{ "name": "Influence Energy Level 1", "versions": { "attack": "15", "navigator": "5.1.0", "layer": "4.5" }, "domain": "enterprise-attack", "description": "Techniques that require Influence Energy Level 1", "filters": { "platforms": [ "Windows", "Linux", "macOS", "Network", "PRE", "Containers", "Office 365", "SaaS", "Google Workspace", "IaaS", "Azure AD" ] }, "sorting": 3, "layout": { "layout": "side", "aggregateFunction": "average", "showID": false, "showName": true, "showAggregateScores": false, "countUnscored": false, "expandedSubtechniques": "none" }, "hideDisabled": false, "techniques": [ { "techniqueID": "T1001", "tactic": "command-and-control", "score": 1, "color": "", "comment": "When choosing a C2 method, there are many public obfuscation capabilities.", "links": [ { "label": "example", "url": "Meterpreter HTTP comms" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1003", "tactic": "credential-access", "score": 1, "color": "", "comment": "Public tools exist to dump credentials from the OS assuming you have the right privileges", "links": [ { "label": "example", "url": "https://attack.mitre.org/software/S0002/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1005", "tactic": "collection", "score": 50, "color": "", "comment": "Any OS command that copies data from one place to another", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1006", "tactic": "defense-evasion", "score": 1, "color": "", "comment": "Using example strings to activate lolbin", "links": [ { "label": "example", "url": "https://lolbas-project.github.io/lolbas/Binaries/Esentutl/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1007", 
"tactic": "discovery", "score": 50, "color": "", "comment": "Slightly different commands", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1008", "tactic": "command-and-control", "score": 0, "color": "", "comment": "DNS Tunneling with your own domain", "links": [ { "label": "example", "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-oilrig-uses-ismdoor-variant-possibly-linked-greenbug-threat-group/" } ], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1010", "tactic": "discovery", "score": 1, "color": "", "comment": "Get-Process mainWindowTitle", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1011", "tactic": "exfiltration", "score": 0, "color": "", "comment": "Known protocol like wifi network", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1012", "tactic": "discovery", "score": 1, "color": "", "comment": "reg.exe", "links": [ { "label": "example", "url": "https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1014", "tactic": "defense-evasion", "score": 0, "color": "", "comment": "Setting environment variables to hook the dynamic linker", "links": [ { "label": "example", "url": "https://www.welivesecurity.com/2017/10/30/windigo-ebury-update-2/" } ], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1016", "tactic": "discovery", "score": 1, "color": "", "comment": "CLI tools like ipconfig or Get-NetIPConfiguration", "links": [ { "label": 
"example", "url": "https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1018", "tactic": "discovery", "score": 1, "color": "", "comment": "CLI tools like show arp or ping", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1020", "tactic": "exfiltration", "score": 1, "color": "", "comment": "Meterpreter scripted upload", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1021", "tactic": "lateral-movement", "score": 50, "color": "", "comment": "Manually calling RDP from command line", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1025", "tactic": "collection", "score": 50, "color": "", "comment": "Any OS command that copies data from one place to another", "links": [ { "label": "example", "url": "https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1027", "tactic": "defense-evasion", "score": 1, "color": "", "comment": "base64 encoding", "links": [ { "label": "example", "url": "https://www.malwarebytes.com/blog/news/2021/12/sidecopy-apt-connecting-lures-to-victims-payloads-to-infrastructure" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1029", "tactic": "exfiltration", "score": 0, "color": "", "comment": "Powershell empire lets you schedule file upload chunks", "links": [], "enabled": false, 
"metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1030", "tactic": "exfiltration", "score": 0, "color": "", "comment": "Cobalt strike uploads 512KB chunks each time", "links": [ { "label": "example", "url": "https://web.archive.org/web/20210825130434/https://cobaltstrike.com/downloads/csmanual38.pdf" } ], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1033", "tactic": "discovery", "score": 50, "color": "", "comment": "Read environment variables", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1036", "tactic": "defense-evasion", "score": 50, "color": "", "comment": "Renaming payload to something else", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1037", "tactic": "persistence", "score": 1, "color": "", "comment": "HKCU\\Environment\\UserInitMprLogonScript", "links": [ { "label": "example", "url": "https://blog.morphisec.com/cobalt-gang-2.0" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1037", "tactic": "privilege-escalation", "score": 1, "color": "", "comment": "HKCU\\Environment\\UserInitMprLogonScript", "links": [ { "label": "example", "url": "https://blog.morphisec.com/cobalt-gang-2.0" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1039", "tactic": "collection", "score": 50, "color": "", "comment": "Any OS command that copies data from one place to another", "links": [ { "label": "example", "url": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-259a" } ], "enabled": true, "metadata": [ { "name": "capability_level", 
"value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1040", "tactic": "credential-access", "score": 1, "color": "", "comment": "tcpdump", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1040", "tactic": "discovery", "score": 1, "color": "", "comment": "tcpdump", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1041", "tactic": "exfiltration", "score": 0, "color": "", "comment": "Transfer with open source method", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1046", "tactic": "discovery", "score": 1, "color": "", "comment": "nmap", "links": [ { "label": "example", "url": "https://nmap.org/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1047", "tactic": "execution", "score": 1, "color": "", "comment": "Public invocation of wmic.exe", "links": [ { "label": "example", "url": "https://www.microsoft.com/en-us/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1048", "tactic": "exfiltration", "score": 0, "color": "", "comment": "Transfer with open source method", "links": [ { "label": "example", "url": "https://o365blog.com/aadinternals" } ], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1049", "tactic": "discovery", "score": 1, "color": "", "comment": "netstat", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1052", "tactic": 
"exfiltration", "score": 0, "color": "", "comment": "well-known file structure on medium", "links": [ { "label": "example", "url": "https://securelist.com/agent-btz-a-source-of-inspiration/58551/" } ], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1053", "tactic": "execution", "score": 1, "color": "", "comment": "Using well-known invocation", "links": [ { "label": "example", "url": "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1053", "tactic": "persistence", "score": 1, "color": "", "comment": "Using well-known invocation", "links": [ { "label": "example", "url": "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1053", "tactic": "privilege-escalation", "score": 1, "color": "", "comment": "Using well-known invocation", "links": [ { "label": "example", "url": "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1055", "tactic": "defense-evasion", "score": 1, "color": "", "comment": "meterpreter migrate", "links": [], "enabled": true, "metadata": [ { "name": 
"capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1055", "tactic": "privilege-escalation", "score": 1, "color": "", "comment": "meterpreter migrate", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1056", "tactic": "collection", "score": 0, "color": "", "comment": "Meterpreter keyscanner", "links": [ { "label": "example", "url": "https://www.offsec.com/metasploit-unleashed/keylogging/" } ], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1056", "tactic": "credential-access", "score": 0, "color": "", "comment": "Meterpreter keyscanner", "links": [ { "label": "example", "url": "https://www.offsec.com/metasploit-unleashed/keylogging/" } ], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1057", "tactic": "discovery", "score": 1, "color": "", "comment": "`Get-Process` or similar OS command", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1059", "tactic": "execution", "score": 1, "color": "", "comment": "typing cli commands", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1068", "tactic": "privilege-escalation", "score": 0, "color": "", "comment": "Known exploits", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1069", "tactic": "discovery", "score": 1, "color": "", "comment": "net group", "links": [ { "label": "example", "url": 
"https://web.archive.org/web/20170718174931/https://www.melani.admin.ch/dam/melani/de/dokumente/2016/technical%20report%20ruag.pdf.download.pdf/Report_Ruag-Espionage-Case.pdf" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1070", "tactic": "defense-evasion", "score": 1, "color": "", "comment": "Clearing windows event logs with `wevtutil cl System`", "links": [ { "label": "example", "url": "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1071", "tactic": "command-and-control", "score": 1, "color": "", "comment": "Using something like http communications from open source library", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1072", "tactic": "execution", "score": 0, "color": "", "comment": "Something like remoteexec", "links": [ { "label": "example", "url": "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/" } ], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1072", "tactic": "lateral-movement", "score": 0, "color": "", "comment": "Something like remoteexec", "links": [ { "label": "example", "url": "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/" } ], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1074", "tactic": "collection", "score": 50, "color": "", "comment": "Copying data to C:\\Users\\Public", "links": [ { "label": "example", "url": 
"https://www.mandiant.com/resources/blog/updates-on-chinese-apt-compromising-pulse-secure-vpn-devices" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1078", "tactic": "defense-evasion", "score": 100, "color": "", "comment": "Phishing access to actual accounts", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1078", "tactic": "initial-access", "score": 100, "color": "", "comment": "Phishing access to actual accounts", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1078", "tactic": "persistence", "score": 100, "color": "", "comment": "Phishing access to actual accounts", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1078", "tactic": "privilege-escalation", "score": 100, "color": "", "comment": "Phishing access to actual accounts", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1080", "tactic": "lateral-movement", "score": 1, "color": "", "comment": "Known content infection method", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1082", "tactic": "discovery", "score": 50, "color": "", "comment": "Query web APIs to determine attributes", "links": [ { "label": "example", "url": "https://unit42.paloaltonetworks.com/unit42-bisonal-malware-used-attacks-russia-south-korea/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1083", "tactic": "discovery", "score": 1, "color": "", "comment": "dir /s", "links": 
[], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1087", "tactic": "discovery", "score": 1, "color": "", "comment": "Account discovery commands associated with threat actor", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1090", "tactic": "command-and-control", "score": 1, "color": "", "comment": "Use public SOCKS proxies", "links": [ { "label": "example", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/394/Bitdefender-PR-Whitepaper-BADHATCH-creat5237-en-EN.pdf" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1091", "tactic": "initial-access", "score": 0, "color": "", "comment": "Known auto run malicious file", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1091", "tactic": "lateral-movement", "score": 0, "color": "", "comment": "Known auto run malicious file", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1092", "tactic": "command-and-control", "score": 0, "color": "", "comment": "Open source software for communicating over mass storage devices", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1095", "tactic": "command-and-control", "score": 1, "color": "", "comment": "Raw netcat shells", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1098", "tactic": "persistence", "score": 1, "color": "", "comment": "Known suspicious changes", "links": [ { "label": "example", "url": 
"https://www.us-cert.gov/ncas/alerts/TA18-074A" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1098", "tactic": "privilege-escalation", "score": 1, "color": "", "comment": "Known suspicious changes", "links": [ { "label": "example", "url": "https://www.us-cert.gov/ncas/alerts/TA18-074A" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1102", "tactic": "command-and-control", "score": 0, "color": "", "comment": "Pastebin for c2", "links": [ { "label": "example", "url": "https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity" } ], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1104", "tactic": "command-and-control", "score": 1, "color": "", "comment": "meterpreter staged payload", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1105", "tactic": "command-and-control", "score": 1, "color": "", "comment": "Download via c2", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1106", "tactic": "execution", "score": 0, "color": "", "comment": "Using simple API calls to evoke shell commands", "links": [ { "label": "example", "url": "https://research.checkpoint.com/2020/naikon-apt-cyber-espionage-reloaded/" } ], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1110", "tactic": "credential-access", "score": 1, "color": "", "comment": "Using known word lists", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { 
"techniqueID": "T1111", "tactic": "credential-access", "score": 0, "color": "", "comment": "Replay old tokens hoping for approval", "links": [ { "label": "example", "url": "https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/" } ], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1112", "tactic": "defense-evasion", "score": 50, "color": "", "comment": "Using APIs to edit", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1113", "tactic": "collection", "score": 0, "color": "", "comment": "Plugin to capture screenshots", "links": [ { "label": "example", "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Attor.pdf" } ], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1114", "tactic": "collection", "score": 1, "color": "", "comment": "Email forwarding rule", "links": [ { "label": "example", "url": "https://us-cert.cisa.gov/ncas/alerts/aa20-301a" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1115", "tactic": "collection", "score": 50, "color": "", "comment": "Renaming clipboard access tools", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1119", "tactic": "collection", "score": 1, "color": "", "comment": "Known script to collect information", "links": [ { "label": "example", "url": "https://securingtomorrow.mcafee.com/mcafee-labs/hidden-cobra-targets-turkish-financial-sector-new-bankshot-implant/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, 
{ "techniqueID": "T1120", "tactic": "discovery", "score": 1, "color": "", "comment": "fsutil fsinfo drives", "links": [ { "label": "example", "url": "https://www.cybereason.com/blog/operation-cuckoobees-deep-dive-into-stealthy-winnti-techniques" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1123", "tactic": "collection", "score": 1, "color": "", "comment": "Builtin tools to capture audio", "links": [ { "label": "example", "url": "https://github.com/PowerShellMafia/PowerSploit" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1124", "tactic": "discovery", "score": 1, "color": "", "comment": "net time \\\\127.0.0.1", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1125", "tactic": "collection", "score": 0, "color": "", "comment": "Empire webcam module", "links": [ { "label": "example", "url": "https://github.com/PowerShellEmpire/Empire" } ], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1127", "tactic": "defense-evasion", "score": 0, "color": "", "comment": "Modules that use MSBuild.exe", "links": [ { "label": "example", "url": "https://github.com/PowerShellEmpire/Empire" } ], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1129", "tactic": "execution", "score": 0, "color": "", "comment": "Public way of loading a dll", "links": [ { "label": "example", "url": "https://cybersecurity.att.com/blogs/labs-research/the-odd-case-of-a-gh0strat-variant" } ], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1132", "tactic": "command-and-control", 
"score": 1, "color": "", "comment": "well known encoding like base64", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1133", "tactic": "initial-access", "score": 50, "color": "", "comment": "Log into external service from different IP address", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1133", "tactic": "persistence", "score": 50, "color": "", "comment": "Log into external service from different IP address", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1134", "tactic": "defense-evasion", "score": 1, "color": "", "comment": "open source method of stealing tokens", "links": [ { "label": "example", "url": "https://github.com/PowerShellMafia/PowerSploit" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1134", "tactic": "privilege-escalation", "score": 1, "color": "", "comment": "open source method of stealing tokens", "links": [ { "label": "example", "url": "https://github.com/PowerShellMafia/PowerSploit" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1135", "tactic": "discovery", "score": 50, "color": "", "comment": "Custom call to NetShareEnum", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1136", "tactic": "persistence", "score": 50, "color": "", "comment": "Different form of administrator command", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1137", "tactic": "persistence", "score": 1, 
"color": "", "comment": "Known malicious method", "links": [ { "label": "example", "url": "https://github.com/sensepost/ruler" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1140", "tactic": "defense-evasion", "score": 1, "color": "", "comment": "Simple decoding like base64", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1176", "tactic": "persistence", "score": 50, "color": "", "comment": "Modified bad extensions", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1185", "tactic": "collection", "score": 0, "color": "", "comment": "Custom browser modules to steal data", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1187", "tactic": "credential-access", "score": 0, "color": "", "comment": "LNK file icon with remote resource", "links": [ { "label": "example", "url": "https://www.us-cert.gov/ncas/alerts/TA17-293A" } ], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1189", "tactic": "initial-access", "score": 0, "color": "", "comment": "Using altered client-side exploit", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1190", "tactic": "initial-access", "score": 1, "color": "", "comment": "Using known exploit", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1195", "tactic": "initial-access", "score": 0, "color": "", "comment": "Inserting known malware into a software supply chain", "links": [], "enabled": 
false, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1197", "tactic": "defense-evasion", "score": 1, "color": "", "comment": "utility base modification of bits database", "links": [ { "label": "example", "url": "https://attack.mitre.org/software/S0190" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1197", "tactic": "persistence", "score": 1, "color": "", "comment": "utility base modification of bits database", "links": [ { "label": "example", "url": "https://attack.mitre.org/software/S0190" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1199", "tactic": "initial-access", "score": 0, "color": "", "comment": "Acquiring access through company with known bad associations", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1200", "tactic": "initial-access", "score": 0, "color": "", "comment": "Known hacker hardware like rubber ducky", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1201", "tactic": "discovery", "score": 50, "color": "", "comment": "CrackMapExec", "links": [ { "label": "example", "url": "https://github.com/byt3bl33d3r/CrackMapExec/wiki/SMB-Command-Reference" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1202", "tactic": "defense-evasion", "score": 1, "color": "", "comment": "forfiles", "links": [ { "label": "example", "url": "https://twitter.com/vector_sec/status/896049052642533376" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": 
"T1203", "tactic": "execution", "score": 0, "color": "", "comment": "known exploits", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1204", "tactic": "execution", "score": 50, "color": "", "comment": "Obfuscating the command you tell someone to run", "links": [ { "label": "example", "url": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1205", "tactic": "command-and-control", "score": 0, "color": "", "comment": "Reverse shell triggered by specific packets", "links": [ { "label": "example", "url": "http://gosecure.net/2018/02/14/chaos-stolen-backdoor-rising/" } ], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1205", "tactic": "defense-evasion", "score": 0, "color": "", "comment": "Reverse shell triggered by specific packets", "links": [ { "label": "example", "url": "http://gosecure.net/2018/02/14/chaos-stolen-backdoor-rising/" } ], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1205", "tactic": "persistence", "score": 0, "color": "", "comment": "Reverse shell triggered by specific packets", "links": [ { "label": "example", "url": "http://gosecure.net/2018/02/14/chaos-stolen-backdoor-rising/" } ], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1207", "tactic": "defense-evasion", "score": 0, "color": "", "comment": "Altering mimikatz", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1210", "tactic": "lateral-movement", "score": 0, "color": "", "comment": 
"Adaptations of known exploits", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1211", "tactic": "defense-evasion", "score": 0, "color": "", "comment": "altered form of public code", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1212", "tactic": "credential-access", "score": 0, "color": "", "comment": "Known exploit that requires some target knowledge", "links": [ { "label": "example", "url": "https://www.bugcrowd.com/glossary/replay-attack/" } ], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1213", "tactic": "collection", "score": 1, "color": "", "comment": "Web / database scrapers", "links": [ { "label": "example", "url": "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1216", "tactic": "defense-evasion", "score": 0, "color": "", "comment": "Well known invocation of lolbin", "links": [ { "label": "example", "url": "https://enigma0x3.net/2017/08/03/wsh-injection-a-case-study/" } ], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1217", "tactic": "discovery", "score": 1, "color": "", "comment": "open source method", "links": [ { "label": "example", "url": "https://github.com/PowerShellEmpire/Empire" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1218", "tactic": "defense-evasion", "score": 1, "color": "", "comment": "Invocation of binary to exec script", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], 
"showSubtechniques": false }, { "techniqueID": "T1219", "tactic": "command-and-control", "score": 1, "color": "", "comment": "Log in via ssh", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1220", "tactic": "defense-evasion", "score": 1, "color": "", "comment": "Well-known calling of msxsl.exe", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1221", "tactic": "defense-evasion", "score": 0, "color": "", "comment": "Open source injection tool", "links": [ { "label": "example", "url": "https://github.com/ryhanson/phishery" } ], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1222", "tactic": "defense-evasion", "score": 50, "color": "", "comment": "Altered form of modifying permissions", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1480", "tactic": "defense-evasion", "score": 0, "color": "", "comment": "Per target alterations of payloads", "links": [ { "label": "example", "url": "https://www.trellix.com/blogs/research/the-continued-evolution-of-the-darkgate-malware-as-a-service/" } ], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1482", "tactic": "discovery", "score": 1, "color": "", "comment": "open source method", "links": [ { "label": "example", "url": "https://github.com/PowerShellEmpire/Empire" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1484", "tactic": "defense-evasion", "score": 0, "color": "", "comment": "GPO to push known TTP", "links": [ { "label": "example", "url": "https://wald0.com/?p=179" } ], 
"enabled": false, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1484", "tactic": "privilege-escalation", "score": 0, "color": "", "comment": "GPO to push known TTP", "links": [ { "label": "example", "url": "https://wald0.com/?p=179" } ], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1485", "tactic": "impact", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1486", "tactic": "impact", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1489", "tactic": "impact", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1490", "tactic": "impact", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1491", "tactic": "impact", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1495", "tactic": "impact", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1496", "tactic": "impact", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1497", "tactic": "defense-evasion", "score": 1, "color": 
"", "comment": "Query OS for hardware data", "links": [ { "label": "example", "url": "https://researchcenter.paloaltonetworks.com/2017/10/unit42-badpatch/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1497", "tactic": "discovery", "score": 1, "color": "", "comment": "Query OS for hardware data", "links": [ { "label": "example", "url": "https://researchcenter.paloaltonetworks.com/2017/10/unit42-badpatch/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1498", "tactic": "impact", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1499", "tactic": "impact", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1505", "tactic": "persistence", "score": 1, "color": "", "comment": "Known malicious software components", "links": [ { "label": "example", "url": "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1518", "tactic": "discovery", "score": 1, "color": "", "comment": "cmd.exe WMIC /Node:localhost /Namespace:\\\\root\\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List", "links": [ { "label": "example", "url": "https://www.malwarebytes.com/blog/news/2021/12/sidecopy-apt-connecting-lures-to-victims-payloads-to-infrastructure" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1525", "tactic": "persistence", "score": 0, "color": "", "comment": "Open source implant toolkit", 
"links": [ { "label": "example", "url": "https://github.com/RhinoSecurityLabs/ccat" } ], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1526", "tactic": "discovery", "score": 1, "color": "", "comment": "open source method", "links": [ { "label": "example", "url": "https://aadinternals.com/aadinternals/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1528", "tactic": "credential-access", "score": 0, "color": "", "comment": "Dumping of tokens abusing existing access", "links": [ { "label": "example", "url": "https://www.inguardians.com/peirates/" } ], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1529", "tactic": "impact", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1530", "tactic": "collection", "score": 1, "color": "", "comment": "Mass Scrapers", "links": [ { "label": "example", "url": "https://aadinternals.com/aadinternals/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1531", "tactic": "impact", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1534", "tactic": "lateral-movement", "score": 50, "color": "", "comment": "Altered forms of known phish templates", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1535", "tactic": "defense-evasion", "score": 0, "color": "", "comment": "Deploying resources in a region with lower logging thresholds", 
"links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1537", "tactic": "exfiltration", "score": 1, "color": "", "comment": "Using known bad cloud account", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1538", "tactic": "discovery", "score": 50, "color": "", "comment": "Log in matching pattern of existing accounts", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1539", "tactic": "credential-access", "score": 0, "color": "", "comment": "Steal cookies from disk", "links": [ { "label": "example", "url": "https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/" } ], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1542", "tactic": "defense-evasion", "score": 0, "color": "", "comment": "Custom UEFI Firmware", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1542", "tactic": "persistence", "score": 0, "color": "", "comment": "Custom UEFI Firmware", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1543", "tactic": "persistence", "score": 1, "color": "", "comment": "Known malicious service", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1543", "tactic": "privilege-escalation", "score": 1, "color": "", "comment": "Known malicious service", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { 
"techniqueID": "T1546", "tactic": "persistence", "score": 1, "color": "", "comment": "Known malicious event trigger", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1546", "tactic": "privilege-escalation", "score": 1, "color": "", "comment": "Known malicious event trigger", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1547", "tactic": "persistence", "score": 1, "color": "", "comment": "Known malicious startup task", "links": [ { "label": "example", "url": "https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1547", "tactic": "privilege-escalation", "score": 1, "color": "", "comment": "Known malicious startup task", "links": [ { "label": "example", "url": "https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1548", "tactic": "defense-evasion", "score": 1, "color": "", "comment": "Known elevation bypass", "links": [ { "label": "example", "url": "https://web.archive.org/web/20210825130434/https://cobaltstrike.com/downloads/csmanual38.pdf" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1548", "tactic": "privilege-escalation", "score": 1, "color": "", "comment": "Known elevation bypass", "links": [ { "label": "example", "url": "https://web.archive.org/web/20210825130434/https://cobaltstrike.com/downloads/csmanual38.pdf" } ], "enabled": true, "metadata": [ { "name": 
"capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1550", "tactic": "defense-evasion", "score": 0, "color": "", "comment": "pass the hash", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1550", "tactic": "lateral-movement", "score": 0, "color": "", "comment": "pass the hash", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1552", "tactic": "credential-access", "score": 1, "color": "", "comment": "Group policy preferences", "links": [ { "label": "example", "url": "https://github.com/PowerShellMafia/PowerSploit" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1553", "tactic": "defense-evasion", "score": 0, "color": "", "comment": "Using something like .iso files to avoid mark-of-the-web", "links": [ { "label": "example", "url": "https://www.trendmicro.com/en_us/research/19/h/ta505-at-it-again-variety-is-the-spice-of-servhelper-and-flawedammyy.html" } ], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1554", "tactic": "persistence", "score": 0, "color": "", "comment": "Known trojan template", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1555", "tactic": "credential-access", "score": 1, "color": "", "comment": "Grabbing files from known password stores with OS tools", "links": [ { "label": "example", "url": "https://github.com/gentilkiwi/mimikatz" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1556", "tactic": "credential-access", "score": 0, "color": "", "comment": 
"trojanized function in known way", "links": [ { "label": "example", "url": "https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/" } ], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1556", "tactic": "defense-evasion", "score": 0, "color": "", "comment": "trojanized function in known way", "links": [ { "label": "example", "url": "https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/" } ], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1556", "tactic": "persistence", "score": 0, "color": "", "comment": "trojanized function in known way", "links": [ { "label": "example", "url": "https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/" } ], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1557", "tactic": "collection", "score": 0, "color": "", "comment": "cache poisoning", "links": [ { "label": "example", "url": "https://www.bitdefender.com/blog/labs/luminousmoth-plugx-file-exfiltration-and-persistence-revisited" } ], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1557", "tactic": "credential-access", "score": 0, "color": "", "comment": "cache poisoning", "links": [ { "label": "example", "url": "https://www.bitdefender.com/blog/labs/luminousmoth-plugx-file-exfiltration-and-persistence-revisited" } ], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1558", "tactic": "credential-access", "score": 0, "color": "", "comment": "Kerberoasting", "links": [ { "label": "example", "url": "https://attack.mitre.org/techniques/T1558/003/" } ], "enabled": false, "metadata": [ { "name": 
"capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1559", "tactic": "execution", "score": 0, "color": "", "comment": "Open source IPC abuse", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1560", "tactic": "collection", "score": 1, "color": "", "comment": "Archive via utility", "links": [ { "label": "example", "url": "https://www.secureworks.com/research/threat-profiles/gold-sahara" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1561", "tactic": "impact", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1562", "tactic": "defense-evasion", "score": 1, "color": "", "comment": "Disable logging", "links": [ { "label": "example", "url": "https://www.secureworks.com/research/bronze-union" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1563", "tactic": "lateral-movement", "score": 1, "color": "", "comment": "Known commands that are suspicious", "links": [ { "label": "example", "url": "https://logrhythm.com/blog/a-technical-analysis-of-wannacry-ransomware/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1564", "tactic": "defense-evasion", "score": 1, "color": "", "comment": "Known hiding methods ", "links": [ { "label": "example", "url": "https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1565", "tactic": "impact", "score": 0, "color": "", 
"comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1566", "tactic": "initial-access", "score": 100, "color": "", "comment": "Target-specific email", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1567", "tactic": "exfiltration", "score": 1, "color": "", "comment": "Using known bad web service or account", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1568", "tactic": "command-and-control", "score": 0, "color": "", "comment": "technique like domain name generation", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1569", "tactic": "execution", "score": 1, "color": "", "comment": "Using psexec to execute a service", "links": [ { "label": "example", "url": "https://github.com/PowerShellEmpire/Empire" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1570", "tactic": "lateral-movement", "score": 1, "color": "", "comment": "Known commands that are suspicious", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1571", "tactic": "command-and-control", "score": 1, "color": "", "comment": "Using port associated with malware like 4444", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1572", "tactic": "command-and-control", "score": 0, "color": "", "comment": "SSH Tunneling", "links": [ { "label": "example", "url": "https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf" } ], "enabled": false, 
"metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1573", "tactic": "command-and-control", "score": 0, "color": "", "comment": "Public algorithm with static key", "links": [ { "label": "example", "url": "http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf" } ], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1574", "tactic": "defense-evasion", "score": 1, "color": "", "comment": "Known hijacking implementation", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1574", "tactic": "persistence", "score": 1, "color": "", "comment": "Known hijacking implementation", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1574", "tactic": "privilege-escalation", "score": 1, "color": "", "comment": "Known hijacking implementation", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1578", "tactic": "defense-evasion", "score": 0, "color": "", "comment": "Known cloud modifications", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1580", "tactic": "discovery", "score": 1, "color": "", "comment": "Open source tools", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1583", "tactic": "resource-development", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1584", "tactic": 
"resource-development", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1585", "tactic": "resource-development", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1586", "tactic": "resource-development", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1587", "tactic": "resource-development", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1588", "tactic": "resource-development", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1589", "tactic": "reconnaissance", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1590", "tactic": "reconnaissance", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1591", "tactic": "reconnaissance", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1592", "tactic": "reconnaissance", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { 
"techniqueID": "T1593", "tactic": "reconnaissance", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1594", "tactic": "reconnaissance", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1595", "tactic": "reconnaissance", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1596", "tactic": "reconnaissance", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1597", "tactic": "reconnaissance", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1598", "tactic": "reconnaissance", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1599", "tactic": "defense-evasion", "score": 0, "color": "", "comment": "Disable boundary filtering entirely", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1600", "tactic": "defense-evasion", "score": 0, "color": "", "comment": "Change VPN appliance settings to null cipher", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1601", "tactic": "defense-evasion", "score": 0, "color": "", "comment": "Known method of modification", "links": [], 
"enabled": false, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1602", "tactic": "collection", "score": 1, "color": "", "comment": "configuration walker utility", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1606", "tactic": "credential-access", "score": 0, "color": "", "comment": "Using known broken signing method", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1608", "tactic": "resource-development", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1609", "tactic": "execution", "score": 1, "color": "", "comment": "Known bad form of administration command", "links": [ { "label": "example", "url": "https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1610", "tactic": "defense-evasion", "score": 1, "color": "", "comment": "Known malicious container", "links": [ { "label": "example", "url": "https://blog.talosintelligence.com/teamtnt-targeting-aws-alibaba-2/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1610", "tactic": "execution", "score": 1, "color": "", "comment": "Known malicious container", "links": [ { "label": "example", "url": "https://blog.talosintelligence.com/teamtnt-targeting-aws-alibaba-2/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1611", "tactic": "privilege-escalation", "score": 1, "color": "", 
"comment": "Known container breakout method", "links": [ { "label": "example", "url": "https://www.intezer.com/blog/cloud-security/watch-your-containers-doki-infecting-docker-servers-in-the-cloud/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1612", "tactic": "defense-evasion", "score": 0, "color": "", "comment": "Known malicious container build", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1613", "tactic": "discovery", "score": 1, "color": "", "comment": "Open source tools", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1614", "tactic": "discovery", "score": 50, "color": "", "comment": "IP geolocation", "links": [ { "label": "example", "url": "https://www.secureworks.com/research/threat-profiles/gold-prelude" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1615", "tactic": "discovery", "score": 1, "color": "", "comment": "open source method", "links": [ { "label": "example", "url": "https://github.com/PowerShellEmpire/Empire" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1619", "tactic": "discovery", "score": 1, "color": "", "comment": "Open source tools", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1620", "tactic": "defense-evasion", "score": 1, "color": "", "comment": "Open source method of reflective loading", "links": [ { "label": "example", "url": "https://github.com/PowerShellMafia/PowerSploit" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], 
"showSubtechniques": false }, { "techniqueID": "T1621", "tactic": "credential-access", "score": 1, "color": "", "comment": "triggering many requests for fatigue", "links": [ { "label": "example", "url": "https://www.mandiant.com/resources/russian-targeting-gov-business" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1622", "tactic": "defense-evasion", "score": 0, "color": "", "comment": "Known function calls like `IsDebuggerPresent()`", "links": [ { "label": "example", "url": "https://www.clearskysec.com/wp-content/uploads/2020/08/Dream-Job-Campaign.pdf" } ], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1622", "tactic": "discovery", "score": 0, "color": "", "comment": "Known function calls like `IsDebuggerPresent()`", "links": [ { "label": "example", "url": "https://www.clearskysec.com/wp-content/uploads/2020/08/Dream-Job-Campaign.pdf" } ], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1647", "tactic": "defense-evasion", "score": 1, "color": "", "comment": "Known malicious plist file", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1648", "tactic": "execution", "score": 0, "color": "", "comment": "Open source commands", "links": [ { "label": "example", "url": "https://github.com/RhinoSecurityLabs/pacu" } ], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1649", "tactic": "credential-access", "score": 1, "color": "", "comment": "Steal certificates with known tool", "links": [ { "label": "example", "url": "https://aadinternals.com/aadinternals/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": 
"Public" } ], "showSubtechniques": false }, { "techniqueID": "T1650", "tactic": "resource-development", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1651", "tactic": "execution", "score": 1, "color": "", "comment": "Known bad form of administration command", "links": [ { "label": "example", "url": "https://github.com/RhinoSecurityLabs/pacu" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1652", "tactic": "discovery", "score": 1, "color": "", "comment": "open source method", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1653", "tactic": "persistence", "score": 50, "color": "", "comment": "Modifying the system to prevent certain power actions", "links": [ { "label": "example", "url": "https://www.fortinet.com/blog/threat-research/condi-ddos-botnet-spreads-via-tp-links-cve-2023-1389" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1654", "tactic": "discovery", "score": 1, "color": "", "comment": "Open source tools", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1656", "tactic": "defense-evasion", "score": 1, "color": "", "comment": "Common impersonation like IT", "links": [ { "label": "example", "url": "https://www.crowdstrike.com/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1657", "tactic": "impact", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { 
"name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1659", "tactic": "command-and-control", "score": 0, "color": "", "comment": "falsify server responses for something like DNS", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1659", "tactic": "initial-access", "score": 0, "color": "", "comment": "falsify server responses for something like DNS", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1665", "tactic": "command-and-control", "score": 0, "color": "", "comment": "use a VPN", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false } ], "gradient": { "colors": [ "#cad4daff", "#3182bdff" ], "minValue": 0, "maxValue": 100 }, "legendItems": [], "metadata": [ { "name": "version", "value": "1.0" }, { "name": "author", "value": "Optimizer LLC" }, { "name": "date", "value": "2024-09-22" } ], "links": [ { "label": "Influence Energy", "url": "https://www.optimizer.llc" }, { "label": "Source Repository", "url": "https://github.com/BoogleCloud/influence-energy" } ], "showTacticRowBackground": false, "tacticRowBackground": "#dddddd", "selectTechniquesAcrossTactics": true, "selectSubtechniquesWithParent": false, "selectVisibleTechniques": false }
