080
+ name: T1080 - Taint Shared Content
+ provider: MITRE ATT&CK
+ description: 'Adversaries may deliver payloads to remote systems by adding content
+ to shared storage locations, such as network drives or internal code repositories.
+ Content stored on network drives or in other shared locations may be tainted
+ by adding malicious programs, scripts, or exploit code to otherwise valid files.
+ Once a user opens the shared tainted content, the malicious portion can be executed
+ to run the adversary''s code on a remote system. Adversaries may use tainted
+ shared content to move laterally.
+
+
+ A directory share pivot is a variation on this technique that uses several other
+ techniques to propagate malware when users access a shared network directory.
+ It uses [Shortcut Modification](https://attack.mitre.org/techniques/T1547/009)
+ of directory .LNK files that use [Masquerading](https://attack.mitre.org/techniques/T1036)
+ to look like the real directories, which are hidden through [Hidden Files and
+ Directories](https://attack.mitre.org/techniques/T1564/001). The malicious .LNK-based
+ directories have an embedded command that executes the hidden malware file in
+ the directory and then opens the real intended directory so that the user''s
+ expected action still occurs. When used with frequently used network directories,
+ the technique may result in frequent reinfections and broad access to systems
+ and potentially to new and higher privileged accounts. (Citation: Retwin Directory
+ Share Pivot)
+
+
+ Adversaries may also compromise shared network directories through binary infections
+ by appending or prepending its code to the healthy binary on the shared network
+ directory. The malware may modify the original entry point (OEP) of the healthy
+ binary to ensure that it is executed before the legitimate code. The infection
+ could continue to spread via the newly infected file when it is executed by
+ a remote system. These infections may target both binary and non-binary formats
+ that end with extensions including, but not limited to, .EXE, .DLL, .SCR, .BAT,
+ and/or .VBS.
+
+ https://attack.mitre.org/techniques/T1080'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1137
+ name: T1137 - Office Application Startup
+ provider: MITRE ATT&CK
+ description: 'Adversaries may leverage Microsoft Office-based applications for
+ persistence between startups. Microsoft Office is a fairly common application
+ suite on Windows-based operating systems within an enterprise network. There
+ are multiple mechanisms that can be used with Office for persistence when an
+ Office-based application is started; this can include the use of Office Template
+ Macros and add-ins.
+
+
+ A variety of features have been discovered in Outlook that can be abused to
+ obtain persistence, such as Outlook rules, forms, and Home Page.(Citation: SensePost
+ Ruler GitHub) These persistence mechanisms can work within Outlook or be used
+ through Office 365.(Citation: TechNet O365 Outlook Rules)
+
+ https://attack.mitre.org/techniques/T1137'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1119
+ name: T1119 - Automated Collection
+ provider: MITRE ATT&CK
+ description: "Once established within a system or network, an adversary may use\
+ \ automated techniques for collecting internal data. Methods for performing\
+ \ this technique could include use of a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)\
+ \ to search for and copy information fitting set criteria such as file type,\
+ \ location, or name at specific time intervals. In cloud-based environments,\
+ \ adversaries may also use cloud APIs, command line interfaces, or extract,\
+ \ transform, and load (ETL) services to automatically collect data. This functionality\
+ \ could also be built into remote access tools. \n\nThis technique may incorporate\
+ \ use of other techniques such as [File and Directory Discovery](https://attack.mitre.org/techniques/T1083)\
+ \ and [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570) to\
+ \ identify and move files, as well as [Cloud Service Dashboard](https://attack.mitre.org/techniques/T1538)\
+ \ and [Cloud Storage Object Discovery](https://attack.mitre.org/techniques/T1619)\
+ \ to identify resources in cloud environments.\nhttps://attack.mitre.org/techniques/T1119"
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1115
+ name: T1115 - Clipboard Data
+ provider: MITRE ATT&CK
+ description: "Adversaries may collect data stored in the clipboard from users\
+ \ copying information within or between applications. \n\nFor example, on Windows\
+ \ adversaries can access clipboard data by using clip.exe
or Get-Clipboard
.(Citation:\
+ \ MSDN Clipboard)(Citation: clip_win_server)(Citation: CISA_AA21_200B) Additionally,\
+ \ adversaries may monitor then replace users\u2019 clipboard with their data\
+ \ (e.g., [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002)).(Citation:\
+ \ mining_ruby_reversinglabs)\n\nmacOS and Linux also have commands, such as\
+ \ pbpaste
, to grab clipboard contents.(Citation: Operating with\
+ \ EmPyre)\nhttps://attack.mitre.org/techniques/T1115"
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1007
+ name: T1007 - System Service Discovery
+ provider: MITRE ATT&CK
+ description: 'Adversaries may try to gather information about registered local
+ system services. Adversaries may obtain information about services using tools
+ as well as OS utility commands such as sc query
, tasklist
+ /svc
, systemctl --type=service
, and net start
.
+
+
+ Adversaries may use the information from [System Service Discovery](https://attack.mitre.org/techniques/T1007)
+ during automated discovery to shape follow-on behaviors, including whether or
+ not the adversary fully infects the target and/or attempts specific actions.
+
+ https://attack.mitre.org/techniques/T1007'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1040
+ name: T1040 - Network Sniffing
+ provider: MITRE ATT&CK
+ description: 'Adversaries may sniff network traffic to capture information about
+ an environment, including authentication material passed over the network. Network
+ sniffing refers to using the network interface on a system to monitor or capture
+ information sent over a wired or wireless connection. An adversary may place
+ a network interface into promiscuous mode to passively access data in transit
+ over the network, or use span ports to capture a larger amount of data.
+
+
+ Data captured via this technique may include user credentials, especially those
+ sent over an insecure, unencrypted protocol. Techniques for name service resolution
+ poisoning, such as [LLMNR/NBT-NS Poisoning and SMB Relay](https://attack.mitre.org/techniques/T1557/001),
+ can also be used to capture credentials to websites, proxies, and internal systems
+ by redirecting traffic to an adversary.
+
+
+ Network sniffing may also reveal configuration details, such as running services,
+ version numbers, and other network characteristics (e.g. IP addresses, hostnames,
+ VLAN IDs) necessary for subsequent Lateral Movement and/or Defense Evasion activities.
+
+
+ In cloud-based environments, adversaries may still be able to use traffic mirroring
+ services to sniff network traffic from virtual machines. For example, AWS Traffic
+ Mirroring, GCP Packet Mirroring, and Azure vTap allow users to define specified
+ instances to collect traffic from and specified targets to send collected traffic
+ to.(Citation: AWS Traffic Mirroring)(Citation: GCP Packet Mirroring)(Citation:
+ Azure Virtual Network TAP) Often, much of this traffic will be in cleartext
+ due to the use of TLS termination at the load balancer level to reduce the strain
+ of encrypting and decrypting traffic.(Citation: Rhino Security Labs AWS VPC
+ Traffic Mirroring)(Citation: SpecterOps AWS Traffic Mirroring) The adversary
+ can then use exfiltration techniques such as Transfer Data to Cloud Account
+ in order to access the sniffed traffic.(Citation: Rhino Security Labs AWS VPC
+ Traffic Mirroring)
+
+
+ On network devices, adversaries may perform network captures using [Network
+ Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as
+ `monitor capture`.(Citation: US-CERT-TA18-106A)(Citation: capture_embedded_packet_on_software)
+
+ https://attack.mitre.org/techniques/T1040'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1530
+ name: T1530 - Data from Cloud Storage
+ provider: MITRE ATT&CK
+ description: "Adversaries may access data from cloud storage.\n\nMany IaaS providers\
+ \ offer solutions for online data object storage such as Amazon S3, Azure Storage,\
+ \ and Google Cloud Storage. Similarly, SaaS enterprise platforms such as Office\
+ \ 365 and Google Workspace provide cloud-based document storage to users through\
+ \ services such as OneDrive and Google Drive, while SaaS application providers\
+ \ such as Slack, Confluence, Salesforce, and Dropbox may provide cloud storage\
+ \ solutions as a peripheral or primary use case of their platform. \n\nIn some\
+ \ cases, as with IaaS-based cloud storage, there exists no overarching application\
+ \ (such as SQL or Elasticsearch) with which to interact with the stored objects:\
+ \ instead, data from these solutions is retrieved directly though the [Cloud\
+ \ API](https://attack.mitre.org/techniques/T1059/009). In SaaS applications,\
+ \ adversaries may be able to collect this data directly from APIs or backend\
+ \ cloud storage objects, rather than through their front-end application or\
+ \ interface (i.e., [Data from Information Repositories](https://attack.mitre.org/techniques/T1213)).\
+ \ \n\nAdversaries may collect sensitive data from these cloud storage solutions.\
+ \ Providers typically offer security guides to help end users configure systems,\
+ \ though misconfigurations are a common problem.(Citation: Amazon S3 Security,\
+ \ 2019)(Citation: Microsoft Azure Storage Security, 2019)(Citation: Google Cloud\
+ \ Storage Best Practices, 2019) There have been numerous incidents where cloud\
+ \ storage has been improperly secured, typically by unintentionally allowing\
+ \ public access to unauthenticated users, overly-broad access by all users,\
+ \ or even access for any anonymous person outside the control of the Identity\
+ \ Access Management system without even needing basic user permissions.\n\n\
+ This open access may expose various types of sensitive data, such as credit\
+ \ cards, personally identifiable information, or medical records.(Citation:\
+ \ Trend Micro S3 Exposed PII, 2017)(Citation: Wired Magecart S3 Buckets, 2019)(Citation:\
+ \ HIPAA Journal S3 Breach, 2017)(Citation: Rclone-mega-extortion_05_2021)\n\n\
+ Adversaries may also obtain then abuse leaked credentials from source repositories,\
+ \ logs, or other means as a way to gain access to cloud storage objects.\nhttps://attack.mitre.org/techniques/T1530"
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1135
+ name: T1135 - Network Share Discovery
+ provider: MITRE ATT&CK
+ description: "Adversaries may look for folders and drives shared on remote systems\
+ \ as a means of identifying sources of information to gather as a precursor\
+ \ for Collection and to identify potential systems of interest for Lateral Movement.\
+ \ Networks often contain shared network drives and folders that enable users\
+ \ to access file directories on various systems across a network. \n\nFile sharing\
+ \ over a Windows network occurs over the SMB protocol. (Citation: Wikipedia\
+ \ Shared Resource) (Citation: TechNet Shared Folder) [Net](https://attack.mitre.org/software/S0039)\
+ \ can be used to query a remote system for available shared drives using the\
+ \ net view \\\\\\\\remotesystem
command. It can also be used to\
+ \ query shared drives on the local system using net share
. For\
+ \ macOS, the sharing -l
command lists all shared points used for\
+ \ smb services.\nhttps://attack.mitre.org/techniques/T1135"
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1120
+ name: T1120 - Peripheral Device Discovery
+ provider: MITRE ATT&CK
+ description: 'Adversaries may attempt to gather information about attached peripheral
+ devices and components connected to a computer system.(Citation: Peripheral
+ Discovery Linux)(Citation: Peripheral Discovery macOS) Peripheral devices could
+ include auxiliary resources that support a variety of functionalities such as
+ keyboards, printers, cameras, smart card readers, or removable storage. The
+ information may be used to enhance their awareness of the system and network
+ environment or may be used for further actions.
+
+ https://attack.mitre.org/techniques/T1120'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1082
+ name: T1082 - System Information Discovery
+ provider: MITRE ATT&CK
+ description: 'An adversary may attempt to get detailed information about the operating
+ system and hardware, including version, patches, hotfixes, service packs, and
+ architecture. Adversaries may use the information from [System Information Discovery](https://attack.mitre.org/techniques/T1082)
+ during automated discovery to shape follow-on behaviors, including whether or
+ not the adversary fully infects the target and/or attempts specific actions.
+
+
+ Tools such as [Systeminfo](https://attack.mitre.org/software/S0096) can be used
+ to gather detailed system information. If running with privileged access, a
+ breakdown of system data can be gathered through the systemsetup
+ configuration tool on macOS. As an example, adversaries with user-level access
+ can execute the df -aH
command to obtain currently mounted disks
+ and associated freely available space. Adversaries may also leverage a [Network
+ Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices
+ to gather detailed system information (e.g. show version
).(Citation:
+ US-CERT-TA18-106A) [System Information Discovery](https://attack.mitre.org/techniques/T1082)
+ combined with information gathered from other forms of discovery and reconnaissance
+ can drive payload development and concealment.(Citation: OSX.FairyTale)(Citation:
+ 20 macOS Common Tools and Techniques)
+
+
+ Infrastructure as a Service (IaaS) cloud providers such as AWS, GCP, and Azure
+ allow access to instance and virtual machine information via APIs. Successful
+ authenticated API calls can return data such as the operating system platform
+ and status of a particular instance or the model view of a virtual machine.(Citation:
+ Amazon Describe Instance)(Citation: Google Instances Resource)(Citation: Microsoft
+ Virutal Machine API)
+
+ https://attack.mitre.org/techniques/T1082'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1071
+ name: T1071 - Application Layer Protocol
+ provider: MITRE ATT&CK
+ description: "Adversaries may communicate using OSI application layer protocols\
+ \ to avoid detection/network filtering by blending in with existing traffic.\
+ \ Commands to the remote system, and often the results of those commands, will\
+ \ be embedded within the protocol traffic between the client and server. \n\n\
+ Adversaries may utilize many different protocols, including those used for web\
+ \ browsing, transferring files, electronic mail, or DNS. For connections that\
+ \ occur internally within an enclave (such as those between a proxy or pivot\
+ \ node and other nodes), commonly used protocols are SMB, SSH, or RDP.\nhttps://attack.mitre.org/techniques/T1071"
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1053
+ name: T1053 - Scheduled Task/Job
+ provider: MITRE ATT&CK
+ description: 'Adversaries may abuse task scheduling functionality to facilitate
+ initial or recurring execution of malicious code. Utilities exist within all
+ major operating systems to schedule programs or scripts to be executed at a
+ specified date and time. A task can also be scheduled on a remote system, provided
+ the proper authentication is met (ex: RPC and file and printer sharing in Windows
+ environments). Scheduling a task on a remote system typically may require being
+ a member of an admin or otherwise privileged group on the remote system.(Citation:
+ TechNet Task Scheduler Security)
+
+
+ Adversaries may use task scheduling to execute programs at system startup or
+ on a scheduled basis for persistence. These mechanisms can also be abused to
+ run a process under the context of a specified account (such as one with elevated
+ permissions/privileges). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218),
+ adversaries have also abused task scheduling to potentially mask one-time execution
+ under a trusted system process.(Citation: ProofPoint Serpent)
+
+ https://attack.mitre.org/techniques/T1053'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1176
+ name: T1176 - Browser Extensions
+ provider: MITRE ATT&CK
+ description: 'Adversaries may abuse Internet browser extensions to establish persistent
+ access to victim systems. Browser extensions or plugins are small programs that
+ can add functionality and customize aspects of Internet browsers. They can be
+ installed directly or through a browser''s app store and generally have access
+ and permissions to everything that the browser can access.(Citation: Wikipedia
+ Browser Extension)(Citation: Chrome Extensions Definition)
+
+
+ Malicious extensions can be installed into a browser through malicious app store
+ downloads masquerading as legitimate extensions, through social engineering,
+ or by an adversary that has already compromised a system. Security can be limited
+ on browser app stores so it may not be difficult for malicious extensions to
+ defeat automated scanners.(Citation: Malicious Chrome Extension Numbers) Depending
+ on the browser, adversaries may also manipulate an extension''s update url to
+ install updates from an adversary controlled server or manipulate the mobile
+ configuration file to silently install additional extensions.
+
+
+ Previous to macOS 11, adversaries could silently install browser extensions
+ via the command line using the profiles
tool to install malicious
+ .mobileconfig
files. In macOS 11+, the use of the profiles
+ tool can no longer install configuration profiles, however .mobileconfig
+ files can be planted and installed with user interaction.(Citation: xorrior
+ chrome extensions macOS)
+
+
+ Once the extension is installed, it can browse to websites in the background,
+ steal all information that a user enters into a browser (including credentials),
+ and be used as an installer for a RAT for persistence.(Citation: Chrome Extension
+ Crypto Miner)(Citation: ICEBRG Chrome Extensions)(Citation: Banker Google Chrome
+ Extension Steals Creds)(Citation: Catch All Chrome Extension)
+
+
+ There have also been instances of botnets using a persistent backdoor through
+ malicious Chrome extensions.(Citation: Stantinko Botnet) There have also been
+ similar examples of extensions being used for command & control.(Citation: Chrome
+ Extension C2 Malware)
+
+ https://attack.mitre.org/techniques/T1176'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1106
+ name: T1106 - Native API
+ provider: MITRE ATT&CK
+ description: 'Adversaries may interact with the native OS application programming
+ interface (API) to execute behaviors. Native APIs provide a controlled means
+ of calling low-level OS services within the kernel, such as those involving
+ hardware/devices, memory, and processes.(Citation: NT API Windows)(Citation:
+ Linux Kernel API) These native APIs are leveraged by the OS during system boot
+ (when other system components are not yet initialized) as well as carrying out
+ tasks and requests during routine operations.
+
+
+ Adversaries may abuse these OS API functions as a means of executing behaviors.
+ Similar to [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059),
+ the native API and its hierarchy of interfaces provide mechanisms to interact
+ with and utilize various components of a victimized system.
+
+
+ Native API functions (such as NtCreateProcess
) may be directed
+ invoked via system calls / syscalls, but these features are also often exposed
+ to user-mode applications via interfaces and libraries.(Citation: OutFlank System
+ Calls)(Citation: CyberBit System Calls)(Citation: MDSec System Calls) For example,
+ functions such as the Windows API CreateProcess()
or GNU fork()
+ will allow programs and scripts to start other processes.(Citation: Microsoft
+ CreateProcess)(Citation: GNU Fork) This may allow API callers to execute a binary,
+ run a CLI command, load modules, etc. as thousands of similar API functions
+ exist for various system operations.(Citation: Microsoft Win32)(Citation: LIBC)(Citation:
+ GLIBC)
+
+
+ Higher level software frameworks, such as Microsoft .NET and macOS Cocoa, are
+ also available to interact with native APIs. These frameworks typically provide
+ language wrappers/abstractions to API functionalities and are designed for ease-of-use/portability
+ of code.(Citation: Microsoft NET)(Citation: Apple Core Services)(Citation: MACOS
+ Cocoa)(Citation: macOS Foundation)
+
+
+ Adversaries may use assembly to directly or in-directly invoke syscalls in an
+ attempt to subvert defensive sensors and detection signatures such as user mode
+ API-hooks.(Citation: Redops Syscalls) Adversaries may also attempt to tamper
+ with sensors and defensive tools associated with API monitoring, such as unhooking
+ monitored functions via [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001).
+
+ https://attack.mitre.org/techniques/T1106'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1202
+ name: T1202 - Indirect Command Execution
+ provider: MITRE ATT&CK
+ description: 'Adversaries may abuse utilities that allow for command execution
+ to bypass security restrictions that limit the use of command-line interpreters.
+ Various Windows utilities may be used to execute commands, possibly without
+ invoking [cmd](https://attack.mitre.org/software/S0106). For example, [Forfiles](https://attack.mitre.org/software/S0193),
+ the Program Compatibility Assistant (pcalua.exe), components of the Windows
+ Subsystem for Linux (WSL), as well as other utilities may invoke the execution
+ of programs and commands from a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059),
+ Run window, or via scripts. (Citation: VectorSec ForFiles Aug 2017) (Citation:
+ Evi1cg Forfiles Nov 2017)
+
+
+ Adversaries may abuse these features for [Defense Evasion](https://attack.mitre.org/tactics/TA0005),
+ specifically to perform arbitrary execution while subverting detections and/or
+ mitigation controls (such as Group Policy) that limit/prevent the usage of [cmd](https://attack.mitre.org/software/S0106)
+ or file extensions more commonly associated with malicious payloads.
+
+ https://attack.mitre.org/techniques/T1202'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1091
+ name: T1091 - Replication Through Removable Media
+ provider: MITRE ATT&CK
+ description: 'Adversaries may move onto systems, possibly those on disconnected
+ or air-gapped networks, by copying malware to removable media and taking advantage
+ of Autorun features when the media is inserted into a system and executes. In
+ the case of Lateral Movement, this may occur through modification of executable
+ files stored on removable media or by copying malware and renaming it to look
+ like a legitimate file to trick users into executing it on a separate system.
+ In the case of Initial Access, this may occur through manual manipulation of
+ the media, modification of systems used to initially format the media, or modification
+ to the media''s firmware itself.
+
+
+ Mobile devices may also be used to infect PCs with malware if connected via
+ USB.(Citation: Exploiting Smartphone USB ) This infection may be achieved using
+ devices (Android, iOS, etc.) and, in some instances, USB charging cables.(Citation:
+ Windows Malware Infecting Android)(Citation: iPhone Charging Cable Hack) For
+ example, when a smartphone is connected to a system, it may appear to be mounted
+ similar to a USB-connected disk drive. If malware that is compatible with the
+ connected system is on the mobile device, the malware could infect the machine
+ (especially if Autorun features are enabled).
+
+ https://attack.mitre.org/techniques/T1091'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1005
+ name: T1005 - Data from Local System
+ provider: MITRE ATT&CK
+ description: 'Adversaries may search local system sources, such as file systems
+ and configuration files or local databases, to find files of interest and sensitive
+ data prior to Exfiltration.
+
+
+ Adversaries may do this using a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059),
+ such as [cmd](https://attack.mitre.org/software/S0106) as well as a [Network
+ Device CLI](https://attack.mitre.org/techniques/T1059/008), which have functionality
+ to interact with the file system to gather information.(Citation: show_run_config_cmd_cisco)
+ Adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T1119)
+ on the local system.
+
+ https://attack.mitre.org/techniques/T1005'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1140
+ name: T1140 - Deobfuscate/Decode Files or Information
+ provider: MITRE ATT&CK
+ description: 'Adversaries may use [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027)
+ to hide artifacts of an intrusion from analysis. They may require separate mechanisms
+ to decode or deobfuscate that information depending on how they intend to use
+ it. Methods for doing that include built-in functionality of malware or by using
+ utilities present on the system.
+
+
+ One such example is the use of [certutil](https://attack.mitre.org/software/S0160)
+ to decode a remote access tool portable executable file that has been hidden
+ inside a certificate file.(Citation: Malwarebytes Targeted Attack against Saudi
+ Arabia) Another example is using the Windows copy /b
command to
+ reassemble binary fragments into a malicious payload.(Citation: Carbon Black
+ Obfuscation Sept 2016)
+
+
+ Sometimes a user''s action may be required to open it for deobfuscation or decryption
+ as part of [User Execution](https://attack.mitre.org/techniques/T1204). The
+ user may also be required to input a password to open a password protected compressed/encrypted
+ file that was provided by the adversary. (Citation: Volexity PowerDuke November
+ 2016)
+
+ https://attack.mitre.org/techniques/T1140'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1562
+ name: T1562 - Impair Defenses
+ provider: MITRE ATT&CK
+ description: 'Adversaries may maliciously modify components of a victim environment
+ in order to hinder or disable defensive mechanisms. This not only involves impairing
+ preventative defenses, such as firewalls and anti-virus, but also detection
+ capabilities that defenders can use to audit activity and identify malicious
+ behavior. This may also span both native defenses as well as supplemental capabilities
+ installed by users and administrators.
+
+
+ Adversaries may also impair routine operations that contribute to defensive
+ hygiene, such as blocking users from logging out of a computer or stopping it
+ from being shut down. These restrictions can further enable malicious operations
+ as well as the continued propagation of incidents.(Citation: Emotet shutdown)
+
+
+ Adversaries could also target event aggregation and analysis mechanisms, or
+ otherwise disrupt these procedures by altering other system components.
+
+ https://attack.mitre.org/techniques/T1562'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1195
+ name: T1195 - Supply Chain Compromise
+ provider: MITRE ATT&CK
+ description: "Adversaries may manipulate products or product delivery mechanisms\
+ \ prior to receipt by a final consumer for the purpose of data or system compromise.\n\
+ \nSupply chain compromise can take place at any stage of the supply chain including:\n\
+ \n* Manipulation of development tools\n* Manipulation of a development environment\n\
+ * Manipulation of source code repositories (public or private)\n* Manipulation\
+ \ of source code in open-source dependencies\n* Manipulation of software update/distribution\
+ \ mechanisms\n* Compromised/infected system images (multiple cases of removable\
+ \ media infected at the factory)(Citation: IBM Storwize)(Citation: Schneider\
+ \ Electric USB Malware) \n* Replacement of legitimate software with modified\
+ \ versions\n* Sales of modified/counterfeit products to legitimate distributors\n\
+ * Shipment interdiction\n\nWhile supply chain compromise can impact any component\
+ \ of hardware or software, adversaries looking to gain execution have often\
+ \ focused on malicious additions to legitimate software in software distribution\
+ \ or update channels.(Citation: Avast CCleaner3 2018)(Citation: Microsoft Dofoil\
+ \ 2018)(Citation: Command Five SK 2011) Targeting may be specific to a desired\
+ \ victim set or malicious software may be distributed to a broad set of consumers\
+ \ but only move on to additional tactics on specific victims.(Citation: Symantec\
+ \ Elderwood Sept 2012)(Citation: Avast CCleaner3 2018)(Citation: Command Five\
+ \ SK 2011) Popular open source projects that are used as dependencies in many\
+ \ applications may also be targeted as a means to add malicious code to users\
+ \ of the dependency.(Citation: Trendmicro NPM Compromise)\nhttps://attack.mitre.org/techniques/T1195"
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1190
+ name: T1190 - Exploit Public-Facing Application
+ provider: MITRE ATT&CK
+ description: "Adversaries may attempt to exploit a weakness in an Internet-facing\
+ \ host or system to initially access a network. The weakness in the system can\
+ \ be a software bug, a temporary glitch, or a misconfiguration.\n\nExploited\
+ \ applications are often websites/web servers, but can also include databases\
+ \ (like SQL), standard services (like SMB or SSH), network device administration\
+ \ and management protocols (like SNMP and Smart Install), and any other system\
+ \ with Internet accessible open sockets.(Citation: NVD CVE-2016-6662)(Citation:\
+ \ CIS Multiple SMB Vulnerabilities)(Citation: US-CERT TA18-106A Network Infrastructure\
+ \ Devices 2018)(Citation: Cisco Blog Legacy Device Attacks)(Citation: NVD CVE-2014-7169)\
+ \ Depending on the flaw being exploited this may also involve [Exploitation\
+ \ for Defense Evasion](https://attack.mitre.org/techniques/T1211). \n\nIf an\
+ \ application is hosted on cloud-based infrastructure and/or is containerized,\
+ \ then exploiting it may lead to compromise of the underlying instance or container.\
+ \ This can allow an adversary a path to access the cloud or container APIs,\
+ \ exploit container host access via [Escape to Host](https://attack.mitre.org/techniques/T1611),\
+ \ or take advantage of weak identity and access management policies.\n\nAdversaries\
+ \ may also exploit edge network infrastructure and related appliances, specifically\
+ \ targeting devices that do not support robust host-based defenses.(Citation:\
+ \ Mandiant Fortinet Zero Day)(Citation: Wired Russia Cyberwar)\n\nFor websites\
+ \ and databases, the OWASP top 10 and CWE top 25 highlight the most common web-based\
+ \ vulnerabilities.(Citation: OWASP Top 10)(Citation: CWE top 25)\nhttps://attack.mitre.org/techniques/T1190"
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1558
+ name: T1558 - Steal or Forge Kerberos Tickets
+ provider: MITRE ATT&CK
+ description: "Adversaries may attempt to subvert Kerberos authentication by stealing\
+ \ or forging Kerberos tickets to enable [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003).\
+ \ Kerberos is an authentication protocol widely used in modern Windows domain\
+ \ environments. In Kerberos environments, referred to as \u201Crealms\u201D\
+ , there are three basic participants: client, service, and Key Distribution\
+ \ Center (KDC).(Citation: ADSecurity Kerberos Ring Decoder) Clients request\
+ \ access to a service and through the exchange of Kerberos tickets, originating\
+ \ from KDC, they are granted access after having successfully authenticated.\
+ \ The KDC is responsible for both authentication and ticket granting. Adversaries\
+ \ may attempt to abuse Kerberos by stealing tickets or forging tickets to enable\
+ \ unauthorized access.\n\nOn Windows, the built-in klist
utility\
+ \ can be used to list and analyze cached Kerberos tickets.(Citation: Microsoft\
+ \ Klist)\n\nLinux systems on Active Directory domains store Kerberos credentials\
+ \ locally in the credential cache file referred to as the \"ccache\". The credentials\
+ \ are stored in the ccache file while they remain valid and generally while\
+ \ a user's session lasts.(Citation: MIT ccache) On modern Redhat Enterprise\
+ \ Linux systems, and derivative distributions, the System Security Services\
+ \ Daemon (SSSD) handles Kerberos tickets. By default SSSD maintains a copy of\
+ \ the ticket database that can be found in /var/lib/sss/secrets/secrets.ldb
\
+ \ as well as the corresponding key located in /var/lib/sss/secrets/.secrets.mkey
.\
+ \ Both files require root access to read. If an adversary is able to access\
+ \ the database and key, the credential cache Kerberos blob can be extracted\
+ \ and converted into a usable Kerberos ccache file that adversaries may use\
+ \ for [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003). The\
+ \ ccache file may also be converted into a Windows format using tools such as\
+ \ Kekeo.(Citation: Linux Kerberos Tickets)(Citation: Brining MimiKatz to Unix)(Citation:\
+ \ Kekeo)\n\n\nKerberos tickets on macOS are stored in a standard ccache format,\
+ \ similar to Linux. By default, access to these ccache entries is federated\
+ \ through the KCM daemon process via the Mach RPC protocol, which uses the caller's\
+ \ environment to determine access. The storage location for these ccache entries\
+ \ is influenced by the /etc/krb5.conf
configuration file and the\
+ \ KRB5CCNAME
environment variable which can specify to save them\
+ \ to disk or keep them protected via the KCM daemon. Users can interact with\
+ \ ticket storage using kinit
, klist
, ktutil
,\
+ \ and kcc
built-in binaries or via Apple's native Kerberos framework.\
+ \ Adversaries can use open source tools to interact with the ccache files directly\
+ \ or to use the Kerberos framework to call lower-level APIs for extracting the\
+ \ user's TGT or Service Tickets.(Citation: SpectorOps Bifrost Kerberos macOS\
+ \ 2019)(Citation: macOS kerberos framework MIT)\nhttps://attack.mitre.org/techniques/T1558"
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1555
+ name: T1555 - Credentials from Password Stores
+ provider: MITRE ATT&CK
+ description: 'Adversaries may search for common password storage locations to
+ obtain user credentials. Passwords are stored in several places on a system,
+ depending on the operating system or application holding the credentials. There
+ are also specific applications and services that store passwords to make them
+ easier for users to manage and maintain, such as password managers and cloud
+ secrets vaults. Once credentials are obtained, they can be used to perform lateral
+ movement and access restricted information.
+
+ https://attack.mitre.org/techniques/T1555'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1567
+ name: T1567 - Exfiltration Over Web Service
+ provider: MITRE ATT&CK
+ description: 'Adversaries may use an existing, legitimate external Web service
+ to exfiltrate data rather than their primary command and control channel. Popular
+ Web services acting as an exfiltration mechanism may give a significant amount
+ of cover due to the likelihood that hosts within a network are already communicating
+ with them prior to compromise. Firewall rules may also already exist to permit
+ traffic to these services.
+
+
+ Web service providers also commonly use SSL/TLS encryption, giving adversaries
+ an added level of protection.
+
+ https://attack.mitre.org/techniques/T1567'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1219
+ name: T1219 - Remote Access Software
+ provider: MITRE ATT&CK
+ description: "An adversary may use legitimate desktop support and remote access\
+ \ software to establish an interactive command and control channel to target\
+ \ systems within networks. These services, such as `VNC`, `Team Viewer`, `AnyDesk`,\
+ \ `ScreenConnect`, `LogMein`, `AmmyyAdmin`, and other remote monitoring and\
+ \ management (RMM) tools, are commonly used as legitimate technical support\
+ \ software and may be allowed by application control within a target environment.(Citation:\
+ \ Symantec Living off the Land)(Citation: CrowdStrike 2015 Global Threat Report)(Citation:\
+ \ CrySyS Blog TeamSpy)\n\nRemote access software may be installed and used post-compromise\
+ \ as an alternate communications channel for redundant access or as a way to\
+ \ establish an interactive remote desktop session with the target system. They\
+ \ may also be used as a component of malware to establish a reverse connection\
+ \ or back-connect to a service or adversary controlled system.\n \nAdversaries\
+ \ may similarly abuse response features included in EDR and other defensive\
+ \ tools that enable remote access.\n\nInstallation of many remote access software\
+ \ may also include persistence (e.g., the software's installation routine creates\
+ \ a [Windows Service](https://attack.mitre.org/techniques/T1543/003)).\nhttps://attack.mitre.org/techniques/T1219"
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1036
+ name: T1036 - Masquerading
+ provider: MITRE ATT&CK
+ description: 'Adversaries may attempt to manipulate features of their artifacts
+ to make them appear legitimate or benign to users and/or security tools. Masquerading
+ occurs when the name or location of an object, legitimate or malicious, is manipulated
+ or abused for the sake of evading defenses and observation. This may include
+ manipulating file metadata, tricking users into misidentifying the file type,
+ and giving legitimate task or service names.
+
+
+ Renaming abusable system utilities to evade security monitoring is also a form
+ of [Masquerading](https://attack.mitre.org/techniques/T1036).(Citation: LOLBAS
+ Main Site) Masquerading may also include the use of [Proxy](https://attack.mitre.org/techniques/T1090)
+ or VPNs to disguise IP addresses, which can allow adversaries to blend in with
+ normal network traffic and bypass conditional access policies or anti-abuse
+ protections.
+
+ https://attack.mitre.org/techniques/T1036'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1552
+ name: T1552 - Unsecured Credentials
+ provider: MITRE ATT&CK
+ description: 'Adversaries may search compromised systems to find and obtain insecurely
+ stored credentials. These credentials can be stored and/or misplaced in many
+ locations on a system, including plaintext files (e.g. [Bash History](https://attack.mitre.org/techniques/T1552/003)),
+ operating system or application-specific repositories (e.g. [Credentials in
+ Registry](https://attack.mitre.org/techniques/T1552/002)), or other specialized
+ files/artifacts (e.g. [Private Keys](https://attack.mitre.org/techniques/T1552/004)).
+
+ https://attack.mitre.org/techniques/T1552'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1659
+ name: T1659 - Content Injection
+ provider: MITRE ATT&CK
+ description: 'Adversaries may gain access and continuously communicate with victims
+ by injecting malicious content into systems through online network traffic.
+ Rather than luring victims to malicious payloads hosted on a compromised website
+ (i.e., [Drive-by Target](https://attack.mitre.org/techniques/T1608/004) followed
+ by [Drive-by Compromise](https://attack.mitre.org/techniques/T1189)), adversaries
+ may initially access victims through compromised data-transfer channels where
+ they can manipulate traffic and/or inject their own content. These compromised
+ online network channels may also be used to deliver additional payloads (i.e.,
+ [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) and other
+ data to already compromised systems.(Citation: ESET MoustachedBouncer)
+
+
+ Adversaries may inject content to victim systems in various ways, including:
+
+
+ * From the middle, where the adversary is in-between legitimate online client-server
+ communications (**Note:** this is similar but distinct from [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557),
+ which describes AiTM activity solely within an enterprise environment) (Citation:
+ Kaspersky Encyclopedia MiTM)
+
+ * From the side, where malicious content is injected and races to the client
+ as a fake response to requests of a legitimate online server (Citation: Kaspersky
+ ManOnTheSide)
+
+
+ Content injection is often the result of compromised upstream communication
+ channels, for example at the level of an internet service provider (ISP) as
+ is the case with "lawful interception."(Citation: Kaspersky ManOnTheSide)(Citation:
+ ESET MoustachedBouncer)(Citation: EFF China GitHub Attack)
+
+ https://attack.mitre.org/techniques/T1659'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1055
+ name: T1055 - Process Injection
+ provider: MITRE ATT&CK
+ description: "Adversaries may inject code into processes in order to evade process-based\
+ \ defenses as well as possibly elevate privileges. Process injection is a method\
+ \ of executing arbitrary code in the address space of a separate live process.\
+ \ Running code in the context of another process may allow access to the process's\
+ \ memory, system/network resources, and possibly elevated privileges. Execution\
+ \ via process injection may also evade detection from security products since\
+ \ the execution is masked under a legitimate process. \n\nThere are many different\
+ \ ways to inject code into a process, many of which abuse legitimate functionalities.\
+ \ These implementations exist for every major OS but are typically platform\
+ \ specific. \n\nMore sophisticated samples may perform multiple process injections\
+ \ to segment modules and further evade detection, utilizing named pipes or other\
+ \ inter-process communication (IPC) mechanisms as a communication channel.\n\
+ https://attack.mitre.org/techniques/T1055"
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1205
+ name: T1205 - Traffic Signaling
+ provider: MITRE ATT&CK
+ description: 'Adversaries may use traffic signaling to hide open ports or other
+ malicious functionality used for persistence or command and control. Traffic
+ signaling involves the use of a magic value or sequence that must be sent to
+ a system to trigger a special response, such as opening a closed port or executing
+ a malicious task. This may take the form of sending a series of packets with
+ certain characteristics before a port will be opened that the adversary can
+ use for command and control. Usually this series of packets consists of attempted
+ connections to a predefined sequence of closed ports (i.e. [Port Knocking](https://attack.mitre.org/techniques/T1205/001)),
+ but can involve unusual flags, specific strings, or other unique characteristics.
+ After the sequence is completed, opening a port may be accomplished by the host-based
+ firewall, but could also be implemented by custom software.
+
+
+ Adversaries may also communicate with an already open port, but the service
+ listening on that port will only respond to commands or trigger other malicious
+ functionality if passed the appropriate magic value(s).
+
+
+ The observation of the signal packets to trigger the communication can be conducted
+ through different methods. One means, originally implemented by Cd00r (Citation:
+ Hartrell cd00r 2002), is to use the libpcap libraries to sniff for the packets
+ in question. Another method leverages raw sockets, which enables the malware
+ to use ports that are already open for use by other programs.
+
+
+ On network devices, adversaries may use crafted packets to enable [Network Device
+ Authentication](https://attack.mitre.org/techniques/T1556/004) for standard
+ services offered by the device such as telnet. Such signaling may also be used
+ to open a closed service port such as telnet, or to trigger module modification
+ of malware implants on the device, adding, removing, or changing malicious capabilities. Adversaries
+ may use crafted packets to attempt to connect to one or more (open or closed)
+ ports, but may also attempt to connect to a router interface, broadcast, and
+ network address IP on the same port in order to achieve their goals and objectives.(Citation:
+ Cisco Synful Knock Evolution)(Citation: Mandiant - Synful Knock)(Citation: Cisco
+ Blog Legacy Device Attacks) To enable this traffic signaling on embedded devices,
+ adversaries must first achieve and leverage [Patch System Image](https://attack.mitre.org/techniques/T1601/001)
+ due to the monolithic nature of the architecture.
+
+
+ Adversaries may also use the Wake-on-LAN feature to turn on powered off systems.
+ Wake-on-LAN is a hardware feature that allows a powered down system to be powered
+ on, or woken up, by sending a magic packet to it. Once the system is powered
+ on, it may become a target for lateral movement.(Citation: Bleeping Computer
+ - Ryuk WoL)(Citation: AMD Magic Packet)
+
+ https://attack.mitre.org/techniques/T1205'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1218
+ name: T1218 - System Binary Proxy Execution
+ provider: MITRE ATT&CK
+ description: 'Adversaries may bypass process and/or signature-based defenses by
+ proxying execution of malicious content with signed, or otherwise trusted, binaries.
+ Binaries used in this technique are often Microsoft-signed files, indicating
+ that they have been either downloaded from Microsoft or are already native in
+ the operating system.(Citation: LOLBAS Project) Binaries signed with trusted
+ digital certificates can typically execute on Windows systems protected by digital
+ signature validation. Several Microsoft signed binaries that are default on
+ Windows installations can be used to proxy execution of other files or commands.
+
+
+ Similarly, on Linux systems adversaries may abuse trusted binaries such as split
+ to proxy execution of malicious commands.(Citation: split man page)(Citation:
+ GTFO split)
+
+ https://attack.mitre.org/techniques/T1218'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1620
+ name: T1620 - Reflective Code Loading
+ provider: MITRE ATT&CK
+ description: "Adversaries may reflectively load code into a process in order to\
+ \ conceal the execution of malicious payloads. Reflective loading involves allocating\
+ \ then executing payloads directly within the memory of the process, vice creating\
+ \ a thread or process backed by a file path on disk. Reflectively loaded payloads\
+ \ may be compiled binaries, anonymous files (only present in RAM), or just snubs\
+ \ of fileless executable code (ex: position-independent shellcode).(Citation:\
+ \ Introducing Donut)(Citation: S1 Custom Shellcode Tool)(Citation: Stuart ELF\
+ \ Memory)(Citation: 00sec Droppers)(Citation: Mandiant BYOL)\n\nReflective code\
+ \ injection is very similar to [Process Injection](https://attack.mitre.org/techniques/T1055)\
+ \ except that the \u201Cinjection\u201D loads code into the processes\u2019\
+ \ own memory instead of that of a separate process. Reflective loading may evade\
+ \ process-based detections since the execution of the arbitrary code may be\
+ \ masked within a legitimate or otherwise benign process. Reflectively loading\
+ \ payloads directly into memory may also avoid creating files or other artifacts\
+ \ on disk, while also enabling malware to keep these payloads encrypted (or\
+ \ otherwise obfuscated) until execution.(Citation: Stuart ELF Memory)(Citation:\
+ \ 00sec Droppers)(Citation: Intezer ACBackdoor)(Citation: S1 Old Rat New Tricks)\n\
+ https://attack.mitre.org/techniques/T1620"
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1611
+ name: T1611 - Escape to Host
+ provider: MITRE ATT&CK
+ description: "Adversaries may break out of a container to gain access to the underlying\
+ \ host. This can allow an adversary access to other containerized resources\
+ \ from the host level or to the host itself. In principle, containerized resources\
+ \ should provide a clear separation of application functionality and be isolated\
+ \ from the host environment.(Citation: Docker Overview)\n\nThere are multiple\
+ \ ways an adversary may escape to a host environment. Examples include creating\
+ \ a container configured to mount the host\u2019s filesystem using the bind\
+ \ parameter, which allows the adversary to drop payloads and execute control\
+ \ utilities such as cron on the host; utilizing a privileged container to run\
+ \ commands or load a malicious kernel module on the underlying host; or abusing\
+ \ system calls such as `unshare` and `keyctl` to escalate privileges and steal\
+ \ secrets.(Citation: Docker Bind Mounts)(Citation: Trend Micro Privileged Container)(Citation:\
+ \ Intezer Doki July 20)(Citation: Container Escape)(Citation: Crowdstrike Kubernetes\
+ \ Container Escape)(Citation: Keyctl-unmask)\n\nAdditionally, an adversary may\
+ \ be able to exploit a compromised container with a mounted container management\
+ \ socket, such as `docker.sock`, to break out of the container via a [Container\
+ \ Administration Command](https://attack.mitre.org/techniques/T1609).(Citation:\
+ \ Container Escape) Adversaries may also escape via [Exploitation for Privilege\
+ \ Escalation](https://attack.mitre.org/techniques/T1068), such as exploiting\
+ \ vulnerabilities in global symbolic links in order to access the root directory\
+ \ of a host machine.(Citation: Windows Server Containers Are Open)\n\nGaining\
+ \ access to the host may provide the adversary with the opportunity to achieve\
+ \ follow-on objectives, such as establishing persistence, moving laterally within\
+ \ the environment, or setting up a command and control channel on the host.\n\
+ https://attack.mitre.org/techniques/T1611"
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1010
+ name: T1010 - Application Window Discovery
+ provider: MITRE ATT&CK
+ description: 'Adversaries may attempt to get a listing of open application windows.
+ Window listings could convey information about how the system is used.(Citation:
+ Prevailion DarkWatchman 2021) For example, information about application windows
+ could be used identify potential data to collect as well as identifying security
+ tooling ([Security Software Discovery](https://attack.mitre.org/techniques/T1518/001))
+ to evade.(Citation: ESET Grandoreiro April 2020)
+
+
+ Adversaries typically abuse system features for this type of enumeration. For
+ example, they may gather information through native system features such as
+ [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)
+ commands and [Native API](https://attack.mitre.org/techniques/T1106) functions.
+
+ https://attack.mitre.org/techniques/T1010'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1029
+ name: T1029 - Scheduled Transfer
+ provider: MITRE ATT&CK
+ description: 'Adversaries may schedule data exfiltration to be performed only
+ at certain times of day or at certain intervals. This could be done to blend
+ traffic patterns with normal activity or availability.
+
+
+ When scheduled exfiltration is used, other exfiltration techniques likely apply
+ as well to transfer the information out of the network, such as [Exfiltration
+ Over C2 Channel](https://attack.mitre.org/techniques/T1041) or [Exfiltration
+ Over Alternative Protocol](https://attack.mitre.org/techniques/T1048).
+
+ https://attack.mitre.org/techniques/T1029'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1525
+ name: T1525 - Implant Internal Image
+ provider: MITRE ATT&CK
+ description: "Adversaries may implant cloud or container images with malicious\
+ \ code to establish persistence after gaining access to an environment. Amazon\
+ \ Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP)\
+ \ Images, and Azure Images as well as popular container runtimes such as Docker\
+ \ can be implanted or backdoored. Unlike [Upload Malware](https://attack.mitre.org/techniques/T1608/001),\
+ \ this technique focuses on adversaries implanting an image in a registry within\
+ \ a victim\u2019s environment. Depending on how the infrastructure is provisioned,\
+ \ this could provide persistent access if the infrastructure provisioning tool\
+ \ is instructed to always use the latest image.(Citation: Rhino Labs Cloud Image\
+ \ Backdoor Technique Sept 2019)\n\nA tool has been developed to facilitate planting\
+ \ backdoors in cloud container images.(Citation: Rhino Labs Cloud Backdoor September\
+ \ 2019) If an adversary has access to a compromised AWS instance, and permissions\
+ \ to list the available container images, they may implant a backdoor such as\
+ \ a [Web Shell](https://attack.mitre.org/techniques/T1505/003).(Citation: Rhino\
+ \ Labs Cloud Image Backdoor Technique Sept 2019)\nhttps://attack.mitre.org/techniques/T1525"
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1572
+ name: T1572 - Protocol Tunneling
+ provider: MITRE ATT&CK
+ description: "Adversaries may tunnel network communications to and from a victim\
+ \ system within a separate protocol to avoid detection/network filtering and/or\
+ \ enable access to otherwise unreachable systems. Tunneling involves explicitly\
+ \ encapsulating a protocol within another. This behavior may conceal malicious\
+ \ traffic by blending in with existing traffic and/or provide an outer layer\
+ \ of encryption (similar to a VPN). Tunneling could also enable routing of network\
+ \ packets that would otherwise not reach their intended destination, such as\
+ \ SMB, RDP, or other traffic that would be filtered by network appliances or\
+ \ not routed over the Internet. \n\nThere are various means to encapsulate a\
+ \ protocol within another protocol. For example, adversaries may perform SSH\
+ \ tunneling (also known as SSH port forwarding), which involves forwarding arbitrary\
+ \ data over an encrypted SSH tunnel.(Citation: SSH Tunneling) \n\n[Protocol\
+ \ Tunneling](https://attack.mitre.org/techniques/T1572) may also be abused by\
+ \ adversaries during [Dynamic Resolution](https://attack.mitre.org/techniques/T1568).\
+ \ Known as DNS over HTTPS (DoH), queries to resolve C2 infrastructure may be\
+ \ encapsulated within encrypted HTTPS packets.(Citation: BleepingComp Godlua\
+ \ JUL19) \n\nAdversaries may also leverage [Protocol Tunneling](https://attack.mitre.org/techniques/T1572)\
+ \ in conjunction with [Proxy](https://attack.mitre.org/techniques/T1090) and/or\
+ \ [Protocol Impersonation](https://attack.mitre.org/techniques/T1001/003) to\
+ \ further conceal C2 communications and infrastructure.\nhttps://attack.mitre.org/techniques/T1572"
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1550
+ name: T1550 - Use Alternate Authentication Material
+ provider: MITRE ATT&CK
+ description: "Adversaries may use alternate authentication material, such as password\
+ \ hashes, Kerberos tickets, and application access tokens, in order to move\
+ \ laterally within an environment and bypass normal system access controls.\
+ \ \n\nAuthentication processes generally require a valid identity (e.g., username)\
+ \ along with one or more authentication factors (e.g., password, pin, physical\
+ \ smart card, token generator, etc.). Alternate authentication material is legitimately\
+ \ generated by systems after a user or application successfully authenticates\
+ \ by providing a valid identity and the required authentication factor(s). Alternate\
+ \ authentication material may also be generated during the identity creation\
+ \ process.(Citation: NIST Authentication)(Citation: NIST MFA)\n\nCaching alternate\
+ \ authentication material allows the system to verify an identity has successfully\
+ \ authenticated without asking the user to reenter authentication factor(s).\
+ \ Because the alternate authentication must be maintained by the system\u2014\
+ either in memory or on disk\u2014it may be at risk of being stolen through [Credential\
+ \ Access](https://attack.mitre.org/tactics/TA0006) techniques. By stealing alternate\
+ \ authentication material, adversaries are able to bypass system access controls\
+ \ and authenticate to systems without knowing the plaintext password or any\
+ \ additional authentication factors.\nhttps://attack.mitre.org/techniques/T1550"
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1011
+ name: T1011 - Exfiltration Over Other Network Medium
+ provider: MITRE ATT&CK
+ description: 'Adversaries may attempt to exfiltrate data over a different network
+ medium than the command and control channel. If the command and control network
+ is a wired Internet connection, the exfiltration may occur, for example, over
+ a WiFi connection, modem, cellular data connection, Bluetooth, or another radio
+ frequency (RF) channel.
+
+
+ Adversaries may choose to do this if they have sufficient access or proximity,
+ and the connection might not be secured or defended as well as the primary Internet-connected
+ channel because it is not routed through the same enterprise network.
+
+ https://attack.mitre.org/techniques/T1011'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1589
+ name: T1589 - Gather Victim Identity Information
+ provider: MITRE ATT&CK
+ description: 'Adversaries may gather information about the victim''s identity
+ that can be used during targeting. Information about identities may include
+ a variety of details, including personal data (ex: employee names, email addresses,
+ etc.) as well as sensitive details such as credentials.
+
+
+ Adversaries may gather this information in various ways, such as direct elicitation
+ via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information
+ about users could also be enumerated via other active means (i.e. [Active Scanning](https://attack.mitre.org/techniques/T1595))
+ such as probing and analyzing responses from authentication services that may
+ reveal valid usernames in a system.(Citation: GrimBlog UsernameEnum) Information
+ about victims may also be exposed to adversaries via online or other accessible
+ data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001)
+ or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation:
+ OPM Leak)(Citation: Register Deloitte)(Citation: Register Uber)(Citation: Detectify
+ Slack Tokens)(Citation: Forbes GitHub Creds)(Citation: GitHub truffleHog)(Citation:
+ GitHub Gitrob)(Citation: CNET Leaks)
+
+
+ Gathering this information may reveal opportunities for other forms of reconnaissance
+ (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)
+ or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing
+ operational resources (ex: [Compromise Accounts](https://attack.mitre.org/techniques/T1586)),
+ and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566)
+ or [Valid Accounts](https://attack.mitre.org/techniques/T1078)).
+
+ https://attack.mitre.org/techniques/T1589'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1560
+ name: T1560 - Archive Collected Data
+ provider: MITRE ATT&CK
+ description: 'An adversary may compress and/or encrypt data that is collected
+ prior to exfiltration. Compressing the data can help to obfuscate the collected
+ data and minimize the amount of data sent over the network. Encryption can be
+ used to hide information that is being exfiltrated from detection or make exfiltration
+ less conspicuous upon inspection by a defender.
+
+
+ Both compression and encryption are done prior to exfiltration, and can be performed
+ using a utility, 3rd party library, or custom method.
+
+ https://attack.mitre.org/techniques/T1560'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1185
+ name: T1185 - Browser Session Hijacking
+ provider: MITRE ATT&CK
+ description: 'Adversaries may take advantage of security vulnerabilities and inherent
+ functionality in browser software to change content, modify user-behaviors,
+ and intercept information as part of various browser session hijacking techniques.(Citation:
+ Wikipedia Man in the Browser)
+
+
+ A specific example is when an adversary injects software into a browser that
+ allows them to inherit cookies, HTTP sessions, and SSL client certificates of
+ a user then use the browser as a way to pivot into an authenticated intranet.(Citation:
+ Cobalt Strike Browser Pivot)(Citation: ICEBRG Chrome Extensions) Executing browser-based
+ behaviors such as pivoting may require specific process permissions, such as
+ SeDebugPrivilege
and/or high-integrity/administrator rights.
+
+
+ Another example involves pivoting browser traffic from the adversary''s browser
+ through the user''s browser by setting up a proxy which will redirect web traffic.
+ This does not alter the user''s traffic in any way, and the proxy connection
+ can be severed as soon as the browser is closed. The adversary assumes the security
+ context of whichever browser process the proxy is injected into. Browsers typically
+ create a new process for each tab that is opened and permissions and certificates
+ are separated accordingly. With these permissions, an adversary could potentially
+ browse to any resource on an intranet, such as [Sharepoint](https://attack.mitre.org/techniques/T1213/002)
+ or webmail, that is accessible through the browser and which the browser has
+ sufficient permissions. Browser pivoting may also bypass security provided by
+ 2-factor authentication.(Citation: cobaltstrike manual)
+
+ https://attack.mitre.org/techniques/T1185'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1021
+ name: T1021 - Remote Services
+ provider: MITRE ATT&CK
+ description: "Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078)\
+ \ to log into a service that accepts remote connections, such as telnet, SSH,\
+ \ and VNC. The adversary may then perform actions as the logged-on user.\n\n\
+ In an enterprise environment, servers and workstations can be organized into\
+ \ domains. Domains provide centralized identity management, allowing users to\
+ \ login using one set of credentials across the entire network. If an adversary\
+ \ is able to obtain a set of valid domain credentials, they could login to many\
+ \ different machines using remote access protocols such as secure shell (SSH)\
+ \ or remote desktop protocol (RDP).(Citation: SSH Secure Shell)(Citation: TechNet\
+ \ Remote Desktop Services) They could also login to accessible SaaS or IaaS\
+ \ services, such as those that federate their identities to the domain. \n\n\
+ Legitimate applications (such as [Software Deployment Tools](https://attack.mitre.org/techniques/T1072)\
+ \ and other administrative programs) may utilize [Remote Services](https://attack.mitre.org/techniques/T1021)\
+ \ to access remote hosts. For example, Apple Remote Desktop (ARD) on macOS is\
+ \ native software used for remote management. ARD leverages a blend of protocols,\
+ \ including [VNC](https://attack.mitre.org/techniques/T1021/005) to send the\
+ \ screen and control buffers and [SSH](https://attack.mitre.org/techniques/T1021/004)\
+ \ for secure file transfer.(Citation: Remote Management MDM macOS)(Citation:\
+ \ Kickstart Apple Remote Desktop commands)(Citation: Apple Remote Desktop Admin\
+ \ Guide 3.3) Adversaries can abuse applications such as ARD to gain remote code\
+ \ execution and perform lateral movement. In versions of macOS prior to 10.14,\
+ \ an adversary can escalate an SSH session to an ARD session which enables an\
+ \ adversary to accept TCC (Transparency, Consent, and Control) prompts without\
+ \ user interaction and gain access to data.(Citation: FireEye 2019 Apple Remote\
+ \ Desktop)(Citation: Lockboxx ARD 2019)(Citation: Kickstart Apple Remote Desktop\
+ \ commands)\nhttps://attack.mitre.org/techniques/T1021"
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1596
+ name: T1596 - Search Open Technical Databases
+ provider: MITRE ATT&CK
+ description: 'Adversaries may search freely available technical databases for
+ information about victims that can be used during targeting. Information about
+ victims may be available in online databases and repositories, such as registrations
+ of domains/certificates as well as public collections of network data/artifacts
+ gathered from traffic and/or scans.(Citation: WHOIS)(Citation: DNS Dumpster)(Citation:
+ Circl Passive DNS)(Citation: Medium SSL Cert)(Citation: SSLShopper Lookup)(Citation:
+ DigitalShadows CDN)(Citation: Shodan)
+
+
+ Adversaries may search in different open databases depending on what information
+ they seek to gather. Information from these sources may reveal opportunities
+ for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598)
+ or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)),
+ establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583)
+ or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)),
+ and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)
+ or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).
+
+ https://attack.mitre.org/techniques/T1596'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1207
+ name: T1207 - Rogue Domain Controller
+ provider: MITRE ATT&CK
+ description: 'Adversaries may register a rogue Domain Controller to enable manipulation
+ of Active Directory data. DCShadow may be used to create a rogue Domain Controller
+ (DC). DCShadow is a method of manipulating Active Directory (AD) data, including
+ objects and schemas, by registering (or reusing an inactive registration) and
+ simulating the behavior of a DC. (Citation: DCShadow Blog) Once registered,
+ a rogue DC may be able to inject and replicate changes into AD infrastructure
+ for any domain object, including credentials and keys.
+
+
+ Registering a rogue DC involves creating a new server and nTDSDSA objects in
+ the Configuration partition of the AD schema, which requires Administrator privileges
+ (either Domain or local to the DC) or the KRBTGT hash. (Citation: Adsecurity
+ Mimikatz Guide)
+
+
+ This technique may bypass system logging and security monitors such as security
+ information and event management (SIEM) products (since actions taken on a rogue
+ DC may not be reported to these sensors). (Citation: DCShadow Blog) The technique
+ may also be used to alter and delete replication and other associated metadata
+ to obstruct forensic analysis. Adversaries may also utilize this technique to
+ perform [SID-History Injection](https://attack.mitre.org/techniques/T1134/005)
+ and/or manipulate AD objects (such as accounts, access control lists, schemas)
+ to establish backdoors for Persistence. (Citation: DCShadow Blog)
+
+ https://attack.mitre.org/techniques/T1207'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1610
+ name: T1610 - Deploy Container
+ provider: MITRE ATT&CK
+ description: 'Adversaries may deploy a container into an environment to facilitate
+ execution or evade defenses. In some cases, adversaries may deploy a new container
+ to execute processes associated with a particular image or deployment, such
+ as processes that execute or download malware. In others, an adversary may deploy
+ a new container configured without network rules, user limitations, etc. to
+ bypass existing defenses within the environment.
+
+
+ Containers can be deployed by various means, such as via Docker''s create
+ and start
APIs or via a web application such as the Kubernetes
+ dashboard or Kubeflow.(Citation: Docker Containers API)(Citation: Kubernetes
+ Dashboard)(Citation: Kubeflow Pipelines) Adversaries may deploy containers based
+ on retrieved or built malicious images or from benign images that download and
+ execute malicious payloads at runtime.(Citation: Aqua Build Images on Hosts)
+
+ https://attack.mitre.org/techniques/T1610'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1112
+ name: T1112 - Modify Registry
+ provider: MITRE ATT&CK
+ description: 'Adversaries may interact with the Windows Registry to hide configuration
+ information within Registry keys, remove information as part of cleaning up,
+ or as part of other techniques to aid in persistence and execution.
+
+
+ Access to specific areas of the Registry depends on account permissions, some
+ requiring administrator-level access. The built-in Windows command-line utility
+ [Reg](https://attack.mitre.org/software/S0075) may be used for local or remote
+ Registry modification. (Citation: Microsoft Reg) Other tools may also be used,
+ such as a remote access tool, which may contain functionality to interact with
+ the Registry through the Windows API.
+
+
+ Registry modifications may also include actions to hide keys, such as prepending
+ key names with a null character, which will cause an error and/or be ignored
+ when read via [Reg](https://attack.mitre.org/software/S0075) or other utilities
+ using the Win32 API. (Citation: Microsoft Reghide NOV 2006) Adversaries may
+ abuse these pseudo-hidden keys to conceal payloads/commands used to maintain
+ persistence. (Citation: TrendMicro POWELIKS AUG 2014) (Citation: SpectorOps
+ Hiding Reg Jul 2017)
+
+
+ The Registry of a remote system may be modified to aid in execution of files
+ as part of lateral movement. It requires the remote Registry service to be running
+ on the target system. (Citation: Microsoft Remote) Often [Valid Accounts](https://attack.mitre.org/techniques/T1078)
+ are required, along with access to the remote system''s [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002)
+ for RPC communication.
+
+ https://attack.mitre.org/techniques/T1112'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1580
+ name: T1580 - Cloud Infrastructure Discovery
+ provider: MITRE ATT&CK
+ description: "An adversary may attempt to discover infrastructure and resources\
+ \ that are available within an infrastructure-as-a-service (IaaS) environment.\
+ \ This includes compute service resources such as instances, virtual machines,\
+ \ and snapshots as well as resources of other services including the storage\
+ \ and database services.\n\nCloud providers offer methods such as APIs and commands\
+ \ issued through CLIs to serve information about infrastructure. For example,\
+ \ AWS provides a DescribeInstances
API within the Amazon EC2 API\
+ \ that can return information about one or more instances within an account,\
+ \ the ListBuckets
API that returns a list of all buckets owned\
+ \ by the authenticated sender of the request, the HeadBucket
API\
+ \ to determine a bucket\u2019s existence along with access permissions of the\
+ \ request sender, or the GetPublicAccessBlock
API to retrieve access\
+ \ block configuration for a bucket.(Citation: Amazon Describe Instance)(Citation:\
+ \ Amazon Describe Instances API)(Citation: AWS Get Public Access Block)(Citation:\
+ \ AWS Head Bucket) Similarly, GCP's Cloud SDK CLI provides the gcloud\
+ \ compute instances list
command to list all Google Compute Engine instances\
+ \ in a project (Citation: Google Compute Instances), and Azure's CLI command\
+ \ az vm list
lists details of virtual machines.(Citation: Microsoft\
+ \ AZ CLI) In addition to API commands, adversaries can utilize open source tools\
+ \ to discover cloud storage infrastructure through [Wordlist Scanning](https://attack.mitre.org/techniques/T1595/003).(Citation:\
+ \ Malwarebytes OSINT Leaky Buckets - Hioureas)\n\nAn adversary may enumerate\
+ \ resources using a compromised user's access keys to determine which are available\
+ \ to that user.(Citation: Expel IO Evil in AWS) The discovery of these available\
+ \ resources may help adversaries determine their next steps in the Cloud environment,\
+ \ such as establishing Persistence.(Citation: Mandiant M-Trends 2020)An adversary\
+ \ may also use this information to change the configuration to make the bucket\
+ \ publicly accessible, allowing data to be accessed without authentication.\
+ \ Adversaries have also may use infrastructure discovery APIs such as DescribeDBInstances
\
+ \ to determine size, owner, permissions, and network ACLs of database resources.\
+ \ (Citation: AWS Describe DB Instances) Adversaries can use this information\
+ \ to determine the potential value of databases and discover the requirements\
+ \ to access them. Unlike in [Cloud Service Discovery](https://attack.mitre.org/techniques/T1526),\
+ \ this technique focuses on the discovery of components of the provided services\
+ \ rather than the services themselves.\nhttps://attack.mitre.org/techniques/T1580"
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1491
+ name: T1491 - Defacement
+ provider: MITRE ATT&CK
+ description: 'Adversaries may modify visual content available internally or externally
+ to an enterprise network, thus affecting the integrity of the original content.
+ Reasons for [Defacement](https://attack.mitre.org/techniques/T1491) include
+ delivering messaging, intimidation, or claiming (possibly false) credit for
+ an intrusion. Disturbing or offensive images may be used as a part of [Defacement](https://attack.mitre.org/techniques/T1491)
+ in order to cause user discomfort, or to pressure compliance with accompanying
+ messages.
+
+ https://attack.mitre.org/techniques/T1491'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1535
+ name: T1535 - Unused/Unsupported Cloud Regions
+ provider: MITRE ATT&CK
+ description: 'Adversaries may create cloud instances in unused geographic service
+ regions in order to evade detection. Access is usually obtained through compromising
+ accounts used to manage cloud infrastructure.
+
+
+ Cloud service providers often provide infrastructure throughout the world in
+ order to improve performance, provide redundancy, and allow customers to meet
+ compliance requirements. Oftentimes, a customer will only use a subset of the
+ available regions and may not actively monitor other regions. If an adversary
+ creates resources in an unused region, they may be able to operate undetected.
+
+
+ A variation on this behavior takes advantage of differences in functionality
+ across cloud regions. An adversary could utilize regions which do not support
+ advanced detection services in order to avoid detection of their activity.
+
+
+ An example of adversary use of unused AWS regions is to mine cryptocurrency
+ through [Resource Hijacking](https://attack.mitre.org/techniques/T1496), which
+ can cost organizations substantial amounts of money over time depending on the
+ processing power used.(Citation: CloudSploit - Unused AWS Regions)
+
+ https://attack.mitre.org/techniques/T1535'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1563
+ name: T1563 - Remote Service Session Hijacking
+ provider: MITRE ATT&CK
+ description: 'Adversaries may take control of preexisting sessions with remote
+ services to move laterally in an environment. Users may use valid credentials
+ to log into a service specifically designed to accept remote connections, such
+ as telnet, SSH, and RDP. When a user logs into a service, a session will be
+ established that will allow them to maintain a continuous interaction with that
+ service.
+
+
+ Adversaries may commandeer these sessions to carry out actions on remote systems.
+ [Remote Service Session Hijacking](https://attack.mitre.org/techniques/T1563)
+ differs from use of [Remote Services](https://attack.mitre.org/techniques/T1021)
+ because it hijacks an existing session rather than creating a new session using
+ [Valid Accounts](https://attack.mitre.org/techniques/T1078).(Citation: RDP Hijacking
+ Medium)(Citation: Breach Post-mortem SSH Hijack)
+
+ https://attack.mitre.org/techniques/T1563'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1217
+ name: T1217 - Browser Information Discovery
+ provider: MITRE ATT&CK
+ description: 'Adversaries may enumerate information about browsers to learn more
+ about compromised environments. Data saved by browsers (such as bookmarks, accounts,
+ and browsing history) may reveal a variety of personal information about users
+ (e.g., banking sites, relationships/interests, social media, etc.) as well as
+ details about internal network resources such as servers, tools/dashboards,
+ or other related infrastructure.(Citation: Kaspersky Autofill)
+
+
+ Browser information may also highlight additional targets after an adversary
+ has access to valid credentials, especially [Credentials In Files](https://attack.mitre.org/techniques/T1552/001)
+ associated with logins cached by a browser.
+
+
+ Specific storage locations vary based on platform and/or application, but browser
+ information is typically stored in local files and databases (e.g., `%APPDATA%/Google/Chrome`).(Citation:
+ Chrome Roaming Profiles)
+
+ https://attack.mitre.org/techniques/T1217'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1092
+ name: T1092 - Communication Through Removable Media
+ provider: MITRE ATT&CK
+ description: 'Adversaries can perform command and control between compromised
+ hosts on potentially disconnected networks using removable media to transfer
+ commands from system to system. Both systems would need to be compromised, with
+ the likelihood that an Internet-connected system was compromised first and the
+ second through lateral movement by [Replication Through Removable Media](https://attack.mitre.org/techniques/T1091).
+ Commands and files would be relayed from the disconnected system to the Internet-connected
+ system to which the adversary has direct access.
+
+ https://attack.mitre.org/techniques/T1092'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1222
+ name: T1222 - File and Directory Permissions Modification
+ provider: MITRE ATT&CK
+ description: "Adversaries may modify file or directory permissions/attributes\
+ \ to evade access control lists (ACLs) and access protected files.(Citation:\
+ \ Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May 2018)\
+ \ File and directory permissions are commonly managed by ACLs configured by\
+ \ the file or directory owner, or users with the appropriate permissions. File\
+ \ and directory ACL implementations vary by platform, but generally explicitly\
+ \ designate which users or groups can perform which actions (read, write, execute,\
+ \ etc.).\n\nModifications may include changing specific access rights, which\
+ \ may require taking ownership of a file or directory and/or elevated permissions\
+ \ depending on the file or directory\u2019s existing permissions. This may enable\
+ \ malicious activity such as modifying, replacing, or deleting specific files\
+ \ or directories. Specific file and directory modifications may be a required\
+ \ step for many techniques, such as establishing Persistence via [Accessibility\
+ \ Features](https://attack.mitre.org/techniques/T1546/008), [Boot or Logon Initialization\
+ \ Scripts](https://attack.mitre.org/techniques/T1037), [Unix Shell Configuration\
+ \ Modification](https://attack.mitre.org/techniques/T1546/004), or tainting/hijacking\
+ \ other instrumental binary/configuration files via [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574).\n\
+ \nAdversaries may also change permissions of symbolic links. For example, malware\
+ \ (particularly ransomware) may modify symbolic links and associated settings\
+ \ to enable access to files from local shortcuts with remote paths.(Citation:\
+ \ new_rust_based_ransomware)(Citation: bad_luck_blackcat)(Citation: falconoverwatch_blackcat_attack)(Citation:\
+ \ blackmatter_blackcat)(Citation: fsutil_behavior)\nhttps://attack.mitre.org/techniques/T1222"
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1595
+ name: T1595 - Active Scanning
+ provider: MITRE ATT&CK
+ description: 'Adversaries may execute active reconnaissance scans to gather information
+ that can be used during targeting. Active scans are those where the adversary
+ probes victim infrastructure via network traffic, as opposed to other forms
+ of reconnaissance that do not involve direct interaction.
+
+
+ Adversaries may perform different forms of active scanning depending on what
+ information they seek to gather. These scans can also be performed in various
+ ways, including using native features of network protocols such as ICMP.(Citation:
+ Botnet Scan)(Citation: OWASP Fingerprinting) Information from these scans may
+ reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)
+ or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)),
+ establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587)
+ or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or
+ initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)
+ or [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190)).
+
+ https://attack.mitre.org/techniques/T1595'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1548
+ name: T1548 - Abuse Elevation Control Mechanism
+ provider: MITRE ATT&CK
+ description: 'Adversaries may circumvent mechanisms designed to control elevate
+ privileges to gain higher-level permissions. Most modern systems contain native
+ elevation control mechanisms that are intended to limit privileges that a user
+ can perform on a machine. Authorization has to be granted to specific users
+ in order to perform tasks that can be considered of higher risk. An adversary
+ can perform several methods to take advantage of built-in control mechanisms
+ in order to escalate privileges on a system.
+
+ https://attack.mitre.org/techniques/T1548'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1125
+ name: T1125 - Video Capture
+ provider: MITRE ATT&CK
+ description: 'An adversary can leverage a computer''s peripheral devices (e.g.,
+ integrated cameras or webcams) or applications (e.g., video call services) to
+ capture video recordings for the purpose of gathering information. Images may
+ also be captured from devices or applications, potentially in specified intervals,
+ in lieu of video files.
+
+
+ Malware or scripts may be used to interact with the devices through an available
+ API provided by the operating system or an application to capture video or images.
+ Video or image files may be written to disk and exfiltrated later. This technique
+ differs from [Screen Capture](https://attack.mitre.org/techniques/T1113) due
+ to use of specific devices or applications for video recording rather than capturing
+ the victim''s screen.
+
+
+ In macOS, there are a few different malware samples that record the user''s
+ webcam such as FruitFly and Proton. (Citation: objective-see 2017 review)
+
+ https://attack.mitre.org/techniques/T1125'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1016
+ name: T1016 - System Network Configuration Discovery
+ provider: MITRE ATT&CK
+ description: 'Adversaries may look for details about the network configuration
+ and settings, such as IP and/or MAC addresses, of systems they access or through
+ information discovery of remote systems. Several operating system administration
+ utilities exist that can be used to gather this information. Examples include
+ [Arp](https://attack.mitre.org/software/S0099), [ipconfig](https://attack.mitre.org/software/S0100)/[ifconfig](https://attack.mitre.org/software/S0101),
+ [nbtstat](https://attack.mitre.org/software/S0102), and [route](https://attack.mitre.org/software/S0103).
+
+
+ Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008)
+ on network devices to gather information about configurations and settings,
+ such as IP addresses of configured interfaces and static/dynamic routes (e.g.
+ show ip route
, show ip interface
).(Citation: US-CERT-TA18-106A)(Citation:
+ Mandiant APT41 Global Intrusion )
+
+
+ Adversaries may use the information from [System Network Configuration Discovery](https://attack.mitre.org/techniques/T1016)
+ during automated discovery to shape follow-on behaviors, including determining
+ certain access within the target network and what actions to do next.
+
+ https://attack.mitre.org/techniques/T1016'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1087
+ name: T1087 - Account Discovery
+ provider: MITRE ATT&CK
+ description: "Adversaries may attempt to get a listing of valid accounts, usernames,\
+ \ or email addresses on a system or within a compromised environment. This information\
+ \ can help adversaries determine which accounts exist, which can aid in follow-on\
+ \ behavior such as brute-forcing, spear-phishing attacks, or account takeovers\
+ \ (e.g., [Valid Accounts](https://attack.mitre.org/techniques/T1078)).\n\nAdversaries\
+ \ may use several methods to enumerate accounts, including abuse of existing\
+ \ tools, built-in commands, and potential misconfigurations that leak account\
+ \ names and roles or permissions in the targeted environment.\n\nFor examples,\
+ \ cloud environments typically provide easily accessible interfaces to obtain\
+ \ user lists. On hosts, adversaries can use default [PowerShell](https://attack.mitre.org/techniques/T1059/001)\
+ \ and other command line functionality to identify accounts. Information about\
+ \ email addresses and accounts may also be extracted by searching an infected\
+ \ system\u2019s files.\nhttps://attack.mitre.org/techniques/T1087"
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1090
+ name: T1090 - Proxy
+ provider: MITRE ATT&CK
+ description: 'Adversaries may use a connection proxy to direct network traffic
+ between systems or act as an intermediary for network communications to a command
+ and control server to avoid direct connections to their infrastructure. Many
+ tools exist that enable traffic redirection through proxies or port redirection,
+ including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap.
+ (Citation: Trend Micro APT Attack Tools) Adversaries use these types of proxies
+ to manage command and control communications, reduce the number of simultaneous
+ outbound network connections, provide resiliency in the face of connection loss,
+ or to ride over existing trusted communications paths between victims to avoid
+ suspicion. Adversaries may chain together multiple proxies to further disguise
+ the source of malicious traffic.
+
+
+ Adversaries can also take advantage of routing schemes in Content Delivery Networks
+ (CDNs) to proxy command and control traffic.
+
+ https://attack.mitre.org/techniques/T1090'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1059
+ name: T1059 - Command and Scripting Interpreter
+ provider: MITRE ATT&CK
+ description: 'Adversaries may abuse command and script interpreters to execute
+ commands, scripts, or binaries. These interfaces and languages provide ways
+ of interacting with computer systems and are a common feature across many different
+ platforms. Most systems come with some built-in command-line interface and scripting
+ capabilities, for example, macOS and Linux distributions include some flavor
+ of [Unix Shell](https://attack.mitre.org/techniques/T1059/004) while Windows
+ installations include the [Windows Command Shell](https://attack.mitre.org/techniques/T1059/003)
+ and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+
+
+ There are also cross-platform interpreters such as [Python](https://attack.mitre.org/techniques/T1059/006),
+ as well as those commonly associated with client applications such as [JavaScript](https://attack.mitre.org/techniques/T1059/007)
+ and [Visual Basic](https://attack.mitre.org/techniques/T1059/005).
+
+
+ Adversaries may abuse these technologies in various ways as a means of executing
+ arbitrary commands. Commands and scripts can be embedded in [Initial Access](https://attack.mitre.org/tactics/TA0001)
+ payloads delivered to victims as lure documents or as secondary payloads downloaded
+ from an existing C2. Adversaries may also execute commands through interactive
+ terminals/shells, as well as utilize various [Remote Services](https://attack.mitre.org/techniques/T1021)
+ in order to achieve remote Execution.(Citation: Powershell Remote Commands)(Citation:
+ Cisco IOS Software Integrity Assurance - Command History)(Citation: Remote Shell
+ Execution in Python)
+
+ https://attack.mitre.org/techniques/T1059'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1482
+ name: T1482 - Domain Trust Discovery
+ provider: MITRE ATT&CK
+ description: 'Adversaries may attempt to gather information on domain trust relationships
+ that may be used to identify lateral movement opportunities in Windows multi-domain/forest
+ environments. Domain trusts provide a mechanism for a domain to allow access
+ to resources based on the authentication procedures of another domain.(Citation:
+ Microsoft Trusts) Domain trusts allow the users of the trusted domain to access
+ resources in the trusting domain. The information discovered may help the adversary
+ conduct [SID-History Injection](https://attack.mitre.org/techniques/T1134/005),
+ [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003), and [Kerberoasting](https://attack.mitre.org/techniques/T1558/003).(Citation:
+ AdSecurity Forging Trust Tickets)(Citation: Harmj0y Domain Trusts) Domain trusts
+ can be enumerated using the `DSEnumerateDomainTrusts()` Win32 API call, .NET
+ methods, and LDAP.(Citation: Harmj0y Domain Trusts) The Windows utility [Nltest](https://attack.mitre.org/software/S0359)
+ is known to be used by adversaries to enumerate domain trusts.(Citation: Microsoft
+ Operation Wilysupply)
+
+ https://attack.mitre.org/techniques/T1482'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1020
+ name: T1020 - Automated Exfiltration
+ provider: MITRE ATT&CK
+ description: "Adversaries may exfiltrate data, such as sensitive documents, through\
+ \ the use of automated processing after being gathered during Collection. \n\
+ \nWhen automated exfiltration is used, other exfiltration techniques likely\
+ \ apply as well to transfer the information out of the network, such as [Exfiltration\
+ \ Over C2 Channel](https://attack.mitre.org/techniques/T1041) and [Exfiltration\
+ \ Over Alternative Protocol](https://attack.mitre.org/techniques/T1048).\nhttps://attack.mitre.org/techniques/T1020"
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1070
+ name: T1070 - Indicator Removal
+ provider: MITRE ATT&CK
+ description: "Adversaries may delete or modify artifacts generated within systems\
+ \ to remove evidence of their presence or hinder defenses. Various artifacts\
+ \ may be created by an adversary or something that can be attributed to an adversary\u2019\
+ s actions. Typically these artifacts are used as defensive indicators related\
+ \ to monitored events, such as strings from downloaded files, logs that are\
+ \ generated from user actions, and other data analyzed by defenders. Location,\
+ \ format, and type of artifact (such as command or login history) are often\
+ \ specific to each platform.\n\nRemoval of these indicators may interfere with\
+ \ event collection, reporting, or other processes used to detect intrusion activity.\
+ \ This may compromise the integrity of security solutions by causing notable\
+ \ events to go unreported. This activity may also impede forensic analysis and\
+ \ incident response, due to lack of sufficient data to determine what occurred.\n\
+ https://attack.mitre.org/techniques/T1070"
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1609
+ name: T1609 - Container Administration Command
+ provider: MITRE ATT&CK
+ description: 'Adversaries may abuse a container administration service to execute
+ commands within a container. A container administration service such as the
+ Docker daemon, the Kubernetes API server, or the kubelet may allow remote management
+ of containers within an environment.(Citation: Docker Daemon CLI)(Citation:
+ Kubernetes API)(Citation: Kubernetes Kubelet)
+
+
+ In Docker, adversaries may specify an entrypoint during container deployment
+ that executes a script or command, or they may use a command such as docker
+ exec
to execute a command within a running container.(Citation: Docker
+ Entrypoint)(Citation: Docker Exec) In Kubernetes, if an adversary has sufficient
+ permissions, they may gain remote execution in a container in the cluster via
+ interaction with the Kubernetes API server, the kubelet, or by running a command
+ such as kubectl exec
.(Citation: Kubectl Exec Get Shell)
+
+ https://attack.mitre.org/techniques/T1609'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1083
+ name: T1083 - File and Directory Discovery
+ provider: MITRE ATT&CK
+ description: 'Adversaries may enumerate files and directories or may search in
+ specific locations of a host or network share for certain information within
+ a file system. Adversaries may use the information from [File and Directory
+ Discovery](https://attack.mitre.org/techniques/T1083) during automated discovery
+ to shape follow-on behaviors, including whether or not the adversary fully infects
+ the target and/or attempts specific actions.
+
+
+ Many command shell utilities can be used to obtain this information. Examples
+ include dir
, tree
, ls
, find
,
+ and locate
.(Citation: Windows Commands JPCERT) Custom tools may
+ also be used to gather file and directory information and interact with the
+ [Native API](https://attack.mitre.org/techniques/T1106). Adversaries may also
+ leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008)
+ on network devices to gather file and directory information (e.g. dir
,
+ show flash
, and/or nvram
).(Citation: US-CERT-TA18-106A)
+
+ https://attack.mitre.org/techniques/T1083'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1568
+ name: T1568 - Dynamic Resolution
+ provider: MITRE ATT&CK
+ description: 'Adversaries may dynamically establish connections to command and
+ control infrastructure to evade common detections and remediations. This may
+ be achieved by using malware that shares a common algorithm with the infrastructure
+ the adversary uses to receive the malware''s communications. These calculations
+ can be used to dynamically adjust parameters such as the domain name, IP address,
+ or port number the malware uses for command and control.
+
+
+ Adversaries may use dynamic resolution for the purpose of [Fallback Channels](https://attack.mitre.org/techniques/T1008).
+ When contact is lost with the primary command and control server malware may
+ employ dynamic resolution as a means to reestablishing command and control.(Citation:
+ Talos CCleanup 2017)(Citation: FireEye POSHSPY April 2017)(Citation: ESET Sednit
+ 2017 Activity)
+
+ https://attack.mitre.org/techniques/T1568'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1647
+ name: T1647 - Plist File Modification
+ provider: MITRE ATT&CK
+ description: "Adversaries may modify property list files (plist files) to enable\
+ \ other malicious activity, while also potentially evading and bypassing system\
+ \ defenses. macOS applications use plist files, such as the info.plist
\
+ \ file, to store properties and configuration settings that inform the operating\
+ \ system how to handle the application at runtime. Plist files are structured\
+ \ metadata in key-value pairs formatted in XML based on Apple's Core Foundation\
+ \ DTD. Plist files can be saved in text or binary format.(Citation: fileinfo\
+ \ plist file description) \n\nAdversaries can modify key-value pairs in plist\
+ \ files to influence system behaviors, such as hiding the execution of an application\
+ \ (i.e. [Hidden Window](https://attack.mitre.org/techniques/T1564/003)) or running\
+ \ additional commands for persistence (ex: [Launch Agent](https://attack.mitre.org/techniques/T1543/001)/[Launch\
+ \ Daemon](https://attack.mitre.org/techniques/T1543/004) or [Re-opened Applications](https://attack.mitre.org/techniques/T1547/007)).\n\
+ \nFor example, adversaries can add a malicious application path to the `~/Library/Preferences/com.apple.dock.plist`\
+ \ file, which controls apps that appear in the Dock. Adversaries can also modify\
+ \ the LSUIElement
key in an application\u2019s info.plist
\
+ \ file to run the app in the background. Adversaries can also insert key-value\
+ \ pairs to insert environment variables, such as LSEnvironment
,\
+ \ to enable persistence via [Dynamic Linker Hijacking](https://attack.mitre.org/techniques/T1574/006).(Citation:\
+ \ wardle chp2 persistence)(Citation: eset_osx_flashback)\nhttps://attack.mitre.org/techniques/T1647"
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1074
+ name: T1074 - Data Staged
+ provider: MITRE ATT&CK
+ description: 'Adversaries may stage collected data in a central location or directory
+ prior to Exfiltration. Data may be kept in separate files or combined into one
+ file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560).
+ Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106)
+ and bash may be used to copy data into a staging location.(Citation: PWC Cloud
+ Hopper April 2017)
+
+
+ In cloud environments, adversaries may stage data within a particular instance
+ or virtual machine before exfiltration. An adversary may [Create Cloud Instance](https://attack.mitre.org/techniques/T1578/002)
+ and stage data in that instance.(Citation: Mandiant M-Trends 2020)
+
+
+ Adversaries may choose to stage data from a victim network in a centralized
+ location prior to Exfiltration to minimize the number of connections made to
+ their C2 server and better evade detection.
+
+ https://attack.mitre.org/techniques/T1074'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1649
+ name: T1649 - Steal or Forge Authentication Certificates
+ provider: MITRE ATT&CK
+ description: "Adversaries may steal or forge certificates used for authentication\
+ \ to access remote systems or resources. Digital certificates are often used\
+ \ to sign and encrypt messages and/or files. Certificates are also used as authentication\
+ \ material. For example, Azure AD device certificates and Active Directory Certificate\
+ \ Services (AD CS) certificates bind to an identity and can be used as credentials\
+ \ for domain accounts.(Citation: O365 Blog Azure AD Device IDs)(Citation: Microsoft\
+ \ AD CS Overview)\n\nAuthentication certificates can be both stolen and forged.\
+ \ For example, AD CS certificates can be stolen from encrypted storage (in the\
+ \ Registry or files)(Citation: APT29 Deep Look at Credential Roaming), misplaced\
+ \ certificate files (i.e. [Unsecured Credentials](https://attack.mitre.org/techniques/T1552)),\
+ \ or directly from the Windows certificate store via various crypto APIs.(Citation:\
+ \ SpecterOps Certified Pre Owned)(Citation: GitHub CertStealer)(Citation: GitHub\
+ \ GhostPack Certificates) With appropriate enrollment rights, users and/or machines\
+ \ within a domain can also request and/or manually renew certificates from enterprise\
+ \ certificate authorities (CA). This enrollment process defines various settings\
+ \ and permissions associated with the certificate. Of note, the certificate\u2019\
+ s extended key usage (EKU) values define signing, encryption, and authentication\
+ \ use cases, while the certificate\u2019s subject alternative name (SAN) values\
+ \ define the certificate owner\u2019s alternate names.(Citation: Medium Certified\
+ \ Pre Owned)\n\nAbusing certificates for authentication credentials may enable\
+ \ other behaviors such as [Lateral Movement](https://attack.mitre.org/tactics/TA0008).\
+ \ Certificate-related misconfigurations may also enable opportunities for [Privilege\
+ \ Escalation](https://attack.mitre.org/tactics/TA0004), by way of allowing users\
+ \ to impersonate or assume privileged accounts or permissions via the identities\
+ \ (SANs) associated with a certificate. These abuses may also enable [Persistence](https://attack.mitre.org/tactics/TA0003)\
+ \ via stealing or forging certificates that can be used as [Valid Accounts](https://attack.mitre.org/techniques/T1078)\
+ \ for the duration of the certificate's validity, despite user password resets.\
+ \ Authentication certificates can also be stolen and forged for machine accounts.\n\
+ \nAdversaries who have access to root (or subordinate) CA certificate private\
+ \ keys (or mechanisms protecting/managing these keys) may also establish [Persistence](https://attack.mitre.org/tactics/TA0003)\
+ \ by forging arbitrary authentication certificates for the victim domain (known\
+ \ as \u201Cgolden\u201D certificates).(Citation: Medium Certified Pre Owned)\
+ \ Adversaries may also target certificates and related services in order to\
+ \ access other forms of credentials, such as [Golden Ticket](https://attack.mitre.org/techniques/T1558/001)\
+ \ ticket-granting tickets (TGT) or NTLM plaintext.(Citation: Medium Certified\
+ \ Pre Owned)\nhttps://attack.mitre.org/techniques/T1649"
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1049
+ name: T1049 - System Network Connections Discovery
+ provider: MITRE ATT&CK
+ description: "Adversaries may attempt to get a listing of network connections\
+ \ to or from the compromised system they are currently accessing or from remote\
+ \ systems by querying for information over the network. \n\nAn adversary who\
+ \ gains access to a system that is part of a cloud-based environment may map\
+ \ out Virtual Private Clouds or Virtual Networks in order to determine what\
+ \ systems and services are connected. The actions performed are likely the same\
+ \ types of discovery techniques depending on the operating system, but the resulting\
+ \ information may include details about the networked cloud environment relevant\
+ \ to the adversary's goals. Cloud providers may have different ways in which\
+ \ their virtual networks operate.(Citation: Amazon AWS VPC Guide)(Citation:\
+ \ Microsoft Azure Virtual Network Overview)(Citation: Google VPC Overview) Similarly,\
+ \ adversaries who gain access to network devices may also perform similar discovery\
+ \ activities to gather information about connected systems and services.\n\n\
+ Utilities and commands that acquire this information include [netstat](https://attack.mitre.org/software/S0104),\
+ \ \"net use,\" and \"net session\" with [Net](https://attack.mitre.org/software/S0039).\
+ \ In Mac and Linux, [netstat](https://attack.mitre.org/software/S0104) and lsof
\
+ \ can be used to list current connections. who -a
and w
\
+ \ can be used to show which users are currently logged in, similar to \"net\
+ \ session\". Additionally, built-in features native to network devices and [Network\
+ \ Device CLI](https://attack.mitre.org/techniques/T1059/008) may be used (e.g.\
+ \ show ip sockets
, show tcp brief
).(Citation: US-CERT-TA18-106A)\n\
+ https://attack.mitre.org/techniques/T1049"
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1584
+ name: T1584 - Compromise Infrastructure
+ provider: MITRE ATT&CK
+ description: 'Adversaries may compromise third-party infrastructure that can be
+ used during targeting. Infrastructure solutions include physical or cloud servers,
+ domains, and third-party web and DNS services. Instead of buying, leasing, or
+ renting infrastructure an adversary may compromise infrastructure and use it
+ during other phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation:
+ ICANNDomainNameHijacking)(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye
+ EPS Awakens Part 2) Additionally, adversaries may compromise numerous machines
+ to form a botnet they can leverage.
+
+
+ Use of compromised infrastructure allows adversaries to stage, launch, and execute
+ operations. Compromised infrastructure can help adversary operations blend in
+ with traffic that is seen as normal, such as contact with high reputation or
+ trusted sites. For example, adversaries may leverage compromised infrastructure
+ (potentially also in conjunction with [Digital Certificates](https://attack.mitre.org/techniques/T1588/004))
+ to further blend in and support staged information gathering and/or [Phishing](https://attack.mitre.org/techniques/T1566)
+ campaigns.(Citation: FireEye DNS Hijack 2019) Additionally, adversaries may
+ also compromise infrastructure to support [Proxy](https://attack.mitre.org/techniques/T1090)
+ and/or proxyware services.(Citation: amnesty_nso_pegasus)(Citation: Sysdig Proxyjacking)
+
+
+ By using compromised infrastructure, adversaries may make it difficult to tie
+ their actions back to them. Prior to targeting, adversaries may compromise the
+ infrastructure of other adversaries.(Citation: NSA NCSC Turla OilRig)
+
+ https://attack.mitre.org/techniques/T1584'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1542
+ name: T1542 - Pre-OS Boot
+ provider: MITRE ATT&CK
+ description: 'Adversaries may abuse Pre-OS Boot mechanisms as a way to establish
+ persistence on a system. During the booting process of a computer, firmware
+ and various startup services are loaded before the operating system. These programs
+ control flow of execution before the operating system takes control.(Citation:
+ Wikipedia Booting)
+
+
+ Adversaries may overwrite data in boot drivers or firmware such as BIOS (Basic
+ Input/Output System) and The Unified Extensible Firmware Interface (UEFI) to
+ persist on systems at a layer below the operating system. This can be particularly
+ difficult to detect as malware at this level will not be detected by host software-based
+ defenses.
+
+ https://attack.mitre.org/techniques/T1542'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1612
+ name: T1612 - Build Image on Host
+ provider: MITRE ATT&CK
+ description: "Adversaries may build a container image directly on a host to bypass\
+ \ defenses that monitor for the retrieval of malicious images from a public\
+ \ registry. A remote build
request may be sent to the Docker API\
+ \ that includes a Dockerfile that pulls a vanilla base image, such as alpine,\
+ \ from a public or local registry and then builds a custom image upon it.(Citation:\
+ \ Docker Build Image)\n\nAn adversary may take advantage of that build
\
+ \ API to build a custom image on the host that includes malware downloaded from\
+ \ their C2 server, and then they may utilize [Deploy Container](https://attack.mitre.org/techniques/T1610)\
+ \ using that custom image.(Citation: Aqua Build Images on Hosts)(Citation: Aqua\
+ \ Security Cloud Native Threat Report June 2021) If the base image is pulled\
+ \ from a public registry, defenses will likely not detect the image as malicious\
+ \ since it\u2019s a vanilla image. If the base image already resides in a local\
+ \ registry, the pull may be considered even less suspicious since the image\
+ \ is already in the environment.\nhttps://attack.mitre.org/techniques/T1612"
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1586
+ name: T1586 - Compromise Accounts
+ provider: MITRE ATT&CK
+ description: "Adversaries may compromise accounts with services that can be used\
+ \ during targeting. For operations incorporating social engineering, the utilization\
+ \ of an online persona may be important. Rather than creating and cultivating\
+ \ accounts (i.e. [Establish Accounts](https://attack.mitre.org/techniques/T1585)),\
+ \ adversaries may compromise existing accounts. Utilizing an existing persona\
+ \ may engender a level of trust in a potential victim if they have a relationship,\
+ \ or knowledge of, the compromised persona. \n\nA variety of methods exist for\
+ \ compromising accounts, such as gathering credentials via [Phishing for Information](https://attack.mitre.org/techniques/T1598),\
+ \ purchasing credentials from third-party sites, brute forcing credentials (ex:\
+ \ password reuse from breach credential dumps), or paying employees, suppliers\
+ \ or business partners for access to credentials.(Citation: AnonHBGary)(Citation:\
+ \ Microsoft DEV-0537) Prior to compromising accounts, adversaries may conduct\
+ \ Reconnaissance to inform decisions about which accounts to compromise to further\
+ \ their operation.\n\nPersonas may exist on a single site or across multiple\
+ \ sites (ex: Facebook, LinkedIn, Twitter, Google, etc.). Compromised accounts\
+ \ may require additional development, this could include filling out or modifying\
+ \ profile information, further developing social networks, or incorporating\
+ \ photos.\n\nAdversaries may directly leverage compromised email accounts for\
+ \ [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Phishing](https://attack.mitre.org/techniques/T1566).\n\
+ https://attack.mitre.org/techniques/T1586"
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1497
+ name: T1497 - Virtualization/Sandbox Evasion
+ provider: MITRE ATT&CK
+ description: 'Adversaries may employ various means to detect and avoid virtualization
+ and analysis environments. This may include changing behaviors based on the
+ results of checks for the presence of artifacts indicative of a virtual machine
+ environment (VME) or sandbox. If the adversary detects a VME, they may alter
+ their malware to disengage from the victim or conceal the core functions of
+ the implant. They may also search for VME artifacts before dropping secondary
+ or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox
+ Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery
+ to shape follow-on behaviors.(Citation: Deloitte Environment Awareness)
+
+
+ Adversaries may use several methods to accomplish [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497)
+ such as checking for security monitoring tools (e.g., Sysinternals, Wireshark,
+ etc.) or other system artifacts associated with analysis or virtualization.
+ Adversaries may also check for legitimate user activity to help determine if
+ it is in an analysis environment. Additional methods include use of sleep timers
+ or loops within malware code to avoid operating within a temporary sandbox.(Citation:
+ Unit 42 Pirpi July 2015)
+
+ https://attack.mitre.org/techniques/T1497'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1102
+ name: T1102 - Web Service
+ provider: MITRE ATT&CK
+ description: 'Adversaries may use an existing, legitimate external Web service
+ as a means for relaying data to/from a compromised system. Popular websites
+ and social media acting as a mechanism for C2 may give a significant amount
+ of cover due to the likelihood that hosts within a network are already communicating
+ with them prior to a compromise. Using common services, such as those offered
+ by Google or Twitter, makes it easier for adversaries to hide in expected noise.
+ Web service providers commonly use SSL/TLS encryption, giving adversaries an
+ added level of protection.
+
+
+ Use of Web services may also protect back-end C2 infrastructure from discovery
+ through malware binary analysis while also enabling operational resiliency (since
+ this infrastructure may be dynamically changed).
+
+ https://attack.mitre.org/techniques/T1102'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1608
+ name: T1608 - Stage Capabilities
+ provider: MITRE ATT&CK
+ description: 'Adversaries may upload, install, or otherwise set up capabilities
+ that can be used during targeting. To support their operations, an adversary
+ may need to take capabilities they developed ([Develop Capabilities](https://attack.mitre.org/techniques/T1587))
+ or obtained ([Obtain Capabilities](https://attack.mitre.org/techniques/T1588))
+ and stage them on infrastructure under their control. These capabilities may
+ be staged on infrastructure that was previously purchased/rented by the adversary
+ ([Acquire Infrastructure](https://attack.mitre.org/techniques/T1583)) or was
+ otherwise compromised by them ([Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)).
+ Capabilities may also be staged on web services, such as GitHub or Pastebin,
+ or on Platform-as-a-Service (PaaS) offerings that enable users to easily provision
+ applications.(Citation: Volexity Ocean Lotus November 2020)(Citation: Dragos
+ Heroku Watering Hole)(Citation: Malwarebytes Heroku Skimmers)(Citation: Netskope
+ GCP Redirection)(Citation: Netskope Cloud Phishing)
+
+
+ Staging of capabilities can aid the adversary in a number of initial access
+ and post-compromise behaviors, including (but not limited to):
+
+
+ * Staging web resources necessary to conduct [Drive-by Compromise](https://attack.mitre.org/techniques/T1189)
+ when a user browses to a site.(Citation: FireEye CFR Watering Hole 2012)(Citation:
+ Gallagher 2015)(Citation: ATT ScanBox)
+
+ * Staging web resources for a link target to be used with spearphishing.(Citation:
+ Malwarebytes Silent Librarian October 2020)(Citation: Proofpoint TA407 September
+ 2019)
+
+ * Uploading malware or tools to a location accessible to a victim network to
+ enable [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105).(Citation:
+ Volexity Ocean Lotus November 2020)
+
+ * Installing a previously acquired SSL/TLS certificate to use to encrypt command
+ and control traffic (ex: [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002)
+ with [Web Protocols](https://attack.mitre.org/techniques/T1071/001)).(Citation:
+ DigiCert Install SSL Cert)
+
+ https://attack.mitre.org/techniques/T1608'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1104
+ name: T1104 - Multi-Stage Channels
+ provider: MITRE ATT&CK
+ description: 'Adversaries may create multiple stages for command and control that
+ are employed under different conditions or for certain functions. Use of multiple
+ stages may obfuscate the command and control channel to make detection more
+ difficult.
+
+
+ Remote access tools will call back to the first-stage command and control server
+ for instructions. The first stage may have automated capabilities to collect
+ basic host information, update tools, and upload additional files. A second
+ remote access tool (RAT) could be uploaded at that point to redirect the host
+ to the second-stage command and control server. The second stage will likely
+ be more fully featured and allow the adversary to interact with the system through
+ a reverse shell and additional RAT features.
+
+
+ The different stages will likely be hosted separately with no overlapping infrastructure.
+ The loader may also have backup first-stage callbacks or [Fallback Channels](https://attack.mitre.org/techniques/T1008)
+ in case the original first-stage communication path is discovered and blocked.
+
+ https://attack.mitre.org/techniques/T1104'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1657
+ name: T1657 - Financial Theft
+ provider: MITRE ATT&CK
+ description: "Adversaries may steal monetary resources from targets through extortion,\
+ \ social engineering, technical theft, or other methods aimed at their own financial\
+ \ gain at the expense of the availability of these resources for victims. Financial\
+ \ theft is the ultimate objective of several popular campaign types including\
+ \ extortion by ransomware,(Citation: FBI-ransomware) business email compromise\
+ \ (BEC) and fraud,(Citation: FBI-BEC) \"pig butchering,\"(Citation: wired-pig\
+ \ butchering) bank hacking,(Citation: DOJ-DPRK Heist) and exploiting cryptocurrency\
+ \ networks.(Citation: BBC-Ronin) \n\nAdversaries may [Compromise Accounts](https://attack.mitre.org/techniques/T1586)\
+ \ to conduct unauthorized transfers of funds.(Citation: Internet crime report\
+ \ 2022) In the case of business email compromise or email fraud, an adversary\
+ \ may utilize [Impersonation](https://attack.mitre.org/techniques/T1656) of\
+ \ a trusted entity. Once the social engineering is successful, victims can be\
+ \ deceived into sending money to financial accounts controlled by an adversary.(Citation:\
+ \ FBI-BEC) This creates the potential for multiple victims (i.e., compromised\
+ \ accounts as well as the ultimate monetary loss) in incidents involving financial\
+ \ theft.(Citation: VEC)\n\nExtortion by ransomware may occur, for example, when\
+ \ an adversary demands payment from a victim after [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486)\
+ \ (Citation: NYT-Colonial) and [Exfiltration](https://attack.mitre.org/tactics/TA0010)\
+ \ of data, followed by threatening public exposure unless payment is made to\
+ \ the adversary.(Citation: Mandiant-leaks)\n\nDue to the potentially immense\
+ \ business impact of financial theft, an adversary may abuse the possibility\
+ \ of financial theft and seeking monetary gain to divert attention from their\
+ \ true goals such as [Data Destruction](https://attack.mitre.org/techniques/T1485)\
+ \ and business disruption.(Citation: AP-NotPetya)\nhttps://attack.mitre.org/techniques/T1657"
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1480
+ name: T1480 - Execution Guardrails
+ provider: MITRE ATT&CK
+ description: "Adversaries may use execution guardrails to constrain execution\
+ \ or actions based on adversary supplied and environment specific conditions\
+ \ that are expected to be present on the target. Guardrails ensure that a payload\
+ \ only executes against an intended target and reduces collateral damage from\
+ \ an adversary\u2019s campaign.(Citation: FireEye Kevin Mandia Guardrails) Values\
+ \ an adversary can provide about a target system or environment to use as guardrails\
+ \ may include specific network share names, attached physical devices, files,\
+ \ joined Active Directory (AD) domains, and local/external IP addresses.(Citation:\
+ \ FireEye Outlook Dec 2019)\n\nGuardrails can be used to prevent exposure of\
+ \ capabilities in environments that are not intended to be compromised or operated\
+ \ within. This use of guardrails is distinct from typical [Virtualization/Sandbox\
+ \ Evasion](https://attack.mitre.org/techniques/T1497). While use of [Virtualization/Sandbox\
+ \ Evasion](https://attack.mitre.org/techniques/T1497) may involve checking for\
+ \ known sandbox values and continuing with execution only if there is no match,\
+ \ the use of guardrails will involve checking for an expected target-specific\
+ \ value and only continuing with execution if there is such a match.\nhttps://attack.mitre.org/techniques/T1480"
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1619
+ name: T1619 - Cloud Storage Object Discovery
+ provider: MITRE ATT&CK
+ description: 'Adversaries may enumerate objects in cloud storage infrastructure.
+ Adversaries may use this information during automated discovery to shape follow-on
+ behaviors, including requesting all or specific objects from cloud storage. Similar
+ to [File and Directory Discovery](https://attack.mitre.org/techniques/T1083)
+ on a local host, after identifying available storage services (i.e. [Cloud Infrastructure
+ Discovery](https://attack.mitre.org/techniques/T1580)) adversaries may access
+ the contents/objects stored in cloud infrastructure.
+
+
+ Cloud service providers offer APIs allowing users to enumerate objects stored
+ within cloud storage. Examples include ListObjectsV2 in AWS (Citation: ListObjectsV2)
+ and List Blobs in Azure(Citation: List Blobs) .
+
+ https://attack.mitre.org/techniques/T1619'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1654
+ name: T1654 - Log Enumeration
+ provider: MITRE ATT&CK
+ description: "Adversaries may enumerate system and service logs to find useful\
+ \ data. These logs may highlight various types of valuable insights for an adversary,\
+ \ such as user authentication records ([Account Discovery](https://attack.mitre.org/techniques/T1087)),\
+ \ security or vulnerable software ([Software Discovery](https://attack.mitre.org/techniques/T1518)),\
+ \ or hosts within a compromised network ([Remote System Discovery](https://attack.mitre.org/techniques/T1018)).\n\
+ \nHost binaries may be leveraged to collect system logs. Examples include using\
+ \ `wevtutil.exe` or [PowerShell](https://attack.mitre.org/techniques/T1059/001)\
+ \ on Windows to access and/or export security event information.(Citation: WithSecure\
+ \ Lazarus-NoPineapple Threat Intel Report 2023)(Citation: Cadet Blizzard emerges\
+ \ as novel threat actor) In cloud environments, adversaries may leverage utilities\
+ \ such as the Azure VM Agent\u2019s `CollectGuestLogs.exe` to collect security\
+ \ logs from cloud hosted infrastructure.(Citation: SIM Swapping and Abuse of\
+ \ the Microsoft Azure Serial Console)\n\nAdversaries may also target centralized\
+ \ logging infrastructure such as SIEMs. Logs may also be bulk exported and sent\
+ \ to adversary-controlled infrastructure for offline analysis.\nhttps://attack.mitre.org/techniques/T1654"
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1528
+ name: T1528 - Steal Application Access Token
+ provider: MITRE ATT&CK
+ description: "Adversaries can steal application access tokens as a means of acquiring\
+ \ credentials to access remote systems and resources.\n\nApplication access\
+ \ tokens are used to make authorized API requests on behalf of a user or service\
+ \ and are commonly used as a way to access resources in cloud and container-based\
+ \ applications and software-as-a-service (SaaS).(Citation: Auth0 - Why You Should\
+ \ Always Use Access Tokens to Secure APIs Sept 2019) OAuth is one commonly implemented\
+ \ framework that issues tokens to users for access to systems. Adversaries who\
+ \ steal account API tokens in cloud and containerized environments may be able\
+ \ to access data and perform actions with the permissions of these accounts,\
+ \ which can lead to privilege escalation and further compromise of the environment.\n\
+ \nIn Kubernetes environments, processes running inside a container communicate\
+ \ with the Kubernetes API server using service account tokens. If a container\
+ \ is compromised, an attacker may be able to steal the container\u2019s token\
+ \ and thereby gain access to Kubernetes API commands.(Citation: Kubernetes Service\
+ \ Accounts)\n\nToken theft can also occur through social engineering, in which\
+ \ case user action may be required to grant access. An application desiring\
+ \ access to cloud-based services or protected APIs can gain entry using OAuth\
+ \ 2.0 through a variety of authorization protocols. An example commonly-used\
+ \ sequence is Microsoft's Authorization Code Grant flow.(Citation: Microsoft\
+ \ Identity Platform Protocols May 2019)(Citation: Microsoft - OAuth Code Authorization\
+ \ flow - June 2019) An OAuth access token enables a third-party application\
+ \ to interact with resources containing user data in the ways requested by the\
+ \ application without obtaining user credentials. \n \nAdversaries can leverage\
+ \ OAuth authorization by constructing a malicious application designed to be\
+ \ granted access to resources with the target user's OAuth token.(Citation:\
+ \ Amnesty OAuth Phishing Attacks, August 2019)(Citation: Trend Micro Pawn Storm\
+ \ OAuth 2017) The adversary will need to complete registration of their application\
+ \ with the authorization server, for example Microsoft Identity Platform using\
+ \ Azure Portal, the Visual Studio IDE, the command-line interface, PowerShell,\
+ \ or REST API calls.(Citation: Microsoft - Azure AD App Registration - May 2019)\
+ \ Then, they can send a [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002)\
+ \ to the target user to entice them to grant access to the application. Once\
+ \ the OAuth access token is granted, the application can gain potentially long-term\
+ \ access to features of the user account through [Application Access Token](https://attack.mitre.org/techniques/T1550/001).(Citation:\
+ \ Microsoft - Azure AD Identity Tokens - Aug 2019)\n\nApplication access tokens\
+ \ may function within a limited lifetime, limiting how long an adversary can\
+ \ utilize the stolen token. However, in some cases, adversaries can also steal\
+ \ application refresh tokens(Citation: Auth0 Understanding Refresh Tokens),\
+ \ allowing them to obtain new access tokens without prompting the user.\nhttps://attack.mitre.org/techniques/T1528"
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1204
+ name: T1204 - User Execution
+ provider: MITRE ATT&CK
+ description: 'An adversary may rely upon specific actions by a user in order to
+ gain execution. Users may be subjected to social engineering to get them to
+ execute malicious code by, for example, opening a malicious document file or
+ link. These user actions will typically be observed as follow-on behavior from
+ forms of [Phishing](https://attack.mitre.org/techniques/T1566).
+
+
+ While [User Execution](https://attack.mitre.org/techniques/T1204) frequently
+ occurs shortly after Initial Access it may occur at other phases of an intrusion,
+ such as when an adversary places a file in a shared directory or on a user''s
+ desktop hoping that a user will click on it. This activity may also be seen
+ shortly after [Internal Spearphishing](https://attack.mitre.org/techniques/T1534).
+
+
+ Adversaries may also deceive users into performing actions such as enabling
+ [Remote Access Software](https://attack.mitre.org/techniques/T1219), allowing
+ direct control of the system to the adversary, or downloading and executing
+ malware for [User Execution](https://attack.mitre.org/techniques/T1204). For
+ example, tech support scams can be facilitated through [Phishing](https://attack.mitre.org/techniques/T1566),
+ vishing, or various forms of user interaction. Adversaries can use a combination
+ of these methods, such as spoofing and promoting toll-free numbers or call centers
+ that are used to direct victims to malicious websites, to deliver and execute
+ payloads containing malware or [Remote Access Software](https://attack.mitre.org/techniques/T1219).(Citation:
+ Telephone Attack Delivery)
+
+ https://attack.mitre.org/techniques/T1204'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1057
+ name: T1057 - Process Discovery
+ provider: MITRE ATT&CK
+ description: 'Adversaries may attempt to get information about running processes
+ on a system. Information obtained could be used to gain an understanding of
+ common software/applications running on systems within the network. Adversaries
+ may use the information from [Process Discovery](https://attack.mitre.org/techniques/T1057)
+ during automated discovery to shape follow-on behaviors, including whether or
+ not the adversary fully infects the target and/or attempts specific actions.
+
+
+ In Windows environments, adversaries could obtain details on running processes
+ using the [Tasklist](https://attack.mitre.org/software/S0057) utility via [cmd](https://attack.mitre.org/software/S0106)
+ or Get-Process
via [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+ Information about processes can also be extracted from the output of [Native
+ API](https://attack.mitre.org/techniques/T1106) calls such as CreateToolhelp32Snapshot
.
+ In Mac and Linux, this is accomplished with the ps
command. Adversaries
+ may also opt to enumerate processes via /proc.
+
+
+ On network devices, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008)
+ commands such as `show processes` can be used to display current running processes.(Citation:
+ US-CERT-TA18-106A)(Citation: show_processes_cisco_cmd)
+
+ https://attack.mitre.org/techniques/T1057'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1072
+ name: T1072 - Software Deployment Tools
+ provider: MITRE ATT&CK
+ description: "Adversaries may gain access to and use third-party software suites\
+ \ installed within an enterprise network, such as administration, monitoring,\
+ \ and deployment systems, to move laterally through the network. Third-party\
+ \ applications and software deployment systems may be in use in the network\
+ \ environment for administration purposes (e.g., SCCM, HBSS, Altiris, etc.).\
+ \ \n\nAccess to a third-party network-wide or enterprise-wide software system\
+ \ may enable an adversary to have remote code execution on all systems that\
+ \ are connected to such a system. The access may be used to laterally move to\
+ \ other systems, gather information, or cause a specific effect, such as wiping\
+ \ the hard drives on all endpoints. Network infrastructure may also have administration\
+ \ tools that can be similarly abused by adversaries. (Citation: Fortinet Zero-Day\
+ \ and Custom Malware Used by Suspected Chinese Actor in Espionage Operation)\n\
+ \nThe permissions required for this action vary by system configuration; local\
+ \ credentials may be sufficient with direct access to the third-party system,\
+ \ or specific domain credentials may be required. However, the system may require\
+ \ an administrative account to log in or to perform it's intended purpose.\n\
+ https://attack.mitre.org/techniques/T1072"
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1041
+ name: T1041 - Exfiltration Over C2 Channel
+ provider: MITRE ATT&CK
+ description: 'Adversaries may steal data by exfiltrating it over an existing command
+ and control channel. Stolen data is encoded into the normal communications channel
+ using the same protocol as command and control communications.
+
+ https://attack.mitre.org/techniques/T1041'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1591
+ name: T1591 - Gather Victim Org Information
+ provider: MITRE ATT&CK
+ description: 'Adversaries may gather information about the victim''s organization
+ that can be used during targeting. Information about an organization may include
+ a variety of details, including the names of divisions/departments, specifics
+ of business operations, as well as the roles and responsibilities of key employees.
+
+
+ Adversaries may gather this information in various ways, such as direct elicitation
+ via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information
+ about an organization may also be exposed to adversaries via online or other
+ accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001)
+ or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation:
+ ThreatPost Broadvoice Leak)(Citation: SEC EDGAR Search) Gathering this information
+ may reveal opportunities for other forms of reconnaissance (ex: [Phishing for
+ Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)),
+ establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585)
+ or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or
+ initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566) or
+ [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).
+
+ https://attack.mitre.org/techniques/T1591'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1606
+ name: T1606 - Forge Web Credentials
+ provider: MITRE ATT&CK
+ description: 'Adversaries may forge credential materials that can be used to gain
+ access to web applications or Internet services. Web applications and services
+ (hosted in cloud SaaS environments or on-premise servers) often use session
+ cookies, tokens, or other materials to authenticate and authorize user access.
+
+
+ Adversaries may generate these credential materials in order to gain access
+ to web resources. This differs from [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539),
+ [Steal Application Access Token](https://attack.mitre.org/techniques/T1528),
+ and other similar behaviors in that the credentials are new and forged by the
+ adversary, rather than stolen or intercepted from legitimate users.
+
+
+ The generation of web credentials often requires secret values, such as passwords,
+ [Private Keys](https://attack.mitre.org/techniques/T1552/004), or other cryptographic
+ seed values.(Citation: GitHub AWS-ADFS-Credential-Generator) Adversaries may
+ also forge tokens by taking advantage of features such as the `AssumeRole` and
+ `GetFederationToken` APIs in AWS, which allow users to request temporary security
+ credentials (i.e., [Temporary Elevated Cloud Access](https://attack.mitre.org/techniques/T1548/005)),
+ or the `zmprov gdpak` command in Zimbra, which generates a pre-authentication
+ key that can be used to generate tokens for any user in the domain.(Citation:
+ AWS Temporary Security Credentials)(Citation: Zimbra Preauth)
+
+
+ Once forged, adversaries may use these web credentials to access resources (ex:
+ [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550)),
+ which may bypass multi-factor and other authentication protection mechanisms.(Citation:
+ Pass The Cookie)(Citation: Unit 42 Mac Crypto Cookies January 2019)(Citation:
+ Microsoft SolarWinds Customer Guidance)
+
+ https://attack.mitre.org/techniques/T1606'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1621
+ name: T1621 - Multi-Factor Authentication Request Generation
+ provider: MITRE ATT&CK
+ description: "Adversaries may attempt to bypass multi-factor authentication (MFA)\
+ \ mechanisms and gain access to accounts by generating MFA requests sent to\
+ \ users.\n\nAdversaries in possession of credentials to [Valid Accounts](https://attack.mitre.org/techniques/T1078)\
+ \ may be unable to complete the login process if they lack access to the 2FA\
+ \ or MFA mechanisms required as an additional credential and security control.\
+ \ To circumvent this, adversaries may abuse the automatic generation of push\
+ \ notifications to MFA services such as Duo Push, Microsoft Authenticator, Okta,\
+ \ or similar services to have the user grant access to their account.\n\nIn\
+ \ some cases, adversaries may continuously repeat login attempts in order to\
+ \ bombard users with MFA push notifications, SMS messages, and phone calls,\
+ \ potentially resulting in the user finally accepting the authentication request\
+ \ in response to \u201CMFA fatigue.\u201D(Citation: Russian 2FA Push Annoyance\
+ \ - Cimpanu)(Citation: MFA Fatigue Attacks - PortSwigger)(Citation: Suspected\
+ \ Russian Activity Targeting Government and Business Entities Around the Globe)\n\
+ https://attack.mitre.org/techniques/T1621"
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1554
+ name: T1554 - Compromise Client Software Binary
+ provider: MITRE ATT&CK
+ description: "Adversaries may modify client software binaries to establish persistent\
+ \ access to systems. Client software enables users to access services provided\
+ \ by a server. Common client software types are SSH clients, FTP clients, email\
+ \ clients, and web browsers.\n\nAdversaries may make modifications to client\
+ \ software binaries to carry out malicious tasks when those applications are\
+ \ in use. For example, an adversary may copy source code for the client software,\
+ \ add a backdoor, compile for the target, and replace the legitimate application\
+ \ binary (or support files) with the backdoored one. An adversary may also modify\
+ \ an existing binary by patching in malicious functionality (e.g., IAT Hooking/Entry\
+ \ point patching)(Citation: Unit42 Banking Trojans Hooking 2022) prior to the\
+ \ binary\u2019s legitimate execution. For example, an adversary may modify the\
+ \ entry point of a binary to point to malicious code patched in by the adversary\
+ \ before resuming normal execution flow.(Citation: ESET FontOnLake Analysis\
+ \ 2021)\n\nSince these applications may be routinely executed by the user, the\
+ \ adversary can leverage this for persistent access to the host.\nhttps://attack.mitre.org/techniques/T1554"
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1212
+ name: T1212 - Exploitation for Credential Access
+ provider: MITRE ATT&CK
+ description: "Adversaries may exploit software vulnerabilities in an attempt to\
+ \ collect credentials. Exploitation of a software vulnerability occurs when\
+ \ an adversary takes advantage of a programming error in a program, service,\
+ \ or within the operating system software or kernel itself to execute adversary-controlled\
+ \ code.\_\n\nCredentialing and authentication mechanisms may be targeted for\
+ \ exploitation by adversaries as a means to gain access to useful credentials\
+ \ or circumvent the process to gain authenticated access to systems. One example\
+ \ of this is `MS14-068`, which targets Kerberos and can be used to forge Kerberos\
+ \ tickets using domain user permissions.(Citation: Technet MS14-068)(Citation:\
+ \ ADSecurity Detecting Forged Tickets) Another example of this is replay attacks,\
+ \ in which the adversary intercepts data packets sent between parties and then\
+ \ later replays these packets. If services don't properly validate authentication\
+ \ requests, these replayed packets may allow an adversary to impersonate one\
+ \ of the parties and gain unauthorized access or privileges.(Citation: Bugcrowd\
+ \ Replay Attack)(Citation: Comparitech Replay Attack)(Citation: Microsoft Midnight\
+ \ Blizzard Replay Attack)\n\nSuch exploitation has been demonstrated in cloud\
+ \ environments as well. For example, adversaries have exploited vulnerabilities\
+ \ in public cloud infrastructure that allowed for unintended authentication\
+ \ token creation and renewal.(Citation: Storm-0558 techniques for unauthorized\
+ \ email access)\n\nExploitation for credential access may also result in Privilege\
+ \ Escalation depending on the process targeted or credentials obtained.\nhttps://attack.mitre.org/techniques/T1212"
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1590
+ name: T1590 - Gather Victim Network Information
+ provider: MITRE ATT&CK
+ description: 'Adversaries may gather information about the victim''s networks
+ that can be used during targeting. Information about networks may include a
+ variety of details, including administrative data (ex: IP ranges, domain names,
+ etc.) as well as specifics regarding its topology and operations.
+
+
+ Adversaries may gather this information in various ways, such as direct collection
+ actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or
+ [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information
+ about networks may also be exposed to adversaries via online or other accessible
+ data sets (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)).(Citation:
+ WHOIS)(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Gathering this information
+ may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595)
+ or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)),
+ establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583)
+ or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)),
+ and/or initial access (ex: [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).
+
+ https://attack.mitre.org/techniques/T1590'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1210
+ name: T1210 - Exploitation of Remote Services
+ provider: MITRE ATT&CK
+ description: "Adversaries may exploit remote services to gain unauthorized access\
+ \ to internal systems once inside of a network. Exploitation of a software vulnerability\
+ \ occurs when an adversary takes advantage of a programming error in a program,\
+ \ service, or within the operating system software or kernel itself to execute\
+ \ adversary-controlled code.\_A common goal for post-compromise exploitation\
+ \ of remote services is for lateral movement to enable access to a remote system.\n\
+ \nAn adversary may need to determine if the remote system is in a vulnerable\
+ \ state, which may be done through [Network Service Discovery](https://attack.mitre.org/techniques/T1046)\
+ \ or other Discovery methods looking for common, vulnerable software that may\
+ \ be deployed in the network, the lack of certain patches that may indicate\
+ \ vulnerabilities, or security software that may be used to detect or contain\
+ \ remote exploitation. Servers are likely a high value target for lateral movement\
+ \ exploitation, but endpoint systems may also be at risk if they provide an\
+ \ advantage or access to additional resources.\n\nThere are several well-known\
+ \ vulnerabilities that exist in common services such as SMB (Citation: CIS Multiple\
+ \ SMB Vulnerabilities) and RDP (Citation: NVD CVE-2017-0176) as well as applications\
+ \ that may be used within internal networks such as MySQL (Citation: NVD CVE-2016-6662)\
+ \ and web server services.(Citation: NVD CVE-2014-7169)\n\nDepending on the\
+ \ permissions level of the vulnerable remote service an adversary may achieve\
+ \ [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068)\
+ \ as a result of lateral movement exploitation as well.\nhttps://attack.mitre.org/techniques/T1210"
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1534
+ name: T1534 - Internal Spearphishing
+ provider: MITRE ATT&CK
+ description: 'Adversaries may use internal spearphishing to gain access to additional
+ information or exploit other users within the same organization after they already
+ have access to accounts or systems within the environment. Internal spearphishing
+ is multi-staged campaign where an email account is owned either by controlling
+ the user''s device with previously installed malware or by compromising the
+ account credentials of the user. Adversaries attempt to take advantage of a
+ trusted internal account to increase the likelihood of tricking the target into
+ falling for the phish attempt.(Citation: Trend Micro When Phishing Starts from
+ the Inside 2017)
+
+
+ Adversaries may leverage [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001)
+ or [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002) as part
+ of internal spearphishing to deliver a payload or redirect to an external site
+ to capture credentials through [Input Capture](https://attack.mitre.org/techniques/T1056)
+ on sites that mimic email login interfaces.
+
+
+ There have been notable incidents where internal spearphishing has been used.
+ The Eye Pyramid campaign used phishing emails with malicious attachments for
+ lateral movement between victims, compromising nearly 18,000 email accounts
+ in the process.(Citation: Trend Micro When Phishing Starts from the Inside 2017)
+ The Syrian Electronic Army (SEA) compromised email accounts at the Financial
+ Times (FT) to steal additional account credentials. Once FT learned of the campaign
+ and began warning employees of the threat, the SEA sent phishing emails mimicking
+ the Financial Times IT department and were able to compromise even more users.(Citation:
+ THE FINANCIAL TIMES LTD 2019.)
+
+ https://attack.mitre.org/techniques/T1534'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1199
+ name: T1199 - Trusted Relationship
+ provider: MITRE ATT&CK
+ description: 'Adversaries may breach or otherwise leverage organizations who have
+ access to intended victims. Access through trusted third party relationship
+ abuses an existing connection that may not be protected or receives less scrutiny
+ than standard mechanisms of gaining access to a network.
+
+
+ Organizations often grant elevated access to second or third-party external
+ providers in order to allow them to manage internal systems as well as cloud-based
+ environments. Some examples of these relationships include IT services contractors,
+ managed security providers, infrastructure contractors (e.g. HVAC, elevators,
+ physical security). The third-party provider''s access may be intended to be
+ limited to the infrastructure being maintained, but may exist on the same network
+ as the rest of the enterprise. As such, [Valid Accounts](https://attack.mitre.org/techniques/T1078)
+ used by the other party for access to internal network systems may be compromised
+ and used.(Citation: CISA IT Service Providers)
+
+
+ In Office 365 environments, organizations may grant Microsoft partners or resellers
+ delegated administrator permissions. By compromising a partner or reseller account,
+ an adversary may be able to leverage existing delegated administrator relationships
+ or send new delegated administrator offers to clients in order to gain administrative
+ control over the victim tenant.(Citation: Office 365 Delegated Administration)
+
+ https://attack.mitre.org/techniques/T1199'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1593
+ name: T1593 - Search Open Websites/Domains
+ provider: MITRE ATT&CK
+ description: 'Adversaries may search freely available websites and/or domains
+ for information about victims that can be used during targeting. Information
+ about victims may be available in various online sites, such as social media,
+ new sites, or those hosting information about business operations such as hiring
+ or requested/rewarded contracts.(Citation: Cyware Social Media)(Citation: SecurityTrails
+ Google Hacking)(Citation: ExploitDB GoogleHacking)
+
+
+ Adversaries may search in different online sites depending on what information
+ they seek to gather. Information from these sources may reveal opportunities
+ for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598)
+ or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)),
+ establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585)
+ or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or
+ initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)
+ or [Phishing](https://attack.mitre.org/techniques/T1566)).
+
+ https://attack.mitre.org/techniques/T1593'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1098
+ name: T1098 - Account Manipulation
+ provider: MITRE ATT&CK
+ description: "Adversaries may manipulate accounts to maintain and/or elevate access\
+ \ to victim systems. Account manipulation may consist of any action that preserves\
+ \ or modifies adversary access to a compromised account, such as modifying credentials\
+ \ or permission groups. These actions could also include account activity designed\
+ \ to subvert security policies, such as performing iterative password updates\
+ \ to bypass password duration policies and preserve the life of compromised\
+ \ credentials. \n\nIn order to create or manipulate accounts, the adversary\
+ \ must already have sufficient permissions on systems or the domain. However,\
+ \ account manipulation may also lead to privilege escalation where modifications\
+ \ grant access to additional roles, permissions, or higher-privileged [Valid\
+ \ Accounts](https://attack.mitre.org/techniques/T1078).\nhttps://attack.mitre.org/techniques/T1098"
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1048
+ name: T1048 - Exfiltration Over Alternative Protocol
+ provider: MITRE ATT&CK
+ description: "Adversaries may steal data by exfiltrating it over a different protocol\
+ \ than that of the existing command and control channel. The data may also be\
+ \ sent to an alternate network location from the main command and control server.\
+ \ \n\nAlternate protocols include FTP, SMTP, HTTP/S, DNS, SMB, or any other\
+ \ network protocol not being used as the main command and control channel. Adversaries\
+ \ may also opt to encrypt and/or obfuscate these alternate channels. \n\n[Exfiltration\
+ \ Over Alternative Protocol](https://attack.mitre.org/techniques/T1048) can\
+ \ be done using various common operating system utilities such as [Net](https://attack.mitre.org/software/S0039)/SMB\
+ \ or FTP.(Citation: Palo Alto OilRig Oct 2016) On macOS and Linux curl
\
+ \ may be used to invoke protocols such as HTTP/S or FTP/S to exfiltrate data\
+ \ from a system.(Citation: 20 macOS Common Tools and Techniques)\n\nMany IaaS\
+ \ and SaaS platforms (such as Microsoft Exchange, Microsoft SharePoint, GitHub,\
+ \ and AWS S3) support the direct download of files, emails, source code, and\
+ \ other sensitive information via the web console or [Cloud API](https://attack.mitre.org/techniques/T1059/009).\n\
+ https://attack.mitre.org/techniques/T1048"
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1597
+ name: T1597 - Search Closed Sources
+ provider: MITRE ATT&CK
+ description: 'Adversaries may search and gather information about victims from
+ closed sources that can be used during targeting. Information about victims
+ may be available for purchase from reputable private sources and databases,
+ such as paid subscriptions to feeds of technical/threat intelligence data.(Citation:
+ D3Secutrity CTI Feeds) Adversaries may also purchase information from less-reputable
+ sources such as dark web or cybercrime blackmarkets.(Citation: ZDNET Selling
+ Data)
+
+
+ Adversaries may search in different closed databases depending on what information
+ they seek to gather. Information from these sources may reveal opportunities
+ for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598)
+ or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)),
+ establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587)
+ or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or
+ initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)
+ or [Valid Accounts](https://attack.mitre.org/techniques/T1078)).
+
+ https://attack.mitre.org/techniques/T1597'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1566
+ name: T1566 - Phishing
+ provider: MITRE ATT&CK
+ description: "Adversaries may send phishing messages to gain access to victim\
+ \ systems. All forms of phishing are electronically delivered social engineering.\
+ \ Phishing can be targeted, known as spearphishing. In spearphishing, a specific\
+ \ individual, company, or industry will be targeted by the adversary. More generally,\
+ \ adversaries can conduct non-targeted phishing, such as in mass malware spam\
+ \ campaigns.\n\nAdversaries may send victims emails containing malicious attachments\
+ \ or links, typically to execute malicious code on victim systems. Phishing\
+ \ may also be conducted via third-party services, like social media platforms.\
+ \ Phishing may also involve social engineering techniques, such as posing as\
+ \ a trusted source, as well as evasive techniques such as removing or manipulating\
+ \ emails or metadata/headers from compromised accounts being abused to send\
+ \ messages (e.g., [Email Hiding Rules](https://attack.mitre.org/techniques/T1564/008)).(Citation:\
+ \ Microsoft OAuth Spam 2022)(Citation: Palo Alto Unit 42 VBA Infostealer 2014)\
+ \ Another way to accomplish this is by forging or spoofing(Citation: Proofpoint-spoof)\
+ \ the identity of the sender which can be used to fool both the human recipient\
+ \ as well as automated security tools.(Citation: cyberproof-double-bounce) \n\
+ \nVictims may also receive phishing messages that instruct them to call a phone\
+ \ number where they are directed to visit a malicious URL, download malware,(Citation:\
+ \ sygnia Luna Month)(Citation: CISA Remote Monitoring and Management Software)\
+ \ or install adversary-accessible remote management tools onto their computer\
+ \ (i.e., [User Execution](https://attack.mitre.org/techniques/T1204)).(Citation:\
+ \ Unit42 Luna Moth)\nhttps://attack.mitre.org/techniques/T1566"
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1110
+ name: T1110 - Brute Force
+ provider: MITRE ATT&CK
+ description: 'Adversaries may use brute force techniques to gain access to accounts
+ when passwords are unknown or when password hashes are obtained. Without knowledge
+ of the password for an account or set of accounts, an adversary may systematically
+ guess the password using a repetitive or iterative mechanism. Brute forcing
+ passwords can take place via interaction with a service that will check the
+ validity of those credentials or offline against previously acquired credential
+ data, such as password hashes.
+
+
+ Brute forcing credentials may take place at various points during a breach.
+ For example, adversaries may attempt to brute force access to [Valid Accounts](https://attack.mitre.org/techniques/T1078)
+ within a victim environment leveraging knowledge gathered from other post-compromise
+ behaviors such as [OS Credential Dumping](https://attack.mitre.org/techniques/T1003),
+ [Account Discovery](https://attack.mitre.org/techniques/T1087), or [Password
+ Policy Discovery](https://attack.mitre.org/techniques/T1201). Adversaries may
+ also combine brute forcing activity with behaviors such as [External Remote
+ Services](https://attack.mitre.org/techniques/T1133) as part of Initial Access.
+
+ https://attack.mitre.org/techniques/T1110'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1565
+ name: T1565 - Data Manipulation
+ provider: MITRE ATT&CK
+ description: 'Adversaries may insert, delete, or manipulate data in order to influence
+ external outcomes or hide activity, thus threatening the integrity of the data.
+ By manipulating data, adversaries may attempt to affect a business process,
+ organizational understanding, or decision making.
+
+
+ The type of modification and the impact it will have depends on the target application
+ and process as well as the goals and objectives of the adversary. For complex
+ systems, an adversary would likely need special expertise and possibly access
+ to specialized software related to the system that would typically be gained
+ through a prolonged information gathering campaign in order to have the desired
+ impact.
+
+ https://attack.mitre.org/techniques/T1565'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1559
+ name: T1559 - Inter-Process Communication
+ provider: MITRE ATT&CK
+ description: "Adversaries may abuse inter-process communication (IPC) mechanisms\
+ \ for local code or command execution. IPC is typically used by processes to\
+ \ share data, communicate with each other, or synchronize execution. IPC is\
+ \ also commonly used to avoid situations such as deadlocks, which occurs when\
+ \ processes are stuck in a cyclic waiting pattern. \n\nAdversaries may abuse\
+ \ IPC to execute arbitrary code or commands. IPC mechanisms may differ depending\
+ \ on OS, but typically exists in a form accessible through programming languages/libraries\
+ \ or native interfaces such as Windows [Dynamic Data Exchange](https://attack.mitre.org/techniques/T1559/002)\
+ \ or [Component Object Model](https://attack.mitre.org/techniques/T1559/001).\
+ \ Linux environments support several different IPC mechanisms, two of which\
+ \ being sockets and pipes.(Citation: Linux IPC) Higher level execution mediums,\
+ \ such as those of [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)s,\
+ \ may also leverage underlying IPC mechanisms. Adversaries may also use [Remote\
+ \ Services](https://attack.mitre.org/techniques/T1021) such as [Distributed\
+ \ Component Object Model](https://attack.mitre.org/techniques/T1021/003) to\
+ \ facilitate remote IPC execution.(Citation: Fireeye Hunting COM June 2019)\n\
+ https://attack.mitre.org/techniques/T1559"
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1001
+ name: T1001 - Data Obfuscation
+ provider: MITRE ATT&CK
+ description: 'Adversaries may obfuscate command and control traffic to make it
+ more difficult to detect. Command and control (C2) communications are hidden
+ (but not necessarily encrypted) in an attempt to make the content more difficult
+ to discover or decipher and to make the communication less conspicuous and hide
+ commands from being seen. This encompasses many methods, such as adding junk
+ data to protocol traffic, using steganography, or impersonating legitimate protocols.
+
+ https://attack.mitre.org/techniques/T1001'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1039
+ name: T1039 - Data from Network Shared Drive
+ provider: MITRE ATT&CK
+ description: 'Adversaries may search network shares on computers they have compromised
+ to find files of interest. Sensitive data can be collected from remote systems
+ via shared network drives (host shared directory, network file server, etc.)
+ that are accessible from the current system prior to Exfiltration. Interactive
+ command shells may be in use, and common functionality within [cmd](https://attack.mitre.org/software/S0106)
+ may be used to gather information.
+
+ https://attack.mitre.org/techniques/T1039'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1601
+ name: T1601 - Modify System Image
+ provider: MITRE ATT&CK
+ description: 'Adversaries may make changes to the operating system of embedded
+ network devices to weaken defenses and provide new capabilities for themselves. On
+ such devices, the operating systems are typically monolithic and most of the
+ device functionality and capabilities are contained within a single file.
+
+
+ To change the operating system, the adversary typically only needs to affect
+ this one file, replacing or modifying it. This can either be done live in memory
+ during system runtime for immediate effect, or in storage to implement the change
+ on the next boot of the network device.
+
+ https://attack.mitre.org/techniques/T1601'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1574
+ name: T1574 - Hijack Execution Flow
+ provider: MITRE ATT&CK
+ description: 'Adversaries may execute their own malicious payloads by hijacking
+ the way operating systems run programs. Hijacking execution flow can be for
+ the purposes of persistence, since this hijacked execution may reoccur over
+ time. Adversaries may also use these mechanisms to elevate privileges or evade
+ defenses, such as application control or other restrictions on execution.
+
+
+ There are many ways an adversary may hijack the flow of execution, including
+ by manipulating how the operating system locates programs to be executed. How
+ the operating system locates libraries to be used by a program can also be intercepted.
+ Locations where the operating system looks for programs/resources, such as file
+ directories and in the case of Windows the Registry, could also be poisoned
+ to include malicious payloads.
+
+ https://attack.mitre.org/techniques/T1574'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1078
+ name: T1078 - Valid Accounts
+ provider: MITRE ATT&CK
+ description: 'Adversaries may obtain and abuse credentials of existing accounts
+ as a means of gaining Initial Access, Persistence, Privilege Escalation, or
+ Defense Evasion. Compromised credentials may be used to bypass access controls
+ placed on various resources on systems within the network and may even be used
+ for persistent access to remote systems and externally available services, such
+ as VPNs, Outlook Web Access, network devices, and remote desktop.(Citation:
+ volexity_0day_sophos_FW) Compromised credentials may also grant an adversary
+ increased privilege to specific systems or access to restricted areas of the
+ network. Adversaries may choose not to use malware or tools in conjunction with
+ the legitimate access those credentials provide to make it harder to detect
+ their presence.
+
+
+ In some cases, adversaries may abuse inactive accounts: for example, those belonging
+ to individuals who are no longer part of an organization. Using these accounts
+ may allow the adversary to evade detection, as the original account user will
+ not be present to identify any anomalous activity taking place on their account.(Citation:
+ CISA MFA PrintNightmare)
+
+
+ The overlap of permissions for local, domain, and cloud accounts across a network
+ of systems is of concern because the adversary may be able to pivot across accounts
+ and systems to reach a high level of access (i.e., domain or enterprise administrator)
+ to bypass access controls set within the enterprise.(Citation: TechNet Credential
+ Theft)
+
+ https://attack.mitre.org/techniques/T1078'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1571
+ name: T1571 - Non-Standard Port
+ provider: MITRE ATT&CK
+ description: 'Adversaries may communicate using a protocol and port pairing that
+ are typically not associated. For example, HTTPS over port 8088(Citation: Symantec
+ Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed
+ to the traditional port 443. Adversaries may make changes to the standard port
+ used by a protocol to bypass filtering or muddle analysis/parsing of network
+ data.
+
+
+ Adversaries may also make changes to victim systems to abuse non-standard ports.
+ For example, Registry keys and other configuration settings can be used to modify
+ protocol and port pairings.(Citation: change_rdp_port_conti)
+
+ https://attack.mitre.org/techniques/T1571'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1068
+ name: T1068 - Exploitation for Privilege Escalation
+ provider: MITRE ATT&CK
+ description: 'Adversaries may exploit software vulnerabilities in an attempt to
+ elevate privileges. Exploitation of a software vulnerability occurs when an
+ adversary takes advantage of a programming error in a program, service, or within
+ the operating system software or kernel itself to execute adversary-controlled
+ code. Security constructs such as permission levels will often hinder access
+ to information and use of certain techniques, so adversaries will likely need
+ to perform privilege escalation to include use of software exploitation to circumvent
+ those restrictions.
+
+
+ When initially gaining access to a system, an adversary may be operating within
+ a lower privileged process which will prevent them from accessing certain resources
+ on the system. Vulnerabilities may exist, usually in operating system components
+ and software commonly running at higher permissions, that can be exploited to
+ gain higher levels of access on the system. This could enable someone to move
+ from unprivileged or user level permissions to SYSTEM or root permissions depending
+ on the component that is vulnerable. This could also enable an adversary to
+ move from a virtualized environment, such as within a virtual machine or container,
+ onto the underlying host. This may be a necessary step for an adversary compromising
+ an endpoint system that has been properly configured and limits other privilege
+ escalation methods.
+
+
+ Adversaries may bring a signed vulnerable driver onto a compromised machine
+ so that they can exploit the vulnerability to execute code in kernel mode. This
+ process is sometimes referred to as Bring Your Own Vulnerable Driver (BYOVD).(Citation:
+ ESET InvisiMole June 2020)(Citation: Unit42 AcidBox June 2020) Adversaries may
+ include the vulnerable driver with files delivered during Initial Access or
+ download it to a compromised system via [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)
+ or [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570).
+
+ https://attack.mitre.org/techniques/T1068'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1531
+ name: T1531 - Account Access Removal
+ provider: MITRE ATT&CK
+ description: "Adversaries may interrupt availability of system and network resources\
+ \ by inhibiting access to accounts utilized by legitimate users. Accounts may\
+ \ be deleted, locked, or manipulated (ex: changed credentials) to remove access\
+ \ to accounts. Adversaries may also subsequently log off and/or perform a [System\
+ \ Shutdown/Reboot](https://attack.mitre.org/techniques/T1529) to set malicious\
+ \ changes into place.(Citation: CarbonBlack LockerGoga 2019)(Citation: Unit42\
+ \ LockerGoga 2019)\n\nIn Windows, [Net](https://attack.mitre.org/software/S0039)\
+ \ utility, Set-LocalUser
and Set-ADAccountPassword
\
+ \ [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets may be\
+ \ used by adversaries to modify user accounts. In Linux, the passwd
\
+ \ utility may be used to change passwords. Accounts could also be disabled by\
+ \ Group Policy. \n\nAdversaries who use ransomware or similar attacks may first\
+ \ perform this and other Impact behaviors, such as [Data Destruction](https://attack.mitre.org/techniques/T1485)\
+ \ and [Defacement](https://attack.mitre.org/techniques/T1491), in order to impede\
+ \ incident response/recovery before completing the [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486)\
+ \ objective.\nhttps://attack.mitre.org/techniques/T1531"
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1027
+ name: T1027 - Obfuscated Files or Information
+ provider: MITRE ATT&CK
+ description: "Adversaries may attempt to make an executable or file difficult\
+ \ to discover or analyze by encrypting, encoding, or otherwise obfuscating its\
+ \ contents on the system or in transit. This is common behavior that can be\
+ \ used across different platforms and the network to evade defenses. \n\nPayloads\
+ \ may be compressed, archived, or encrypted in order to avoid detection. These\
+ \ payloads may be used during Initial Access or later to mitigate detection.\
+ \ Sometimes a user's action may be required to open and [Deobfuscate/Decode\
+ \ Files or Information](https://attack.mitre.org/techniques/T1140) for [User\
+ \ Execution](https://attack.mitre.org/techniques/T1204). The user may also be\
+ \ required to input a password to open a password protected compressed/encrypted\
+ \ file that was provided by the adversary. (Citation: Volexity PowerDuke November\
+ \ 2016) Adversaries may also use compressed or archived scripts, such as JavaScript.\
+ \ \n\nPortions of files can also be encoded to hide the plain-text strings that\
+ \ would otherwise help defenders with discovery. (Citation: Linux/Cdorked.A\
+ \ We Live Security Analysis) Payloads may also be split into separate, seemingly\
+ \ benign files that only reveal malicious functionality when reassembled. (Citation:\
+ \ Carbon Black Obfuscation Sept 2016)\n\nAdversaries may also abuse [Command\
+ \ Obfuscation](https://attack.mitre.org/techniques/T1027/010) to obscure commands\
+ \ executed from payloads or directly via [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059).\
+ \ Environment variables, aliases, characters, and other platform/language specific\
+ \ semantics can be used to evade signature based detections and application\
+ \ control mechanisms. (Citation: FireEye Obfuscation June 2017) (Citation: FireEye\
+ \ Revoke-Obfuscation July 2017)(Citation: PaloAlto EncodedCommand March 2017)\n\
+ https://attack.mitre.org/techniques/T1027"
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1201
+ name: T1201 - Password Policy Discovery
+ provider: MITRE ATT&CK
+ description: 'Adversaries may attempt to access detailed information about the
+ password policy used within an enterprise network or cloud environment. Password
+ policies are a way to enforce complex passwords that are difficult to guess
+ or crack through [Brute Force](https://attack.mitre.org/techniques/T1110). This
+ information may help the adversary to create a list of common passwords and
+ launch dictionary and/or brute force attacks which adheres to the policy (e.g.
+ if the minimum password length should be 8, then not trying passwords such as
+ ''pass123''; not checking for more than 3-4 passwords per account if the lockout
+ is set to 6 as to not lock out accounts).
+
+
+ Password policies can be set and discovered on Windows, Linux, and macOS systems
+ via various command shell utilities such as net accounts (/domain)
,
+ Get-ADDefaultDomainPasswordPolicy
, chage -l
,
+ cat /etc/pam.d/common-password
, and pwpolicy getaccountpolicies
+ (Citation: Superuser Linux Password Policies) (Citation: Jamf User Password
+ Policies). Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008)
+ on network devices to discover password policy information (e.g. show
+ aaa
, show aaa common-criteria policy all
).(Citation: US-CERT-TA18-106A)
+
+
+ Password policies can be discovered in cloud environments using available APIs
+ such as GetAccountPasswordPolicy
in AWS (Citation: AWS GetPasswordPolicy).
+
+ https://attack.mitre.org/techniques/T1201'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1546
+ name: T1546 - Event Triggered Execution
+ provider: MITRE ATT&CK
+ description: 'Adversaries may establish persistence and/or elevate privileges
+ using system mechanisms that trigger execution based on specific events. Various
+ operating systems have means to monitor and subscribe to events such as logons
+ or other user activity such as running specific applications/binaries. Cloud
+ environments may also support various functions and services that monitor and
+ can be invoked in response to specific cloud events.(Citation: Backdooring an
+ AWS account)(Citation: Varonis Power Automate Data Exfiltration)(Citation: Microsoft
+ DART Case Report 001)
+
+
+ Adversaries may abuse these mechanisms as a means of maintaining persistent
+ access to a victim via repeatedly executing malicious code. After gaining access
+ to a victim system, adversaries may create/modify event triggers to point to
+ malicious content that will be executed whenever the event trigger is invoked.(Citation:
+ FireEye WMI 2015)(Citation: Malware Persistence on OS X)(Citation: amnesia malware)
+
+
+ Since the execution can be proxied by an account with higher permissions, such
+ as SYSTEM or service accounts, an adversary may be able to abuse these triggered
+ execution mechanisms to escalate their privileges.
+
+ https://attack.mitre.org/techniques/T1546'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1187
+ name: T1187 - Forced Authentication
+ provider: MITRE ATT&CK
+ description: 'Adversaries may gather credential material by invoking or forcing
+ a user to automatically provide authentication information through a mechanism
+ in which they can intercept.
+
+
+ The Server Message Block (SMB) protocol is commonly used in Windows networks
+ for authentication and communication between systems for access to resources
+ and file sharing. When a Windows system attempts to connect to an SMB resource
+ it will automatically attempt to authenticate and send credential information
+ for the current user to the remote system. (Citation: Wikipedia Server Message
+ Block) This behavior is typical in enterprise environments so that users do
+ not need to enter credentials to access network resources.
+
+
+ Web Distributed Authoring and Versioning (WebDAV) is also typically used by
+ Windows systems as a backup protocol when SMB is blocked or fails. WebDAV is
+ an extension of HTTP and will typically operate over TCP ports 80 and 443. (Citation:
+ Didier Stevens WebDAV Traffic) (Citation: Microsoft Managing WebDAV Security)
+
+
+ Adversaries may take advantage of this behavior to gain access to user account
+ hashes through forced SMB/WebDAV authentication. An adversary can send an attachment
+ to a user through spearphishing that contains a resource link to an external
+ server controlled by the adversary (i.e. [Template Injection](https://attack.mitre.org/techniques/T1221)),
+ or place a specially crafted file on navigation path for privileged accounts
+ (e.g. .SCF file placed on desktop) or on a publicly accessible share to be accessed
+ by victim(s). When the user''s system accesses the untrusted resource it will
+ attempt authentication and send information, including the user''s hashed credentials,
+ over SMB to the adversary controlled server. (Citation: GitHub Hashjacking)
+ With access to the credential hash, an adversary can perform off-line [Brute
+ Force](https://attack.mitre.org/techniques/T1110) cracking to gain access to
+ plaintext credentials. (Citation: Cylance Redirect to SMB)
+
+
+ There are several different ways this can occur. (Citation: Osanda Stealing
+ NetNTLM Hashes) Some specifics from in-the-wild use include:
+
+
+ * A spearphishing attachment containing a document with a resource that is automatically
+ loaded when the document is opened (i.e. [Template Injection](https://attack.mitre.org/techniques/T1221)).
+ The document can include, for example, a request similar to file[:]//[remote
+ address]/Normal.dotm
to trigger the SMB request. (Citation: US-CERT APT
+ Energy Oct 2017)
+
+ * A modified .LNK or .SCF file with the icon filename pointing to an external
+ reference such as \\[remote address]\pic.png
that will force the
+ system to load the resource when the icon is rendered to repeatedly gather credentials.
+ (Citation: US-CERT APT Energy Oct 2017)
+
+ https://attack.mitre.org/techniques/T1187'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1599
+ name: T1599 - Network Boundary Bridging
+ provider: MITRE ATT&CK
+ description: 'Adversaries may bridge network boundaries by compromising perimeter
+ network devices or internal devices responsible for network segmentation. Breaching
+ these devices may enable an adversary to bypass restrictions on traffic routing
+ that otherwise separate trusted and untrusted networks.
+
+
+ Devices such as routers and firewalls can be used to create boundaries between
+ trusted and untrusted networks. They achieve this by restricting traffic types
+ to enforce organizational policy in an attempt to reduce the risk inherent in
+ such connections. Restriction of traffic can be achieved by prohibiting IP
+ addresses, layer 4 protocol ports, or through deep packet inspection to identify
+ applications. To participate with the rest of the network, these devices can
+ be directly addressable or transparent, but their mode of operation has no bearing
+ on how the adversary can bypass them when compromised.
+
+
+ When an adversary takes control of such a boundary device, they can bypass its
+ policy enforcement to pass normally prohibited traffic across the trust boundary
+ between the two separated networks without hinderance. By achieving sufficient
+ rights on the device, an adversary can reconfigure the device to allow the traffic
+ they want, allowing them to then further achieve goals such as command and control
+ via [Multi-hop Proxy](https://attack.mitre.org/techniques/T1090/003) or exfiltration
+ of data via [Traffic Duplication](https://attack.mitre.org/techniques/T1020/001).
+ Adversaries may also target internal devices responsible for network segmentation
+ and abuse these in conjunction with [Internal Proxy](https://attack.mitre.org/techniques/T1090/001)
+ to achieve the same goals.(Citation: Kaspersky ThreatNeedle Feb 2021) In the
+ cases where a border device separates two separate organizations, the adversary
+ can also facilitate lateral movement into new victim environments.
+
+ https://attack.mitre.org/techniques/T1599'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1486
+ name: T1486 - Data Encrypted for Impact
+ provider: MITRE ATT&CK
+ description: "Adversaries may encrypt data on target systems or on large numbers\
+ \ of systems in a network to interrupt availability to system and network resources.\
+ \ They can attempt to render stored data inaccessible by encrypting files or\
+ \ data on local and remote drives and withholding access to a decryption key.\
+ \ This may be done in order to extract monetary compensation from a victim in\
+ \ exchange for decryption or a decryption key (ransomware) or to render data\
+ \ permanently inaccessible in cases where the key is not saved or transmitted.(Citation:\
+ \ US-CERT Ransomware 2016)(Citation: FireEye WannaCry 2017)(Citation: US-CERT\
+ \ NotPetya 2017)(Citation: US-CERT SamSam 2018)\n\nIn the case of ransomware,\
+ \ it is typical that common user files like Office documents, PDFs, images,\
+ \ videos, audio, text, and source code files will be encrypted (and often renamed\
+ \ and/or tagged with specific file markers). Adversaries may need to first employ\
+ \ other behaviors, such as [File and Directory Permissions Modification](https://attack.mitre.org/techniques/T1222)\
+ \ or [System Shutdown/Reboot](https://attack.mitre.org/techniques/T1529), in\
+ \ order to unlock and/or gain access to manipulate these files.(Citation: CarbonBlack\
+ \ Conti July 2020) In some cases, adversaries may encrypt critical system files,\
+ \ disk partitions, and the MBR.(Citation: US-CERT NotPetya 2017) \n\nTo maximize\
+ \ impact on the target organization, malware designed for encrypting data may\
+ \ have worm-like features to propagate across a network by leveraging other\
+ \ attack techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078),\
+ \ [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows\
+ \ Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: FireEye\
+ \ WannaCry 2017)(Citation: US-CERT NotPetya 2017) Encryption malware may also\
+ \ leverage [Internal Defacement](https://attack.mitre.org/techniques/T1491/001),\
+ \ such as changing victim wallpapers, or otherwise intimidate victims by sending\
+ \ ransom notes or other messages to connected printers (known as \"print bombing\"\
+ ).(Citation: NHS Digital Egregor Nov 2020)\n\nIn cloud environments, storage\
+ \ objects within compromised accounts may also be encrypted.(Citation: Rhino\
+ \ S3 Ransomware Part 1)\nhttps://attack.mitre.org/techniques/T1486"
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1553
+ name: T1553 - Subvert Trust Controls
+ provider: MITRE ATT&CK
+ description: 'Adversaries may undermine security controls that will either warn
+ users of untrusted activity or prevent execution of untrusted programs. Operating
+ systems and security products may contain mechanisms to identify programs or
+ websites as possessing some level of trust. Examples of such features would
+ include a program being allowed to run because it is signed by a valid code
+ signing certificate, a program prompting the user with a warning because it
+ has an attribute set from being downloaded from the Internet, or getting an
+ indication that you are about to connect to an untrusted site.
+
+
+ Adversaries may attempt to subvert these trust mechanisms. The method adversaries
+ use will depend on the specific mechanism they seek to subvert. Adversaries
+ may conduct [File and Directory Permissions Modification](https://attack.mitre.org/techniques/T1222)
+ or [Modify Registry](https://attack.mitre.org/techniques/T1112) in support of
+ subverting these controls.(Citation: SpectorOps Subverting Trust Sept 2017)
+ Adversaries may also create or steal code signing certificates to acquire trust
+ on target systems.(Citation: Securelist Digital Certificates)(Citation: Symantec
+ Digital Certificates)
+
+ https://attack.mitre.org/techniques/T1553'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1573
+ name: T1573 - Encrypted Channel
+ provider: MITRE ATT&CK
+ description: 'Adversaries may employ a known encryption algorithm to conceal command
+ and control traffic rather than relying on any inherent protections provided
+ by a communication protocol. Despite the use of a secure algorithm, these implementations
+ may be vulnerable to reverse engineering if secret keys are encoded and/or generated
+ within malware samples/configuration files.
+
+ https://attack.mitre.org/techniques/T1573'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1056
+ name: T1056 - Input Capture
+ provider: MITRE ATT&CK
+ description: 'Adversaries may use methods of capturing user input to obtain credentials
+ or collect information. During normal system usage, users often provide credentials
+ to various different locations, such as login pages/portals or system dialog
+ boxes. Input capture mechanisms may be transparent to the user (e.g. [Credential
+ API Hooking](https://attack.mitre.org/techniques/T1056/004)) or rely on deceiving
+ the user into providing input into what they believe to be a genuine service
+ (e.g. [Web Portal Capture](https://attack.mitre.org/techniques/T1056/003)).
+
+ https://attack.mitre.org/techniques/T1056'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1203
+ name: T1203 - Exploitation for Client Execution
+ provider: MITRE ATT&CK
+ description: 'Adversaries may exploit software vulnerabilities in client applications
+ to execute code. Vulnerabilities can exist in software due to unsecure coding
+ practices that can lead to unanticipated behavior. Adversaries can take advantage
+ of certain vulnerabilities through targeted exploitation for the purpose of
+ arbitrary code execution. Oftentimes the most valuable exploits to an offensive
+ toolkit are those that can be used to obtain code execution on a remote system
+ because they can be used to gain access to that system. Users will expect to
+ see files related to the applications they commonly used to do work, so they
+ are a useful target for exploit research and development because of their high
+ utility.
+
+
+ Several types exist:
+
+
+ ### Browser-based Exploitation
+
+
+ Web browsers are a common target through [Drive-by Compromise](https://attack.mitre.org/techniques/T1189)
+ and [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002). Endpoint
+ systems may be compromised through normal web browsing or from certain users
+ being targeted by links in spearphishing emails to adversary controlled sites
+ used to exploit the web browser. These often do not require an action by the
+ user for the exploit to be executed.
+
+
+ ### Office Applications
+
+
+ Common office and productivity applications such as Microsoft Office are also
+ targeted through [Phishing](https://attack.mitre.org/techniques/T1566). Malicious
+ files will be transmitted directly as attachments or through links to download
+ them. These require the user to open the document or file for the exploit to
+ run.
+
+
+ ### Common Third-party Applications
+
+
+ Other applications that are commonly seen or are part of the software deployed
+ in a target network may also be used for exploitation. Applications such as
+ Adobe Reader and Flash, which are common in enterprise environments, have been
+ routinely targeted by adversaries attempting to gain access to systems. Depending
+ on the software and nature of the vulnerability, some may be exploited in the
+ browser or require the user to open a file. For instance, some Flash exploits
+ have been delivered as objects within Microsoft Office documents.
+
+ https://attack.mitre.org/techniques/T1203'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1570
+ name: T1570 - Lateral Tool Transfer
+ provider: MITRE ATT&CK
+ description: 'Adversaries may transfer tools or other files between systems in
+ a compromised environment. Once brought into the victim environment (i.e., [Ingress
+ Tool Transfer](https://attack.mitre.org/techniques/T1105)) files may then be
+ copied from one system to another to stage adversary tools or other files over
+ the course of an operation.
+
+
+ Adversaries may copy files between internal victim systems to support lateral
+ movement using inherent file sharing protocols such as file sharing over [SMB/Windows
+ Admin Shares](https://attack.mitre.org/techniques/T1021/002) to connected network
+ shares or with authenticated connections via [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001).(Citation:
+ Unit42 LockerGoga 2019)
+
+
+ Files can also be transferred using native or otherwise present tools on the
+ victim system, such as scp, rsync, curl, sftp, and [ftp](https://attack.mitre.org/software/S0095).
+ In some cases, adversaries may be able to leverage [Web Service](https://attack.mitre.org/techniques/T1102)s
+ such as Dropbox or OneDrive to copy files from one machine to another via shared,
+ automatically synced folders.(Citation: Dropbox Malware Sync)
+
+ https://attack.mitre.org/techniques/T1570'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1095
+ name: T1095 - Non-Application Layer Protocol
+ provider: MITRE ATT&CK
+ description: 'Adversaries may use an OSI non-application layer protocol for communication
+ between host and C2 server or among infected hosts within a network. The list
+ of possible protocols is extensive.(Citation: Wikipedia OSI) Specific examples
+ include use of network layer protocols, such as the Internet Control Message
+ Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol
+ (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled
+ protocols, such as Serial over LAN (SOL).
+
+
+ ICMP communication between hosts is one example.(Citation: Cisco Synful Knock
+ Evolution) Because ICMP is part of the Internet Protocol Suite, it is required
+ to be implemented by all IP-compatible hosts.(Citation: Microsoft ICMP) However,
+ it is not as commonly monitored as other Internet Protocols such as TCP or UDP
+ and may be used by adversaries to hide communications.
+
+ https://attack.mitre.org/techniques/T1095'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1012
+ name: T1012 - Query Registry
+ provider: MITRE ATT&CK
+ description: 'Adversaries may interact with the Windows Registry to gather information
+ about the system, configuration, and installed software.
+
+
+ The Registry contains a significant amount of information about the operating
+ system, configuration, software, and security.(Citation: Wikipedia Windows Registry)
+ Information can easily be queried using the [Reg](https://attack.mitre.org/software/S0075)
+ utility, though other means to access the Registry exist. Some of the information
+ may help adversaries to further their operation within a network. Adversaries
+ may use the information from [Query Registry](https://attack.mitre.org/techniques/T1012)
+ during automated discovery to shape follow-on behaviors, including whether or
+ not the adversary fully infects the target and/or attempts specific actions.
+
+ https://attack.mitre.org/techniques/T1012'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1030
+ name: T1030 - Data Transfer Size Limits
+ provider: MITRE ATT&CK
+ description: 'An adversary may exfiltrate data in fixed size chunks instead of
+ whole files or limit packet sizes below certain thresholds. This approach may
+ be used to avoid triggering network data transfer threshold alerts.
+
+ https://attack.mitre.org/techniques/T1030'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1499
+ name: T1499 - Endpoint Denial of Service
+ provider: MITRE ATT&CK
+ description: 'Adversaries may perform Endpoint Denial of Service (DoS) attacks
+ to degrade or block the availability of services to users. Endpoint DoS can
+ be performed by exhausting the system resources those services are hosted on
+ or exploiting the system to cause a persistent crash condition. Example services
+ include websites, email services, DNS, and web-based applications. Adversaries
+ have been observed conducting DoS attacks for political purposes(Citation: FireEye
+ OpPoisonedHandover February 2016) and to support other malicious activities,
+ including distraction(Citation: FSISAC FraudNetDoS September 2012), hacktivism,
+ and extortion.(Citation: Symantec DDoS October 2014)
+
+
+ An Endpoint DoS denies the availability of a service without saturating the
+ network used to provide access to the service. Adversaries can target various
+ layers of the application stack that is hosted on the system used to provide
+ the service. These layers include the Operating Systems (OS), server applications
+ such as web servers, DNS servers, databases, and the (typically web-based) applications
+ that sit on top of them. Attacking each layer requires different techniques
+ that take advantage of bottlenecks that are unique to the respective components.
+ A DoS attack may be generated by a single system or multiple systems spread
+ across the internet, which is commonly referred to as a distributed DoS (DDoS).
+
+
+ To perform DoS attacks against endpoint resources, several aspects apply to
+ multiple methods, including IP address spoofing and botnets.
+
+
+ Adversaries may use the original IP address of an attacking system, or spoof
+ the source IP address to make the attack traffic more difficult to trace back
+ to the attacking system or to enable reflection. This can increase the difficulty
+ defenders have in defending against the attack by reducing or eliminating the
+ effectiveness of filtering by the source address on network defense devices.
+
+
+ Botnets are commonly used to conduct DDoS attacks against networks and services.
+ Large botnets can generate a significant amount of traffic from systems spread
+ across the global internet. Adversaries may have the resources to build out
+ and control their own botnet infrastructure or may rent time on an existing
+ botnet to conduct an attack. In some of the worst cases for DDoS, so many systems
+ are used to generate requests that each one only needs to send out a small amount
+ of traffic to produce enough volume to exhaust the target''s resources. In such
+ circumstances, distinguishing DDoS traffic from legitimate clients becomes exceedingly
+ difficult. Botnets have been used in some of the most high-profile DDoS attacks,
+ such as the 2012 series of incidents that targeted major US banks.(Citation:
+ USNYAG IranianBotnet March 2016)
+
+
+ In cases where traffic manipulation is used, there may be points in the global
+ network (such as high traffic gateway routers) where packets can be altered
+ and cause legitimate clients to execute code that directs network packets toward
+ a target in high volume. This type of capability was previously used for the
+ purposes of web censorship where client HTTP traffic was modified to include
+ a reference to JavaScript that generated the DDoS code to overwhelm target web
+ servers.(Citation: ArsTechnica Great Firewall of China)
+
+
+ For attacks attempting to saturate the providing network, see [Network Denial
+ of Service](https://attack.mitre.org/techniques/T1498).
+
+ https://attack.mitre.org/techniques/T1499'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1614
+ name: T1614 - System Location Discovery
+ provider: MITRE ATT&CK
+ description: 'Adversaries may gather information in an attempt to calculate the
+ geographical location of a victim host. Adversaries may use the information
+ from [System Location Discovery](https://attack.mitre.org/techniques/T1614)
+ during automated discovery to shape follow-on behaviors, including whether or
+ not the adversary fully infects the target and/or attempts specific actions.
+
+
+ Adversaries may attempt to infer the location of a system using various system
+ checks, such as time zone, keyboard layout, and/or language settings.(Citation:
+ FBI Ragnar Locker 2020)(Citation: Sophos Geolocation 2016)(Citation: Bleepingcomputer
+ RAT malware 2020) Windows API functions such as GetLocaleInfoW
+ can also be used to determine the locale of the host.(Citation: FBI Ragnar Locker
+ 2020) In cloud environments, an instance''s availability zone may also be discovered
+ by accessing the instance metadata service from the instance.(Citation: AWS
+ Instance Identity Documents)(Citation: Microsoft Azure Instance Metadata 2021)
+
+
+ Adversaries may also attempt to infer the location of a victim host using IP
+ addressing, such as via online geolocation IP-lookup services.(Citation: Securelist
+ Trasparent Tribe 2020)(Citation: Sophos Geolocation 2016)
+
+ https://attack.mitre.org/techniques/T1614'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1197
+ name: T1197 - BITS Jobs
+ provider: MITRE ATT&CK
+ description: 'Adversaries may abuse BITS jobs to persistently execute code and
+ perform various background tasks. Windows Background Intelligent Transfer Service
+ (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through
+ [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM).(Citation:
+ Microsoft COM)(Citation: Microsoft BITS) BITS is commonly used by updaters,
+ messengers, and other applications preferred to operate in the background (using
+ available idle bandwidth) without interrupting other networked applications.
+ File transfer tasks are implemented as BITS jobs, which contain a queue of one
+ or more file operations.
+
+
+ The interface to create and manage BITS jobs is accessible through [PowerShell](https://attack.mitre.org/techniques/T1059/001)
+ and the [BITSAdmin](https://attack.mitre.org/software/S0190) tool.(Citation:
+ Microsoft BITS)(Citation: Microsoft BITSAdmin)
+
+
+ Adversaries may abuse BITS to download (e.g. [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)),
+ execute, and even clean up after running malicious code (e.g. [Indicator Removal](https://attack.mitre.org/techniques/T1070)).
+ BITS tasks are self-contained in the BITS job database, without new files or
+ registry modifications, and often permitted by host firewalls.(Citation: CTU
+ BITS Malware June 2016)(Citation: Mondok Windows PiggyBack BITS May 2007)(Citation:
+ Symantec BITS May 2007) BITS enabled execution may also enable persistence by
+ creating long-standing jobs (the default maximum lifetime is 90 days and extendable)
+ or invoking an arbitrary program when a job completes or errors (including after
+ system reboots).(Citation: PaloAlto UBoatRAT Nov 2017)(Citation: CTU BITS Malware
+ June 2016)
+
+
+ BITS upload functionalities can also be used to perform [Exfiltration Over Alternative
+ Protocol](https://attack.mitre.org/techniques/T1048).(Citation: CTU BITS Malware
+ June 2016)
+
+ https://attack.mitre.org/techniques/T1197'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1656
+ name: T1656 - Impersonation
+ provider: MITRE ATT&CK
+ description: "Adversaries may impersonate a trusted person or organization in\
+ \ order to persuade and trick a target into performing some action on their\
+ \ behalf. For example, adversaries may communicate with victims (via [Phishing\
+ \ for Information](https://attack.mitre.org/techniques/T1598), [Phishing](https://attack.mitre.org/techniques/T1566),\
+ \ or [Internal Spearphishing](https://attack.mitre.org/techniques/T1534)) while\
+ \ impersonating a known sender such as an executive, colleague, or third-party\
+ \ vendor. Established trust can then be leveraged to accomplish an adversary\u2019\
+ s ultimate goals, possibly against multiple victims. \n \nIn many cases of business\
+ \ email compromise or email fraud campaigns, adversaries use impersonation to\
+ \ defraud victims -- deceiving them into sending money or divulging information\
+ \ that ultimately enables [Financial Theft](https://attack.mitre.org/techniques/T1657).\n\
+ \nAdversaries will often also use social engineering techniques such as manipulative\
+ \ and persuasive language in email subject lines and body text such as `payment`,\
+ \ `request`, or `urgent` to push the victim to act quickly before malicious\
+ \ activity is detected. These campaigns are often specifically targeted against\
+ \ people who, due to job roles and/or accesses, can carry out the adversary\u2019\
+ s goal.\u202F\u202F \n \nImpersonation is typically preceded by reconnaissance\
+ \ techniques such as [Gather Victim Identity Information](https://attack.mitre.org/techniques/T1589)\
+ \ and [Gather Victim Org Information](https://attack.mitre.org/techniques/T1591)\
+ \ as well as acquiring infrastructure such as email domains (i.e. [Domains](https://attack.mitre.org/techniques/T1583/001))\
+ \ to substantiate their false identity.(Citation: CrowdStrike-BEC)\n \nThere\
+ \ is the potential for multiple victims in campaigns involving impersonation.\
+ \ For example, an adversary may [Compromise Accounts](https://attack.mitre.org/techniques/T1586)\
+ \ targeting one organization which can then be used to support impersonation\
+ \ against other entities.(Citation: VEC)\nhttps://attack.mitre.org/techniques/T1656"
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1132
+ name: T1132 - Data Encoding
+ provider: MITRE ATT&CK
+ description: 'Adversaries may encode data to make the content of command and control
+ traffic more difficult to detect. Command and control (C2) information can be
+ encoded using a standard data encoding system. Use of data encoding may adhere
+ to existing protocol specifications and includes use of ASCII, Unicode, Base64,
+ MIME, or other binary-to-text and character encoding systems.(Citation: Wikipedia
+ Binary-to-text Encoding) (Citation: Wikipedia Character Encoding) Some data
+ encoding systems may also result in data compression, such as gzip.
+
+ https://attack.mitre.org/techniques/T1132'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1598
+ name: T1598 - Phishing for Information
+ provider: MITRE ATT&CK
+ description: "Adversaries may send phishing messages to elicit sensitive information\
+ \ that can be used during targeting. Phishing for information is an attempt\
+ \ to trick targets into divulging information, frequently credentials or other\
+ \ actionable information. Phishing for information is different from [Phishing](https://attack.mitre.org/techniques/T1566)\
+ \ in that the objective is gathering data from the victim rather than executing\
+ \ malicious code.\n\nAll forms of phishing are electronically delivered social\
+ \ engineering. Phishing can be targeted, known as spearphishing. In spearphishing,\
+ \ a specific individual, company, or industry will be targeted by the adversary.\
+ \ More generally, adversaries can conduct non-targeted phishing, such as in\
+ \ mass credential harvesting campaigns.\n\nAdversaries may also try to obtain\
+ \ information directly through the exchange of emails, instant messages, or\
+ \ other electronic conversation means.(Citation: ThreatPost Social Media Phishing)(Citation:\
+ \ TrendMictro Phishing)(Citation: PCMag FakeLogin)(Citation: Sophos Attachment)(Citation:\
+ \ GitHub Phishery) Victims may also receive phishing messages that direct them\
+ \ to call a phone number where the adversary attempts to collect confidential\
+ \ information.(Citation: Avertium callback phishing)\n\nPhishing for information\
+ \ frequently involves social engineering techniques, such as posing as a source\
+ \ with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585)\
+ \ or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or\
+ \ sending multiple, seemingly urgent messages. Another way to accomplish this\
+ \ is by forging or spoofing(Citation: Proofpoint-spoof) the identity of the\
+ \ sender which can be used to fool both the human recipient as well as automated\
+ \ security tools.(Citation: cyberproof-double-bounce) \n\nPhishing for information\
+ \ may also involve evasive techniques, such as removing or manipulating emails\
+ \ or metadata/headers from compromised accounts being abused to send messages\
+ \ (e.g., [Email Hiding Rules](https://attack.mitre.org/techniques/T1564/008)).(Citation:\
+ \ Microsoft OAuth Spam 2022)(Citation: Palo Alto Unit 42 VBA Infostealer 2014)\n\
+ https://attack.mitre.org/techniques/T1598"
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1496
+ name: T1496 - Resource Hijacking
+ provider: MITRE ATT&CK
+ description: "Adversaries may leverage the resources of co-opted systems to complete\
+ \ resource-intensive tasks, which may impact system and/or hosted service availability.\
+ \ \n\nOne common purpose for Resource Hijacking is to validate transactions\
+ \ of cryptocurrency networks and earn virtual currency. Adversaries may consume\
+ \ enough system resources to negatively impact and/or cause affected machines\
+ \ to become unresponsive.(Citation: Kaspersky Lazarus Under The Hood Blog 2017)\
+ \ Servers and cloud-based systems are common targets because of the high potential\
+ \ for available resources, but user endpoint systems may also be compromised\
+ \ and used for Resource Hijacking and cryptocurrency mining.(Citation: CloudSploit\
+ \ - Unused AWS Regions) Containerized environments may also be targeted due\
+ \ to the ease of deployment via exposed APIs and the potential for scaling mining\
+ \ activities by deploying or compromising multiple containers within an environment\
+ \ or cluster.(Citation: Unit 42 Hildegard Malware)(Citation: Trend Micro Exposed\
+ \ Docker APIs)\n\nAdditionally, some cryptocurrency mining malware identify\
+ \ then kill off processes for competing malware to ensure it\u2019s not competing\
+ \ for resources.(Citation: Trend Micro War of Crypto Miners)\n\nAdversaries\
+ \ may also use malware that leverages a system's network bandwidth as part of\
+ \ a botnet in order to facilitate [Network Denial of Service](https://attack.mitre.org/techniques/T1498)\
+ \ campaigns and/or to seed malicious torrents.(Citation: GoBotKR) Alternatively,\
+ \ they may engage in proxyjacking by selling use of the victims' network bandwidth\
+ \ and IP address to proxyware services.(Citation: Sysdig Proxyjacking)\nhttps://attack.mitre.org/techniques/T1496"
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1585
+ name: T1585 - Establish Accounts
+ provider: MITRE ATT&CK
+ description: 'Adversaries may create and cultivate accounts with services that
+ can be used during targeting. Adversaries can create accounts that can be used
+ to build a persona to further operations. Persona development consists of the
+ development of public information, presence, history and appropriate affiliations.
+ This development could be applied to social media, website, or other publicly
+ available information that could be referenced and scrutinized for legitimacy
+ over the course of an operation using that persona or identity.(Citation: NEWSCASTER2014)(Citation:
+ BlackHatRobinSage)
+
+
+ For operations incorporating social engineering, the utilization of an online
+ persona may be important. These personas may be fictitious or impersonate real
+ people. The persona may exist on a single site or across multiple sites (ex:
+ Facebook, LinkedIn, Twitter, Google, GitHub, Docker Hub, etc.). Establishing
+ a persona may require development of additional documentation to make them seem
+ real. This could include filling out profile information, developing social
+ networks, or incorporating photos.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage)
+
+
+ Establishing accounts can also include the creation of accounts with email providers,
+ which may be directly leveraged for [Phishing for Information](https://attack.mitre.org/techniques/T1598)
+ or [Phishing](https://attack.mitre.org/techniques/T1566).(Citation: Mandiant
+ APT1)
+
+ https://attack.mitre.org/techniques/T1585'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1588
+ name: T1588 - Obtain Capabilities
+ provider: MITRE ATT&CK
+ description: 'Adversaries may buy and/or steal capabilities that can be used during
+ targeting. Rather than developing their own capabilities in-house, adversaries
+ may purchase, freely download, or steal them. Activities may include the acquisition
+ of malware, software (including licenses), exploits, certificates, and information
+ relating to vulnerabilities. Adversaries may obtain capabilities to support
+ their operations throughout numerous phases of the adversary lifecycle.
+
+
+ In addition to downloading free malware, software, and exploits from the internet,
+ adversaries may purchase these capabilities from third-party entities. Third-party
+ entities can include technology companies that specialize in malware and exploits,
+ criminal marketplaces, or from individuals.(Citation: NationsBuying)(Citation:
+ PegasusCitizenLab)
+
+
+ In addition to purchasing capabilities, adversaries may steal capabilities from
+ third-party entities (including other adversaries). This can include stealing
+ software licenses, malware, SSL/TLS and code-signing certificates, or raiding
+ closed databases of vulnerabilities or exploits.(Citation: DiginotarCompromise)
+
+ https://attack.mitre.org/techniques/T1588'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1569
+ name: T1569 - System Services
+ provider: MITRE ATT&CK
+ description: 'Adversaries may abuse system services or daemons to execute commands
+ or programs. Adversaries can execute malicious content by interacting with or
+ creating services either locally or remotely. Many services are set to run at
+ boot, which can aid in achieving persistence ([Create or Modify System Process](https://attack.mitre.org/techniques/T1543)),
+ but adversaries can also abuse services for one-time or temporary execution.
+
+ https://attack.mitre.org/techniques/T1569'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1650
+ name: T1650 - Acquire Access
+ provider: MITRE ATT&CK
+ description: "Adversaries may purchase or otherwise acquire an existing access\
+ \ to a target system or network. A variety of online services and initial access\
+ \ broker networks are available to sell access to previously compromised systems.(Citation:\
+ \ Microsoft Ransomware as a Service)(Citation: CrowdStrike Access Brokers)(Citation:\
+ \ Krebs Access Brokers Fortune 500) In some cases, adversary groups may form\
+ \ partnerships to share compromised systems with each other.(Citation: CISA\
+ \ Karakurt 2022)\n\nFootholds to compromised systems may take a variety of forms,\
+ \ such as access to planted backdoors (e.g., [Web Shell](https://attack.mitre.org/techniques/T1505/003))\
+ \ or established access via [External Remote Services](https://attack.mitre.org/techniques/T1133).\
+ \ In some cases, access brokers will implant compromised systems with a \u201C\
+ load\u201D that can be used to install additional malware for paying customers.(Citation:\
+ \ Microsoft Ransomware as a Service)\n\nBy leveraging existing access broker\
+ \ networks rather than developing or obtaining their own initial access capabilities,\
+ \ an adversary can potentially reduce the resources required to gain a foothold\
+ \ on a target network and focus their efforts on later stages of compromise.\
+ \ Adversaries may prioritize acquiring access to systems that have been determined\
+ \ to lack security monitoring or that have high privileges, or systems that\
+ \ belong to organizations in a particular sector.(Citation: Microsoft Ransomware\
+ \ as a Service)(Citation: CrowdStrike Access Brokers)\n\nIn some cases, purchasing\
+ \ access to an organization in sectors such as IT contracting, software development,\
+ \ or telecommunications may allow an adversary to compromise additional victims\
+ \ via a [Trusted Relationship](https://attack.mitre.org/techniques/T1199), [Multi-Factor\
+ \ Authentication Interception](https://attack.mitre.org/techniques/T1111), or\
+ \ even [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195).\n\
+ \n**Note:** while this technique is distinct from other behaviors such as [Purchase\
+ \ Technical Data](https://attack.mitre.org/techniques/T1597/002) and [Credentials](https://attack.mitre.org/techniques/T1589/001),\
+ \ they may often be used in conjunction (especially where the acquired foothold\
+ \ requires [Valid Accounts](https://attack.mitre.org/techniques/T1078)).\nhttps://attack.mitre.org/techniques/T1650"
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1213
+ name: T1213 - Data from Information Repositories
+ provider: MITRE ATT&CK
+ description: "Adversaries may leverage information repositories to mine valuable\
+ \ information. Information repositories are tools that allow for storage of\
+ \ information, typically to facilitate collaboration or information sharing\
+ \ between users, and can store a wide variety of data that may aid adversaries\
+ \ in further objectives, or direct access to the target information. Adversaries\
+ \ may also abuse external sharing features to share sensitive documents with\
+ \ recipients outside of the organization. \n\nThe following is a brief list\
+ \ of example information that may hold potential value to an adversary and may\
+ \ also be found on an information repository:\n\n* Policies, procedures, and\
+ \ standards\n* Physical / logical network diagrams\n* System architecture diagrams\n\
+ * Technical system documentation\n* Testing / development credentials\n* Work\
+ \ / project schedules\n* Source code snippets\n* Links to network shares and\
+ \ other internal resources\n\nInformation stored in a repository may vary based\
+ \ on the specific instance or environment. Specific common information repositories\
+ \ include web-based platforms such as [Sharepoint](https://attack.mitre.org/techniques/T1213/002)\
+ \ and [Confluence](https://attack.mitre.org/techniques/T1213/001), specific\
+ \ services such as Code Repositories, IaaS databases, enterprise databases,\
+ \ and other storage infrastructure such as SQL Server.\nhttps://attack.mitre.org/techniques/T1213"
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1200
+ name: T1200 - Hardware Additions
+ provider: MITRE ATT&CK
+ description: 'Adversaries may introduce computer accessories, networking hardware,
+ or other computing devices into a system or network that can be used as a vector
+ to gain access. Rather than just connecting and distributing payloads via removable
+ storage (i.e. [Replication Through Removable Media](https://attack.mitre.org/techniques/T1091)),
+ more robust hardware additions can be used to introduce new functionalities
+ and/or features into a system that can then be abused.
+
+
+ While public references of usage by threat actors are scarce, many red teams/penetration
+ testers leverage hardware additions for initial access. Commercial and open
+ source products can be leveraged with capabilities such as passive network tapping,
+ network traffic modification (i.e. [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557)),
+ keystroke injection, kernel memory reading via DMA, addition of new wireless
+ access to an existing network, and others.(Citation: Ossmann Star Feb 2011)(Citation:
+ Aleks Weapons Nov 2015)(Citation: Frisk DMA August 2016)(Citation: McMillan
+ Pwn March 2012)
+
+ https://attack.mitre.org/techniques/T1200'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1505
+ name: T1505 - Server Software Component
+ provider: MITRE ATT&CK
+ description: 'Adversaries may abuse legitimate extensible development features
+ of servers to establish persistent access to systems. Enterprise server applications
+ may include features that allow developers to write and install software or
+ scripts to extend the functionality of the main application. Adversaries may
+ install malicious components to extend and abuse server applications.(Citation:
+ volexity_0day_sophos_FW)
+
+ https://attack.mitre.org/techniques/T1505'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1485
+ name: T1485 - Data Destruction
+ provider: MITRE ATT&CK
+ description: 'Adversaries may destroy data and files on specific systems or in
+ large numbers on a network to interrupt availability to systems, services, and
+ network resources. Data destruction is likely to render stored data irrecoverable
+ by forensic techniques through overwriting files or data on local and remote
+ drives.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation:
+ Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Unit
+ 42 Shamoon3 2018)(Citation: Talos Olympic Destroyer 2018) Common operating system
+ file deletion commands such as del
and rm
often only
+ remove pointers to files without wiping the contents of the files themselves,
+ making the files recoverable by proper forensic methodology. This behavior is
+ distinct from [Disk Content Wipe](https://attack.mitre.org/techniques/T1561/001)
+ and [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) because
+ individual files are destroyed rather than sections of a storage disk or the
+ disk''s logical structure.
+
+
+ Adversaries may attempt to overwrite files and directories with randomly generated
+ data to make it irrecoverable.(Citation: Kaspersky StoneDrill 2017)(Citation:
+ Unit 42 Shamoon3 2018) In some cases politically oriented image files have been
+ used to overwrite data.(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto
+ Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)
+
+
+ To maximize impact on the target organization in operations where network-wide
+ availability interruption is the goal, malware designed for destroying data
+ may have worm-like features to propagate across a network by leveraging additional
+ techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078),
+ [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows
+ Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Symantec
+ Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon
+ Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Talos Olympic Destroyer
+ 2018).
+
+
+ In cloud environments, adversaries may leverage access to delete cloud storage,
+ cloud storage accounts, machine images, and other infrastructure crucial to
+ operations to damage an organization or their customers.(Citation: Data Destruction
+ - Threat Post)(Citation: DOJ - Cisco Insider)
+
+ https://attack.mitre.org/techniques/T1485'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1537
+ name: T1537 - Transfer Data to Cloud Account
+ provider: MITRE ATT&CK
+ description: 'Adversaries may exfiltrate data by transferring the data, including
+ backups of cloud environments, to another cloud account they control on the
+ same service to avoid typical file transfers/downloads and network-based exfiltration
+ detection.
+
+
+ A defender who is monitoring for large transfers to outside the cloud environment
+ through normal file transfers or over command and control channels may not be
+ watching for data transfers to another account within the same cloud provider.
+ Such transfers may utilize existing cloud provider APIs and the internal address
+ space of the cloud provider to blend into normal traffic or avoid data transfers
+ over external network interfaces.
+
+
+ Incidents have been observed where adversaries have created backups of cloud
+ instances and transferred them to separate accounts.(Citation: DOJ GRU Indictment
+ Jul 2018)
+
+ https://attack.mitre.org/techniques/T1537'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1189
+ name: T1189 - Drive-by Compromise
+ provider: MITRE ATT&CK
+ description: "Adversaries may gain access to a system through a user visiting\
+ \ a website over the normal course of browsing. With this technique, the user's\
+ \ web browser is typically targeted for exploitation, but adversaries may also\
+ \ use compromised websites for non-exploitation behavior such as acquiring [Application\
+ \ Access Token](https://attack.mitre.org/techniques/T1550/001).\n\nMultiple\
+ \ ways of delivering exploit code to a browser exist (i.e., [Drive-by Target](https://attack.mitre.org/techniques/T1608/004)),\
+ \ including:\n\n* A legitimate website is compromised where adversaries have\
+ \ injected some form of malicious code such as JavaScript, iFrames, and cross-site\
+ \ scripting\n* Script files served to a legitimate website from a publicly writeable\
+ \ cloud storage bucket are modified by an adversary\n* Malicious ads are paid\
+ \ for and served through legitimate ad providers (i.e., [Malvertising](https://attack.mitre.org/techniques/T1583/008))\n\
+ * Built-in web application interfaces are leveraged for the insertion of any\
+ \ other kind of object that can be used to display web content or contain a\
+ \ script that executes on the visiting client (e.g. forum posts, comments, and\
+ \ other user controllable web content).\n\nOften the website used by an adversary\
+ \ is one visited by a specific community, such as government, a particular industry,\
+ \ or region, where the goal is to compromise a specific user or set of users\
+ \ based on a shared interest. This kind of targeted campaign is often referred\
+ \ to a strategic web compromise or watering hole attack. There are several known\
+ \ examples of this occurring.(Citation: Shadowserver Strategic Web Compromise)\n\
+ \nTypical drive-by compromise process:\n\n1. A user visits a website that is\
+ \ used to host the adversary controlled content.\n2. Scripts automatically execute,\
+ \ typically searching versions of the browser and plugins for a potentially\
+ \ vulnerable version. \n * The user may be required to assist in this process\
+ \ by enabling scripting or active website components and ignoring warning dialog\
+ \ boxes.\n3. Upon finding a vulnerable version, exploit code is delivered to\
+ \ the browser.\n4. If exploitation is successful, then it will give the adversary\
+ \ code execution on the user's system unless other protections are in place.\n\
+ \ * In some cases a second visit to the website after the initial scan is\
+ \ required before exploit code is delivered.\n\nUnlike [Exploit Public-Facing\
+ \ Application](https://attack.mitre.org/techniques/T1190), the focus of this\
+ \ technique is to exploit software on a client endpoint upon visiting a website.\
+ \ This will commonly give an adversary access to systems on the internal network\
+ \ instead of external systems that may be in a DMZ.\n\nAdversaries may also\
+ \ use compromised websites to deliver a user to a malicious application designed\
+ \ to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s,\
+ \ like OAuth tokens, to gain access to protected applications and information.\
+ \ These malicious applications have been delivered through popups on legitimate\
+ \ websites.(Citation: Volexity OceanLotus Nov 2017)\nhttps://attack.mitre.org/techniques/T1189"
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1498
+ name: T1498 - Network Denial of Service
+ provider: MITRE ATT&CK
+ description: 'Adversaries may perform Network Denial of Service (DoS) attacks
+ to degrade or block the availability of targeted resources to users. Network
+ DoS can be performed by exhausting the network bandwidth services rely on. Example
+ resources include specific websites, email services, DNS, and web-based applications.
+ Adversaries have been observed conducting network DoS attacks for political
+ purposes(Citation: FireEye OpPoisonedHandover February 2016) and to support
+ other malicious activities, including distraction(Citation: FSISAC FraudNetDoS
+ September 2012), hacktivism, and extortion.(Citation: Symantec DDoS October
+ 2014)
+
+
+ A Network DoS will occur when the bandwidth capacity of the network connection
+ to a system is exhausted due to the volume of malicious traffic directed at
+ the resource or the network connections and network devices the resource relies
+ on. For example, an adversary may send 10Gbps of traffic to a server that is
+ hosted by a network with a 1Gbps connection to the internet. This traffic can
+ be generated by a single system or multiple systems spread across the internet,
+ which is commonly referred to as a distributed DoS (DDoS).
+
+
+ To perform Network DoS attacks several aspects apply to multiple methods, including
+ IP address spoofing, and botnets.
+
+
+ Adversaries may use the original IP address of an attacking system, or spoof
+ the source IP address to make the attack traffic more difficult to trace back
+ to the attacking system or to enable reflection. This can increase the difficulty
+ defenders have in defending against the attack by reducing or eliminating the
+ effectiveness of filtering by the source address on network defense devices.
+
+
+ For DoS attacks targeting the hosting system directly, see [Endpoint Denial
+ of Service](https://attack.mitre.org/techniques/T1499).
+
+ https://attack.mitre.org/techniques/T1498'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1651
+ name: T1651 - Cloud Administration Command
+ provider: MITRE ATT&CK
+ description: "Adversaries may abuse cloud management services to execute commands\
+ \ within virtual machines or hybrid-joined devices. Resources such as AWS Systems\
+ \ Manager, Azure RunCommand, and Runbooks allow users to remotely run scripts\
+ \ in virtual machines by leveraging installed virtual machine agents. Similarly,\
+ \ in Azure AD environments, Microsoft Endpoint Manager allows Global or Intune\
+ \ Administrators to run scripts as SYSTEM on on-premises devices joined to the\
+ \ Azure AD.(Citation: AWS Systems Manager Run Command)(Citation: Microsoft Run\
+ \ Command)(Citation: SpecterOps Lateral Movement from Azure to On-Prem AD 2020)\n\
+ \nIf an adversary gains administrative access to a cloud environment, they may\
+ \ be able to abuse cloud management services to execute commands in the environment\u2019\
+ s virtual machines or on-premises hybrid-joined devices. Additionally, an adversary\
+ \ that compromises a service provider or delegated administrator account may\
+ \ similarly be able to leverage a [Trusted Relationship](https://attack.mitre.org/techniques/T1199)\
+ \ to execute commands in connected virtual machines.(Citation: MSTIC Nobelium\
+ \ Oct 2021)\nhttps://attack.mitre.org/techniques/T1651"
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1221
+ name: T1221 - Template Injection
+ provider: MITRE ATT&CK
+ description: "Adversaries may create or modify references in user document templates\
+ \ to conceal malicious code or force authentication attempts. For example, Microsoft\u2019\
+ s Office Open XML (OOXML) specification defines an XML-based format for Office\
+ \ documents (.docx, xlsx, .pptx) to replace older binary formats (.doc, .xls,\
+ \ .ppt). OOXML files are packed together ZIP archives compromised of various\
+ \ XML files, referred to as parts, containing properties that collectively define\
+ \ how a document is rendered.(Citation: Microsoft Open XML July 2017)\n\nProperties\
+ \ within parts may reference shared public resources accessed via online URLs.\
+ \ For example, template properties may reference a file, serving as a pre-formatted\
+ \ document blueprint, that is fetched when the document is loaded.\n\nAdversaries\
+ \ may abuse these templates to initially conceal malicious code to be executed\
+ \ via user documents. Template references injected into a document may enable\
+ \ malicious payloads to be fetched and executed when the document is loaded.(Citation:\
+ \ SANS Brian Wiltse Template Injection) These documents can be delivered via\
+ \ other techniques such as [Phishing](https://attack.mitre.org/techniques/T1566)\
+ \ and/or [Taint Shared Content](https://attack.mitre.org/techniques/T1080) and\
+ \ may evade static detections since no typical indicators (VBA macro, script,\
+ \ etc.) are present until after the malicious payload is fetched.(Citation:\
+ \ Redxorblue Remote Template Injection) Examples have been seen in the wild\
+ \ where template injection was used to load malicious code containing an exploit.(Citation:\
+ \ MalwareBytes Template Injection OCT 2017)\n\nAdversaries may also modify the\
+ \ *\\template
control word within an .rtf file to similarly conceal\
+ \ then download malicious code. This legitimate control word value is intended\
+ \ to be a file destination of a template file resource that is retrieved and\
+ \ loaded when an .rtf file is opened. However, adversaries may alter the bytes\
+ \ of an existing .rtf file to insert a template control word field to include\
+ \ a URL resource of a malicious payload.(Citation: Proofpoint RTF Injection)(Citation:\
+ \ Ciberseguridad Decoding malicious RTF files)\n\nThis technique may also enable\
+ \ [Forced Authentication](https://attack.mitre.org/techniques/T1187) by injecting\
+ \ a SMB/HTTPS (or other credential prompting) URL and triggering an authentication\
+ \ attempt.(Citation: Anomali Template Injection MAR 2018)(Citation: Talos Template\
+ \ Injection July 2017)(Citation: ryhanson phishery SEPT 2016)\nhttps://attack.mitre.org/techniques/T1221"
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1134
+ name: T1134 - Access Token Manipulation
+ provider: MITRE ATT&CK
+ description: 'Adversaries may modify access tokens to operate under a different
+ user or system security context to perform actions and bypass access controls.
+ Windows uses access tokens to determine the ownership of a running process.
+ A user can manipulate access tokens to make a running process appear as though
+ it is the child of a different process or belongs to someone other than the
+ user that started the process. When this occurs, the process also takes on the
+ security context associated with the new token.
+
+
+ An adversary can use built-in Windows API functions to copy access tokens from
+ existing processes; this is known as token stealing. These token can then be
+ applied to an existing process (i.e. [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001))
+ or used to spawn a new process (i.e. [Create Process with Token](https://attack.mitre.org/techniques/T1134/002)).
+ An adversary must already be in a privileged user context (i.e. administrator)
+ to steal a token. However, adversaries commonly use token stealing to elevate
+ their security context from the administrator level to the SYSTEM level. An
+ adversary can then use a token to authenticate to a remote system as the account
+ for that token if the account has appropriate permissions on the remote system.(Citation:
+ Pentestlab Token Manipulation)
+
+
+ Any standard user can use the runas
command, and the Windows API
+ functions, to create impersonation tokens; it does not require access to an
+ administrator account. There are also other mechanisms, such as Active Directory
+ fields, that can be used to modify access tokens.
+
+ https://attack.mitre.org/techniques/T1134'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1111
+ name: T1111 - Multi-Factor Authentication Interception
+ provider: MITRE ATT&CK
+ description: "Adversaries may target multi-factor authentication (MFA) mechanisms,\
+ \ (i.e., smart cards, token generators, etc.) to gain access to credentials\
+ \ that can be used to access systems, services, and network resources. Use of\
+ \ MFA is recommended and provides a higher level of security than usernames\
+ \ and passwords alone, but organizations should be aware of techniques that\
+ \ could be used to intercept and bypass these security mechanisms. \n\nIf a\
+ \ smart card is used for multi-factor authentication, then a keylogger will\
+ \ need to be used to obtain the password associated with a smart card during\
+ \ normal use. With both an inserted card and access to the smart card password,\
+ \ an adversary can connect to a network resource using the infected system to\
+ \ proxy the authentication with the inserted hardware token. (Citation: Mandiant\
+ \ M Trends 2011)\n\nAdversaries may also employ a keylogger to similarly target\
+ \ other hardware tokens, such as RSA SecurID. Capturing token input (including\
+ \ a user's personal identification code) may provide temporary access (i.e.\
+ \ replay the one-time passcode until the next value rollover) as well as possibly\
+ \ enabling adversaries to reliably predict future authentication values (given\
+ \ access to both the algorithm and any seed values used to generate appended\
+ \ temporary codes). (Citation: GCN RSA June 2011)\n\nOther methods of MFA may\
+ \ be intercepted and used by an adversary to authenticate. It is common for\
+ \ one-time codes to be sent via out-of-band communications (email, SMS). If\
+ \ the device and/or service is not secured, then it may be vulnerable to interception.\
+ \ Service providers can also be targeted: for example, an adversary may compromise\
+ \ an SMS messaging service in order to steal MFA codes sent to users\u2019 phones.(Citation:\
+ \ Okta Scatter Swine 2022)\nhttps://attack.mitre.org/techniques/T1111"
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1136
+ name: T1136 - Create Account
+ provider: MITRE ATT&CK
+ description: 'Adversaries may create an account to maintain access to victim systems.
+ With a sufficient level of access, creating such accounts may be used to establish
+ secondary credentialed access that do not require persistent remote access tools
+ to be deployed on the system.
+
+
+ Accounts may be created on the local system or within a domain or cloud tenant.
+ In cloud environments, adversaries may create accounts that only have access
+ to specific services, which can reduce the chance of detection.
+
+ https://attack.mitre.org/techniques/T1136'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1526
+ name: T1526 - Cloud Service Discovery
+ provider: MITRE ATT&CK
+ description: 'An adversary may attempt to enumerate the cloud services running
+ on a system after gaining access. These methods can differ from platform-as-a-service
+ (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS).
+ Many services exist throughout the various cloud providers and can include Continuous
+ Integration and Continuous Delivery (CI/CD), Lambda Functions, Azure AD, etc.
+ They may also include security services, such as AWS GuardDuty and Microsoft
+ Defender for Cloud, and logging services, such as AWS CloudTrail and Google
+ Cloud Audit Logs.
+
+
+ Adversaries may attempt to discover information about the services enabled throughout
+ the environment. Azure tools and APIs, such as the Azure AD Graph API and Azure
+ Resource Manager API, can enumerate resources and services, including applications,
+ management groups, resources and policy definitions, and their relationships
+ that are accessible by an identity.(Citation: Azure - Resource Manager API)(Citation:
+ Azure AD Graph API)
+
+
+ For example, Stormspotter is an open source tool for enumerating and constructing
+ a graph for Azure resources and services, and Pacu is an open source AWS exploitation
+ framework that supports several methods for discovering cloud services.(Citation:
+ Azure - Stormspotter)(Citation: GitHub Pacu)
+
+
+ Adversaries may use the information gained to shape follow-on behaviors, such
+ as targeting data or credentials from enumerated services or evading identified
+ defenses through [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001)
+ or [Disable or Modify Cloud Logs](https://attack.mitre.org/techniques/T1562/008).
+
+ https://attack.mitre.org/techniques/T1526'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1018
+ name: T1018 - Remote System Discovery
+ provider: MITRE ATT&CK
+ description: 'Adversaries may attempt to get a listing of other systems by IP
+ address, hostname, or other logical identifier on a network that may be used
+ for Lateral Movement from the current system. Functionality could exist within
+ remote access tools to enable this, but utilities available on the operating
+ system could also be used such as [Ping](https://attack.mitre.org/software/S0097)
+ or net view
using [Net](https://attack.mitre.org/software/S0039).
+
+
+ Adversaries may also analyze data from local host files (ex: C:\Windows\System32\Drivers\etc\hosts
+ or /etc/hosts
) or other passive means (such as local [Arp](https://attack.mitre.org/software/S0099)
+ cache entries) in order to discover the presence of remote systems in an environment.
+
+
+ Adversaries may also target discovery of network infrastructure as well as leverage
+ [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands
+ on network devices to gather detailed information about systems within a network
+ (e.g. show cdp neighbors
, show arp
).(Citation: US-CERT-TA18-106A)(Citation:
+ CISA AR21-126A FIVEHANDS May 2021)
+
+ https://attack.mitre.org/techniques/T1018'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1046
+ name: T1046 - Network Service Discovery
+ provider: MITRE ATT&CK
+ description: "Adversaries may attempt to get a listing of services running on\
+ \ remote hosts and local network infrastructure devices, including those that\
+ \ may be vulnerable to remote software exploitation. Common methods to acquire\
+ \ this information include port and/or vulnerability scans using tools that\
+ \ are brought onto a system.(Citation: CISA AR21-126A FIVEHANDS May 2021) \
+ \ \n\nWithin cloud environments, adversaries may attempt to discover services\
+ \ running on other cloud hosts. Additionally, if the cloud environment is connected\
+ \ to a on-premises environment, adversaries may be able to identify services\
+ \ running on non-cloud systems as well.\n\nWithin macOS environments, adversaries\
+ \ may use the native Bonjour application to discover services running on other\
+ \ macOS hosts within a network. The Bonjour mDNSResponder daemon automatically\
+ \ registers and advertises a host\u2019s registered services on the network.\
+ \ For example, adversaries can use a mDNS query (such as dns-sd -B _ssh._tcp\
+ \ .
) to find other systems broadcasting the ssh service.(Citation: apple\
+ \ doco bonjour description)(Citation: macOS APT Activity Bradley)\nhttps://attack.mitre.org/techniques/T1046"
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1518
+ name: T1518 - Software Discovery
+ provider: MITRE ATT&CK
+ description: 'Adversaries may attempt to get a listing of software and software
+ versions that are installed on a system or in a cloud environment. Adversaries
+ may use the information from [Software Discovery](https://attack.mitre.org/techniques/T1518)
+ during automated discovery to shape follow-on behaviors, including whether or
+ not the adversary fully infects the target and/or attempts specific actions.
+
+
+ Adversaries may attempt to enumerate software for a variety of reasons, such
+ as figuring out what security measures are present or if the compromised system
+ has a version of software that is vulnerable to [Exploitation for Privilege
+ Escalation](https://attack.mitre.org/techniques/T1068).
+
+ https://attack.mitre.org/techniques/T1518'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1538
+ name: T1538 - Cloud Service Dashboard
+ provider: MITRE ATT&CK
+ description: 'An adversary may use a cloud service dashboard GUI with stolen credentials
+ to gain useful information from an operational cloud environment, such as specific
+ services, resources, and features. For example, the GCP Command Center can be
+ used to view all assets, findings of potential security risks, and to run additional
+ queries, such as finding public IP addresses and open ports.(Citation: Google
+ Command Center Dashboard)
+
+
+ Depending on the configuration of the environment, an adversary may be able
+ to enumerate more information via the graphical dashboard than an API. This
+ allows the adversary to gain information without making any API requests.
+
+ https://attack.mitre.org/techniques/T1538'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1622
+ name: T1622 - Debugger Evasion
+ provider: MITRE ATT&CK
+ description: "Adversaries may employ various means to detect and avoid debuggers.\
+ \ Debuggers are typically used by defenders to trace and/or analyze the execution\
+ \ of potential malware payloads.(Citation: ProcessHacker Github)\n\nDebugger\
+ \ evasion may include changing behaviors based on the results of the checks\
+ \ for the presence of artifacts indicative of a debugged environment. Similar\
+ \ to [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497),\
+ \ if the adversary detects a debugger, they may alter their malware to disengage\
+ \ from the victim or conceal the core functions of the implant. They may also\
+ \ search for debugger artifacts before dropping secondary or additional payloads.\n\
+ \nSpecific checks will vary based on the target and/or adversary, but may involve\
+ \ [Native API](https://attack.mitre.org/techniques/T1106) function calls such\
+ \ as IsDebuggerPresent()
and NtQueryInformationProcess()
,\
+ \ or manually checking the BeingDebugged
flag of the Process Environment\
+ \ Block (PEB). Other checks for debugging artifacts may also seek to enumerate\
+ \ hardware breakpoints, interrupt assembly opcodes, time checks, or measurements\
+ \ if exceptions are raised in the current process (assuming a present debugger\
+ \ would \u201Cswallow\u201D or handle the potential error).(Citation: hasherezade\
+ \ debug)(Citation: AlKhaser Debug)(Citation: vxunderground debug)\n\nAdversaries\
+ \ may use the information learned from these debugger checks during automated\
+ \ discovery to shape follow-on behaviors. Debuggers can also be evaded by detaching\
+ \ the process or flooding debug logs with meaningless data via messages produced\
+ \ by looping [Native API](https://attack.mitre.org/techniques/T1106) function\
+ \ calls such as OutputDebugStringW()
.(Citation: wardle evilquest\
+ \ partii)(Citation: Checkpoint Dridex Jan 2021)\nhttps://attack.mitre.org/techniques/T1622"
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1052
+ name: T1052 - Exfiltration Over Physical Medium
+ provider: MITRE ATT&CK
+ description: 'Adversaries may attempt to exfiltrate data via a physical medium,
+ such as a removable drive. In certain circumstances, such as an air-gapped network
+ compromise, exfiltration could occur via a physical medium or device introduced
+ by a user. Such media could be an external hard drive, USB drive, cellular phone,
+ MP3 player, or other removable storage and processing device. The physical medium
+ or device could be used as the final exfiltration point or to hop between otherwise
+ disconnected systems.
+
+ https://attack.mitre.org/techniques/T1052'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1105
+ name: T1105 - Ingress Tool Transfer
+ provider: MITRE ATT&CK
+ description: "Adversaries may transfer tools or other files from an external system\
+ \ into a compromised environment. Tools or files may be copied from an external\
+ \ adversary-controlled system to the victim network through the command and\
+ \ control channel or through alternate protocols such as [ftp](https://attack.mitre.org/software/S0095).\
+ \ Once present, adversaries may also transfer/spread tools between victim devices\
+ \ within a compromised environment (i.e. [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570)).\
+ \ \n\nOn Windows, adversaries may use various utilities to download tools, such\
+ \ as `copy`, `finger`, [certutil](https://attack.mitre.org/software/S0160),\
+ \ and [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands such\
+ \ as IEX(New-Object Net.WebClient).downloadString()
and Invoke-WebRequest
.\
+ \ On Linux and macOS systems, a variety of utilities also exist, such as `curl`,\
+ \ `scp`, `sftp`, `tftp`, `rsync`, `finger`, and `wget`.(Citation: t1105_lolbas)\n\
+ \nAdversaries may also abuse installers and package managers, such as `yum`\
+ \ or `winget`, to download tools to victim hosts.\n\nFiles can also be transferred\
+ \ using various [Web Service](https://attack.mitre.org/techniques/T1102)s as\
+ \ well as native or otherwise present tools on the victim system.(Citation:\
+ \ PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage\
+ \ services that sync between a web-based and an on-premises client, such as\
+ \ Dropbox or OneDrive, to transfer files onto victim systems. For example, by\
+ \ compromising a cloud account and logging into the service's web portal, an\
+ \ adversary may be able to trigger an automatic syncing process that transfers\
+ \ the file onto the victim's machine.(Citation: Dropbox Malware Sync)\nhttps://attack.mitre.org/techniques/T1105"
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1648
+ name: T1648 - Serverless Execution
+ provider: MITRE ATT&CK
+ description: "Adversaries may abuse serverless computing, integration, and automation\
+ \ services to execute arbitrary code in cloud environments. Many cloud providers\
+ \ offer a variety of serverless resources, including compute engines, application\
+ \ integration services, and web servers. \n\nAdversaries may abuse these resources\
+ \ in various ways as a means of executing arbitrary commands. For example, adversaries\
+ \ may use serverless functions to execute malicious code, such as crypto-mining\
+ \ malware (i.e. [Resource Hijacking](https://attack.mitre.org/techniques/T1496)).(Citation:\
+ \ Cado Security Denonia) Adversaries may also create functions that enable further\
+ \ compromise of the cloud environment. For example, an adversary may use the\
+ \ `IAM:PassRole` permission in AWS or the `iam.serviceAccounts.actAs` permission\
+ \ in Google Cloud to add [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003)\
+ \ to a serverless cloud function, which may then be able to perform actions\
+ \ the original user cannot.(Citation: Rhino Security Labs AWS Privilege Escalation)(Citation:\
+ \ Rhingo Security Labs GCP Privilege Escalation)\n\nServerless functions can\
+ \ also be invoked in response to cloud events (i.e. [Event Triggered Execution](https://attack.mitre.org/techniques/T1546)),\
+ \ potentially enabling persistent execution over time. For example, in AWS environments,\
+ \ an adversary may create a Lambda function that automatically adds [Additional\
+ \ Cloud Credentials](https://attack.mitre.org/techniques/T1098/001) to a user\
+ \ and a corresponding CloudWatch events rule that invokes that function whenever\
+ \ a new user is created.(Citation: Backdooring an AWS account) Similarly, an\
+ \ adversary may create a Power Automate workflow in Office 365 environments\
+ \ that forwards all emails a user receives or creates anonymous sharing links\
+ \ whenever a user is granted access to a document in SharePoint.(Citation: Varonis\
+ \ Power Automate Data Exfiltration)(Citation: Microsoft DART Case Report 001)\n\
+ https://attack.mitre.org/techniques/T1648"
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1653
+ name: T1653 - Power Settings
+ provider: MITRE ATT&CK
+ description: 'Adversaries may impair a system''s ability to hibernate, reboot,
+ or shut down in order to extend access to infected machines. When a computer
+ enters a dormant state, some or all software and hardware may cease to operate
+ which can disrupt malicious activity.(Citation: Sleep, shut down, hibernate)
+
+
+ Adversaries may abuse system utilities and configuration settings to maintain
+ access by preventing machines from entering a state, such as standby, that can
+ terminate malicious activity.(Citation: Microsoft: Powercfg command-line options)(Citation:
+ systemdsleep Linux)
+
+
+ For example, `powercfg` controls all configurable power system settings on a
+ Windows system and can be abused to prevent an infected host from locking or
+ shutting down.(Citation: Two New Monero Malware Attacks Target Windows and Android
+ Users) Adversaries may also extend system lock screen timeout settings.(Citation:
+ BATLOADER: The Evasive Downloader Malware) Other relevant settings, such as
+ disk and hibernate timeout, can be similarly abused to keep the infected machine
+ running even if no user is active.(Citation: CoinLoader: A Sophisticated Malware
+ Loader Campaign)
+
+
+ Aware that some malware cannot survive system reboots, adversaries may entirely
+ delete files used to invoke system shut down or reboot.(Citation: Condi-Botnet-binaries)
+
+ https://attack.mitre.org/techniques/T1653'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1484
+ name: T1484 - Domain Policy Modification
+ provider: MITRE ATT&CK
+ description: 'Adversaries may modify the configuration settings of a domain to
+ evade defenses and/or escalate privileges in domain environments. Domains provide
+ a centralized means of managing how computer resources (ex: computers, user
+ accounts) can act, and interact with each other, on a network. The policy of
+ the domain also includes configuration settings that may apply between domains
+ in a multi-domain/forest environment. Modifications to domain settings may include
+ altering domain Group Policy Objects (GPOs) or changing trust settings for domains,
+ including federation trusts.
+
+
+ With sufficient permissions, adversaries can modify domain policy settings.
+ Since domain configuration settings control many of the interactions within
+ the Active Directory (AD) environment, there are a great number of potential
+ attacks that can stem from this abuse. Examples of such abuse include modifying
+ GPOs to push a malicious [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)
+ to computers throughout the domain environment(Citation: ADSecurity GPO Persistence
+ 2016)(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions)
+ or modifying domain trusts to include an adversary controlled domain where they
+ can control access tokens that will subsequently be accepted by victim domain
+ resources.(Citation: Microsoft - Customer Guidance on Recent Nation-State Cyber
+ Attacks) Adversaries can also change configuration settings within the AD environment
+ to implement a [Rogue Domain Controller](https://attack.mitre.org/techniques/T1207).
+
+
+ Adversaries may temporarily modify domain policy, carry out a malicious action(s),
+ and then revert the change to remove suspicious indicators.
+
+ https://attack.mitre.org/techniques/T1484'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1220
+ name: T1220 - XSL Script Processing
+ provider: MITRE ATT&CK
+ description: "Adversaries may bypass application control and obscure execution\
+ \ of code by embedding scripts inside XSL files. Extensible Stylesheet Language\
+ \ (XSL) files are commonly used to describe the processing and rendering of\
+ \ data within XML files. To support complex operations, the XSL standard includes\
+ \ support for embedded scripting in various languages. (Citation: Microsoft\
+ \ XSLT Script Mar 2017)\n\nAdversaries may abuse this functionality to execute\
+ \ arbitrary files while potentially bypassing application control. Similar to\
+ \ [Trusted Developer Utilities Proxy Execution](https://attack.mitre.org/techniques/T1127),\
+ \ the Microsoft common line transformation utility binary (msxsl.exe) (Citation:\
+ \ Microsoft msxsl.exe) can be installed and used to execute malicious JavaScript\
+ \ embedded within local or remote (URL referenced) XSL files. (Citation: Penetration\
+ \ Testing Lab MSXSL July 2017) Since msxsl.exe is not installed by default,\
+ \ an adversary will likely need to package it with dropped files. (Citation:\
+ \ Reaqta MSXSL Spearphishing MAR 2018) Msxsl.exe takes two main arguments, an\
+ \ XML source file and an XSL stylesheet. Since the XSL file is valid XML, the\
+ \ adversary may call the same XSL file twice. When using msxsl.exe adversaries\
+ \ may also give the XML/XSL files an arbitrary file extension.(Citation: XSL\
+ \ Bypass Mar 2019)\n\nCommand-line examples:(Citation: Penetration Testing Lab\
+ \ MSXSL July 2017)(Citation: XSL Bypass Mar 2019)\n\n* msxsl.exe customers[.]xml\
+ \ script[.]xsl
\n* msxsl.exe script[.]xsl script[.]xsl
\n\
+ * msxsl.exe script[.]jpeg script[.]jpeg
\n\nAnother variation of\
+ \ this technique, dubbed \u201CSquiblytwo\u201D, involves using [Windows Management\
+ \ Instrumentation](https://attack.mitre.org/techniques/T1047) to invoke JScript\
+ \ or VBScript within an XSL file.(Citation: LOLBAS Wmic) This technique can\
+ \ also execute local/remote scripts and, similar to its [Regsvr32](https://attack.mitre.org/techniques/T1218/010)/\
+ \ \"Squiblydoo\" counterpart, leverages a trusted, built-in Windows tool. Adversaries\
+ \ may abuse any alias in [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047)\
+ \ provided they utilize the /FORMAT switch.(Citation: XSL Bypass Mar 2019)\n\
+ \nCommand-line examples:(Citation: XSL Bypass Mar 2019)(Citation: LOLBAS Wmic)\n\
+ \n* Local File: wmic process list /FORMAT:evil[.]xsl
\n* Remote\
+ \ File: wmic os get /FORMAT:\u201Dhttps[:]//example[.]com/evil[.]xsl\u201D\
+
\nhttps://attack.mitre.org/techniques/T1220"
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1587
+ name: T1587 - Develop Capabilities
+ provider: MITRE ATT&CK
+ description: 'Adversaries may build capabilities that can be used during targeting.
+ Rather than purchasing, freely downloading, or stealing capabilities, adversaries
+ may develop their own capabilities in-house. This is the process of identifying
+ development requirements and building solutions such as malware, exploits, and
+ self-signed certificates. Adversaries may develop capabilities to support their
+ operations throughout numerous phases of the adversary lifecycle.(Citation:
+ Mandiant APT1)(Citation: Kaspersky Sofacy)(Citation: Bitdefender StrongPity
+ June 2020)(Citation: Talos Promethium June 2020)
+
+
+ As with legitimate development efforts, different skill sets may be required
+ for developing capabilities. The skills needed may be located in-house, or may
+ need to be contracted out. Use of a contractor may be considered an extension
+ of that adversary''s development capabilities, provided the adversary plays
+ a role in shaping requirements and maintains a degree of exclusivity to the
+ capability.
+
+ https://attack.mitre.org/techniques/T1587'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1008
+ name: T1008 - Fallback Channels
+ provider: MITRE ATT&CK
+ description: 'Adversaries may use fallback or alternate communication channels
+ if the primary channel is compromised or inaccessible in order to maintain reliable
+ command and control and to avoid data transfer thresholds.
+
+ https://attack.mitre.org/techniques/T1008'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1124
+ name: T1124 - System Time Discovery
+ provider: MITRE ATT&CK
+ description: 'An adversary may gather the system time and/or time zone from a
+ local or remote system. The system time is set and stored by the Windows Time
+ Service within a domain to maintain time synchronization between systems and
+ services in an enterprise network. (Citation: MSDN System Time)(Citation: Technet
+ Windows Time Service)
+
+
+ System time information may be gathered in a number of ways, such as with [Net](https://attack.mitre.org/software/S0039)
+ on Windows by performing net time \\hostname
to gather the system
+ time on a remote system. The victim''s time zone may also be inferred from the
+ current system time or gathered by using w32tm /tz
.(Citation: Technet
+ Windows Time Service)
+
+
+ On network devices, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008)
+ commands such as `show clock detail` can be used to see the current time configuration.(Citation:
+ show_clock_detail_cisco_cmd)
+
+
+ This information could be useful for performing other techniques, such as executing
+ a file with a [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053)(Citation:
+ RSA EU12 They''re Inside), or to discover locality information based on time
+ zone to assist in victim targeting (i.e. [System Location Discovery](https://attack.mitre.org/techniques/T1614)).
+ Adversaries may also use knowledge of system time as part of a time bomb, or
+ delaying execution until a specified date/time.(Citation: AnyRun TimeBomb)
+
+ https://attack.mitre.org/techniques/T1124'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1556
+ name: T1556 - Modify Authentication Process
+ provider: MITRE ATT&CK
+ description: 'Adversaries may modify authentication mechanisms and processes to
+ access user credentials or enable otherwise unwarranted access to accounts.
+ The authentication process is handled by mechanisms, such as the Local Security
+ Authentication Server (LSASS) process and the Security Accounts Manager (SAM)
+ on Windows, pluggable authentication modules (PAM) on Unix-based systems, and
+ authorization plugins on MacOS systems, responsible for gathering, storing,
+ and validating credentials. By modifying an authentication process, an adversary
+ may be able to authenticate to a service or system without using [Valid Accounts](https://attack.mitre.org/techniques/T1078).
+
+
+ Adversaries may maliciously modify a part of this process to either reveal credentials
+ or bypass authentication mechanisms. Compromised credentials or access may be
+ used to bypass access controls placed on various resources on systems within
+ the network and may even be used for persistent access to remote systems and
+ externally available services, such as VPNs, Outlook Web Access and remote desktop.
+
+ https://attack.mitre.org/techniques/T1556'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1495
+ name: T1495 - Firmware Corruption
+ provider: MITRE ATT&CK
+ description: 'Adversaries may overwrite or corrupt the flash memory contents of
+ system BIOS or other firmware in devices attached to a system in order to render
+ them inoperable or unable to boot, thus denying the availability to use the
+ devices and/or the system.(Citation: Symantec Chernobyl W95.CIH) Firmware is
+ software that is loaded and executed from non-volatile memory on hardware devices
+ in order to initialize and manage device functionality. These devices may include
+ the motherboard, hard drive, or video cards.
+
+
+ In general, adversaries may manipulate, overwrite, or corrupt firmware in order
+ to deny the use of the system or devices. For example, corruption of firmware
+ responsible for loading the operating system for network devices may render
+ the network devices inoperable.(Citation: dhs_threat_to_net_devices)(Citation:
+ cisa_malware_orgs_ukraine) Depending on the device, this attack may also result
+ in [Data Destruction](https://attack.mitre.org/techniques/T1485).
+
+ https://attack.mitre.org/techniques/T1495'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1490
+ name: T1490 - Inhibit System Recovery
+ provider: MITRE ATT&CK
+ description: "Adversaries may delete or remove built-in data and turn off services\
+ \ designed to aid in the recovery of a corrupted system to prevent recovery.(Citation:\
+ \ Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) This may deny\
+ \ access to available backups and recovery options.\n\nOperating systems may\
+ \ contain features that can help fix corrupted systems, such as a backup catalog,\
+ \ volume shadow copies, and automatic repair features. Adversaries may disable\
+ \ or delete system recovery features to augment the effects of [Data Destruction](https://attack.mitre.org/techniques/T1485)\
+ \ and [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486).(Citation:\
+ \ Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) Furthermore,\
+ \ adversaries may disable recovery notifications, then corrupt backups.(Citation:\
+ \ disable_notif_synology_ransom)\n\nA number of native Windows utilities have\
+ \ been used by adversaries to disable or delete system recovery features:\n\n\
+ * vssadmin.exe
can be used to delete all volume shadow copies on\
+ \ a system - vssadmin.exe delete shadows /all /quiet
\n* [Windows\
+ \ Management Instrumentation](https://attack.mitre.org/techniques/T1047) can\
+ \ be used to delete volume shadow copies - wmic shadowcopy delete
\n\
+ * wbadmin.exe
can be used to delete the Windows Backup Catalog\
+ \ - wbadmin.exe delete catalog -quiet
\n* bcdedit.exe
\
+ \ can be used to disable automatic Windows recovery features by modifying boot\
+ \ configuration data - bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures\
+ \ & bcdedit /set {default} recoveryenabled no
\n* REAgentC.exe
\
+ \ can be used to disable Windows Recovery Environment (WinRE) repair/recovery\
+ \ options of an infected system\n\nOn network devices, adversaries may leverage\
+ \ [Disk Wipe](https://attack.mitre.org/techniques/T1561) to delete backup firmware\
+ \ images and reformat the file system, then [System Shutdown/Reboot](https://attack.mitre.org/techniques/T1529)\
+ \ to reload the device. Together this activity may leave network devices completely\
+ \ inoperable and inhibit recovery operations.\n\nAdversaries may also delete\
+ \ \u201Conline\u201D backups that are connected to their network \u2013 whether\
+ \ via network storage media or through folders that sync to cloud services.(Citation:\
+ \ ZDNet Ransomware Backups 2020) In cloud environments, adversaries may disable\
+ \ versioning and backup policies and delete snapshots, machine images, and prior\
+ \ versions of objects designed to be used in disaster recovery scenarios.(Citation:\
+ \ Dark Reading Code Spaces Cyber Attack)(Citation: Rhino Security Labs AWS S3\
+ \ Ransomware)\nhttps://attack.mitre.org/techniques/T1490"
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1216
+ name: T1216 - System Script Proxy Execution
+ provider: MITRE ATT&CK
+ description: 'Adversaries may use trusted scripts, often signed with certificates,
+ to proxy the execution of malicious files. Several Microsoft signed scripts
+ that have been downloaded from Microsoft or are default on Windows installations
+ can be used to proxy execution of other files.(Citation: LOLBAS Project) This
+ behavior may be abused by adversaries to execute malicious files that could
+ bypass application control and signature validation on systems.(Citation: GitHub
+ Ultimate AppLocker Bypass List)
+
+ https://attack.mitre.org/techniques/T1216'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1211
+ name: T1211 - Exploitation for Defense Evasion
+ provider: MITRE ATT&CK
+ description: "Adversaries may exploit a system or application vulnerability to\
+ \ bypass security features. Exploitation of a vulnerability occurs when an adversary\
+ \ takes advantage of a programming error in a program, service, or within the\
+ \ operating system software or kernel itself to execute adversary-controlled\
+ \ code.\_Vulnerabilities may exist in defensive security software that can be\
+ \ used to disable or circumvent them.\n\nAdversaries may have prior knowledge\
+ \ through reconnaissance that security software exists within an environment\
+ \ or they may perform checks during or shortly after the system is compromised\
+ \ for [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001).\
+ \ The security software will likely be targeted directly for exploitation. There\
+ \ are examples of antivirus software being targeted by persistent threat groups\
+ \ to avoid detection.\n\nThere have also been examples of vulnerabilities in\
+ \ public cloud infrastructure of SaaS applications that may bypass defense boundaries\
+ \ (Citation: Salesforce zero-day in facebook phishing attack), evade security\
+ \ logs (Citation: Bypassing CloudTrail in AWS Service Catalog), or deploy hidden\
+ \ infrastructure.(Citation: GhostToken GCP flaw)\nhttps://attack.mitre.org/techniques/T1211"
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1127
+ name: T1127 - Trusted Developer Utilities Proxy Execution
+ provider: MITRE ATT&CK
+ description: 'Adversaries may take advantage of trusted developer utilities to
+ proxy execution of malicious payloads. There are many utilities used for software
+ development related tasks that can be used to execute code in various forms
+ to assist in development, debugging, and reverse engineering.(Citation: engima0x3
+ DNX Bypass)(Citation: engima0x3 RCSI Bypass)(Citation: Exploit Monday WinDbg)(Citation:
+ LOLBAS Tracker) These utilities may often be signed with legitimate certificates
+ that allow them to execute on a system and proxy execution of malicious code
+ through a trusted process that effectively bypasses application control solutions.
+
+ https://attack.mitre.org/techniques/T1127'
+ version: '1.0'
+ - urn: urn:intuitem:risk:threat:mitre-attack:T1529
+ name: T1529 - System Shutdown/Reboot
+ provider: MITRE ATT&CK
+ description: 'Adversaries may shutdown/reboot systems to interrupt access to,
+ or aid in the destruction of, those systems. Operating systems may contain commands
+ to initiate a shutdown/reboot of a machine or network device. In some cases,
+ these commands may also be used to initiate a shutdown/reboot of a remote computer
+ or network device via [Network Device CLI](https://attack.mitre.org/techniques/T1059/008)
+ (e.g. reload
).(Citation: Microsoft Shutdown Oct 2017)(Citation:
+ alert_TA18_106A)
+
+
+ Shutting down or rebooting systems may disrupt access to computer resources
+ for legitimate users while also impeding incident response/recovery.
+
+
+ Adversaries may attempt to shutdown/reboot a system after impacting it in other
+ ways, such as [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002)
+ or [Inhibit System Recovery](https://attack.mitre.org/techniques/T1490), to
+ hasten the intended effects on system availability.(Citation: Talos Nyetya June
+ 2017)(Citation: Talos Olympic Destroyer 2018)
+
+ https://attack.mitre.org/techniques/T1529'
+ version: '1.0'
diff --git a/library/views.py b/library/views.py
index 4d013c2df6..d7c32d06c1 100644
--- a/library/views.py
+++ b/library/views.py
@@ -29,7 +29,7 @@ class LibraryListView(BaseContextMixin, FormView):
def get_queryset(self):
qs = get_available_libraries()
for lib in qs:
- lib['requirements'] = len(lib['objects'].get('framework').get('requirements')) if lib['objects'].get('framework').get('requirements') else 0
+ lib['requirements'] = len(lib['objects'].get('framework').get('requirements')) if lib['objects'].get('framework') else 0
lib['threats'] = len(lib['objects'].get('threats')) if lib['objects'].get('threats') else 0
lib['security_functions'] = len(lib['objects'].get('security_functions')) if lib['objects'].get('security_functions') else 0
lib['objects'].clear()
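Review bot: The rewritten `requirements` line still raises `TypeError` for a library whose `framework` object has no `requirements` key (or carries an empty/`None` value), because the new condition only tests that `framework` is present and then calls `len()` on whatever `.get('requirements')` returns; the removed line guarded exactly that case and crashed on the opposite one, so the patch trades one crash for another. Defaulting both lookups closes both gaps: `framework = lib['objects'].get('framework') or {}` followed by `lib['requirements'] = len(framework.get('requirements') or [])`. The same `or []` form would also reduce the `threats` and `security_functions` lines below it to one lookup each. `get_queryset` appears to continue past the end of the hunk.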