{ "name": "Influence Energy Level 3", "versions": { "attack": "15", "navigator": "5.1.0", "layer": "4.5" }, "domain": "enterprise-attack", "description": "Techniques that require Influence Energy Level 3. Each entry's score encodes its capability_level metadata: Public = 1, Altered = 50, Bespoke = 100.", "filters": { "platforms": [ "Windows", "Linux", "macOS", "Network", "PRE", "Containers", "Office 365", "SaaS", "Google Workspace", "IaaS", "Azure AD" ] }, "sorting": 3, "layout": { "layout": "side", "aggregateFunction": "average", "showID": false, "showName": true, "showAggregateScores": false, "countUnscored": false, "expandedSubtechniques": "none" }, "hideDisabled": false, "techniques": [ { "techniqueID": "T1001", "tactic": "command-and-control", "score": 50, "color": "", "comment": "Modifying a public data obfuscation method would require knowledge of the underlying protocol and implementation", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1003", "tactic": "credential-access", "score": 100, "color": "", "comment": "Writing custom code that manipulates APIs to read the data", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1005", "tactic": "collection", "score": 100, "color": "", "comment": "Commands that mimic target backup strategies", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1006", "tactic": "defense-evasion", "score": 100, "color": "", "comment": "Custom malware that can access the driver", "links": [ { "label": "example", "url": "https://www.microsoft.com/en-us/security/blog/2023/10/25/octo-tempest-crosses-boundaries-to-facilitate-extortion-encryption-and-destruction/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1007", "tactic": "discovery", "score": 100, 
"color": "", "comment": "Malware that can call functions directly", "links": [ { "label": "example", "url": "https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1008", "tactic": "command-and-control", "score": 50, "color": "", "comment": "DNS Tunneling with your own domain", "links": [ { "label": "example", "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-oilrig-uses-ismdoor-variant-possibly-linked-greenbug-threat-group/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1010", "tactic": "discovery", "score": 100, "color": "", "comment": "Memory access", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1011", "tactic": "exfiltration", "score": 1, "color": "", "comment": "Known protocol like wifi network", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1012", "tactic": "discovery", "score": 100, "color": "", "comment": "Directly access registry hives", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1014", "tactic": "defense-evasion", "score": 50, "color": "", "comment": "Custom malicious driver", "links": [ { "label": "example", "url": "https://www.theregister.com/2020/08/07/def_con_demirkapi/" }, { "label": "example", "url": "https://www.cyberark.com/resources/threat-research-blog/fantastic-rootkits-and-where-to-find-them-part-1" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": 
false }, { "techniqueID": "T1016", "tactic": "discovery", "score": 100, "color": "", "comment": "Look for network configuration stored in environment-specific way", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1018", "tactic": "discovery", "score": 100, "color": "", "comment": "Analyzing environment-specific applications to see what they communicate with", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1020", "tactic": "exfiltration", "score": 100, "color": "", "comment": "Custom search method", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1021", "tactic": "lateral-movement", "score": 100, "color": "", "comment": "Custom tool for creating remote connections", "links": [ { "label": "example", "url": "https://securelist.com/apt-style-bank-robberies-increase-with-metel-gcman-and-carbanak-2-0-attacks/73638/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1025", "tactic": "collection", "score": 100, "color": "", "comment": "Commands that mimic target backup strategies", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1027", "tactic": "defense-evasion", "score": 100, "color": "", "comment": "Embedding malware in legitimate application", "links": [ { "label": "example", "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1029", "tactic": "exfiltration", "score": 50, "color": "", "comment": "Randomizing upload or 
setting work hours", "links": [ { "label": "example", "url": "https://web-assets.esetstatic.com/wls/2020/05/ESET_Turla_ComRAT.pdf" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1030", "tactic": "exfiltration", "score": 50, "color": "", "comment": "Setting specific limit based on c2 traffic profile", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1033", "tactic": "discovery", "score": 100, "color": "", "comment": "Custom function calling getlogin() or similar", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1036", "tactic": "defense-evasion", "score": 100, "color": "", "comment": "Matching filenames on the compromised system", "links": [ { "label": "example", "url": "https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1037", "tactic": "persistence", "score": 100, "color": "", "comment": "Hooking a target-specific application", "links": [ { "label": "example", "url": "https://www.mandiant.com/resources/blog/unc3524-eye-spy-email" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1037", "tactic": "privilege-escalation", "score": 100, "color": "", "comment": "Hooking a target-specific application", "links": [ { "label": "example", "url": "https://www.mandiant.com/resources/blog/unc3524-eye-spy-email" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1039", "tactic": "collection", "score": 100, "color": "", "comment": "Commands that mimic 
target backup strategies", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1040", "tactic": "credential-access", "score": 50, "color": "", "comment": "Hook network APIs", "links": [ { "label": "example", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-banking-malware-uses-network-sniffing-for-data-theft/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1040", "tactic": "discovery", "score": 50, "color": "", "comment": "Hook network APIs", "links": [ { "label": "example", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-banking-malware-uses-network-sniffing-for-data-theft/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1041", "tactic": "exfiltration", "score": 50, "color": "", "comment": "Modified method transfer", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1046", "tactic": "discovery", "score": 100, "color": "", "comment": "Custom shell commands to initiate connections", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1047", "tactic": "execution", "score": 100, "color": "", "comment": "Unique way of calling WMI from APIs", "links": [ { "label": "example", "url": "https://techcommunity.microsoft.com/t5/windows-it-pro-blog/wmi-command-line-wmic-utility-deprecation-next-steps/ba-p/4039242" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1048", "tactic": "exfiltration", "score": 50, "color": "", "comment": "Modified method transfer", "links": [], "enabled": 
true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1049", "tactic": "discovery", "score": 100, "color": "", "comment": "Perform a novel kernel query to get information", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1052", "tactic": "exfiltration", "score": 1, "color": "", "comment": "Well-known file structure on medium", "links": [ { "label": "example", "url": "https://securelist.com/agent-btz-a-source-of-inspiration/58551/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1053", "tactic": "execution", "score": 100, "color": "", "comment": "Create a custom container that handles your scheduled task", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1053", "tactic": "persistence", "score": 100, "color": "", "comment": "Create a custom container that handles your scheduled task", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1053", "tactic": "privilege-escalation", "score": 100, "color": "", "comment": "Create a custom container that handles your scheduled task", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1055", "tactic": "defense-evasion", "score": 100, "color": "", "comment": "Novel method of inserting code into a process", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1055", "tactic": "privilege-escalation", "score": 100, "color": "", "comment": "Novel method of inserting code into a process", "links": [], 
"enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1056", "tactic": "collection", "score": 50, "color": "", "comment": "API Hooking", "links": [ { "label": "example", "url": "https://www.cybereason.com/hubfs/dam/collateral/reports/11-2020-Chaes-e-commerce-malware-research.pdf" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1056", "tactic": "credential-access", "score": 50, "color": "", "comment": "API Hooking", "links": [ { "label": "example", "url": "https://www.cybereason.com/hubfs/dam/collateral/reports/11-2020-Chaes-e-commerce-malware-research.pdf" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1057", "tactic": "discovery", "score": 100, "color": "", "comment": "Perform a novel kernel query to get information", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1059", "tactic": "execution", "score": 100, "color": "", "comment": "Novel scripting interpreter execution method", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1068", "tactic": "privilege-escalation", "score": 50, "color": "", "comment": "Altered exploits", "links": [ { "label": "example", "url": "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1069", "tactic": "discovery", "score": 100, "color": "", "comment": "Novel access method for enumerating groups", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false 
}, { "techniqueID": "T1070", "tactic": "defense-evasion", "score": 100, "color": "", "comment": "Restoring kernel table state after exploit", "links": [ { "label": "example", "url": "https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1071", "tactic": "command-and-control", "score": 100, "color": "", "comment": "Environment-specific protocol for C2", "links": [ { "label": "example", "url": "https://unit42.paloaltonetworks.com/lucifer-new-cryptojacking-and-ddos-hybrid-malware/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1072", "tactic": "execution", "score": 1, "color": "", "comment": "Something like remoteexec", "links": [ { "label": "example", "url": "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1072", "tactic": "lateral-movement", "score": 1, "color": "", "comment": "Something like remoteexec", "links": [ { "label": "example", "url": "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1074", "tactic": "collection", "score": 100, "color": "", "comment": "Using environment-specific data stores", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1078", "tactic": "defense-evasion", "score": 100, "color": "", "comment": 
"Phishing for access to actual accounts", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1078", "tactic": "initial-access", "score": 100, "color": "", "comment": "Phishing for access to actual accounts", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1078", "tactic": "persistence", "score": 100, "color": "", "comment": "Phishing for access to actual accounts", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1078", "tactic": "privilege-escalation", "score": 100, "color": "", "comment": "Phishing for access to actual accounts", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1080", "tactic": "lateral-movement", "score": 100, "color": "", "comment": "Target-specific method", "links": [ { "label": "example", "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1082", "tactic": "discovery", "score": 100, "color": "", "comment": "Profile file attributes (size, hash) on endpoint", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1083", "tactic": "discovery", "score": 100, "color": "", "comment": "Custom filesystem driver", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1087", "tactic": "discovery", "score": 100, "color": "", "comment": "Target-specific account discovery", "links": [], "enabled": true, "metadata": [ { 
"name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1090", "tactic": "command-and-control", "score": 50, "color": "", "comment": "Turn victim systems into proxies", "links": [ { "label": "example", "url": "https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-F.pdf" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1091", "tactic": "initial-access", "score": 50, "color": "", "comment": "Modified autorun", "links": [ { "label": "example", "url": "https://www.avira.com/en/blog/new-wave-of-plugx-targets-hong-kong" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1091", "tactic": "lateral-movement", "score": 50, "color": "", "comment": "Modified autorun", "links": [ { "label": "example", "url": "https://www.avira.com/en/blog/new-wave-of-plugx-targets-hong-kong" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1092", "tactic": "command-and-control", "score": 50, "color": "", "comment": "Group-specific removable media module", "links": [ { "label": "example", "url": "https://web.archive.org/web/20151022204649/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1095", "tactic": "command-and-control", "score": 100, "color": "", "comment": "Custom TCP protocol", "links": [ { "label": "example", "url": "https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1098", "tactic": 
"persistence", "score": 100, "color": "", "comment": "Target-specific changes", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1098", "tactic": "privilege-escalation", "score": 100, "color": "", "comment": "Target-specific changes", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1102", "tactic": "command-and-control", "score": 50, "color": "", "comment": "Custom AWS resources", "links": [ { "label": "example", "url": "https://www.clearskysec.com/wp-content/uploads/2020/12/Pay2Kitten.pdf" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1104", "tactic": "command-and-control", "score": 100, "color": "", "comment": "Different communication channels for each stage", "links": [ { "label": "example", "url": "https://blog.morphisec.com/revealing-the-snip3-crypter-a-highly-evasive-rat-loader" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1105", "tactic": "command-and-control", "score": 100, "color": "", "comment": "Inject javascript onto websites to download payloads", "links": [ { "label": "example", "url": "https://www.volexity.com/blog/2017/11/06/oceanlotus-blossoms-mass-digital-surveillance-and-exploitation-of-asean-nations-the-media-human-rights-and-civil-society/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1106", "tactic": "execution", "score": 50, "color": "", "comment": "Using API calls in a custom way", "links": [ { "label": "example", "url": "https://blogs.blackberry.com/en/2020/11/the-costaricto-campaign-cyber-espionage-outsourced" } ], "enabled": true, "metadata": [ { "name": 
"capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1110", "tactic": "credential-access", "score": 100, "color": "", "comment": "Massive cracking power", "links": [ { "label": "example", "url": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Plan.pdf" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1111", "tactic": "credential-access", "score": 50, "color": "", "comment": "Register alternate phone numbers for compromised users", "links": [ { "label": "example", "url": "https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1112", "tactic": "defense-evasion", "score": 100, "color": "", "comment": "Using direct file access to edit", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1113", "tactic": "collection", "score": 50, "color": "", "comment": "Plugin to capture screenshots", "links": [ { "label": "example", "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Attor.pdf" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1114", "tactic": "collection", "score": 100, "color": "", "comment": "Emotet email collection module", "links": [ { "label": "example", "url": "https://www.cisecurity.org/white-papers/ms-isac-security-primer-emotet/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1115", "tactic": "collection", "score": 100, "color": "", "comment": "Scraping memory for clipboard", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": 
"Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1119", "tactic": "collection", "score": 100, "color": "", "comment": "Custom script that looks at target-specific things", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1120", "tactic": "discovery", "score": 100, "color": "", "comment": "Look at software in use and check for hardware drivers", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1123", "tactic": "collection", "score": 100, "color": "", "comment": "Target-specific tools to capture audio", "links": [ { "label": "example", "url": "https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1124", "tactic": "discovery", "score": 100, "color": "", "comment": "Blend in with remote traffic", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1125", "tactic": "collection", "score": 50, "color": "", "comment": "Custom module", "links": [ { "label": "example", "url": "https://blog.360totalsecurity.com/en/apt-c-43-steals-venezuelan-military-secrets-to-provide-intelligence-support-for-the-reactionaries-hpreact-campaign/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1127", "tactic": "defense-evasion", "score": 50, "color": "", "comment": "Custom MSBuild command", "links": [ { "label": "example", "url": "https://blog.talosintelligence.com/2019/06/frankenstein-campaign.html" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1129", "tactic": 
"execution", "score": 50, "color": "", "comment": "Custom way of loading a dynamic library", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1132", "tactic": "command-and-control", "score": 100, "color": "", "comment": "Custom encoding system", "links": [ { "label": "example", "url": "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1133", "tactic": "initial-access", "score": 100, "color": "", "comment": "Log into service from a trusted IP address", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1133", "tactic": "persistence", "score": 100, "color": "", "comment": "Log into service from a trusted IP address", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1134", "tactic": "defense-evasion", "score": 100, "color": "", "comment": "Custom method of manipulating/forging tokens", "links": [ { "label": "example", "url": "https://docs.google.com/document/d/1e9ZTW9b71YwFWS_18ZwDAxa-cYbV8q1wUefmKZLYVsA/edit#heading=h.lmnbtht1ikzm" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1134", "tactic": "privilege-escalation", "score": 100, "color": "", "comment": "Custom method of manipulating/forging tokens", "links": [ { "label": "example", "url": "https://docs.google.com/document/d/1e9ZTW9b71YwFWS_18ZwDAxa-cYbV8q1wUefmKZLYVsA/edit#heading=h.lmnbtht1ikzm" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1135", "tactic": "discovery", "score": 100, "color": "", 
"comment": "Custom tool that queries remote hosts", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1136", "tactic": "persistence", "score": 100, "color": "", "comment": "Target-specific account creation", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1137", "tactic": "persistence", "score": 100, "color": "", "comment": "Novel office startup subtechnique", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1140", "tactic": "defense-evasion", "score": 100, "color": "", "comment": "Custom decryption algorithm", "links": [ { "label": "example", "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1176", "tactic": "persistence", "score": 100, "color": "", "comment": "New extension with hidden malicious content", "links": [ { "label": "example", "url": "https://www.zdnet.com/article/cyber-espionage-group-uses-chrome-extension-to-infect-victims/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1185", "tactic": "collection", "score": 50, "color": "", "comment": "Custom browser modules to steal data", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1187", "tactic": "credential-access", "score": 50, "color": "", "comment": "LNK file icon with remote resource", "links": [ { "label": "example", "url": "https://www.us-cert.gov/ncas/alerts/TA17-293A" } ], "enabled": true, "metadata": [ { "name": "capability_level", 
"value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1189", "tactic": "initial-access", "score": 50, "color": "", "comment": "Using altered client-side exploit", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1190", "tactic": "initial-access", "score": 100, "color": "", "comment": "Zero day exploit", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1195", "tactic": "initial-access", "score": 1, "color": "", "comment": "Inserting known malware into a software supply chain", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1197", "tactic": "defense-evasion", "score": 100, "color": "", "comment": "environment-specific way of interacting with bits", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1197", "tactic": "persistence", "score": 100, "color": "", "comment": "environment-specific way of interacting with bits", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1199", "tactic": "initial-access", "score": 50, "color": "", "comment": "Acquiring access through company with no known bad associations", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1200", "tactic": "initial-access", "score": 1, "color": "", "comment": "Known hacker hardware like rubber ducky", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1201", "tactic": "discovery", "score": 100, "color": "", "comment": 
"Asking someone at the company", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1202", "tactic": "defense-evasion", "score": 100, "color": "", "comment": "Other novel indirect execution", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1203", "tactic": "execution", "score": 50, "color": "", "comment": "altered form of known exploit", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1204", "tactic": "execution", "score": 100, "color": "", "comment": "Putting a file for execution in an org-specific place it will be executed", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1205", "tactic": "command-and-control", "score": 50, "color": "", "comment": "Reverse shell triggered by specific packets", "links": [ { "label": "example", "url": "http://gosecure.net/2018/02/14/chaos-stolen-backdoor-rising/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1205", "tactic": "defense-evasion", "score": 50, "color": "", "comment": "Reverse shell triggered by specific packets", "links": [ { "label": "example", "url": "http://gosecure.net/2018/02/14/chaos-stolen-backdoor-rising/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1205", "tactic": "persistence", "score": 50, "color": "", "comment": "Reverse shell triggered by specific packets", "links": [ { "label": "example", "url": "http://gosecure.net/2018/02/14/chaos-stolen-backdoor-rising/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": 
"Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1207", "tactic": "defense-evasion", "score": 1, "color": "", "comment": "Mimikatz LSADUMP::DCShadow", "links": [ { "label": "example", "url": "https://github.com/gentilkiwi/mimikatz" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1210", "tactic": "lateral-movement", "score": 50, "color": "", "comment": "Adaptations of known exploits", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1211", "tactic": "defense-evasion", "score": 50, "color": "", "comment": "altered form of public code", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1212", "tactic": "credential-access", "score": 50, "color": "", "comment": "Known exploit that requires some target knowledge", "links": [ { "label": "example", "url": "https://www.bugcrowd.com/glossary/replay-attack/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1213", "tactic": "collection", "score": 100, "color": "", "comment": "Custom scraper for a target", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1216", "tactic": "defense-evasion", "score": 50, "color": "", "comment": "Changing how the lolbin is called", "links": [ { "label": "example", "url": "https://twitter.com/ItsReallyNick/status/944321013084573697" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1217", "tactic": "discovery", "score": 100, "color": "", "comment": "Novel malware payload", "links": [ { "label": "example", "url": 
"https://www.cybereason.com/blog/research/powerless-trojan-iranian-apt-phosphorus-adds-new-powershell-backdoor-for-espionage" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1218", "tactic": "defense-evasion", "score": 50, "color": "", "comment": "Different way of calling binary", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1219", "tactic": "command-and-control", "score": 100, "color": "", "comment": "Custom malware module", "links": [ { "label": "example", "url": "https://www.welivesecurity.com/2020/10/12/eset-takes-part-global-operation-disrupt-trickbot/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1220", "tactic": "defense-evasion", "score": 50, "color": "", "comment": "Different way of calling msxsl.exe", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1221", "tactic": "defense-evasion", "score": 50, "color": "", "comment": "RTF injection", "links": [ { "label": "example", "url": "https://www.uptycs.com/blog/threat-research-report-team/confucius-apt-deploys-warzone-rat" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1222", "tactic": "defense-evasion", "score": 100, "color": "", "comment": "Novel way of modifying permissions", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1480", "tactic": "defense-evasion", "score": 50, "color": "", "comment": "Per target alterations of payloads", "links": [ { "label": "example", "url": 
"https://www.trellix.com/blogs/research/the-continued-evolution-of-the-darkgate-malware-as-a-service/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1482", "tactic": "discovery", "score": 100, "color": "", "comment": "Novel malware payload", "links": [ { "label": "example", "url": "https://github.com/nettitude/PoshC2_Python" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1484", "tactic": "defense-evasion", "score": 50, "color": "", "comment": "Changing settings for new trust or DC", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1484", "tactic": "privilege-escalation", "score": 50, "color": "", "comment": "Changing settings for new trust or DC", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1485", "tactic": "impact", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1486", "tactic": "impact", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1489", "tactic": "impact", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1490", "tactic": "impact", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1491", "tactic": "impact", "score": 0, "color": "", 
"comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1495", "tactic": "impact", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1496", "tactic": "impact", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1497", "tactic": "defense-evasion", "score": 50, "color": "", "comment": "Check for user activity like mouse movements", "links": [ { "label": "example", "url": "https://www.welivesecurity.com/wp-content/uploads/2019/07/ESET_Okrum_and_Ketrican.pdf" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1497", "tactic": "discovery", "score": 50, "color": "", "comment": "Check for user activity like mouse movements", "links": [ { "label": "example", "url": "https://www.welivesecurity.com/wp-content/uploads/2019/07/ESET_Okrum_and_Ketrican.pdf" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1498", "tactic": "impact", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1499", "tactic": "impact", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1505", "tactic": "persistence", "score": 100, "color": "", "comment": "New components with malicious capabilities", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": 
"Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1518", "tactic": "discovery", "score": 100, "color": "", "comment": "Novel way of inferring software from registry or file system", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1525", "tactic": "persistence", "score": 50, "color": "", "comment": "modified implant method", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1526", "tactic": "discovery", "score": 100, "color": "", "comment": "Novel malware payload", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1528", "tactic": "credential-access", "score": 50, "color": "", "comment": "Register custom OAuth application", "links": [ { "label": "example", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-abuses-open-authentication-advanced-social-engineering-attacks" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1529", "tactic": "impact", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1530", "tactic": "collection", "score": 100, "color": "", "comment": "Custom scraper for a cloud storage location", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1531", "tactic": "impact", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1534", "tactic": "lateral-movement", "score": 100, 
"color": "", "comment": "Target-specific messages", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1535", "tactic": "defense-evasion", "score": 50, "color": "", "comment": "Deploying resources in a region with lower logging thresholds", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1537", "tactic": "exfiltration", "score": 100, "color": "", "comment": "Using cloud account that is trusted by target environment", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1538", "tactic": "discovery", "score": 100, "color": "", "comment": "Log in from existing computer", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1539", "tactic": "credential-access", "score": 50, "color": "", "comment": "Steal cookies from disk", "links": [ { "label": "example", "url": "https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1542", "tactic": "defense-evasion", "score": 1, "color": "", "comment": "MBR bootkit", "links": [ { "label": "example", "url": "https://www.fireeye.com/blog/threat-research/2015/12/fin1-targets-boot-record.html" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1542", "tactic": "persistence", "score": 1, "color": "", "comment": "MBR bootkit", "links": [ { "label": "example", "url": "https://www.fireeye.com/blog/threat-research/2015/12/fin1-targets-boot-record.html" } ], "enabled": true, "metadata": [ { "name": 
"capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1543", "tactic": "persistence", "score": 100, "color": "", "comment": "Modify environment-specific service", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1543", "tactic": "privilege-escalation", "score": 100, "color": "", "comment": "Modify environment-specific service", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1546", "tactic": "persistence", "score": 100, "color": "", "comment": "Novel method of event triggering", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1546", "tactic": "privilege-escalation", "score": 100, "color": "", "comment": "Novel method of event triggering", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1547", "tactic": "persistence", "score": 100, "color": "", "comment": "Novel method of auto start task", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1547", "tactic": "privilege-escalation", "score": 100, "color": "", "comment": "Novel method of auto start task", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1548", "tactic": "defense-evasion", "score": 100, "color": "", "comment": "Novel elevation mechanism", "links": [ { "label": "example", "url": "http://www.slideshare.net/MatthewDunwoody1/no-easy-breach-derby-con-2016" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": 
"T1548", "tactic": "privilege-escalation", "score": 100, "color": "", "comment": "Novel elevation mechanism", "links": [ { "label": "example", "url": "http://www.slideshare.net/MatthewDunwoody1/no-easy-breach-derby-con-2016" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1550", "tactic": "defense-evasion", "score": 50, "color": "", "comment": "pass the ticket", "links": [ { "label": "example", "url": "https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1550", "tactic": "lateral-movement", "score": 50, "color": "", "comment": "pass the ticket", "links": [ { "label": "example", "url": "https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1552", "tactic": "credential-access", "score": 100, "color": "", "comment": "Custom API queries", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1553", "tactic": "defense-evasion", "score": 50, "color": "", "comment": "Installing root certificate that you control", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1554", "tactic": "persistence", "score": 50, "color": "", "comment": "Altered trojan template", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1555", "tactic": "credential-access", "score": 100, "color": "", "comment": "Searching custom password stores", "links": [], 
"enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1556", "tactic": "credential-access", "score": 50, "color": "", "comment": "trojanized function in a different way", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1556", "tactic": "defense-evasion", "score": 50, "color": "", "comment": "trojanized function in a different way", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1556", "tactic": "persistence", "score": 50, "color": "", "comment": "trojanized function in a different way", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1557", "tactic": "collection", "score": 50, "color": "", "comment": "actively altering network / proxy infrastructure", "links": [ { "label": "example", "url": "https://objective-see.org/blog/blog_0x25.html" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1557", "tactic": "credential-access", "score": 50, "color": "", "comment": "actively altering network / proxy infrastructure", "links": [ { "label": "example", "url": "https://objective-see.org/blog/blog_0x25.html" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1558", "tactic": "credential-access", "score": 50, "color": "", "comment": "Golden ticket", "links": [ { "label": "example", "url": "https://attack.mitre.org/techniques/T1558/001/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1559", "tactic": "execution", "score": 50, "color": "", "comment": 
"Altered form of IPC", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1560", "tactic": "collection", "score": 100, "color": "", "comment": "Archive via custom method", "links": [ { "label": "example", "url": "http://blog.threatexpert.com/2008/11/agentbtz-threat-that-hit-pentagon.html" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1561", "tactic": "impact", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1562", "tactic": "defense-evasion", "score": 100, "color": "", "comment": "Modify system in a target-specific method", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1563", "tactic": "lateral-movement", "score": 100, "color": "", "comment": "Target-specific enumeration of sessions", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1564", "tactic": "defense-evasion", "score": 100, "color": "", "comment": "Novel method of hiding", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1565", "tactic": "impact", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1566", "tactic": "initial-access", "score": 100, "color": "", "comment": "Target-specific email", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1567", "tactic": 
"exfiltration", "score": 100, "color": "", "comment": "Using target-specific service or account", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1568", "tactic": "command-and-control", "score": 100, "color": "", "comment": "Custom domain generation algorithm (DGA)", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1569", "tactic": "execution", "score": 100, "color": "", "comment": "Modify custom, pre-existing service", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1570", "tactic": "lateral-movement", "score": 100, "color": "", "comment": "Target-specific transfer commands", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1571", "tactic": "command-and-control", "score": 100, "color": "", "comment": "Using a port that is specific to an application present on the system", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1572", "tactic": "command-and-control", "score": 50, "color": "", "comment": "DNS Tunneling", "links": [ { "label": "example", "url": "https://vblocalhost.com/uploads/VB2021-Kayal-etal.pdf" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1573", "tactic": "command-and-control", "score": 50, "color": "", "comment": "Secure implementation of public algorithm", "links": [ { "label": "example", "url": "https://research.checkpoint.com/2020/bandook-signed-delivered/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": 
"T1574", "tactic": "defense-evasion", "score": 100, "color": "", "comment": "Bespoke OS hijacking", "links": [ { "label": "example", "url": "https://www.microsoft.com/security/blog/2018/03/01/finfisher-exposed-a-researchers-tale-of-defeating-traps-tricks-and-complex-virtual-machines/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1574", "tactic": "persistence", "score": 100, "color": "", "comment": "Bespoke OS hijacking", "links": [ { "label": "example", "url": "https://www.microsoft.com/security/blog/2018/03/01/finfisher-exposed-a-researchers-tale-of-defeating-traps-tricks-and-complex-virtual-machines/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1574", "tactic": "privilege-escalation", "score": 100, "color": "", "comment": "Bespoke OS hijacking", "links": [ { "label": "example", "url": "https://www.microsoft.com/security/blog/2018/03/01/finfisher-exposed-a-researchers-tale-of-defeating-traps-tricks-and-complex-virtual-machines/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1578", "tactic": "defense-evasion", "score": 50, "color": "", "comment": "Different cloud modifications", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1580", "tactic": "discovery", "score": 100, "color": "", "comment": "Searching target information repositories", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1583", "tactic": "resource-development", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { 
"techniqueID": "T1584", "tactic": "resource-development", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1585", "tactic": "resource-development", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1586", "tactic": "resource-development", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1587", "tactic": "resource-development", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1588", "tactic": "resource-development", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1589", "tactic": "reconnaissance", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1590", "tactic": "reconnaissance", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1591", "tactic": "reconnaissance", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1592", "tactic": "reconnaissance", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Bespoke" 
} ], "showSubtechniques": false }, { "techniqueID": "T1593", "tactic": "reconnaissance", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1594", "tactic": "reconnaissance", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1595", "tactic": "reconnaissance", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1596", "tactic": "reconnaissance", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1597", "tactic": "reconnaissance", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1598", "tactic": "reconnaissance", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1599", "tactic": "defense-evasion", "score": 50, "color": "", "comment": "Add specific infrastructure to allowlist", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1600", "tactic": "defense-evasion", "score": 1, "color": "", "comment": "Change VPN appliance settings to null cipher", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Public" } ], "showSubtechniques": false }, { "techniqueID": "T1601", "tactic": "defense-evasion", "score": 50, "color": "", "comment": 
"Different form of the known modification", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1602", "tactic": "collection", "score": 100, "color": "", "comment": "Custom probes", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1606", "tactic": "credential-access", "score": 50, "color": "", "comment": "Using a secret stolen from the target to forge tokens", "links": [ { "label": "example", "url": "https://aadinternals.com/aadinternals/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1608", "tactic": "resource-development", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1609", "tactic": "execution", "score": 100, "color": "", "comment": "Novel way of calling the command", "links": [ { "label": "example", "url": "https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1610", "tactic": "defense-evasion", "score": 100, "color": "", "comment": "Novel malicious container", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1610", "tactic": "execution", "score": 100, "color": "", "comment": "Novel malicious container", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1611", "tactic": "privilege-escalation", "score": 100, "color": "", "comment": "Novel breakout method", "links": [], "enabled": true, 
"metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1612", "tactic": "defense-evasion", "score": 50, "color": "", "comment": "Modified malicious container build process", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1613", "tactic": "discovery", "score": 100, "color": "", "comment": "Searching target information repositories", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1614", "tactic": "discovery", "score": 100, "color": "", "comment": "Compromise the device's location service without notification", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1615", "tactic": "discovery", "score": 100, "color": "", "comment": "Novel malware payload", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1619", "tactic": "discovery", "score": 100, "color": "", "comment": "Searching target information repositories", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1620", "tactic": "defense-evasion", "score": 100, "color": "", "comment": "Bespoke method of injection", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1621", "tactic": "credential-access", "score": 100, "color": "", "comment": "Triggering requests in custom application", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1622", "tactic": "defense-evasion", "score": 50, "color": 
"", "comment": "Other function calls that indicate debugger is present", "links": [ { "label": "example", "url": "https://www.secureworks.com/research/darktortilla-malware-analysis" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1622", "tactic": "discovery", "score": 50, "color": "", "comment": "Other function calls that indicate debugger is present", "links": [ { "label": "example", "url": "https://www.secureworks.com/research/darktortilla-malware-analysis" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1647", "tactic": "defense-evasion", "score": 100, "color": "", "comment": "Custom malicious plist file", "links": [ { "label": "example", "url": "https://documents.trendmicro.com/assets/pdf/XCSSET_Technical_Brief.pdf" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1648", "tactic": "execution", "score": 50, "color": "", "comment": "Modified commands", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1649", "tactic": "credential-access", "score": 100, "color": "", "comment": "Forge certificates in a specific environment", "links": [ { "label": "example", "url": "https://www.mandiant.com/resources/tracking-apt29-phishing-campaigns" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1650", "tactic": "resource-development", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1651", "tactic": "execution", "score": 100, "color": "", "comment": "Malicious command that blends in with the 
environment", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1652", "tactic": "discovery", "score": 100, "color": "", "comment": "Novel malware payload", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1653", "tactic": "persistence", "score": 100, "color": "", "comment": "Modifying settings in a target-specific manner", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1654", "tactic": "discovery", "score": 100, "color": "", "comment": "parsing of environment-specific logs", "links": [ { "label": "example", "url": "https://www.mandiant.com/resources/blog/updates-on-chinese-apt-compromising-pulse-secure-vpn-devices" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1656", "tactic": "defense-evasion", "score": 100, "color": "", "comment": "Target-specific trusted party impersonation", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1657", "tactic": "impact", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1659", "tactic": "command-and-control", "score": 50, "color": "", "comment": "modify server responses to inject additional data", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1659", "tactic": "initial-access", "score": 50, "color": "", "comment": "modify server responses to inject additional data", "links": [], "enabled": true, "metadata": [ { "name": 
"capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1665", "tactic": "command-and-control", "score": 50, "color": "", "comment": "Use VPN with specific geolocation", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false } ], "gradient": { "colors": [ "#cad4daff", "#3182bdff" ], "minValue": 0, "maxValue": 100 }, "legendItems": [], "metadata": [ { "name": "version", "value": "1.0" }, { "name": "author", "value": "Optimizer LLC" }, { "name": "date", "value": "2024-09-22" } ], "links": [ { "label": "Influence Energy", "url": "https://www.optimizer.llc" }, { "label": "Source Repository", "url": "https://github.com/BoogleCloud/influence-energy" } ], "showTacticRowBackground": false, "tacticRowBackground": "#dddddd", "selectTechniquesAcrossTactics": true, "selectSubtechniquesWithParent": false, "selectVisibleTechniques": false }
