{ "name": "Influence Energy Level 2", "versions": { "attack": "15", "navigator": "5.1.0", "layer": "4.5" }, "domain": "enterprise-attack", "description": "Techniques that require Influence Energy Level 2", "filters": { "platforms": [ "Windows", "Linux", "macOS", "Network", "PRE", "Containers", "Office 365", "SaaS", "Google Workspace", "IaaS", "Azure AD" ] }, "sorting": 3, "layout": { "layout": "side", "aggregateFunction": "average", "showID": false, "showName": true, "showAggregateScores": false, "countUnscored": false, "expandedSubtechniques": "none" }, "hideDisabled": false, "techniques": [ { "techniqueID": "T1001", "tactic": "command-and-control", "score": 50, "color": "", "comment": "Modifying a public data obfuscation method would require knowledge of the underlying protocol and implementation", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1003", "tactic": "credential-access", "score": 50, "color": "", "comment": "Embedding pieces of mimikatz code as a plugin in another tool", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1005", "tactic": "collection", "score": 100, "color": "", "comment": "Commands that mimic target backup strategies", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1006", "tactic": "defense-evasion", "score": 50, "color": "", "comment": "Modifying the command to copy in a slightly different way", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1007", "tactic": "discovery", "score": 100, "color": "", "comment": "Malware that can call functions directly", "links": [ { "label": "example", "url": 
"https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1008", "tactic": "command-and-control", "score": 1, "color": "", "comment": "Something like a hardcoded secondary domain", "links": [ { "label": "example", "url": "https://vblocalhost.com/uploads/VB2021-Kayal-etal.pdf" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1010", "tactic": "discovery", "score": 50, "color": "", "comment": "GetForegroundWindow", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1011", "tactic": "exfiltration", "score": 0, "color": "", "comment": "Known protocol with environment-alteration", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1012", "tactic": "discovery", "score": 50, "color": "", "comment": "Use Windows APIs", "links": [ { "label": "example", "url": "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-216a" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1014", "tactic": "defense-evasion", "score": 1, "color": "", "comment": "Setting environment variables to hook the dynamic linker", "links": [ { "label": "example", "url": "https://www.welivesecurity.com/2017/10/30/windigo-ebury-update-2/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1016", "tactic": "discovery", "score": 50, "color": "", "comment": "Calling API commands", "links": [ { "label": "example", "url": 
"https://www.cybereason.com/blog/royal-ransomware-analysis" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1018", "tactic": "discovery", "score": 50, "color": "", "comment": "Looking at persistent connections", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1020", "tactic": "exfiltration", "score": 50, "color": "", "comment": "Changing the script", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1021", "tactic": "lateral-movement", "score": 100, "color": "", "comment": "Custom tool for creating remote connections", "links": [ { "label": "example", "url": "https://securelist.com/apt-style-bank-robberies-increase-with-metel-gcman-and-carbanak-2-0-attacks/73638/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1025", "tactic": "collection", "score": 100, "color": "", "comment": "Commands that mimic target backup strategies", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1027", "tactic": "defense-evasion", "score": 50, "color": "", "comment": "Multilayer encoding", "links": [ { "label": "example", "url": "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-cuba-ransomware.pdf" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1029", "tactic": "exfiltration", "score": 1, "color": "", "comment": "Powershell empire lets you schedule file upload chunks", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1030", 
"tactic": "exfiltration", "score": 1, "color": "", "comment": "Cobalt strike uploads 512KB chunks each time", "links": [ { "label": "example", "url": "https://web.archive.org/web/20210825130434/https://cobaltstrike.com/downloads/csmanual38.pdf" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1033", "tactic": "discovery", "score": 100, "color": "", "comment": "Custom function calling getlogin() or similar", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1036", "tactic": "defense-evasion", "score": 100, "color": "", "comment": "Matching filenames on the compromised system", "links": [ { "label": "example", "url": "https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1037", "tactic": "persistence", "score": 50, "color": "", "comment": "Custom init.d script", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1037", "tactic": "privilege-escalation", "score": 50, "color": "", "comment": "Custom init.d script", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1039", "tactic": "collection", "score": 100, "color": "", "comment": "Commands that mimic target backup strategies", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1040", "tactic": "credential-access", "score": 50, "color": "", "comment": "Hook network APIs", "links": [ { "label": "example", "url": 
"https://blog.trendmicro.com/trendlabs-security-intelligence/new-banking-malware-uses-network-sniffing-for-data-theft/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1040", "tactic": "discovery", "score": 50, "color": "", "comment": "Hook network APIs", "links": [ { "label": "example", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-banking-malware-uses-network-sniffing-for-data-theft/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1041", "tactic": "exfiltration", "score": 1, "color": "", "comment": "Transfer with open source method", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1046", "tactic": "discovery", "score": 50, "color": "", "comment": "Malware module for scanning", "links": [ { "label": "example", "url": "https://github.com/n1nj4sec/pupy" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1047", "tactic": "execution", "score": 50, "color": "", "comment": "Different way of calling wmic", "links": [ { "label": "example", "url": "https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1048", "tactic": "exfiltration", "score": 1, "color": "", "comment": "Transfer with open source method", "links": [ { "label": "example", "url": "https://o365blog.com/aadinternals" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1049", "tactic": "discovery", "score": 50, "color": "", "comment": "Discovery functions in 
malware", "links": [ { "label": "example", "url": "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1052", "tactic": "exfiltration", "score": 0, "color": "", "comment": "Custom file structure on medium", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1053", "tactic": "execution", "score": 50, "color": "", "comment": "Creating your own invocation of scheduled task", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1053", "tactic": "persistence", "score": 50, "color": "", "comment": "Creating your own invocation of scheduled task", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1053", "tactic": "privilege-escalation", "score": 50, "color": "", "comment": "Creating your own invocation of scheduled task", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1055", "tactic": "defense-evasion", "score": 50, "color": "", "comment": "Calling API functions", "links": [ { "label": "example", "url": "https://blog.malwarebytes.com/threat-analysis/2021/01/retrohunting-apt37-north-korean-apt-used-vba-self-decode-technique-to-inject-rokrat/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1055", "tactic": "privilege-escalation", "score": 50, "color": "", "comment": "Calling API functions", "links": [ { "label": "example", "url": 
"https://blog.malwarebytes.com/threat-analysis/2021/01/retrohunting-apt37-north-korean-apt-used-vba-self-decode-technique-to-inject-rokrat/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1056", "tactic": "collection", "score": 1, "color": "", "comment": "Meterpreter keyscanner", "links": [ { "label": "example", "url": "https://www.offsec.com/metasploit-unleashed/keylogging/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1056", "tactic": "credential-access", "score": 1, "color": "", "comment": "Meterpreter keyscanner", "links": [ { "label": "example", "url": "https://www.offsec.com/metasploit-unleashed/keylogging/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1057", "tactic": "discovery", "score": 50, "color": "", "comment": "Malware module for scanning", "links": [ { "label": "example", "url": "https://www.fortinet.com/blog/threat-research/in-depth-analysis-of-net-malware-javaupdtr" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1059", "tactic": "execution", "score": 50, "color": "", "comment": "writing scripts", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1068", "tactic": "privilege-escalation", "score": 1, "color": "", "comment": "Known exploits", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1069", "tactic": "discovery", "score": 50, "color": "", "comment": "Malware function for groups", "links": [ { "label": "example", "url": 
"https://cloud.google.com/blog/topics/threat-intelligence/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1070", "tactic": "defense-evasion", "score": 50, "color": "", "comment": "Clearing artifacts that specific malware writes", "links": [ { "label": "example", "url": "https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1071", "tactic": "command-and-control", "score": 50, "color": "", "comment": "Modified http communication process", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1072", "tactic": "execution", "score": 0, "color": "", "comment": "Hijack group policy", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1072", "tactic": "lateral-movement", "score": 0, "color": "", "comment": "Hijack group policy", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1074", "tactic": "collection", "score": 100, "color": "", "comment": "Using environment-specific data stores", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1078", "tactic": "defense-evasion", "score": 100, "color": "", "comment": "Phishing access to actual accounts", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1078", "tactic": "initial-access", "score": 100, "color": "", 
"comment": "Phishing access to actual accounts", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1078", "tactic": "persistence", "score": 100, "color": "", "comment": "Phishing access to actual accounts", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1078", "tactic": "privilege-escalation", "score": 100, "color": "", "comment": "Phishing access to actual accounts", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1080", "tactic": "lateral-movement", "score": 50, "color": "", "comment": "Customized content infection", "links": [ { "label": "example", "url": "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1082", "tactic": "discovery", "score": 50, "color": "", "comment": "Query web APIs to determine attributes", "links": [ { "label": "example", "url": "https://unit42.paloaltonetworks.com/unit42-bisonal-malware-used-attacks-russia-south-korea/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1083", "tactic": "discovery", "score": 50, "color": "", "comment": "Malware function for groups", "links": [ { "label": "example", "url": "https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1087", "tactic": "discovery", "score": 50, "color": "", "comment": "Different account discovery commands", "links": [], "enabled": true, 
"metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1090", "tactic": "command-and-control", "score": 50, "color": "", "comment": "Turn victim systems into proxies", "links": [ { "label": "example", "url": "https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-F.pdf" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1091", "tactic": "initial-access", "score": 1, "color": "", "comment": "Known auto run malicious file", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1091", "tactic": "lateral-movement", "score": 1, "color": "", "comment": "Known auto run malicious file", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1092", "tactic": "command-and-control", "score": 1, "color": "", "comment": "Open source software for communicating over mass storage devices", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1095", "tactic": "command-and-control", "score": 50, "color": "", "comment": "ICMP to communicate", "links": [ { "label": "example", "url": "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1098", "tactic": "persistence", "score": 50, "color": "", "comment": "Different forms of changes", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1098", "tactic": "privilege-escalation", "score": 50, "color": "", "comment": "Different forms of changes", 
"links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1102", "tactic": "command-and-control", "score": 1, "color": "", "comment": "Pastebin for c2", "links": [ { "label": "example", "url": "https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1104", "tactic": "command-and-control", "score": 50, "color": "", "comment": "Multi-staged malware", "links": [ { "label": "example", "url": "https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1105", "tactic": "command-and-control", "score": 50, "color": "", "comment": "Download via basic URL", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1106", "tactic": "execution", "score": 1, "color": "", "comment": "Using simple API calls to evoke shell commands", "links": [ { "label": "example", "url": "https://research.checkpoint.com/2020/naikon-apt-cyber-espionage-reloaded/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1110", "tactic": "credential-access", "score": 50, "color": "", "comment": "Using modified word list", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1111", "tactic": "credential-access", "score": 1, "color": "", "comment": "Replay old tokens hoping for approval", "links": [ { "label": "example", "url": 
"https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1112", "tactic": "defense-evasion", "score": 100, "color": "", "comment": "Using direct file access to edit", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1113", "tactic": "collection", "score": 1, "color": "", "comment": "Metasploit Screenspy", "links": [ { "label": "example", "url": "https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/post/windows/gather/screen_spy.md" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1114", "tactic": "collection", "score": 50, "color": "", "comment": "Logging in with compromised credentials and downloading data", "links": [ { "label": "example", "url": "https://blog.certfa.com/posts/charming-kitten-christmas-gift/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1115", "tactic": "collection", "score": 100, "color": "", "comment": "Scraping memory for clipboard", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1119", "tactic": "collection", "score": 50, "color": "", "comment": "Custom configuration of script that looks at common OS locations", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1120", "tactic": "discovery", "score": 50, "color": "", "comment": "Malware module for scanning", "links": [ { "label": "example", "url": 
"https://web-assets.esetstatic.com/wls/2016/05/Operation-Groundbait.pdf" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1123", "tactic": "collection", "score": 50, "color": "", "comment": "Custom tools to capture audio", "links": [ { "label": "example", "url": "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1124", "tactic": "discovery", "score": 50, "color": "", "comment": "Use Windows APIs", "links": [ { "label": "example", "url": "https://www.welivesecurity.com/2018/11/20/sednit-whats-going-zebrocy/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1125", "tactic": "collection", "score": 1, "color": "", "comment": "Empire webcam module", "links": [ { "label": "example", "url": "https://github.com/PowerShellEmpire/Empire" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1127", "tactic": "defense-evasion", "score": 1, "color": "", "comment": "Modules that use MSBuild.exe", "links": [ { "label": "example", "url": "https://github.com/PowerShellEmpire/Empire" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1129", "tactic": "execution", "score": 1, "color": "", "comment": "Public way of loading a dll", "links": [ { "label": "example", "url": "https://cybersecurity.att.com/blogs/labs-research/the-odd-case-of-a-gh0strat-variant" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1132", "tactic": 
"command-and-control", "score": 50, "color": "", "comment": "modifications to well known encoding", "links": [ { "label": "example", "url": "https://securingtomorrow.mcafee.com/mcafee-labs/hidden-cobra-targets-turkish-financial-sector-new-bankshot-implant/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1133", "tactic": "initial-access", "score": 100, "color": "", "comment": "Log into service from trusted ip address", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1133", "tactic": "persistence", "score": 100, "color": "", "comment": "Log into service from trusted ip address", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1134", "tactic": "defense-evasion", "score": 50, "color": "", "comment": "Modified version of stealing/create tokens", "links": [ { "label": "example", "url": "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1134", "tactic": "privilege-escalation", "score": 50, "color": "", "comment": "Modified version of stealing/create tokens", "links": [ { "label": "example", "url": "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1135", "tactic": "discovery", "score": 100, "color": "", "comment": "Custom tool that queries remote hosts", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1136", "tactic": 
"persistence", "score": 100, "color": "", "comment": "Target-specific account creation", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1137", "tactic": "persistence", "score": 50, "color": "", "comment": "Different form of malicious method", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1140", "tactic": "defense-evasion", "score": 50, "color": "", "comment": "Advanced decoding like using certutil", "links": [ { "label": "example", "url": "https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1176", "tactic": "persistence", "score": 100, "color": "", "comment": "New extension with hidden malicious content", "links": [ { "label": "example", "url": "https://www.zdnet.com/article/cyber-espionage-group-uses-chrome-extension-to-infect-victims/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1185", "tactic": "collection", "score": 1, "color": "", "comment": "Known modules that inject into browsers", "links": [ { "label": "example", "url": "https://web.archive.org/web/20210825130434/https://cobaltstrike.com/downloads/csmanual38.pdf" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1187", "tactic": "credential-access", "score": 1, "color": "", "comment": "Open login window for users to enter creds", "links": [ { "label": "example", "url": "https://researchcenter.paloaltonetworks.com/2018/08/unit42-darkhydrus-uses-phishery-harvest-credentials-middle-east/" } ], "enabled": true, "metadata": [ { "name": 
"capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1189", "tactic": "initial-access", "score": 1, "color": "", "comment": "Using known client-side exploit", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1190", "tactic": "initial-access", "score": 50, "color": "", "comment": "altered form of known exploit", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1195", "tactic": "initial-access", "score": 0, "color": "", "comment": "Inserting custom malware into software supply chain", "links": [ { "label": "example", "url": "http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html" } ], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1197", "tactic": "defense-evasion", "score": 50, "color": "", "comment": "Custom interaction with the bits database", "links": [ { "label": "example", "url": "https://www.intrinsec.com/egregor-prolock/?cn-reloaded=1" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1197", "tactic": "persistence", "score": 50, "color": "", "comment": "Custom interaction with the bits database", "links": [ { "label": "example", "url": "https://www.intrinsec.com/egregor-prolock/?cn-reloaded=1" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1199", "tactic": "initial-access", "score": 1, "color": "", "comment": "Acquiring access through company with known bad associations", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1200", "tactic": 
"initial-access", "score": 0, "color": "", "comment": "Known hacker hardware like rubber ducky", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1201", "tactic": "discovery", "score": 50, "color": "", "comment": "CrackMapExec", "links": [ { "label": "example", "url": "https://github.com/byt3bl33d3r/CrackMapExec/wiki/SMB-Command-Reference" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1202", "tactic": "defense-evasion", "score": 50, "color": "", "comment": "Windows Subsystem for Linux invocations", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1203", "tactic": "execution", "score": 1, "color": "", "comment": "known exploits", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1204", "tactic": "execution", "score": 100, "color": "", "comment": "Putting a file for execution in an org-specific place it will be executed", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1205", "tactic": "command-and-control", "score": 1, "color": "", "comment": "Wake on LAN", "links": [ { "label": "example", "url": "https://www.bleepingcomputer.com/news/security/ryuk-ransomware-uses-wake-on-lan-to-encrypt-offline-devices/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1205", "tactic": "defense-evasion", "score": 1, "color": "", "comment": "Wake on LAN", "links": [ { "label": "example", "url": "https://www.bleepingcomputer.com/news/security/ryuk-ransomware-uses-wake-on-lan-to-encrypt-offline-devices/" } ], "enabled": 
true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1205", "tactic": "persistence", "score": 1, "color": "", "comment": "Wake on LAN", "links": [ { "label": "example", "url": "https://www.bleepingcomputer.com/news/security/ryuk-ransomware-uses-wake-on-lan-to-encrypt-offline-devices/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1207", "tactic": "defense-evasion", "score": 0, "color": "", "comment": "Mimikatz LSADUMP::DCShadow", "links": [ { "label": "example", "url": "https://github.com/gentilkiwi/mimikatz" } ], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1210", "tactic": "lateral-movement", "score": 1, "color": "", "comment": "Known exploit", "links": [ { "label": "example", "url": "https://web-assets.esetstatic.com/wls/2020/06/ESET_InvisiMole.pdf" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1211", "tactic": "defense-evasion", "score": 1, "color": "", "comment": "Public exploit code", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1212", "tactic": "credential-access", "score": 1, "color": "", "comment": "Known exploit", "links": [ { "label": "example", "url": "https://adsecurity.org/?p=1515" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1213", "tactic": "collection", "score": 50, "color": "", "comment": "Modified scrapers to look for data of interest", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1216", "tactic": "defense-evasion", 
"score": 1, "color": "", "comment": "Well known invocation of lolbin", "links": [ { "label": "example", "url": "https://enigma0x3.net/2017/08/03/wsh-injection-a-case-study/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1217", "tactic": "discovery", "score": 50, "color": "", "comment": "Custom filesystem enumeration command", "links": [ { "label": "example", "url": "https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1218", "tactic": "defense-evasion", "score": 50, "color": "", "comment": "Different way of calling binary", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1219", "tactic": "command-and-control", "score": 50, "color": "", "comment": "Install teamviewer on target", "links": [ { "label": "example", "url": "https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1220", "tactic": "defense-evasion", "score": 50, "color": "", "comment": "Different way of calling msxsl.exe", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1221", "tactic": "defense-evasion", "score": 1, "color": "", "comment": "Open source injection tool", "links": [ { "label": "example", "url": "https://github.com/ryhanson/phishery" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1222", "tactic": "defense-evasion", "score": 100, "color": "", "comment": "Novel way of modifying permissions", 
"links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1480", "tactic": "defense-evasion", "score": 1, "color": "", "comment": "Specific execution flags", "links": [ { "label": "example", "url": "https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1482", "tactic": "discovery", "score": 50, "color": "", "comment": "Custom filesystem enumeration command", "links": [ { "label": "example", "url": "https://posts.specterops.io/a-guide-to-attacking-domain-trusts-971e52cb2944" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1484", "tactic": "defense-evasion", "score": 1, "color": "", "comment": "GPO to push known TTP", "links": [ { "label": "example", "url": "https://wald0.com/?p=179" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1484", "tactic": "privilege-escalation", "score": 1, "color": "", "comment": "GPO to push known TTP", "links": [ { "label": "example", "url": "https://wald0.com/?p=179" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1485", "tactic": "impact", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1486", "tactic": "impact", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1489", "tactic": "impact", "score": 0, "color": "", 
"comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1490", "tactic": "impact", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1491", "tactic": "impact", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1495", "tactic": "impact", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1496", "tactic": "impact", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1497", "tactic": "defense-evasion", "score": 50, "color": "", "comment": "Check for user activity like mouse movements", "links": [ { "label": "example", "url": "https://www.welivesecurity.com/wp-content/uploads/2019/07/ESET_Okrum_and_Ketrican.pdf" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1497", "tactic": "discovery", "score": 50, "color": "", "comment": "Check for user activity like mouse movements", "links": [ { "label": "example", "url": "https://www.welivesecurity.com/wp-content/uploads/2019/07/ESET_Okrum_and_Ketrican.pdf" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1498", "tactic": "impact", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { 
"techniqueID": "T1499", "tactic": "impact", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1505", "tactic": "persistence", "score": 50, "color": "", "comment": "Modified malicious software components", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1518", "tactic": "discovery", "score": 50, "color": "", "comment": "Query registry for installed applications", "links": [ { "label": "example", "url": "https://www.cybereason.com/blog/a-bazar-of-tricks-following-team9s-development-cycles" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1525", "tactic": "persistence", "score": 1, "color": "", "comment": "Open source implant toolkit", "links": [ { "label": "example", "url": "https://github.com/RhinoSecurityLabs/ccat" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1526", "tactic": "discovery", "score": 50, "color": "", "comment": "Custom filesystem enumeration command", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1528", "tactic": "credential-access", "score": 1, "color": "", "comment": "Dumping of tokens abusing existingi access", "links": [ { "label": "example", "url": "https://www.inguardians.com/peirates/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1529", "tactic": "impact", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": 
"T1530", "tactic": "collection", "score": 50, "color": "", "comment": "Modified scrapers to look for data of interest", "links": [ { "label": "example", "url": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1531", "tactic": "impact", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1534", "tactic": "lateral-movement", "score": 100, "color": "", "comment": "Target-specific messages", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1535", "tactic": "defense-evasion", "score": 0, "color": "", "comment": "Deploying in a region that specifically avoids this target's monitoring", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1537", "tactic": "exfiltration", "score": 50, "color": "", "comment": "Using different cloud account", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1538", "tactic": "discovery", "score": 100, "color": "", "comment": "Log in from existing computer", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1539", "tactic": "credential-access", "score": 1, "color": "", "comment": "Man-in-the-middle proxy", "links": [ { "label": "example", "url": "https://github.com/kgretzky/evilginx2" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1542", "tactic": "defense-evasion", "score": 0, 
"color": "", "comment": "MBR bootkit", "links": [ { "label": "example", "url": "https://www.fireeye.com/blog/threat-research/2015/12/fin1-targets-boot-record.html" } ], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1542", "tactic": "persistence", "score": 0, "color": "", "comment": "MBR bootkit", "links": [ { "label": "example", "url": "https://www.fireeye.com/blog/threat-research/2015/12/fin1-targets-boot-record.html" } ], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1543", "tactic": "persistence", "score": 50, "color": "", "comment": "Altered malicious service", "links": [ { "label": "example", "url": "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1543", "tactic": "privilege-escalation", "score": 50, "color": "", "comment": "Altered malicious service", "links": [ { "label": "example", "url": "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1546", "tactic": "persistence", "score": 50, "color": "", "comment": "Altered form of known malicious trigger", "links": [ { "label": "example", "url": "https://github.com/RhinoSecurityLabs/pacu" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1546", "tactic": "privilege-escalation", "score": 50, "color": "", "comment": "Altered form of known malicious trigger", "links": [ { "label": "example", "url": "https://github.com/RhinoSecurityLabs/pacu" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { 
"techniqueID": "T1547", "tactic": "persistence", "score": 50, "color": "", "comment": "Altered form of malicious startup task", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1547", "tactic": "privilege-escalation", "score": 50, "color": "", "comment": "Altered form of malicious startup task", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1548", "tactic": "defense-evasion", "score": 50, "color": "", "comment": "Altered form of bypass", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1548", "tactic": "privilege-escalation", "score": 50, "color": "", "comment": "Altered form of bypass", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1550", "tactic": "defense-evasion", "score": 1, "color": "", "comment": "pass the hash", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1550", "tactic": "lateral-movement", "score": 1, "color": "", "comment": "pass the hash", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1552", "tactic": "credential-access", "score": 50, "color": "", "comment": "Search chat history or code repositories", "links": [ { "label": "example", "url": "https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1553", "tactic": "defense-evasion", "score": 1, 
"color": "", "comment": "Using something like .iso files to avoid mark-of-the-web", "links": [ { "label": "example", "url": "https://www.trendmicro.com/en_us/research/19/h/ta505-at-it-again-variety-is-the-spice-of-servhelper-and-flawedammyy.html" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1554", "tactic": "persistence", "score": 1, "color": "", "comment": "Known trojan template", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1555", "tactic": "credential-access", "score": 50, "color": "", "comment": "Grabbing files with altered tools", "links": [ { "label": "example", "url": "https://github.com/AlessandroZ/LaZagne" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1556", "tactic": "credential-access", "score": 1, "color": "", "comment": "trojanized function in known way", "links": [ { "label": "example", "url": "https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1556", "tactic": "defense-evasion", "score": 1, "color": "", "comment": "trojanized function in known way", "links": [ { "label": "example", "url": "https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1556", "tactic": "persistence", "score": 1, "color": "", "comment": "trojanized function in known way", "links": [ { "label": "example", "url": "https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } 
], "showSubtechniques": false }, { "techniqueID": "T1557", "tactic": "collection", "score": 1, "color": "", "comment": "cache poisoning", "links": [ { "label": "example", "url": "https://www.bitdefender.com/blog/labs/luminousmoth-plugx-file-exfiltration-and-persistence-revisited" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1557", "tactic": "credential-access", "score": 1, "color": "", "comment": "cache poisoning", "links": [ { "label": "example", "url": "https://www.bitdefender.com/blog/labs/luminousmoth-plugx-file-exfiltration-and-persistence-revisited" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1558", "tactic": "credential-access", "score": 1, "color": "", "comment": "Kerberoasting", "links": [ { "label": "example", "url": "https://attack.mitre.org/techniques/T1558/003/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1559", "tactic": "execution", "score": 1, "color": "", "comment": "Open source IPC abuse", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1560", "tactic": "collection", "score": 50, "color": "", "comment": "Archive via Library", "links": [ { "label": "example", "url": "https://securelist.com/use-of-dns-tunneling-for-cc-communications/78203/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1561", "tactic": "impact", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1562", "tactic": "defense-evasion", "score": 50, "color": "", "comment": "Disable other 
service that might detect malware", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1563", "tactic": "lateral-movement", "score": 50, "color": "", "comment": "Altered commands from suspicious", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1564", "tactic": "defense-evasion", "score": 50, "color": "", "comment": "Tweaked versions of known methods", "links": [ { "label": "example", "url": "https://www.secureworks.com/research/darktortilla-malware-analysis" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1565", "tactic": "impact", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1566", "tactic": "initial-access", "score": 100, "color": "", "comment": "Target-specific email", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1567", "tactic": "exfiltration", "score": 50, "color": "", "comment": "Using different service or account", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1568", "tactic": "command-and-control", "score": 50, "color": "", "comment": "Modifications to known algorithm", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1569", "tactic": "execution", "score": 50, "color": "", "comment": "Calling psexec in a different way", "links": [ { "label": "example", "url": 
"https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1570", "tactic": "lateral-movement", "score": 50, "color": "", "comment": "Altered commands from suspicious", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1571", "tactic": "command-and-control", "score": 50, "color": "", "comment": "Using another random port", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1572", "tactic": "command-and-control", "score": 1, "color": "", "comment": "SSH Tunneling", "links": [ { "label": "example", "url": "https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1573", "tactic": "command-and-control", "score": 1, "color": "", "comment": "Public algorithm with static key", "links": [ { "label": "example", "url": "http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1574", "tactic": "defense-evasion", "score": 50, "color": "", "comment": "Altered hijacking implementation", "links": [ { "label": "example", "url": "https://www.fireeye.com/blog/threat-research/2014/04/new-zero-day-exploit-targeting-internet-explorer-versions-9-through-11-identified-in-targeted-attacks.html" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1574", "tactic": "persistence", "score": 50, "color": "", "comment": "Altered hijacking 
implementation", "links": [ { "label": "example", "url": "https://www.fireeye.com/blog/threat-research/2014/04/new-zero-day-exploit-targeting-internet-explorer-versions-9-through-11-identified-in-targeted-attacks.html" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1574", "tactic": "privilege-escalation", "score": 50, "color": "", "comment": "Altered hijacking implementation", "links": [ { "label": "example", "url": "https://www.fireeye.com/blog/threat-research/2014/04/new-zero-day-exploit-targeting-internet-explorer-versions-9-through-11-identified-in-targeted-attacks.html" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1578", "tactic": "defense-evasion", "score": 1, "color": "", "comment": "Known cloud modifications", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1580", "tactic": "discovery", "score": 50, "color": "", "comment": "Custom API queries", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1583", "tactic": "resource-development", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1584", "tactic": "resource-development", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1585", "tactic": "resource-development", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1586", "tactic": 
"resource-development", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1587", "tactic": "resource-development", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1588", "tactic": "resource-development", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1589", "tactic": "reconnaissance", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1590", "tactic": "reconnaissance", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1591", "tactic": "reconnaissance", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1592", "tactic": "reconnaissance", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1593", "tactic": "reconnaissance", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1594", "tactic": "reconnaissance", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { 
"techniqueID": "T1595", "tactic": "reconnaissance", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1596", "tactic": "reconnaissance", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1597", "tactic": "reconnaissance", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1598", "tactic": "reconnaissance", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1599", "tactic": "defense-evasion", "score": 1, "color": "", "comment": "Disable boundary filtering entirely", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1600", "tactic": "defense-evasion", "score": 0, "color": "", "comment": "Change VPN appliance settings to null cipher", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1601", "tactic": "defense-evasion", "score": 1, "color": "", "comment": "Known method of modification", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1602", "tactic": "collection", "score": 50, "color": "", "comment": "Custom script to enumerate configuration", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1606", "tactic": "credential-access", "score": 1, 
"color": "", "comment": "Using known broken signing method", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1608", "tactic": "resource-development", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1609", "tactic": "execution", "score": 50, "color": "", "comment": "Changed form of administration command", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1610", "tactic": "defense-evasion", "score": 50, "color": "", "comment": "Modified malicious container", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1610", "tactic": "execution", "score": 50, "color": "", "comment": "Modified malicious container", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1611", "tactic": "privilege-escalation", "score": 50, "color": "", "comment": "Modified breakout method", "links": [ { "label": "example", "url": "https://unit42.paloaltonetworks.com/siloscape/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1612", "tactic": "defense-evasion", "score": 1, "color": "", "comment": "Known malicious container build", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1613", "tactic": "discovery", "score": 50, "color": "", "comment": "Custom API queries", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { 
"techniqueID": "T1614", "tactic": "discovery", "score": 50, "color": "", "comment": "IP geolocation", "links": [ { "label": "example", "url": "https://www.secureworks.com/research/threat-profiles/gold-prelude" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1615", "tactic": "discovery", "score": 50, "color": "", "comment": "Custom enumeration command", "links": [ { "label": "example", "url": "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1619", "tactic": "discovery", "score": 50, "color": "", "comment": "Custom API queries", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1620", "tactic": "defense-evasion", "score": 50, "color": "", "comment": "Modified method of loading", "links": [ { "label": "example", "url": "https://www.recordedfuture.com/whispergate-malware-corrupts-computers-ukraine" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1621", "tactic": "credential-access", "score": 50, "color": "", "comment": "Triggering requests for password reset configurations", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1622", "tactic": "defense-evasion", "score": 1, "color": "", "comment": "Known function calls like `IsDebuggerPresent()`", "links": [ { "label": "example", "url": "https://www.clearskysec.com/wp-content/uploads/2020/08/Dream-Job-Campaign.pdf" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1622", "tactic": "discovery", 
"score": 1, "color": "", "comment": "Known function calls like `IsDebuggerPresent()`", "links": [ { "label": "example", "url": "https://www.clearskysec.com/wp-content/uploads/2020/08/Dream-Job-Campaign.pdf" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1647", "tactic": "defense-evasion", "score": 50, "color": "", "comment": "Altered malicious plist file", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1648", "tactic": "execution", "score": 1, "color": "", "comment": "Open source commands", "links": [ { "label": "example", "url": "https://github.com/RhinoSecurityLabs/pacu" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1649", "tactic": "credential-access", "score": 50, "color": "", "comment": "Steal certificates with custom tool", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1650", "tactic": "resource-development", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1651", "tactic": "execution", "score": 50, "color": "", "comment": "Changed form of administration command", "links": [ { "label": "example", "url": "https://www.microsoft.com/security/blog/2021/10/25/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1652", "tactic": "discovery", "score": 50, "color": "", "comment": "Custom enumeration command", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", 
"value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1653", "tactic": "persistence", "score": 100, "color": "", "comment": "Modifying settings in a target-specific manner", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1654", "tactic": "discovery", "score": 50, "color": "", "comment": "Custom query commands", "links": [ { "label": "example", "url": "https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1656", "tactic": "defense-evasion", "score": 50, "color": "", "comment": "Less common impersonation shared across many targets", "links": [ { "label": "example", "url": "https://www.clearskysec.com/wp-content/uploads/2020/08/Dream-Job-Campaign.pdf" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1657", "tactic": "impact", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1659", "tactic": "command-and-control", "score": 1, "color": "", "comment": "falsify server responses for something like dns", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1659", "tactic": "initial-access", "score": 1, "color": "", "comment": "falsify server responses for something like dns", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1665", "tactic": "command-and-control", "score": 1, "color": "", "comment": "use vpn", "links": [], "enabled": true, "metadata": [ { "name": 
"capability_level", "value": "Public" } ], "showSubtechniques": false } ], "gradient": { "colors": [ "#cad4daff", "#3182bdff" ], "minValue": 0, "maxValue": 100 }, "legendItems": [], "metadata": [ { "name": "version", "value": "1.0" }, { "name": "author", "value": "Optimizer LLC" }, { "name": "date", "value": "2024-09-22" } ], "links": [ { "label": "Influence Energy", "url": "https://www.optimizer.llc" }, { "label": "Source Repository", "url": "https://github.com/BoogleCloud/influence-energy" } ], "showTacticRowBackground": false, "tacticRowBackground": "#dddddd", "selectTechniquesAcrossTactics": true, "selectSubtechniquesWithParent": false, "selectVisibleTechniques": false }