{ "name": "Influence Energy Level 4", "versions": { "attack": "15", "navigator": "5.1.0", "layer": "4.5" }, "domain": "enterprise-attack", "description": "Techniques that require Influence Energy Level 4", "filters": { "platforms": [ "Windows", "Linux", "macOS", "Network", "PRE", "Containers", "Office 365", "SaaS", "Google Workspace", "IaaS", "Azure AD" ] }, "sorting": 3, "layout": { "layout": "side", "aggregateFunction": "average", "showID": false, "showName": true, "showAggregateScores": false, "countUnscored": false, "expandedSubtechniques": "none" }, "hideDisabled": false, "techniques": [ { "techniqueID": "T1001", "tactic": "command-and-control", "score": 100, "color": "", "comment": "Creating a custom obfuscation requires high level of knowledge about the target environment", "links": [ { "label": "example", "url": "https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/" }, { "label": "example", "url": "https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1003", "tactic": "credential-access", "score": 100, "color": "", "comment": "Writing custom code that manipulates APIs to read the data", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1005", "tactic": "collection", "score": 100, "color": "", "comment": "Commands that mimic target backup strategies", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1006", "tactic": "defense-evasion", "score": 100, "color": "", "comment": "Custom malware that can access the driver", "links": [ { "label": "example", "url": 
"https://www.microsoft.com/en-us/security/blog/2023/10/25/octo-tempest-crosses-boundaries-to-facilitate-extortion-encryption-and-destruction/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1007", "tactic": "discovery", "score": 100, "color": "", "comment": "Malware that can call functions directly", "links": [ { "label": "example", "url": "https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1008", "tactic": "command-and-control", "score": 100, "color": "", "comment": "Company extranet servers", "links": [ { "label": "example", "url": "https://scadahacker.com/library/Documents/Cyber_Events/McAfee%20-%20Night%20Dragon%20-%20Global%20Energy%20Cyberattacks.pdf" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1010", "tactic": "discovery", "score": 100, "color": "", "comment": "Memory access", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1011", "tactic": "exfiltration", "score": 50, "color": "", "comment": "Known protocol with environment-alteration", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1012", "tactic": "discovery", "score": 100, "color": "", "comment": "Directly access registry hives", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1014", "tactic": "defense-evasion", "score": 100, "color": "", "comment": "Custom rootkit kernel module", "links": [ { 
"label": "example", "url": "https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1016", "tactic": "discovery", "score": 100, "color": "", "comment": "Look for network configuration stored in environment-specific way", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1018", "tactic": "discovery", "score": 100, "color": "", "comment": "Analyzing environment-specific applications to see what they communicate with", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1020", "tactic": "exfiltration", "score": 100, "color": "", "comment": "Custom search method", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1021", "tactic": "lateral-movement", "score": 100, "color": "", "comment": "Custom tool for creating remote connections", "links": [ { "label": "example", "url": "https://securelist.com/apt-style-bank-robberies-increase-with-metel-gcman-and-carbanak-2-0-attacks/73638/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1025", "tactic": "collection", "score": 100, "color": "", "comment": "Commands that mimic target backup strategies", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1027", "tactic": "defense-evasion", "score": 100, "color": "", "comment": "Embedding malware in legitimate application", "links": [ { "label": "example", "url": 
"https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1029", "tactic": "exfiltration", "score": 100, "color": "", "comment": "Upload based on target environment data usage", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1030", "tactic": "exfiltration", "score": 100, "color": "", "comment": "Upload based on target environment data usage", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1033", "tactic": "discovery", "score": 100, "color": "", "comment": "Custom function calling getlogin() or similar", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1036", "tactic": "defense-evasion", "score": 100, "color": "", "comment": "Matching filenames on the compromised system", "links": [ { "label": "example", "url": "https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1037", "tactic": "persistence", "score": 100, "color": "", "comment": "Hooking a target-specific application", "links": [ { "label": "example", "url": "https://www.mandiant.com/resources/blog/unc3524-eye-spy-email" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1037", "tactic": "privilege-escalation", "score": 100, "color": "", "comment": "Hooking a target-specific application", "links": [ { "label": "example", "url": "https://www.mandiant.com/resources/blog/unc3524-eye-spy-email" } ], "enabled": 
true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1039", "tactic": "collection", "score": 100, "color": "", "comment": "Commands that mimic target backup strategies", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1040", "tactic": "credential-access", "score": 100, "color": "", "comment": "Close access teams", "links": [ { "label": "example", "url": "https://www.justice.gov/archives/opa/page/file/1098481/dl" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1040", "tactic": "discovery", "score": 100, "color": "", "comment": "Close access teams", "links": [ { "label": "example", "url": "https://www.justice.gov/archives/opa/page/file/1098481/dl" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1041", "tactic": "exfiltration", "score": 100, "color": "", "comment": "Target-specific exfiltration method", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1046", "tactic": "discovery", "score": 100, "color": "", "comment": "Custom shell commands to initiate connections", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1047", "tactic": "execution", "score": 100, "color": "", "comment": "Unique way of calling WMI from APIs", "links": [ { "label": "example", "url": "https://techcommunity.microsoft.com/t5/windows-it-pro-blog/wmi-command-line-wmic-utility-deprecation-next-steps/ba-p/4039242" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1048", 
"tactic": "exfiltration", "score": 100, "color": "", "comment": "Target-specific exfiltration method", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1049", "tactic": "discovery", "score": 100, "color": "", "comment": "Perform a novel kernel query to get information", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1052", "tactic": "exfiltration", "score": 50, "color": "", "comment": "Custom file structure on medium", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1053", "tactic": "execution", "score": 100, "color": "", "comment": "Create a custom container that handles your scheduled task", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1053", "tactic": "persistence", "score": 100, "color": "", "comment": "Create a custom container that handles your scheduled task", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1053", "tactic": "privilege-escalation", "score": 100, "color": "", "comment": "Create a custom container that handles your scheduled task", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1055", "tactic": "defense-evasion", "score": 100, "color": "", "comment": "Novel method of inserting code into a process", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1055", "tactic": "privilege-escalation", "score": 100, "color": "", "comment": "Novel method of inserting code into a 
process", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1056", "tactic": "collection", "score": 100, "color": "", "comment": "Physical implant on a human interface device", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1056", "tactic": "credential-access", "score": 100, "color": "", "comment": "Physical implant on a human interface device", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1057", "tactic": "discovery", "score": 100, "color": "", "comment": "Perform a novel kernel query to get information", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1059", "tactic": "execution", "score": 100, "color": "", "comment": "Novel scripting interpreter execution method", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1068", "tactic": "privilege-escalation", "score": 100, "color": "", "comment": "Zero day exploits", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1069", "tactic": "discovery", "score": 100, "color": "", "comment": "Novel access method for enumerating groups", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1070", "tactic": "defense-evasion", "score": 100, "color": "", "comment": "Restoring kernel table state after exploit", "links": [ { "label": "example", "url": 
"https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1071", "tactic": "command-and-control", "score": 100, "color": "", "comment": "Environment-specific protocol for C2", "links": [ { "label": "example", "url": "https://unit42.paloaltonetworks.com/lucifer-new-cryptojacking-and-ddos-hybrid-malware/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1072", "tactic": "execution", "score": 50, "color": "", "comment": "Hijack group policy", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1072", "tactic": "lateral-movement", "score": 50, "color": "", "comment": "Hijack group policy", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1074", "tactic": "collection", "score": 100, "color": "", "comment": "Using environment-specific data stores", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1078", "tactic": "defense-evasion", "score": 100, "color": "", "comment": "Phishing access to actual accounts", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1078", "tactic": "initial-access", "score": 100, "color": "", "comment": "Phishing access to actual accounts", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1078", "tactic": "persistence", "score": 100, "color": "", "comment": 
"Phishing access to actual accounts", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1078", "tactic": "privilege-escalation", "score": 100, "color": "", "comment": "Phishing access to actual accounts", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1080", "tactic": "lateral-movement", "score": 100, "color": "", "comment": "Target-specific method", "links": [ { "label": "example", "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1082", "tactic": "discovery", "score": 100, "color": "", "comment": "Profile file attributes (size, hash) on endpoint", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1083", "tactic": "discovery", "score": 100, "color": "", "comment": "Custom filesystem driver", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1087", "tactic": "discovery", "score": 100, "color": "", "comment": "Target-specific account discovery", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1090", "tactic": "command-and-control", "score": 100, "color": "", "comment": "Use public CDNs with custom configuration", "links": [ { "label": "example", "url": "https://www.mandiant.com/resources/apt41-us-state-governments" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1091", "tactic": "initial-access", "score": 100, 
"color": "", "comment": "Zero day removable device exploit", "links": [ { "label": "example", "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1091", "tactic": "lateral-movement", "score": 100, "color": "", "comment": "Zero day removable device exploit", "links": [ { "label": "example", "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1092", "tactic": "command-and-control", "score": 100, "color": "", "comment": "Custom removable media", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1095", "tactic": "command-and-control", "score": 100, "color": "", "comment": "Custom TCP Protocol", "links": [ { "label": "example", "url": "https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1098", "tactic": "persistence", "score": 100, "color": "", "comment": "Target-specific changes", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1098", "tactic": "privilege-escalation", "score": 100, "color": "", "comment": "Target-specific changes", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1102", "tactic": "command-and-control", "score": 100, "color": "", "comment": "Using legitimate chat software like teams or slack to match the 
target", "links": [ { "label": "example", "url": "https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1104", "tactic": "command-and-control", "score": 100, "color": "", "comment": "Different communication channels for each stage", "links": [ { "label": "example", "url": "https://blog.morphisec.com/revealing-the-snip3-crypter-a-highly-evasive-rat-loader" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1105", "tactic": "command-and-control", "score": 100, "color": "", "comment": "Inject javascript onto websites to download payloads", "links": [ { "label": "example", "url": "https://www.volexity.com/blog/2017/11/06/oceanlotus-blossoms-mass-digital-surveillance-and-exploitation-of-asean-nations-the-media-human-rights-and-civil-society/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1106", "tactic": "execution", "score": 100, "color": "", "comment": "Using advanced API calls to directly achieve objectives and/or blending in with native application", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1110", "tactic": "credential-access", "score": 100, "color": "", "comment": "Massive cracking power", "links": [ { "label": "example", "url": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Plan.pdf" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1111", "tactic": "credential-access", "score": 100, "color": "", "comment": "Custom collection to intercept soft tokens", "links": [ { "label": "example", "url": 
"https://www.fox-it.com/media/kadlze5c/201912_report_operation_wocao.pdf" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1112", "tactic": "defense-evasion", "score": 100, "color": "", "comment": "Using direct file access to edit", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1113", "tactic": "collection", "score": 100, "color": "", "comment": "Custom tool that matches hash of known file", "links": [ { "label": "example", "url": "https://www.us-cert.gov/ncas/alerts/TA18-074A" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1114", "tactic": "collection", "score": 100, "color": "", "comment": "Emotet email collection module", "links": [ { "label": "example", "url": "https://www.cisecurity.org/white-papers/ms-isac-security-primer-emotet/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1115", "tactic": "collection", "score": 100, "color": "", "comment": "Scraping memory for clipboard", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1119", "tactic": "collection", "score": 100, "color": "", "comment": "Custom script that looks at target-specific things", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1120", "tactic": "discovery", "score": 100, "color": "", "comment": "Look at software in use and check for hardware drivers", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1123", "tactic": "collection", 
"score": 100, "color": "", "comment": "Target-specific tools to capture audio", "links": [ { "label": "example", "url": "https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1124", "tactic": "discovery", "score": 100, "color": "", "comment": "Blend in with remote traffic", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1125", "tactic": "collection", "score": 100, "color": "", "comment": "Modifications to videoconferencing software", "links": [ { "label": "example", "url": "http://researchcenter.paloaltonetworks.com/2016/02/t9000-advanced-modular-backdoor-uses-complex-anti-analysis-techniques/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1127", "tactic": "defense-evasion", "score": 100, "color": "", "comment": "Other novel use of developer utilities", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1129", "tactic": "execution", "score": 100, "color": "", "comment": "One-off way of loading a dynamic library", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1132", "tactic": "command-and-control", "score": 100, "color": "", "comment": "Custom encoding system", "links": [ { "label": "example", "url": "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1133", "tactic": "initial-access", "score": 100, "color": "", "comment": "Log into service from trusted ip address", "links": [], "enabled": true, 
"metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1133", "tactic": "persistence", "score": 100, "color": "", "comment": "Log into service from trusted ip address", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1134", "tactic": "defense-evasion", "score": 100, "color": "", "comment": "Custom method of manipulating/forging tokens", "links": [ { "label": "example", "url": "https://docs.google.com/document/d/1e9ZTW9b71YwFWS_18ZwDAxa-cYbV8q1wUefmKZLYVsA/edit#heading=h.lmnbtht1ikzm" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1134", "tactic": "privilege-escalation", "score": 100, "color": "", "comment": "Custom method of manipulating/forging tokens", "links": [ { "label": "example", "url": "https://docs.google.com/document/d/1e9ZTW9b71YwFWS_18ZwDAxa-cYbV8q1wUefmKZLYVsA/edit#heading=h.lmnbtht1ikzm" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1135", "tactic": "discovery", "score": 100, "color": "", "comment": "Custom tool that queries remote hosts", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1136", "tactic": "persistence", "score": 100, "color": "", "comment": "Target-specific account creation", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1137", "tactic": "persistence", "score": 100, "color": "", "comment": "Novel office startup subtechnique", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1140", "tactic": 
"defense-evasion", "score": 100, "color": "", "comment": "Custom decryption algorithm", "links": [ { "label": "example", "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1176", "tactic": "persistence", "score": 100, "color": "", "comment": "New extension with hidden malicious content", "links": [ { "label": "example", "url": "https://www.zdnet.com/article/cyber-espionage-group-uses-chrome-extension-to-infect-victims/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1185", "tactic": "collection", "score": 100, "color": "", "comment": "Custom web-injections into traffic from proxy", "links": [ { "label": "example", "url": "https://securelist.com/qakbot-technical-analysis/103931/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1187", "tactic": "credential-access", "score": 100, "color": "", "comment": "Custom resource embedded in a novel way", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1189", "tactic": "initial-access", "score": 100, "color": "", "comment": "Zero day exploit", "links": [ { "label": "example", "url": "http://download.ahnlab.com/global/brochure/%5BAnalysis%5DAndariel_Group.pdf" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1190", "tactic": "initial-access", "score": 100, "color": "", "comment": "Zero day exploit", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1195", "tactic": "initial-access", 
"score": 50, "color": "", "comment": "Inserting custom malware into software supply chain", "links": [ { "label": "example", "url": "http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1197", "tactic": "defense-evasion", "score": 100, "color": "", "comment": "Environment-specific way of interacting with BITS", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1197", "tactic": "persistence", "score": 100, "color": "", "comment": "Environment-specific way of interacting with BITS", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1199", "tactic": "initial-access", "score": 100, "color": "", "comment": "Acquiring access through company with known good associations", "links": [ { "label": "example", "url": "https://www.microsoft.com/security/blog/2022/06/02/exposing-polonium-activity-and-infrastructure-targeting-israeli-organizations/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1200", "tactic": "initial-access", "score": 50, "color": "", "comment": "", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1201", "tactic": "discovery", "score": 100, "color": "", "comment": "Asking someone at the company", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1202", "tactic": "defense-evasion", "score": 100, "color": "", "comment": "Other novel indirect execution", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", 
"value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1203", "tactic": "execution", "score": 100, "color": "", "comment": "Zero day exploit", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1204", "tactic": "execution", "score": 100, "color": "", "comment": "Putting a file for execution in an org-specific place it will be executed", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1205", "tactic": "command-and-control", "score": 100, "color": "", "comment": "Unique Magic byte sequence", "links": [ { "label": "example", "url": "https://www.mandiant.com/resources/blog/investigating-ivanti-exploitation-persistence" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1205", "tactic": "defense-evasion", "score": 100, "color": "", "comment": "Unique Magic byte sequence", "links": [ { "label": "example", "url": "https://www.mandiant.com/resources/blog/investigating-ivanti-exploitation-persistence" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1205", "tactic": "persistence", "score": 100, "color": "", "comment": "Unique Magic byte sequence", "links": [ { "label": "example", "url": "https://www.mandiant.com/resources/blog/investigating-ivanti-exploitation-persistence" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1207", "tactic": "defense-evasion", "score": 50, "color": "", "comment": "Altering mimikatz", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1210", "tactic": "lateral-movement", "score": 
100, "color": "", "comment": "Zero day exploit", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1211", "tactic": "defense-evasion", "score": 100, "color": "", "comment": "Zero day exploit", "links": [ { "label": "example", "url": "https://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender_In-depth_analysis_of_APT28%E2%80%93The_Political_Cyber-Espionage.pdf" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1212", "tactic": "credential-access", "score": 100, "color": "", "comment": "Zero day exploit", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1213", "tactic": "collection", "score": 100, "color": "", "comment": "Custom scraper for a target", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1216", "tactic": "defense-evasion", "score": 100, "color": "", "comment": "Novel way of proxying script execution", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1217", "tactic": "discovery", "score": 100, "color": "", "comment": "Novel malware payload", "links": [ { "label": "example", "url": "https://www.cybereason.com/blog/research/powerless-trojan-iranian-apt-phosphorus-adds-new-powershell-backdoor-for-espionage" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1218", "tactic": "defense-evasion", "score": 100, "color": "", "comment": "Novel binary to call for proxy execution", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], 
"showSubtechniques": false }, { "techniqueID": "T1219", "tactic": "command-and-control", "score": 100, "color": "", "comment": "Custom malware module", "links": [ { "label": "example", "url": "https://www.welivesecurity.com/2020/10/12/eset-takes-part-global-operation-disrupt-trickbot/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1220", "tactic": "defense-evasion", "score": 100, "color": "", "comment": "Novel way of calling xsl scripts", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1221", "tactic": "defense-evasion", "score": 100, "color": "", "comment": "Novel method of packing templates", "links": [ { "label": "example", "url": "https://www.clearskysec.com/wp-content/uploads/2020/08/Dream-Job-Campaign.pdf" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1222", "tactic": "defense-evasion", "score": 100, "color": "", "comment": "Novel way of modifying permissions", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1480", "tactic": "defense-evasion", "score": 100, "color": "", "comment": "Environment specific checks", "links": [ { "label": "example", "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1482", "tactic": "discovery", "score": 100, "color": "", "comment": "Novel malware payload", "links": [ { "label": "example", "url": "https://github.com/nettitude/PoshC2_Python" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { 
"techniqueID": "T1484", "tactic": "defense-evasion", "score": 100, "color": "", "comment": "Modifying a policy to blend in with environment", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1484", "tactic": "privilege-escalation", "score": 100, "color": "", "comment": "Modifying a policy to blend in with environment", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1485", "tactic": "impact", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1486", "tactic": "impact", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1489", "tactic": "impact", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1490", "tactic": "impact", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1491", "tactic": "impact", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1495", "tactic": "impact", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1496", "tactic": "impact", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", 
"value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1497", "tactic": "defense-evasion", "score": 100, "color": "", "comment": "Novel Behavior checks or overloading system calls to confuse debuggers", "links": [ { "label": "example", "url": "https://www.welivesecurity.com/2020/04/28/grandoreiro-how-engorged-can-exe-get/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1497", "tactic": "discovery", "score": 100, "color": "", "comment": "Novel Behavior checks or overloading system calls to confuse debuggers", "links": [ { "label": "example", "url": "https://www.welivesecurity.com/2020/04/28/grandoreiro-how-engorged-can-exe-get/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1498", "tactic": "impact", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1499", "tactic": "impact", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1505", "tactic": "persistence", "score": 100, "color": "", "comment": "New components with malicious capabilities", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1518", "tactic": "discovery", "score": 100, "color": "", "comment": "Novel way of inferring software from registry or file system", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1525", "tactic": "persistence", "score": 100, "color": "", "comment": "Target-specific implant method", "links": [], "enabled": true, 
"metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1526", "tactic": "discovery", "score": 100, "color": "", "comment": "Novel malware payload", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1528", "tactic": "credential-access", "score": 100, "color": "", "comment": "Environment-specific token compromise", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1529", "tactic": "impact", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1530", "tactic": "collection", "score": 100, "color": "", "comment": "Custom scraper for a cloud storage location", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1531", "tactic": "impact", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1534", "tactic": "lateral-movement", "score": 100, "color": "", "comment": "Target-specific messages", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1535", "tactic": "defense-evasion", "score": 100, "color": "", "comment": "Deploying in a region that specifically avoids this target's monitoring", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1537", "tactic": "exfiltration", "score": 100, "color": "", "comment": "Using cloud account that is trusted by target environment", 
"links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1538", "tactic": "discovery", "score": 100, "color": "", "comment": "Log in from existing computer", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1539", "tactic": "credential-access", "score": 100, "color": "", "comment": "Zero day browser exploit", "links": [ { "label": "example", "url": "https://www.volexity.com/blog/2021/08/17/north-korean-apt-inkysquid-infects-victims-using-browser-exploits/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1542", "tactic": "defense-evasion", "score": 50, "color": "", "comment": "Custom UEFI Firmware", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1542", "tactic": "persistence", "score": 50, "color": "", "comment": "Custom UEFI Firmware", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": "T1543", "tactic": "persistence", "score": 100, "color": "", "comment": "Modify environment-specific service", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1543", "tactic": "privilege-escalation", "score": 100, "color": "", "comment": "Modify environment-specific service", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1546", "tactic": "persistence", "score": 100, "color": "", "comment": "Novel method of event triggering", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], 
"showSubtechniques": false }, { "techniqueID": "T1546", "tactic": "privilege-escalation", "score": 100, "color": "", "comment": "Novel method of event triggering", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1547", "tactic": "persistence", "score": 100, "color": "", "comment": "Novel method of auto start task", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1547", "tactic": "privilege-escalation", "score": 100, "color": "", "comment": "Novel method of auto start task", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1548", "tactic": "defense-evasion", "score": 100, "color": "", "comment": "Novel elevation mechanism", "links": [ { "label": "example", "url": "http://www.slideshare.net/MatthewDunwoody1/no-easy-breach-derby-con-2016" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1548", "tactic": "privilege-escalation", "score": 100, "color": "", "comment": "Novel elevation mechanism", "links": [ { "label": "example", "url": "http://www.slideshare.net/MatthewDunwoody1/no-easy-breach-derby-con-2016" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1550", "tactic": "defense-evasion", "score": 100, "color": "", "comment": "Forged SAML token", "links": [ { "label": "example", "url": "https://www.microsoft.com/security/blog/2020/12/28/using-microsoft-365-defender-to-coordinate-protection-against-solorigate/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1550", "tactic": "lateral-movement", "score": 100, 
"color": "", "comment": "Forged SAML token", "links": [ { "label": "example", "url": "https://www.microsoft.com/security/blog/2020/12/28/using-microsoft-365-defender-to-coordinate-protection-against-solorigate/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1552", "tactic": "credential-access", "score": 100, "color": "", "comment": "Custom API queries", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1553", "tactic": "defense-evasion", "score": 100, "color": "", "comment": "Using signature known to be trusted by application white listing", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1554", "tactic": "persistence", "score": 100, "color": "", "comment": "Target-specific binary modifications", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1555", "tactic": "credential-access", "score": 100, "color": "", "comment": "Searching custom password stores", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1556", "tactic": "credential-access", "score": 100, "color": "", "comment": "novel method of hooking authentication", "links": [ { "label": "example", "url": "https://securelist.com/files/2016/07/The-ProjectSauron-APT_research_KL.pdf" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1556", "tactic": "defense-evasion", "score": 100, "color": "", "comment": "novel method of hooking authentication", "links": [ { "label": "example", "url": 
"https://securelist.com/files/2016/07/The-ProjectSauron-APT_research_KL.pdf" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1556", "tactic": "persistence", "score": 100, "color": "", "comment": "novel method of hooking authentication", "links": [ { "label": "example", "url": "https://securelist.com/files/2016/07/The-ProjectSauron-APT_research_KL.pdf" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1557", "tactic": "collection", "score": 100, "color": "", "comment": "Custom resources embedded in the network", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1557", "tactic": "credential-access", "score": 100, "color": "", "comment": "Custom resources embedded in the network", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1558", "tactic": "credential-access", "score": 100, "color": "", "comment": "Kerberos zero day weakness", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1559", "tactic": "execution", "score": 100, "color": "", "comment": "Novel form of IPC", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1560", "tactic": "collection", "score": 100, "color": "", "comment": "Archive via custom method", "links": [ { "label": "example", "url": "http://blog.threatexpert.com/2008/11/agentbtz-threat-that-hit-pentagon.html" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1561", "tactic": "impact", "score": 0, 
"color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1562", "tactic": "defense-evasion", "score": 100, "color": "", "comment": "Modify system in a target-specific manner", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1563", "tactic": "lateral-movement", "score": 100, "color": "", "comment": "Target-specific enumeration of sessions", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1564", "tactic": "defense-evasion", "score": 100, "color": "", "comment": "Novel method of hiding", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1565", "tactic": "impact", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1566", "tactic": "initial-access", "score": 100, "color": "", "comment": "Target-specific email", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1567", "tactic": "exfiltration", "score": 100, "color": "", "comment": "Using target-specific service or account", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1568", "tactic": "command-and-control", "score": 100, "color": "", "comment": "Custom domain generation algorithm (DGA)", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1569", "tactic": "execution", "score": 100, "color": "", "comment": 
"Modify custom, pre-existing service", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1570", "tactic": "lateral-movement", "score": 100, "color": "", "comment": "Target-specific transfer commands", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1571", "tactic": "command-and-control", "score": 100, "color": "", "comment": "Using a port that is specific to application present on system", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1572", "tactic": "command-and-control", "score": 100, "color": "", "comment": "Tunnel through another protocol in a novel way", "links": [ { "label": "example", "url": "https://f.hubspotusercontent30.net/hubfs/8776530/Sygnia-%20Elephant%20Beetle_Jan2022.pdf?__hstc=147695848.3e8f1a482c8f8d4531507747318e660b.1680005306711.1680005306711.1680005306711.1&__hssc=147695848.1.1680005306711&__hsfp=3000179024&hsCtaTracking=189ec409-ae2d-4909-8bf1-62dcdd694372%7Cca91d317-8f10-4a38-9f80-367f551ad64d" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1573", "tactic": "command-and-control", "score": 100, "color": "", "comment": "Custom algorithm", "links": [ { "label": "example", "url": "http://researchcenter.paloaltonetworks.com/2015/12/bbsrat-attacks-targeting-russian-organizations-linked-to-roaming-tiger/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1574", "tactic": "defense-evasion", "score": 100, "color": "", "comment": "Bespoke OS hijacking", "links": [ { "label": "example", "url": 
"https://www.microsoft.com/security/blog/2018/03/01/finfisher-exposed-a-researchers-tale-of-defeating-traps-tricks-and-complex-virtual-machines/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1574", "tactic": "persistence", "score": 100, "color": "", "comment": "Bespoke OS hijacking", "links": [ { "label": "example", "url": "https://www.microsoft.com/security/blog/2018/03/01/finfisher-exposed-a-researchers-tale-of-defeating-traps-tricks-and-complex-virtual-machines/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1574", "tactic": "privilege-escalation", "score": 100, "color": "", "comment": "Bespoke OS hijacking", "links": [ { "label": "example", "url": "https://www.microsoft.com/security/blog/2018/03/01/finfisher-exposed-a-researchers-tale-of-defeating-traps-tricks-and-complex-virtual-machines/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1578", "tactic": "defense-evasion", "score": 100, "color": "", "comment": "environment-specific additions or modifications", "links": [ { "label": "example", "url": "https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1580", "tactic": "discovery", "score": 100, "color": "", "comment": "Searching target information repositories", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1583", "tactic": "resource-development", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", 
"value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1584", "tactic": "resource-development", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1585", "tactic": "resource-development", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1586", "tactic": "resource-development", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1587", "tactic": "resource-development", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1588", "tactic": "resource-development", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1589", "tactic": "reconnaissance", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1590", "tactic": "reconnaissance", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1591", "tactic": "reconnaissance", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1592", "tactic": "reconnaissance", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, 
"metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1593", "tactic": "reconnaissance", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1594", "tactic": "reconnaissance", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1595", "tactic": "reconnaissance", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1596", "tactic": "reconnaissance", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1597", "tactic": "reconnaissance", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1598", "tactic": "reconnaissance", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1599", "tactic": "defense-evasion", "score": 100, "color": "", "comment": "Allow specific traffic that matches target environment", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1600", "tactic": "defense-evasion", "score": 50, "color": "", "comment": "Change appliance settings to use weaker key", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Altered" } ], "showSubtechniques": false }, { "techniqueID": 
"T1601", "tactic": "defense-evasion", "score": 100, "color": "", "comment": "Novel, os-specific modifications", "links": [ { "label": "example", "url": "https://cloud.google.com/blog/topics/threat-intelligence/synful-knock-acis/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1602", "tactic": "collection", "score": 100, "color": "", "comment": "Custom probes", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1606", "tactic": "credential-access", "score": 100, "color": "", "comment": "Zero day method of forging credentials", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1608", "tactic": "resource-development", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1609", "tactic": "execution", "score": 100, "color": "", "comment": "Novel way of calling the command", "links": [ { "label": "example", "url": "https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1610", "tactic": "defense-evasion", "score": 100, "color": "", "comment": "Novel malicious container", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1610", "tactic": "execution", "score": 100, "color": "", "comment": "Novel malicious container", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1611", "tactic": "privilege-escalation", "score": 100, 
"color": "", "comment": "Novel breakout method", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1612", "tactic": "defense-evasion", "score": 100, "color": "", "comment": "Environment-specific malicious build", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1613", "tactic": "discovery", "score": 100, "color": "", "comment": "Searching target information repositories", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1614", "tactic": "discovery", "score": 100, "color": "", "comment": "Compromise the device's location service without notification", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1615", "tactic": "discovery", "score": 100, "color": "", "comment": "Novel malware payload", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1619", "tactic": "discovery", "score": 100, "color": "", "comment": "Searching target information repositories", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1620", "tactic": "defense-evasion", "score": 100, "color": "", "comment": "Bespoke method of injection", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1621", "tactic": "credential-access", "score": 100, "color": "", "comment": "Triggering requests in custom application", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { 
"techniqueID": "T1622", "tactic": "defense-evasion", "score": 100, "color": "", "comment": "Novel timing or memory checks", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1622", "tactic": "discovery", "score": 100, "color": "", "comment": "Novel timing or memory checks", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1647", "tactic": "defense-evasion", "score": 100, "color": "", "comment": "Custom malicious plist file", "links": [ { "label": "example", "url": "https://documents.trendmicro.com/assets/pdf/XCSSET_Technical_Brief.pdf" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1648", "tactic": "execution", "score": 100, "color": "", "comment": "Novel or environment-specific config", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1649", "tactic": "credential-access", "score": 100, "color": "", "comment": "Forge certificates in a specific environment", "links": [ { "label": "example", "url": "https://www.mandiant.com/resources/tracking-apt29-phishing-campaigns" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1650", "tactic": "resource-development", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1651", "tactic": "execution", "score": 100, "color": "", "comment": "Malicious command that blends in with the environment", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { 
"techniqueID": "T1652", "tactic": "discovery", "score": 100, "color": "", "comment": "Novel malware payload", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1653", "tactic": "persistence", "score": 100, "color": "", "comment": "Modifying settings in a target-specific manner", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1654", "tactic": "discovery", "score": 100, "color": "", "comment": "Parsing of environment-specific logs", "links": [ { "label": "example", "url": "https://www.mandiant.com/resources/blog/updates-on-chinese-apt-compromising-pulse-secure-vpn-devices" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1656", "tactic": "defense-evasion", "score": 100, "color": "", "comment": "Target-specific trusted party impersonation", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1657", "tactic": "impact", "score": 0, "color": "", "comment": "", "links": [], "enabled": false, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1659", "tactic": "command-and-control", "score": 100, "color": "", "comment": "Modify responses of target-specific data", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1659", "tactic": "initial-access", "score": 100, "color": "", "comment": "Modify responses of target-specific data", "links": [], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false }, { "techniqueID": "T1665", "tactic": "command-and-control", "score": 100, "color": "", 
"comment": "Match C2 to target infrastructure", "links": [ { "label": "example", "url": "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html" } ], "enabled": true, "metadata": [ { "name": "capability_level", "value": "Bespoke" } ], "showSubtechniques": false } ], "gradient": { "colors": [ "#cad4daff", "#3182bdff" ], "minValue": 0, "maxValue": 100 }, "legendItems": [], "metadata": [ { "name": "version", "value": "1.0" }, { "name": "author", "value": "Optimizer LLC" }, { "name": "date", "value": "2024-09-22" } ], "links": [ { "label": "Influence Energy", "url": "https://www.optimizer.llc" }, { "label": "Source Repository", "url": "https://github.com/BoogleCloud/influence-energy" } ], "showTacticRowBackground": false, "tacticRowBackground": "#dddddd", "selectTechniquesAcrossTactics": true, "selectSubtechniquesWithParent": false, "selectVisibleTechniques": false }
