{"type": "bundle", "id": "bundle--1f126d0c-356c-43af-88f8-7a3b695dee83", "objects": [{"tactic_refs": ["x-mitre-tactic--daa4cbb1-b4f4-4723-a824-7f1efd6e0592", "x-mitre-tactic--d679bca2-e57d-4935-8650-8031c87a4400", "x-mitre-tactic--ffd5bcee-6e16-4dd2-8eca-7b3beedf33ca", "x-mitre-tactic--4ca45d45-df4d-4613-8980-bac22d278fa5", "x-mitre-tactic--5bc1d813-693e-4823-9961-abf9af4b0e92", "x-mitre-tactic--5e29b093-294e-49e9-a803-dab3d73b77dd", "x-mitre-tactic--78b23412-0651-46d7-a540-170a1ce8bd5a", "x-mitre-tactic--2558fd61-8c75-4730-94c4-11926db2a263", "x-mitre-tactic--c17c5845-175e-4421-9713-829d0573dbc9", "x-mitre-tactic--7141578b-e50b-4dcc-bfa4-08a8dd689e9e", "x-mitre-tactic--d108ce10-2419-4cf9-a774-46161d6c6cfe", "x-mitre-tactic--f72804c5-f15a-449e-a5da-2eecd181f813", "x-mitre-tactic--9a4e74ab-5008-408c-84bf-a10dfbc53462", "x-mitre-tactic--5569339b-94c2-49ee-afb3-2222936582c8"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "x-mitre-matrix--eafc1b4c-5e56-4965-bd4e-66a6a89c88cc", "type": "x-mitre-matrix", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "enterprise-attack", "source_name": "mitre-attack", "url": "https://attack.mitre.org/matrices/enterprise"}], "modified": "2022-04-01T20:43:55.937Z", "name": "Enterprise ATT&CK", "description": "Below are the tactics and techniques representing the MITRE ATT&CK Matrix for Enterprise. 
The Matrix contains information for the following platforms: Windows, macOS, Linux, AWS, GCP, Azure, Azure AD, Office 365, SaaS.", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--00d7d21b-69d6-4797-88a2-c86f3fc97651", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1174", "external_id": "T1174"}, {"url": "https://msdn.microsoft.com/library/windows/desktop/ms721766.aspx", "description": "Microsoft. (n.d.). Installing and Registering a Password Filter DLL. Retrieved November 21, 2017.", "source_name": "Microsoft Install Password Filter n.d"}], "modified": "2019-07-25T11:22:19.139Z", "name": "Password Filter DLL Mitigation", "description": "Ensure only valid password filters are registered. Filter DLLs must be present in Windows installation directory (C:\\Windows\\System32\\
by default) of a domain controller and/or local computer with a corresponding entry in HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Notification Packages
. (Citation: Microsoft Install Password Filter n.d)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--02f0f92a-0a51-4c94-9bda-6437b9a93f22", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1151", "external_id": "T1151"}], "modified": "2019-07-25T11:46:32.010Z", "name": "Space after Filename Mitigation", "description": "Prevent files from having a trailing space after the extension.", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--03c0c586-50ed-45a7-95f4-f496d7eb5330", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1148", "external_id": "T1148"}, {"url": "http://www.akyl.net/securing-bashhistory-file-make-sure-your-linux-system-users-won%E2%80%99t-hide-or-delete-their-bashhistory", "description": "Mathew Branwell. (2012, March 21). Securing .bash_history file. Retrieved July 8, 2017.", "source_name": "Securing bash history"}], "modified": "2019-07-24T19:34:34.065Z", "name": "HISTCONTROL Mitigation", "description": "Prevent users from changing the HISTCONTROL
environment variable (Citation: Securing bash history). Also, make sure that the HISTCONTROL
environment variable is set to \u201cignoredup\u201d instead of \u201cignoreboth\u201d or \u201cignorespace\u201d.", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--0472af99-f25c-4abe-9fce-010fa3450e72", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1081", "external_id": "T1081"}, {"source_name": "Microsoft MS14-025", "description": "Microsoft. (2014, May 13). MS14-025: Vulnerability in Group Policy Preferences could allow elevation of privilege. Retrieved January 28, 2015.", "url": "http://support.microsoft.com/kb/2962486"}], "modified": "2019-07-24T18:12:19.081Z", "name": "Credentials in Files Mitigation", "description": "Establish an organizational policy that prohibits password storage in files. Ensure that developers and system administrators are aware of the risk associated with having plaintext passwords in software configuration files that may be left on endpoint systems or servers. Preemptively search for files containing passwords and remove when found. Restrict file shares to specific directories with access only to necessary users. Remove vulnerable Group Policy Preferences. 
(Citation: Microsoft MS14-025)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--06160d81-62be-46e5-aa37-4b9c645ffa31", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1212", "external_id": "T1212"}, {"url": "https://arstechnica.com/information-technology/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/", "description": "Goodin, D. (2017, March 17). Virtual machine escape fetches $105,000 at Pwn2Own hacking contest - updated. Retrieved March 12, 2018.", "source_name": "Ars Technica Pwn2Own 2017 VM Escape"}, {"url": "https://blogs.technet.microsoft.com/srd/2017/08/09/moving-beyond-emet-ii-windows-defender-exploit-guard/", "description": "Nunez, N. (2017, August 9). Moving Beyond EMET II \u2013 Windows Defender Exploit Guard. Retrieved March 12, 2018.", "source_name": "TechNet Moving Beyond EMET"}, {"url": "https://en.wikipedia.org/wiki/Control-flow_integrity", "description": "Wikipedia. (2018, January 11). Control-flow integrity. Retrieved March 12, 2018.", "source_name": "Wikipedia Control Flow Integrity"}], "modified": "2019-07-24T19:23:33.259Z", "name": "Exploitation for Credential Access Mitigation", "description": "Update software regularly by employing patch management for internal enterprise endpoints and servers. Develop a robust cyber threat intelligence capability to determine what types and levels of threat may use software exploits and 0-days against a particular organization. 
Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing, if available. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation. The risks of additional exploits and weaknesses in implementation may still exist. (Citation: Ars Technica Pwn2Own 2017 VM Escape)\n\nSecurity applications that look for behavior used during exploitation such as Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET) can be used to mitigate some exploitation behavior. (Citation: TechNet Moving Beyond EMET) Control flow integrity checking is another way to potentially identify and stop a software exploit from occurring. (Citation: Wikipedia Control Flow Integrity) Many of these protections depend on the architecture and target application binary for compatibility and may not work for software targeted for defense evasion.", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--0640214c-95af-4c04-a574-2a1ba6dda00b", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "T1012", "url": "https://attack.mitre.org/mitigations/T1012", "source_name": "mitre-attack"}, {"source_name": "Beechey 2010", "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599"}, {"url": "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "description": "Tomonaga, S. 
(2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", "source_name": "Windows Commands JPCERT"}, {"url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", "source_name": "NSA MS AppLocker"}, {"source_name": "Corio 2008", "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.", "url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx"}, {"source_name": "TechNet Applocker vs SRP", "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.", "url": "https://technet.microsoft.com/en-us/library/ee791851.aspx"}], "modified": "2020-01-17T16:45:24.641Z", "name": "Query Registry Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information within the Registry, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. 
(Citation: TechNet Applocker vs SRP)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--06824aa2-94a5-474c-97f6-57c2e983d885", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1162", "external_id": "T1162"}, {"url": "https://support.apple.com/en-us/HT204005", "description": "Apple. (2016, December 6). Automatically re-open windows, apps, and documents on your Mac. Retrieved July 11, 2017.", "source_name": "Re-Open windows on Mac"}], "modified": "2019-07-24T19:49:43.716Z", "name": "Login Item Mitigation", "description": "Restrict users from being able to create their own login items. 
Additionally, holding the shift key during login prevents apps from opening automatically (Citation: Re-Open windows on Mac).", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--073cc04d-ac46-4f5a-85d7-83a91ecd6a19", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1166", "external_id": "T1166"}], "modified": "2019-07-25T11:43:19.870Z", "name": "Setuid and Setgid Mitigation", "description": "Applications with known vulnerabilities or known shell escapes should not have the setuid or setgid bits set to reduce potential damage if an application is compromised. Additionally, the number of programs with setuid or setgid bits set should be minimized across a system.", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--08e02f67-ea09-4f77-a70b-414963c29fc2", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1223", "external_id": "T1223"}, {"url": "https://live.paloaltonetworks.com/t5/Ignite-2016-Blog/Breakout-Recap-Cybersecurity-Best-Practices-Part-1-Preventing/ba-p/75913", "description": "Kiwi. (2016, April 6). Breakout Recap: Cybersecurity Best Practices Part 1 - Preventing Opportunistic Attacks. 
Retrieved October 3, 2018.", "source_name": "PaloAlto Preventing Opportunistic Attacks Apr 2016"}], "modified": "2019-07-24T14:19:23.148Z", "name": "Compiled HTML File Mitigation", "description": "Consider blocking download/transfer and execution of potentially uncommon file types known to be used in adversary campaigns, such as CHM files. (Citation: PaloAlto Preventing Opportunistic Attacks Apr 2016) Also consider using application whitelisting to prevent execution of hh.exe if it is not required for a given system or network to prevent potential misuse by adversaries.", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--0b3ee33e-430b-476f-9525-72d120c90f8d", "type": "course-of-action", "created": "2019-03-14T20:17:16.234Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"url": "https://attack.mitre.org/mitigations/T1488", "source_name": "mitre-attack", "external_id": "T1488"}, {"description": "Ready.gov. (n.d.). IT Disaster Recovery Plan. Retrieved March 15, 2019.", "url": "https://www.ready.gov/business/implementation/IT", "source_name": "Ready.gov IT DRP"}, {"source_name": "Beechey 2010", "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599"}, {"url": "https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html", "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. 
Retrieved February 2, 2016.", "source_name": "Windows Commands JPCERT"}, {"url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", "source_name": "NSA MS AppLocker"}, {"source_name": "Corio 2008", "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.", "url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx"}, {"source_name": "TechNet Applocker vs SRP", "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.", "url": "https://technet.microsoft.com/en-us/library/ee791851.aspx"}], "modified": "2021-08-23T20:25:22.102Z", "name": "Data Destruction Mitigation", "description": "Consider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data.(Citation: Ready.gov IT DRP) Ensure backups are stored off system and are protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery.\n\nIdentify potentially malicious software and audit and/or block it by using whitelisting(Citation: Beechey 2010) tools, like AppLocker,(Citation: Windows Commands JPCERT)(Citation: NSA MS AppLocker) or Software Restriction Policies(Citation: Corio 2008) where appropriate.(Citation: TechNet Applocker vs SRP)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--0bc3ce00-83bc-4a92-a042-79ffbc6af259", "type": "course-of-action", "created": 
"2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1084", "external_id": "T1084"}, {"source_name": "FireEye WMI 2015", "description": "Ballenthin, W., et al. (2015). Windows Management Instrumentation (WMI) Offense, Defense, and Forensics. Retrieved March 30, 2016.", "url": "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf"}], "modified": "2019-07-25T12:35:09.565Z", "name": "Windows Management Instrumentation Event Subscription Mitigation", "description": "Disabling WMI services may cause system instability and should be evaluated to assess the impact to a network. By default, only administrators are allowed to connect remotely using WMI; restrict other users that are allowed to connect, or disallow all users from connecting remotely to WMI. Prevent credential overlap across systems of administrator and privileged accounts. (Citation: FireEye WMI 2015)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--1022138b-497c-40e6-b53a-13351cbd4090", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "T1044", "url": "https://attack.mitre.org/mitigations/T1044", "source_name": "mitre-attack"}, {"url": "https://github.com/mattifestation/PowerSploit", "description": "PowerSploit. (n.d.). Retrieved December 4, 2014.", "source_name": "Powersploit"}, {"source_name": "Beechey 2010", "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. 
Retrieved November 18, 2014.", "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599"}, {"url": "https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html", "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", "source_name": "Windows Commands JPCERT"}, {"url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", "source_name": "NSA MS AppLocker"}, {"url": "http://seclists.org/fulldisclosure/2015/Dec/34", "description": "Kanthak, S. (2015, December 8). Executable installers are vulnerable^WEVIL (case 7): 7z*.exe\tallows remote code execution with escalation of privilege. Retrieved March 10, 2017.", "source_name": "Seclists Kanthak 7zip Installer"}], "modified": "2021-08-23T20:25:21.486Z", "name": "File System Permissions Weakness Mitigation", "description": "Use auditing tools capable of detecting file system permissions abuse opportunities on systems within an enterprise and correct them. Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service binary target path locations. Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for service file system permissions weaknesses. (Citation: Powersploit)\n\nIdentify and block potentially malicious software that may be executed through abuse of file, directory, and service permissions by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) that are capable of auditing and/or blocking unknown programs. 
Deny execution from user directories such as file download directories and temp directories where able. (Citation: Seclists Kanthak 7zip Installer)\n\nTurn off UAC's privilege elevation for standard users [HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System]
to automatically deny elevation requests, add: \"ConsentPromptBehaviorUser\"=dword:00000000
(Citation: Seclists Kanthak 7zip Installer). Consider enabling installer detection for all users by adding: \"EnableInstallerDetection\"=dword:00000001
. This will prompt for a password for installation and also log the attempt. To disable installer detection, instead add: \"EnableInstallerDetection\"=dword:00000000
. This may prevent potential elevation of privileges through exploitation during the process of UAC detecting the installer, but will allow the installation process to continue without being logged.", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--10571bf2-8073-4edf-a71c-23bad225532e", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "T1103", "url": "https://attack.mitre.org/mitigations/T1103", "source_name": "mitre-attack"}, {"source_name": "Beechey 2010", "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599"}, {"url": "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", "source_name": "Windows Commands JPCERT"}, {"url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. 
Retrieved March 31, 2016.", "source_name": "NSA MS AppLocker"}], "modified": "2020-01-17T16:45:23.250Z", "name": "AppInit DLLs Mitigation", "description": "Upgrade to Windows 8 or later and enable secure boot.\n\nIdentify and block potentially malicious software that may be executed through AppInit DLLs by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) that are capable of auditing and/or blocking unknown DLLs.", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--121b2863-5b97-4538-acb3-f8aae070ec13", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1159", "external_id": "T1159"}], "modified": "2019-07-24T19:47:59.038Z", "name": "Launch Agent Mitigation", "description": "Restrict user's abilities to create Launch Agents with group policy.", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--12241367-a8b7-49b4-b86e-2236901ba50c", "type": "course-of-action", "created": "2019-06-10T20:46:02.263Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "external_id": "M1031", "url": "https://attack.mitre.org/mitigations/M1031"}], "modified": "2019-06-10T20:46:02.263Z", "name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic 
at network boundaries.", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--12c13879-b7bd-4bc5-8def-aacec386d432", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1117", "external_id": "T1117"}, {"url": "https://github.com/iadgov/Secure-Host-Baseline/tree/master/EMET", "description": "National Security Agency. (2016, May 4). Secure Host Baseline EMET. Retrieved June 22, 2016.", "source_name": "Secure Host Baseline EMET"}], "modified": "2019-07-25T11:32:22.755Z", "name": "Regsvr32 Mitigation", "description": "Microsoft's Enhanced Mitigation Experience Toolkit (EMET) Attack Surface Reduction (ASR) feature can be used to block regsvr32.exe from being used to bypass whitelisting. (Citation: Secure Host Baseline EMET)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--12cba7de-0a22-4a56-b51e-c514c67c3b43", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1147", "external_id": "T1147"}], "modified": "2019-07-24T19:36:24.202Z", "name": "Hidden Users Mitigation", "description": "If the computer is domain joined, then group policy can help restrict the ability to create or hide users. Similarly, preventing the modification of the /Library/Preferences/com.apple.loginwindow
Hide500Users
value will force all users to be visible.", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--13cad982-35e3-4340-9095-7124b653df4b", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1213", "external_id": "T1213"}], "modified": "2019-07-24T19:06:19.932Z", "name": "Data from Information Repositories Mitigation", "description": "To mitigate adversary access to information repositories for collection:\n\n* Develop and publish policies that define acceptable information to be stored\n* Appropriate implementation of access control mechanisms that include both authentication and appropriate authorization\n* Enforce the principle of least-privilege\n* Periodic privilege review of accounts\n* Mitigate access to [Valid Accounts](https://attack.mitre.org/techniques/T1078) that may be used to access repositories", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--14b63e6b-7531-4476-9e60-02cc5db48b62", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1210", "external_id": "T1210"}, {"source_name": "Ars Technica Pwn2Own 2017 VM Escape", "description": "Goodin, D. (2017, March 17). 
Virtual machine escape fetches $105,000 at Pwn2Own hacking contest - updated. Retrieved March 12, 2018.", "url": "https://arstechnica.com/information-technology/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/"}, {"source_name": "TechNet Moving Beyond EMET", "description": "Nunez, N. (2017, August 9). Moving Beyond EMET II \u2013 Windows Defender Exploit Guard. Retrieved March 12, 2018.", "url": "https://blogs.technet.microsoft.com/srd/2017/08/09/moving-beyond-emet-ii-windows-defender-exploit-guard/"}, {"source_name": "Wikipedia Control Flow Integrity", "description": "Wikipedia. (2018, January 11). Control-flow integrity. Retrieved March 12, 2018.", "url": "https://en.wikipedia.org/wiki/Control-flow_integrity"}], "modified": "2019-07-24T19:26:53.547Z", "name": "Exploitation of Remote Services Mitigation", "description": "Segment networks and systems appropriately to reduce access to critical systems and services to controlled methods. Minimize available services to only those that are necessary. Regularly scan the internal network for available services to identify new and potentially vulnerable services. Minimize permissions and access for service accounts to limit impact of exploitation.\n\nUpdate software regularly by employing patch management for internal enterprise endpoints and servers. Develop a robust cyber threat intelligence capability to determine what types and levels of threat may use software exploits and 0-days against a particular organization. Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing, if available. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation. The risks of additional exploits and weaknesses in implementation may still exist. 
(Citation: Ars Technica Pwn2Own 2017 VM Escape)\n\nSecurity applications that look for behavior used during exploitation such as Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET) can be used to mitigate some exploitation behavior. (Citation: TechNet Moving Beyond EMET) Control flow integrity checking is another way to potentially identify and stop a software exploit from occurring. (Citation: Wikipedia Control Flow Integrity) Many of these protections depend on the architecture and target application binary for compatibility and may not work for all software or services targeted.", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--15437c6d-b998-4a36-be41-4ace3d54d266", "type": "course-of-action", "created": "2019-06-06T16:47:30.700Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "external_id": "M1016", "url": "https://attack.mitre.org/mitigations/M1016"}], "modified": "2020-07-14T22:22:06.356Z", "name": "Vulnerability Scanning", "description": "Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them.", "x_mitre_version": "1.1", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--159b4ee4-8fa1-44a5-b095-2973f3c7e25e", "type": "course-of-action", "created": "2019-02-15T13:04:25.150Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "T1482", "source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1482"}, 
{"source_name": "Harmj0y Domain Trusts", "url": "http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/", "description": "Schroeder, W. (2017, October 30). A Guide to Attacking Domain Trusts. Retrieved February 14, 2019."}], "modified": "2020-09-17T18:26:17.815Z", "name": "Domain Trust Discovery Mitigation", "description": "Map the trusts within existing domains/forests and keep trust relationships to a minimum. Employ network segmentation for sensitive domains.(Citation: Harmj0y Domain Trusts)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--160af6af-e733-4b6a-a04a-71c620ac0930", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1072", "external_id": "T1072"}], "modified": "2019-07-25T12:27:40.782Z", "name": "Third-party Software Mitigation", "description": "Evaluate the security of third-party software that could be used in the enterprise environment. Ensure that access to management systems for third-party systems is limited, monitored, and secure. Have a strict approval policy for use of third-party systems.\n\nGrant access to Third-party systems only to a limited number of authorized administrators. Ensure proper system and access isolation for critical network systems through use of firewalls, account privilege separation, group policy, and multi-factor authentication. Verify that account credentials that may be used to access third-party systems are unique and not used throughout the enterprise network. 
Ensure that any accounts used by third-party providers to access these systems are traceable to the third-party and are not used throughout the network or used by other third-party providers in the same environment. Ensure third-party systems are regularly patched by users or the provider to prevent potential remote access through [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068). \n\nEnsure there are regular reviews of accounts provisioned to these systems to verify continued business need, and ensure there is governance to trace de-provisioning of access that is no longer required.\n\nWhere the third-party system is used for deployment services, ensure that it can be configured to deploy only signed binaries, then ensure that the trusted signing certificates are not co-located with the third-party system and are instead located on a system that cannot be accessed remotely or to which remote access is tightly controlled.", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--16a8ac85-a06f-460f-ad22-910167bd7332", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "T1009", "url": "https://attack.mitre.org/mitigations/T1009", "source_name": "mitre-attack"}, {"source_name": "Beechey 2010", "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599"}, {"url": "https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html", "description": "Tomonaga, S. (2016, January 26). 
Windows Commands Abused by Attackers. Retrieved February 2, 2016.", "source_name": "Windows Commands JPCERT"}, {"url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", "source_name": "NSA MS AppLocker"}, {"source_name": "Corio 2008", "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.", "url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx"}, {"source_name": "TechNet Applocker vs SRP", "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.", "url": "https://technet.microsoft.com/en-us/library/ee791851.aspx"}], "modified": "2021-08-23T20:25:18.699Z", "name": "Binary Padding Mitigation", "description": "Identify potentially malicious software that may be executed from a padded or otherwise obfuscated binary, and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. 
(Citation: TechNet Applocker vs SRP)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--16dd03c6-0dfb-4d77-89cd-9ff3ee6e533d", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "T1123", "url": "https://attack.mitre.org/mitigations/T1123", "source_name": "mitre-attack"}, {"source_name": "Beechey 2010", "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599"}, {"url": "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", "source_name": "Windows Commands JPCERT"}, {"url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", "source_name": "NSA MS AppLocker"}, {"source_name": "Corio 2008", "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.", "url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx"}, {"source_name": "TechNet Applocker vs SRP", "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. 
Retrieved April 7, 2016.", "url": "https://technet.microsoft.com/en-us/library/ee791851.aspx"}], "modified": "2020-01-17T16:45:23.317Z", "name": "Audio Capture Mitigation", "description": "Mitigating this technique specifically may be difficult as it requires fine-grained API control. Efforts should be focused on preventing unwanted or unknown code from executing on a system.\n\nIdentify and block potentially malicious software that may be used to record audio by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--16f144e4-c780-4ed2-98b4-55d14e2dfa44", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"url": "https://attack.mitre.org/mitigations/T1033", "source_name": "mitre-attack", "external_id": "T1033"}, {"source_name": "Beechey 2010", "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599"}, {"url": "https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html", "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. 
Retrieved February 2, 2016.", "source_name": "Windows Commands JPCERT"}, {"url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", "source_name": "NSA MS AppLocker"}, {"source_name": "Corio 2008", "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.", "url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx"}, {"source_name": "TechNet Applocker vs SRP", "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.", "url": "https://technet.microsoft.com/en-us/library/ee791851.aspx"}], "modified": "2021-08-23T20:25:21.484Z", "name": "System Owner/User Discovery Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about system users, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. 
(Citation: TechNet Applocker vs SRP)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--1881da33-fdf2-4eea-afd0-e04caf9c000f", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "T1120", "url": "https://attack.mitre.org/mitigations/T1120", "source_name": "mitre-attack"}, {"source_name": "Beechey 2010", "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599"}, {"url": "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", "source_name": "Windows Commands JPCERT"}, {"url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", "source_name": "NSA MS AppLocker"}, {"source_name": "Corio 2008", "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.", "url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx"}, {"source_name": "TechNet Applocker vs SRP", "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. 
Retrieved April 7, 2016.", "url": "https://technet.microsoft.com/en-us/library/ee791851.aspx"}], "modified": "2020-01-17T16:45:23.899Z", "name": "Peripheral Device Discovery Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about peripheral devices, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--19edfa02-1a5f-47e4-ad82-3288f57f64cf", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "T1115", "url": "https://attack.mitre.org/mitigations/T1115", "source_name": "mitre-attack"}, {"source_name": "Beechey 2010", "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599"}, {"url": "https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html", "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", "source_name": "Windows Commands JPCERT"}, {"url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. 
Retrieved March 31, 2016.", "source_name": "NSA MS AppLocker"}, {"source_name": "Corio 2008", "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.", "url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx"}, {"source_name": "TechNet Applocker vs SRP", "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.", "url": "https://technet.microsoft.com/en-us/library/ee791851.aspx"}], "modified": "2021-08-23T20:25:19.205Z", "name": "Clipboard Data Mitigation", "description": "Instead of blocking software based on clipboard capture behavior, identify potentially malicious software that may contain this functionality, and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--1a7f5bd3-f6ee-4bd7-b949-2f3632ad6158", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1144", "external_id": "T1144"}], "modified": "2019-07-24T19:32:43.572Z", "name": "Gatekeeper Bypass Mitigation", "description": "Other tools should be used to supplement Gatekeeper's functionality. 
Additionally, system settings can prevent applications that haven't been downloaded through the App Store from running, which can help mitigate some of these issues.
(Citation: University of Birmingham C2)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--1c0b39f9-a0c5-42b2-abd8-dc8f1eb74e67", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "T1217", "url": "https://attack.mitre.org/mitigations/T1217", "source_name": "mitre-attack"}, {"source_name": "Beechey 2010", "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599"}, {"url": "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", "source_name": "Windows Commands JPCERT"}, {"url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", "source_name": "NSA MS AppLocker"}, {"source_name": "Corio 2008", "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.", "url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx"}, {"source_name": "TechNet Applocker vs SRP", "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. 
Retrieved April 7, 2016.", "url": "https://technet.microsoft.com/en-us/library/ee791851.aspx"}], "modified": "2020-01-17T16:45:23.672Z", "name": "Browser Bookmark Discovery Mitigation", "description": "File system activity is a common part of an operating system, so it is unlikely that mitigation would be appropriate for this technique. For example, mitigating accesses to browser bookmark files will likely have unintended side effects such as preventing legitimate software from operating properly. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identification of subsequent malicious behavior. It may still be beneficial to identify and block unnecessary system utilities or potentially malicious software by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--1c6bc7f3-d517-4971-aed4-8f939090846b", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1013", "external_id": "T1013"}, {"url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. 
Retrieved November 18, 2014.", "source_name": "Beechey 2010"}], "modified": "2019-07-25T11:26:14.570Z", "name": "Port Monitors Mitigation", "description": "Identify and block potentially malicious software that may persist in this manner by using whitelisting (Citation: Beechey 2010) tools capable of monitoring DLL loads by processes running under SYSTEM permissions.", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--1dcaeb21-9348-42ea-950a-f842aaf1ae1f", "type": "course-of-action", "created": "2019-06-11T16:30:16.672Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "external_id": "M1035", "url": "https://attack.mitre.org/mitigations/M1035"}], "modified": "2020-06-09T20:51:00.027Z", "name": "Limit Access to Resource Over Network", "description": "Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--1e4ef2c7-ee96-4484-9baa-3b5777561301", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1155", "external_id": "T1155"}, {"source_name": "applescript signing", "description": "Steven Sande. (2013, December 23). AppleScript and Automator gain new features in OS X Mavericks. 
Retrieved September 21, 2018.", "url": "https://www.engadget.com/2013/10/23/applescript-and-automator-gain-new-features-in-os-x-mavericks/"}], "modified": "2019-07-24T14:31:55.409Z", "name": "AppleScript Mitigation", "description": "Require that all AppleScript be signed by a trusted developer ID before being executed - this will prevent random AppleScript code from executing (Citation: applescript signing). This subjects AppleScript code to the same scrutiny as other .app files passing through Gatekeeper.", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--1e614ba5-2fc5-4464-b512-2ceafb14d76d", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "T1202", "url": "https://attack.mitre.org/mitigations/T1202", "source_name": "mitre-attack"}, {"source_name": "Beechey 2010", "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599"}, {"url": "https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html", "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", "source_name": "Windows Commands JPCERT"}, {"url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. 
Retrieved March 31, 2016.", "source_name": "NSA MS AppLocker"}, {"source_name": "Corio 2008", "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.", "url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx"}, {"source_name": "TechNet Applocker vs SRP", "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.", "url": "https://technet.microsoft.com/en-us/library/ee791851.aspx"}, {"source_name": "SpectorOPs SettingContent-ms Jun 2018", "url": "https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39", "description": "Nelson, M. (2018, June 11). The Tale of SettingContent-ms Files. Retrieved April 18, 2019."}], "modified": "2021-08-23T20:25:19.370Z", "name": "Indirect Command Execution Mitigation", "description": "Identify or block potentially malicious software that may contain abusive functionality by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP). 
These mechanisms can also be used to disable and/or limit user access to Windows utilities and file types/locations used to invoke malicious execution.(Citation: SpectorOPs SettingContent-ms Jun 2018)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--1f34230d-b6ae-4dc7-8599-78c18820bd21", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "T1135", "url": "https://attack.mitre.org/mitigations/T1135", "source_name": "mitre-attack"}, {"source_name": "Beechey 2010", "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599"}, {"url": "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", "source_name": "Windows Commands JPCERT"}, {"url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", "source_name": "NSA MS AppLocker"}, {"source_name": "Corio 2008", "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.", "url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx"}, {"source_name": "TechNet Applocker vs SRP", "description": "Microsoft. (2012, June 27). 
Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.", "url": "https://technet.microsoft.com/en-us/library/ee791851.aspx"}], "modified": "2020-01-17T16:45:23.867Z", "name": "Network Share Discovery Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire network share information, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--20a2baeb-98c2-4901-bad7-dc62d0a03dea", "type": "course-of-action", "created": "2019-06-06T21:21:13.027Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "external_id": "M1029", "url": "https://attack.mitre.org/mitigations/M1029"}], "modified": "2019-06-06T21:21:13.027Z", "name": "Remote Data Storage", "description": "Use remote security log and sensitive file storage where access can be controlled better to prevent exposure of intrusion detection log data or sensitive information.", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--20f6a9df-37c4-4e20-9e47-025983b1b39d", "type": "course-of-action", "created": "2019-06-11T16:33:55.337Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", 
"external_id": "M1037", "url": "https://attack.mitre.org/mitigations/M1037"}], "modified": "2020-06-20T20:46:36.342Z", "name": "Filter Network Traffic", "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", "x_mitre_version": "1.1", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--21da4fd4-27ad-4e9c-b93d-0b9b14d02c96", "type": "course-of-action", "created": "2019-06-06T20:52:59.206Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "external_id": "M1021", "url": "https://attack.mitre.org/mitigations/M1021"}], "modified": "2019-06-06T20:52:59.206Z", "name": "Restrict Web-Based Content", "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--23061b40-a7b6-454f-8950-95d5ff80331c", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "T1130", "url": "https://attack.mitre.org/mitigations/T1130", "source_name": "mitre-attack"}, {"source_name": "Wikipedia HPKP", "description": "Wikipedia. (2017, February 28). HTTP Public Key Pinning. 
Retrieved March 31, 2017.", "url": "https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning"}, {"url": "https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec", "description": "Graeber, M. (2017, December 22). Code Signing Certificate Cloning Attacks and Defenses. Retrieved April 3, 2018.", "source_name": "SpectorOps Code Signing Dec 2017"}], "modified": "2020-03-31T12:49:14.885Z", "name": "Install Root Certificate Mitigation", "description": "HTTP Public Key Pinning (HPKP) is one method to mitigate potential man-in-the-middle situations where an adversary uses a mis-issued or fraudulent certificate to intercept encrypted communications by enforcing use of an expected certificate. (Citation: Wikipedia HPKP) Note that browsers generally did not enforce pins for certificate chains terminating in a locally installed root, so HPKP offered little protection against a root certificate an adversary had already added to the endpoint trust store, and the mechanism has since been deprecated and removed from major browsers.\n\nWindows Group Policy can be used to manage root certificates and the Flags
value of HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Root\\ProtectedRoots
can be set to 1 to prevent non-administrator users from making further root installations into their own HKCU certificate store. (Citation: SpectorOps Code Signing Dec 2017)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--23843cff-f7b9-4659-a7b7-713ef347f547", "type": "course-of-action", "created": "2019-06-11T16:26:52.202Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "external_id": "M1033", "url": "https://attack.mitre.org/mitigations/M1033"}], "modified": "2019-06-11T16:26:52.202Z", "name": "Limit Software Installation", "description": "Block users or groups from installing unapproved software.", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--23bff3ce-021c-4e7a-9aee-60fd40bc7c6c", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1169", "external_id": "T1169"}], "modified": "2019-07-25T12:03:12.876Z", "name": "Sudo Mitigation", "description": "The sudoers file should be strictly edited such that passwords are always required and that users can\u2019t spawn risky processes as users with higher privilege. 
By requiring a password, even if an adversary can get terminal access, they must know the password to run anything in the sudoers file. Note that sudo caches a successful authentication for a period controlled by the timestamp_timeout option, so an adversary who hijacks a session that recently used sudo may not be prompted at all; setting timestamp_timeout to 0 removes that window.", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--24478001-2eb3-4b06-a02e-96b3d61d27ec", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1079", "external_id": "T1079"}, {"source_name": "University of Birmingham C2", "description": "Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.", "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"}], "modified": "2019-07-25T11:15:39.400Z", "name": "Multilayer Encryption Mitigation", "description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Use of encryption protocols may make typical network-based C2 detection more difficult due to a reduced ability to signature the traffic. Prior knowledge of adversary C2 infrastructure may be useful for domain and IP address blocking, but will likely not be an effective long-term solution because adversaries can change infrastructure often. 
(Citation: University of Birmingham C2)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--245075bc-f992-4d89-af8c-834c53d403f4", "type": "course-of-action", "created": "2019-04-24T17:03:39.689Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "T1493", "source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1493"}], "modified": "2019-07-25T12:28:59.970Z", "name": "Transmitted Data Manipulation Mitigation", "description": "Identify critical business and system processes that may be targeted by adversaries and work to secure communications related to those processes against tampering. Encrypt all important data flows to reduce the impact of tailored modifications on data in transit.", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--2497ac92-e751-4391-82c6-1b86e34d0294", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "T1020", "url": "https://attack.mitre.org/mitigations/T1020", "source_name": "mitre-attack"}, {"source_name": "Beechey 2010", "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599"}, {"url": "https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html", "description": "Tomonaga, S. 
(2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", "source_name": "Windows Commands JPCERT"}, {"url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", "source_name": "NSA MS AppLocker"}, {"source_name": "Corio 2008", "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.", "url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx"}, {"source_name": "TechNet Applocker vs SRP", "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.", "url": "https://technet.microsoft.com/en-us/library/ee791851.aspx"}], "modified": "2021-08-23T20:25:22.459Z", "name": "Automated Exfiltration Mitigation", "description": "Identify unnecessary system utilities, scripts, or potentially malicious software that may be used to transfer data outside of a network, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. 
(Citation: TechNet Applocker vs SRP)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--25d5e1d8-c6fb-4735-bc57-115a21222f4b", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "T1010", "url": "https://attack.mitre.org/mitigations/T1010", "source_name": "mitre-attack"}, {"source_name": "Beechey 2010", "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599"}, {"url": "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", "source_name": "Windows Commands JPCERT"}, {"url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", "source_name": "NSA MS AppLocker"}, {"source_name": "Corio 2008", "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.", "url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx"}, {"source_name": "TechNet Applocker vs SRP", "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. 
Retrieved April 7, 2016.", "url": "https://technet.microsoft.com/en-us/library/ee791851.aspx"}], "modified": "2020-01-17T16:45:23.664Z", "name": "Application Window Discovery Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2023-09-27T20:18:19.004Z", "name": "Application Developer Guidance", "description": "This mitigation describes any guidance or training given to developers of applications to avoid introducing security weaknesses that an adversary may be able to take advantage of.", "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack", "mobile-attack"], "x_mitre_version": "1.1", "type": "course-of-action", "id": "course-of-action--25dc1ce8-eb55-4333-ae30-a7cb4f5894a1", "created": "2017-10-25T14:48:53.732Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M1013", "external_id": "M1013"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--25e53928-6f33-49b7-baee-8180578286f6", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1019", "external_id": "T1019"}, {"source_name": "TCG Trusted Platform Module", "description": "Trusted Computing Group. (2008, April 29). Trusted Platform Module (TPM) Summary. Retrieved June 8, 2016.", "url": "http://www.trustedcomputinggroup.org/wp-content/uploads/Trusted-Platform-Module-Summary_04292008.pdf"}], "modified": "2019-07-25T12:06:06.231Z", "name": "System Firmware Mitigation", "description": "Prevent adversary access to privileged accounts or access necessary to perform this technique. Check the integrity of the existing BIOS or EFI to determine if it is vulnerable to modification. Patch the BIOS and EFI as necessary. Use Trusted Platform Module technology. (Citation: TCG Trusted Platform Module)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--28adf6fd-ab6c-4553-9aa7-cef18a191f33", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "T1002", "url": "https://attack.mitre.org/mitigations/T1002", "source_name": "mitre-attack"}, {"source_name": "Beechey 2010", "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599"}, {"url": "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. 
Retrieved February 2, 2016.", "source_name": "Windows Commands JPCERT"}, {"url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", "source_name": "NSA MS AppLocker"}, {"source_name": "Corio 2008", "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.", "url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx"}, {"source_name": "TechNet Applocker vs SRP", "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.", "url": "https://technet.microsoft.com/en-us/library/ee791851.aspx"}], "modified": "2020-01-17T16:45:23.683Z", "name": "Data Compressed Mitigation", "description": "Identify unnecessary system utilities, third-party tools, or potentially malicious software that may be used to compress files, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. 
(Citation: TechNet Applocker vs SRP)\n\nIf network intrusion prevention or data loss prevention tools are set to block specific file types from leaving the network over unencrypted channels, then an adversary may move to an encrypted channel.", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--2995bc22-2851-4345-ad19-4e7e295be264", "type": "course-of-action", "created": "2019-06-11T16:28:41.809Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "external_id": "M1034", "url": "https://attack.mitre.org/mitigations/M1034"}], "modified": "2020-06-09T20:48:12.326Z", "name": "Limit Hardware Installation", "description": "Block users or groups from installing or using unapproved hardware on systems, including USB devices.", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a", "type": "course-of-action", "created": "2019-06-06T16:50:04.963Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "external_id": "M1017", "url": "https://attack.mitre.org/mitigations/M1017"}], "modified": "2020-10-21T19:08:13.228Z", "name": "User Training", "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", "x_mitre_version": "1.2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, 
{"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--2a8de25c-f743-4348-b101-3ee33ab5871b", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "T1022", "url": "https://attack.mitre.org/mitigations/T1022", "source_name": "mitre-attack"}, {"url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", "source_name": "Beechey 2010"}, {"url": "https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html", "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", "source_name": "Windows Commands JPCERT"}, {"url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", "source_name": "NSA MS AppLocker"}, {"url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx", "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.", "source_name": "Corio 2008"}, {"url": "https://technet.microsoft.com/en-us/library/ee791851.aspx", "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. 
Retrieved April 7, 2016.", "source_name": "TechNet Applocker vs SRP"}], "modified": "2021-08-23T20:25:19.310Z", "name": "Data Encrypted Mitigation", "description": "Identify unnecessary system utilities, third-party tools, or potentially malicious software that may be used to encrypt files, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--2ace01f8-67c8-43eb-b7b1-a7b9f1fe67e1", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "T1083", "url": "https://attack.mitre.org/mitigations/T1083", "source_name": "mitre-attack"}, {"source_name": "Beechey 2010", "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599"}, {"url": "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", "source_name": "Windows Commands JPCERT"}, {"url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. 
Retrieved March 31, 2016.", "source_name": "NSA MS AppLocker"}, {"source_name": "Corio 2008", "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.", "url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx"}, {"source_name": "TechNet Applocker vs SRP", "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.", "url": "https://technet.microsoft.com/en-us/library/ee791851.aspx"}], "modified": "2020-01-17T16:45:23.120Z", "name": "File and Directory Discovery Mitigation", "description": "File system activity is a common part of an operating system, so it is unlikely that mitigation would be appropriate for this technique. It may still be beneficial to identify and block unnecessary system utilities or potentially malicious software by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. 
(Citation: TechNet Applocker vs SRP)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--2c2ad92a-d710-41ab-a996-1db143bb4808", "type": "course-of-action", "created": "2019-06-11T17:14:35.170Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "external_id": "M1052", "url": "https://attack.mitre.org/mitigations/M1052"}], "modified": "2020-03-31T13:49:49.636Z", "name": "User Account Control", "description": "Configure Windows User Account Control to mitigate risk of adversaries obtaining elevated process access.", "x_mitre_version": "1.1", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--2c3ce852-06a2-40ee-8fe6-086f6402a739", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1062", "external_id": "T1062"}], "modified": "2019-07-24T19:37:57.004Z", "name": "Hypervisor Mitigation", "description": "Prevent adversary access to privileged accounts necessary to install a hypervisor.", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--2d704e56-e689-4011-b989-bf4e025a8727", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1150", "external_id": "T1150"}], "modified": "2019-07-25T11:25:29.091Z", "name": "Plist Modification Mitigation", "description": "Prevent plist files from being modified by users by making them read-only.", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2023-03-31T17:27:28.395Z", "name": "Operating System Configuration", "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.2", "type": "course-of-action", "id": "course-of-action--2f316f6c-ae42-44fe-adf8-150989e0f6d3", "created": "2019-06-06T21:16:18.709Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M1028", "external_id": "M1028"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--308855d1-078b-47ad-8d2a-8f9b2713ffb5", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "T1077", "url": "https://attack.mitre.org/mitigations/T1077", "source_name": "mitre-attack"}, {"source_name": "Beechey 2010", "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. 
Retrieved November 18, 2014.", "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599"}, {"url": "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", "source_name": "Windows Commands JPCERT"}, {"url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", "source_name": "NSA MS AppLocker"}, {"source_name": "Corio 2008", "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.", "url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx"}, {"source_name": "TechNet Applocker vs SRP", "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.", "url": "https://technet.microsoft.com/en-us/library/ee791851.aspx"}], "modified": "2020-01-17T16:45:23.710Z", "name": "Windows Admin Shares Mitigation", "description": "Do not reuse local administrator account passwords across systems. Ensure password complexity and uniqueness such that the passwords cannot be cracked or guessed. Deny remote use of local admin credentials to log into systems. Do not allow domain user accounts to be in the local Administrators group on multiple systems.\n\nIdentify unnecessary system utilities or potentially malicious software that may be used to leverage SMB and the Windows admin shares, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. 
(Citation: TechNet Applocker vs SRP)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--313c8b20-4d49-40c1-9ac0-4c573aca28f3", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "T1004", "url": "https://attack.mitre.org/mitigations/T1004", "source_name": "mitre-attack"}, {"source_name": "Beechey 2010", "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599"}, {"url": "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", "source_name": "Windows Commands JPCERT"}, {"url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. 
Retrieved March 31, 2016.", "source_name": "NSA MS AppLocker"}], "modified": "2020-01-17T16:45:24.244Z", "name": "Winlogon Helper DLL Mitigation", "description": "Limit the privileges of user accounts so that only authorized administrators can perform Winlogon helper changes.\n\nIdentify and block potentially malicious software that may be executed through the Winlogon helper process by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) that are capable of auditing and/or blocking unknown DLLs.", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--337172b1-b003-4034-8a3f-1d89a71da628", "type": "course-of-action", "created": "2019-04-12T14:59:36.522Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"url": "https://attack.mitre.org/mitigations/T1494", "source_name": "mitre-attack", "external_id": "T1494"}, {"source_name": "Beechey 2010", "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599"}, {"url": "https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html", "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", "source_name": "Windows Commands JPCERT"}, {"url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. 
Retrieved March 31, 2016.", "source_name": "NSA MS AppLocker"}, {"source_name": "Corio 2008", "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.", "url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx"}, {"source_name": "TechNet Applocker vs SRP", "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.", "url": "https://technet.microsoft.com/en-us/library/ee791851.aspx"}], "modified": "2021-08-23T20:25:21.495Z", "name": "Runtime Data Manipulation Mitigation", "description": "Identify critical business and system processes that may be targeted by adversaries and work to secure those systems against tampering. Prevent critical business and system processes from being replaced, overwritten, or reconfigured to load potentially malicious code. Identify potentially malicious software and audit and/or block it by using whitelisting(Citation: Beechey 2010) tools, like AppLocker,(Citation: Windows Commands JPCERT)(Citation: NSA MS AppLocker) or Software Restriction Policies(Citation: Corio 2008) where appropriate.(Citation: TechNet Applocker vs SRP)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--33f76731-b840-446f-bee0-53687dad24d9", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "T1183", "url": "https://attack.mitre.org/mitigations/T1183", "source_name": "mitre-attack"}, {"source_name": "Microsoft IFEOorMalware July 2015", "description": "Microsoft. (2015, July 30). Part of Windows 10 or really Malware?. 
Retrieved December 18, 2017.", "url": "https://answers.microsoft.com/windows/forum/windows_10-security/part-of-windows-10-or-really-malware/af715663-a34a-423c-850d-2a46f369a54c"}, {"source_name": "Beechey 2010", "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599"}, {"url": "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", "source_name": "Windows Commands JPCERT"}, {"url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", "source_name": "NSA MS AppLocker"}], "modified": "2020-01-17T16:45:23.882Z", "name": "Image File Execution Options Injection Mitigation", "description": "This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of operating system design features. For example, mitigating all IFEO will likely have unintended side effects, such as preventing legitimate software (e.g., security products) from operating properly. 
(Citation: Microsoft IFEOorMalware July 2015) Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior.\n\nIdentify and block potentially malicious software that may be executed through IFEO by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) that are capable of auditing and/or blocking unknown executables.", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--34d6a2ef-370e-4d21-a34b-6208b7c78f31", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1186", "external_id": "T1186"}, {"url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", "source_name": "Beechey 2010"}, {"url": "https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html", "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", "source_name": "Windows Commands JPCERT"}, {"url": "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. 
Retrieved March 31, 2016.", "source_name": "NSA MS AppLocker"}, {"url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx", "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.", "source_name": "Corio 2008"}, {"url": "https://technet.microsoft.com/en-us/library/ee791851.aspx", "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.", "source_name": "TechNet Applocker vs SRP"}], "modified": "2021-08-23T20:25:19.742Z", "name": "Process Doppelg\u00e4nging Mitigation", "description": "This type of attack technique cannot be easily mitigated with preventive controls or patched since it is based on the abuse of operating system design features. For example, mitigating specific API calls will likely have unintended side effects, such as preventing legitimate process-loading mechanisms from operating properly. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior.\n\nAlthough Process Doppelg\u00e4nging may be used to evade certain types of defenses, it is still good practice to identify potentially malicious software that may be used to perform adversarial actions and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. 
(Citation: TechNet Applocker vs SRP)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--34efb2fd-4dc2-40d4-a564-0c147c85034d", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "T1107", "url": "https://attack.mitre.org/mitigations/T1107", "source_name": "mitre-attack"}, {"source_name": "Beechey 2010", "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599"}, {"url": "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", "source_name": "Windows Commands JPCERT"}, {"url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", "source_name": "NSA MS AppLocker"}, {"source_name": "Corio 2008", "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.", "url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx"}, {"source_name": "TechNet Applocker vs SRP", "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. 
Retrieved April 7, 2016.", "url": "https://technet.microsoft.com/en-us/library/ee791851.aspx"}], "modified": "2020-01-17T16:45:23.685Z", "name": "File Deletion Mitigation", "description": "Identify unnecessary system utilities, third-party tools, or potentially malicious software that may be used to delete files, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--37a3f3f5-76e6-43fe-b935-f1f494c95725", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1211", "external_id": "T1211"}, {"url": "https://arstechnica.com/information-technology/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/", "description": "Goodin, D. (2017, March 17). Virtual machine escape fetches $105,000 at Pwn2Own hacking contest - updated. Retrieved March 12, 2018.", "source_name": "Ars Technica Pwn2Own 2017 VM Escape"}, {"url": "https://blogs.technet.microsoft.com/srd/2017/08/09/moving-beyond-emet-ii-windows-defender-exploit-guard/", "description": "Nunez, N. (2017, August 9). Moving Beyond EMET II \u2013 Windows Defender Exploit Guard. Retrieved March 12, 2018.", "source_name": "TechNet Moving Beyond EMET"}, {"url": "https://en.wikipedia.org/wiki/Control-flow_integrity", "description": "Wikipedia. (2018, January 11). Control-flow integrity. 
Retrieved March 12, 2018.", "source_name": "Wikipedia Control Flow Integrity"}], "modified": "2019-07-24T19:25:39.532Z", "name": "Exploitation for Defense Evasion Mitigation", "description": "Update software regularly by employing patch management for internal enterprise endpoints and servers. Develop a robust cyber threat intelligence capability to determine what types and levels of threat may use software exploits and 0-days against a particular organization. Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing, if available. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation. The risks of additional exploits and weaknesses in implementation (such as sandbox or virtual machine escapes) may still exist. (Citation: Ars Technica Pwn2Own 2017 VM Escape)\n\nSecurity applications that look for behavior used during exploitation such as Windows Defender Exploit Guard (WDEG) and its predecessor, the Enhanced Mitigation Experience Toolkit (EMET), can be used to mitigate some exploitation behavior; because WDEG supersedes EMET, prefer WDEG where it is available. (Citation: TechNet Moving Beyond EMET) Control flow integrity checking is another way to potentially identify and stop a software exploit from occurring. 
(Citation: Wikipedia Control Flow Integrity) Many of these protections depend on the architecture and target application binary for compatibility and may not work for software targeted for defense evasion.", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--383caaa3-c46a-4f61-b2e3-653eb132f0e7", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "T1114", "url": "https://attack.mitre.org/mitigations/T1114", "source_name": "mitre-attack"}, {"source_name": "Beechey 2010", "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599"}, {"url": "https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html", "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", "source_name": "Windows Commands JPCERT"}, {"url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", "source_name": "NSA MS AppLocker"}, {"source_name": "Corio 2008", "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.", "url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx"}, {"source_name": "TechNet Applocker vs SRP", "description": "Microsoft. (2012, June 27). 
Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.", "url": "https://technet.microsoft.com/en-us/library/ee791851.aspx"}], "modified": "2021-08-23T20:25:19.380Z", "name": "Email Collection Mitigation", "description": "Use of encryption provides an added layer of security to sensitive information sent over email. With public key cryptography, an adversary must obtain the recipient's private key (and any passphrase protecting it) to decrypt messages; note that encryption protects message contents but does not by itself prevent the encrypted messages from being collected.\n\nUse of two-factor authentication for public-facing webmail servers is also a recommended best practice to minimize the usefulness of user names and passwords to adversaries.\n\nIdentify unnecessary system utilities or potentially malicious software that may be used to collect email data files or access the corporate email server, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. 
(Citation: TechNet Applocker vs SRP)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--388606d3-f38f-45bf-885d-a9dc9df3c8a8", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1089", "external_id": "T1089"}], "modified": "2019-07-24T19:10:48.260Z", "name": "Disabling Security Tools Mitigation", "description": "Ensure proper process, registry, and file permissions are in place to prevent adversaries from disabling or interfering with security services.", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--39706d54-0d06-4a25-816a-78cc43455100", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "T1025", "url": "https://attack.mitre.org/mitigations/T1025", "source_name": "mitre-attack"}, {"source_name": "Beechey 2010", "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599"}, {"url": "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. 
Retrieved February 2, 2016.", "source_name": "Windows Commands JPCERT"}, {"url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", "source_name": "NSA MS AppLocker"}, {"source_name": "Corio 2008", "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.", "url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx"}, {"source_name": "TechNet Applocker vs SRP", "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.", "url": "https://technet.microsoft.com/en-us/library/ee791851.aspx"}], "modified": "2020-01-17T16:45:23.688Z", "name": "Data from Removable Media Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to collect data from removable media, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. 
(Citation: TechNet Applocker vs SRP)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--399d9038-b100-43ef-b28d-a5065106b935", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1095", "external_id": "T1095"}, {"source_name": "University of Birmingham C2", "description": "Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.", "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"}], "modified": "2019-07-25T12:01:33.997Z", "name": "Standard Non-Application Layer Protocol Mitigation", "description": "Properly configure firewalls and proxies to limit outgoing traffic to only necessary ports and through proper network gateway systems. Also ensure hosts are only provisioned to communicate over authorized interfaces.\n\nNetwork intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. 
(Citation: University of Birmingham C2)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--3a41b366-cfd6-4af2-a6e7-3c6e3c4ebcef", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "T1196", "url": "https://attack.mitre.org/mitigations/T1196", "source_name": "mitre-attack"}, {"url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", "source_name": "Beechey 2010"}, {"url": "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", "source_name": "Windows Commands JPCERT"}, {"url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", "source_name": "NSA MS AppLocker"}, {"source_name": "Microsoft UAC", "description": "Microsoft. (n.d.). User Account Control. Retrieved January 18, 2018.", "url": "https://msdn.microsoft.com/library/windows/desktop/dn742497.aspx"}], "modified": "2020-01-17T16:45:23.678Z", "name": "Control Panel Items Mitigation", "description": "This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of operating system design features. 
For example, mitigating specific Windows API calls and/or execution of particular file extensions will likely have unintended side effects, such as preventing legitimate software (e.g., drivers and configuration tools) from operating properly. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identification of subsequent malicious behavior.\n\nRestrict storage and execution of Control Panel items to protected directories, such as C:\\Windows
, rather than user directories.\n\nIndex known safe Control Panel items and block potentially malicious software using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) that are capable of auditing and/or blocking unknown executable files.\n\nConsider fully enabling User Account Control (UAC) to impede system-wide changes from illegitimate administrators. (Citation: Microsoft UAC)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--3a476d83-43eb-4fad-9b75-b1febd834e3d", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "T1097", "url": "https://attack.mitre.org/mitigations/T1097", "source_name": "mitre-attack"}, {"url": "https://adsecurity.org/?p=556", "description": "Metcalf, S. (2014, November 22). Mimikatz and Active Directory Kerberos Attacks. Retrieved June 2, 2016.", "source_name": "ADSecurity AD Kerberos Attacks"}, {"url": "https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf", "description": "Abolins, D., Boldea, C., Socha, K., Soria-Machado, M. (2016, April 26). Kerberos Golden Ticket Protection. Retrieved July 13, 2017.", "source_name": "CERT-EU Golden Ticket Protection"}, {"source_name": "Beechey 2010", "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. 
Retrieved November 18, 2014.", "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599"}, {"url": "https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html", "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", "source_name": "Windows Commands JPCERT"}, {"url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", "source_name": "NSA MS AppLocker"}, {"source_name": "Corio 2008", "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.", "url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx"}, {"source_name": "TechNet Applocker vs SRP", "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.", "url": "https://technet.microsoft.com/en-us/library/ee791851.aspx"}], "modified": "2021-08-23T20:25:21.478Z", "name": "Pass the Ticket Mitigation", "description": "Monitor domains for unusual credential logons. Limit credential overlap across systems to prevent the damage of credential compromise. Ensure that local administrator accounts have complex, unique passwords. Do not allow a user to be a local administrator for multiple systems. Limit domain admin account permissions to domain controllers and limited servers. Delegate other admin functions to separate accounts. 
(Citation: ADSecurity AD Kerberos Attacks)\n\nFor containing the impact of a previously generated golden ticket, reset the built-in KRBTGT account password twice, allowing domain replication to complete between the two resets; this will invalidate any existing golden tickets that have been created with the KRBTGT hash and other Kerberos tickets derived from it, so plan the resets as a coordinated operation. (Citation: CERT-EU Golden Ticket Protection)\n\nAttempt to identify and block unknown or malicious software that could be used to obtain Kerberos tickets and use them to authenticate by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--3bd2cf87-1ceb-4317-9aee-3e7dc713261b", "type": "course-of-action", "created": "2019-02-18T17:22:57.941Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "T1483", "source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1483"}, {"description": "Sternfeld, U. (2016). Dissecting Domain Generation Algorithms: Eight Real World DGA Variants. Retrieved February 18, 2019.", "url": "http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-Dissecting-DGAs-Eight-Real-World-DGA-Variants.pdf", "source_name": "Cybereason Dissecting DGAs"}, {"source_name": "Cisco Umbrella DGA Brute Force", "url": "https://umbrella.cisco.com/blog/2015/02/18/at-high-noon-algorithms-do-battle/", "description": "Kasza, A. (2015, February 18). Using Algorithms to Brute Force Algorithms. Retrieved February 18, 2019."}, {"description": "Liu, H. and Yuzifovich, Y. (2018, January 9). 
A Death Match of Domain Generation Algorithms. Retrieved February 18, 2019.", "url": "https://blogs.akamai.com/2018/01/a-death-match-of-domain-generation-algorithms.html", "source_name": "Akamai DGA Mitigation"}, {"source_name": "University of Birmingham C2", "description": "Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.", "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"}], "modified": "2019-07-24T19:13:31.378Z", "name": "Domain Generation Algorithms Mitigation", "description": "This technique may be difficult to mitigate since the domains can be registered just before they are used, and disposed shortly after. Malware researchers can reverse-engineer malware variants that use DGAs and determine future domains that the malware will attempt to contact, but this is a time and resource intensive effort.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA Brute Force) Malware is also increasingly incorporating seed values that can be unique for each instance, which would then need to be determined to extract future generated domains. In some cases, the seed that a particular sample uses can be extracted from DNS traffic.(Citation: Akamai DGA Mitigation) Even so, there can be thousands of possible domains generated per day; this makes it impractical for defenders to preemptively register all possible C2 domains due to the cost. In some cases a local DNS sinkhole may be used to help prevent DGA-based command and control at a reduced cost.\n\nNetwork intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific protocol used by a particular adversary or tool, and will likely be different across various malware families and versions. 
Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--3e7018e9-7389-48e7-9208-0bdbcbba9483", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1146", "external_id": "T1146"}, {"url": "http://www.akyl.net/securing-bashhistory-file-make-sure-your-linux-system-users-won%E2%80%99t-hide-or-delete-their-bashhistory", "description": "Mathew Branwell. (2012, March 21). Securing .bash_history file. Retrieved July 8, 2017.", "source_name": "Securing bash history"}], "modified": "2019-07-24T18:05:00.492Z", "name": "Clear Command History Mitigation", "description": "Preventing users from deleting or writing to certain files can stop adversaries from maliciously altering their ~/.bash_history
files. Additionally, making the shell's history-related environment variables (such as HISTFILE) readonly can help ensure that the history is preserved (Citation: Securing bash history).", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--3e9f8875-d2f7-4380-a578-84393bd3b025", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "T1028", "url": "https://attack.mitre.org/mitigations/T1028", "source_name": "mitre-attack"}, {"source_name": "NSA Spotting", "description": "National Security Agency/Central Security Service Information Assurance Directorate. (2015, August 7). Spotting the Adversary with Windows Event Log Monitoring. Retrieved September 6, 2018.", "url": "https://apps.nsa.gov/iaarchive/library/reports/spotting-the-adversary-with-windows-event-log-monitoring.cfm"}], "modified": "2020-01-17T16:46:19.274Z", "name": "Windows Remote Management Mitigation", "description": "Disable the WinRM service. If the service is necessary, lock down critical enclaves with separate WinRM infrastructure, accounts, and permissions. Follow WinRM best practices on configuration of authentication methods and use of host firewalls to restrict WinRM access to allow communication only to/from specific devices. 
(Citation: NSA Spotting)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--3efe43d1-6f3f-4fcb-ab39-4a730971f70b", "type": "course-of-action", "created": "2019-07-19T14:33:33.543Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "external_id": "M1053", "url": "https://attack.mitre.org/mitigations/M1053"}], "modified": "2020-03-31T13:11:28.201Z", "name": "Data Backup", "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise.", "x_mitre_version": "1.1", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--402e92cd-5608-4f4b-9a34-a2c962e4bcd7", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1160", "external_id": "T1160"}], "modified": "2019-07-24T19:48:23.825Z", "name": "Launch Daemon Mitigation", "description": "Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create new Launch Daemons.", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": 
"course-of-action--417fed8c-bd76-48b5-90a2-a88882a95241", "type": "course-of-action", "created": "2019-04-24T17:01:10.433Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "T1489", "source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1489"}], "modified": "2019-07-25T11:42:52.240Z", "name": "Service Stop Mitigation", "description": "Ensure proper process, registry, and file permissions are in place to inhibit adversaries from disabling or interfering with critical services. Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service configurations. Harden systems used to serve critical network, business, and communications functions. Operate intrusion detection, analysis, and response systems on a separate network from the production environment to lessen the chances that an adversary can see and interfere with critical response functions.", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--41cff8e9-fd05-408e-b3d5-d98c54c20bcf", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1184", "external_id": "T1184"}, {"url": "https://www.symantec.com/connect/articles/ssh-and-ssh-agent", "description": "Hatch, B. (2004, November 22). SSH and ssh-agent. 
Retrieved January 8, 2018.", "source_name": "Symantec SSH and ssh-agent"}], "modified": "2019-07-25T11:38:28.944Z", "name": "SSH Hijacking Mitigation", "description": "Ensure SSH key pairs have strong passwords and refrain from using key-store technologies such as ssh-agent unless they are properly protected. Ensure that all private keys are stored securely in locations where only the legitimate owner has access to with strong passwords and are rotated frequently. Ensure proper file permissions are set and harden system to prevent root privilege escalation opportunities. Do not allow remote access via SSH as root or other privileged accounts. Ensure that agent forwarding is disabled on systems that do not explicitly require this feature to prevent misuse. (Citation: Symantec SSH and ssh-agent)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--429a5c0c-e132-45c0-a4aa-c1f736c92a1c", "type": "course-of-action", "created": "2019-03-15T14:49:53.983Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"url": "https://attack.mitre.org/mitigations/T1486", "source_name": "mitre-attack", "external_id": "T1486"}, {"source_name": "Ready.gov IT DRP", "url": "https://www.ready.gov/business/implementation/IT", "description": "Ready.gov. (n.d.). IT Disaster Recovery Plan. Retrieved March 15, 2019."}, {"url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", "source_name": "Beechey 2010"}, {"url": "https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html", "description": "Tomonaga, S. 
(2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", "source_name": "Windows Commands JPCERT"}, {"url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", "source_name": "NSA MS AppLocker"}, {"url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx", "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.", "source_name": "Corio 2008"}, {"url": "https://technet.microsoft.com/en-us/library/ee791851.aspx", "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.", "source_name": "TechNet Applocker vs SRP"}], "modified": "2021-08-23T20:25:21.498Z", "name": "Data Encrypted for Impact Mitigation", "description": "Consider implementing IT disaster recovery plans that contain procedures for regularly taking and testing data backups that can be used to restore organizational data.(Citation: Ready.gov IT DRP)\n\nIn some cases, the means to decrypt files affected by a ransomware campaign is released to the public. 
Research trusted sources for public releases of decryptor tools/keys to reverse the effects of ransomware.\n\nIdentify potentially malicious software and audit and/or block it by using whitelisting(Citation: Beechey 2010) tools, like AppLocker,(Citation: Windows Commands JPCERT)(Citation: NSA MS AppLocker) or Software Restriction Policies(Citation: Corio 2008) where appropriate.(Citation: TechNet Applocker vs SRP)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--4320b080-9ae9-4541-9b8b-bcd0961dbbbd", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1074", "external_id": "T1074"}], "modified": "2019-07-24T19:05:13.374Z", "name": "Data Staged Mitigation", "description": "Identify system utilities, remote access or third-party tools, users or potentially malicious software that may be used to store compressed or encrypted data in a publicly writeable directory, central location, or commonly used staging directories (e.g. recycle bin) that is indicative of non-standard behavior, and audit and/or block them by using file integrity monitoring tools where appropriate. 
Consider applying data size limits or blocking file writes of common compression and encryption utilities such as 7zip, RAR, ZIP, or zlib on frequently used staging directories or central locations and monitor attempted violations of those restrictions.", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--43b366a4-b5ff-4d4e-8a3b-f09a9d2faff5", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1051", "external_id": "T1051"}, {"url": "https://www.acunetix.com/websitesecurity/webserver-security/", "description": "Acunetix. (n.d.). Web Server Security and Database Server Security. Retrieved July 26, 2018.", "source_name": "acunetix Server Secuirty"}, {"url": "https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-123.pdf", "description": "Scarfone, K. et al.. (2008, July). NIST Special Publication 800-123 - Guide to General Server Security. Retrieved July 26, 2018.", "source_name": "NIST Server Security July 2008"}], "modified": "2019-07-25T11:43:54.859Z", "name": "Shared Webroot Mitigation", "description": "Networks that allow for open development and testing of Web content and allow users to set up their own Web servers on the enterprise network may be particularly vulnerable if the systems and Web servers are not properly secured to limit privileged account use, unauthenticated network share access, and network/system isolation.\n\nEnsure proper permissions on directories that are accessible through a Web server. Disallow remote access to the webroot or other directories used to serve Web content. 
Disable execution on directories within the webroot. Ensure that permissions of the Web server process are only what is required by not using built-in accounts; instead, create specific accounts to limit unnecessary access or permissions overlap across multiple systems. (Citation: acunetix Server Secuirty) (Citation: NIST Server Security July 2008)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--44155d14-ca75-4fdf-b033-ab3d732e2884", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1215", "external_id": "T1215"}, {"url": "http://rkhunter.sourceforge.net", "description": "Rootkit Hunter Project. (2018, February 20). The Rootkit Hunter project. Retrieved April 9, 2018.", "source_name": "SourceForge rkhunter"}, {"url": "http://www.chkrootkit.org/", "description": "Murilo, N., Steding-Jessen, K. (2017, August 23). Chkrootkit. Retrieved April 9, 2018.", "source_name": "Chkrootkit Main"}, {"url": "https://patchwork.kernel.org/patch/8754821/", "description": "Vander Stoep, J. (2016, April 5). [v3] selinux: restrict kernel module loading. Retrieved April 9, 2018.", "source_name": "Kernel.org Restrict Kernel Module"}], "modified": "2019-07-24T19:44:56.371Z", "name": "Kernel Modules and Extensions Mitigation", "description": "Common tools for detecting Linux rootkits include: rkhunter (Citation: SourceForge rkhunter), chkrootkit (Citation: Chkrootkit Main), although rootkits may be designed to evade certain detection tools.\n\nLKMs and Kernel extensions require root level permissions to be installed. 
Limit access to the root account and prevent users from loading kernel modules and extensions through proper privilege separation and limiting Privilege Escalation opportunities.\n\nApplication whitelisting and software restriction tools, such as SELinux, can also aid in restricting kernel module loading. (Citation: Kernel.org Restrict Kernel Module)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--4490fee2-5c70-4db3-8db5-8d88767dbd55", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1214", "external_id": "T1214"}], "modified": "2019-07-24T14:22:57.902Z", "name": "Credentials in Registry Mitigation", "description": "Do not store credentials within the Registry. Proactively search for credentials within Registry keys and attempt to remediate the risk. If necessary software must store credentials, then ensure those accounts have limited permissions so they cannot be abused if obtained by an adversary.", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--45e7f570-6a0b-4095-bf02-4bca05da6bae", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "T1036", "url": "https://attack.mitre.org/mitigations/T1036", "source_name": "mitre-attack"}, {"source_name": "Beechey 2010", "description": "Beechey, J. 
(2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599"}, {"url": "https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html", "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", "source_name": "Windows Commands JPCERT"}, {"url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", "source_name": "NSA MS AppLocker"}, {"source_name": "Corio 2008", "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.", "url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx"}, {"source_name": "TechNet Applocker vs SRP", "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.", "url": "https://technet.microsoft.com/en-us/library/ee791851.aspx"}], "modified": "2021-08-23T20:25:19.740Z", "name": "Masquerading Mitigation", "description": "When creating security rules, avoid exclusions based on file name or file path. Require signed binaries. Use file system access controls to protect folders such as C:\\Windows\\System32. Use tools that restrict program execution via whitelisting by attributes other than file name.\n\nIdentify potentially malicious software that may look like a legitimate program based on name and location, and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. 
(Citation: TechNet Applocker vs SRP)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--4689b9fb-dca4-473e-831b-34717ad50c97", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1102", "external_id": "T1102"}, {"source_name": "University of Birmingham C2", "description": "Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.", "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"}], "modified": "2019-07-25T12:34:04.565Z", "name": "Web Service Mitigation", "description": "Firewalls and Web proxies can be used to enforce external network communication policy. It may be difficult for an organization to block particular services because so many of them are commonly used during the course of business.\n\nNetwork intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific protocol or encoded commands used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. 
(Citation: University of Birmingham C2)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--46acc565-11aa-40ba-b629-33ba0ab9b07b", "type": "course-of-action", "created": "2019-04-24T16:59:33.603Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"url": "https://attack.mitre.org/mitigations/T1496", "source_name": "mitre-attack", "external_id": "T1496"}, {"source_name": "Beechey 2010", "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599"}, {"url": "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", "source_name": "Windows Commands JPCERT"}, {"url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", "source_name": "NSA MS AppLocker"}, {"source_name": "Corio 2008", "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.", "url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx"}, {"source_name": "TechNet Applocker vs SRP", "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. 
Retrieved April 7, 2016.", "url": "https://technet.microsoft.com/en-us/library/ee791851.aspx"}], "modified": "2020-01-17T16:45:24.247Z", "name": "Resource Hijacking Mitigation", "description": "Identify potentially malicious software and audit and/or block it by using whitelisting(Citation: Beechey 2010) tools, like AppLocker,(Citation: Windows Commands JPCERT)(Citation: NSA MS AppLocker) or Software Restriction Policies(Citation: Corio 2008) where appropriate.(Citation: TechNet Applocker vs SRP)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--46b7ef91-4e1d-43c5-a2eb-00fa9444f6f4", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "T1040", "url": "https://attack.mitre.org/mitigations/T1040", "source_name": "mitre-attack"}, {"source_name": "Beechey 2010", "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599"}, {"url": "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", "source_name": "Windows Commands JPCERT"}, {"url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. 
Retrieved March 31, 2016.", "source_name": "NSA MS AppLocker"}, {"source_name": "Corio 2008", "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.", "url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx"}, {"source_name": "TechNet Applocker vs SRP", "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.", "url": "https://technet.microsoft.com/en-us/library/ee791851.aspx"}], "modified": "2020-01-17T16:45:23.909Z", "name": "Network Sniffing Mitigation", "description": "Ensure that all wireless traffic is encrypted appropriately. Use Kerberos, SSL, and multifactor authentication wherever possible. Monitor switches and network for span port usage, ARP/DNS poisoning, and router reconfiguration.\n\nIdentify and block potentially malicious software that may be used to sniff or analyze network traffic by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. 
(Citation: TechNet Applocker vs SRP)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--47e0e9fe-96ce-4f65-8bb1-8be1feacb5db", "type": "course-of-action", "created": "2019-06-11T16:35:25.488Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "external_id": "M1038", "url": "https://attack.mitre.org/mitigations/M1038"}], "modified": "2022-02-28T19:50:41.210Z", "name": "Execution Prevention", "description": "Block execution of code on a system through application control, and/or script blocking.", "x_mitre_version": "1.2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--49961e75-b493-423a-9ec7-ac2d6f55384a", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1201", "external_id": "T1201"}, {"url": "https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements", "description": "Hall, J., Lich, B. (2017, September 9). Password must meet complexity requirements. Retrieved April 5, 2018.", "source_name": "Microsoft Password Complexity"}], "modified": "2019-07-25T11:22:39.929Z", "name": "Password Policy Discovery Mitigation", "description": "Mitigating discovery of password policies is not advised since the information is required to be known by systems and users of a network. 
Ensure password policies are such that they mitigate brute force attacks yet will not give an adversary an information advantage because the policies are too light. Active Directory is a common way to set and enforce password policies throughout an enterprise network. (Citation: Microsoft Password Complexity)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2022-10-21T15:51:57.176Z", "name": "Credential Access Protection", "description": "Use capabilities to prevent successful credential access by adversaries; including blocking forms of credential dumping.", "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.1", "type": "course-of-action", "id": "course-of-action--49c06d54-9002-491d-9147-8efb537fbd26", "created": "2019-06-11T16:47:12.859Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M1043", "external_id": "M1043"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--4a99fecc-680b-448e-8fe7-8144c60d272c", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1110", "external_id": "T1110"}, {"source_name": "NIST 800-63-3", "url": "https://pages.nist.gov/800-63-3/sp800-63b.html", "description": "Grassi, P., et al. (2017, December 1). SP 800-63-3, Digital Identity Guidelines. 
Retrieved January 16, 2019."}], "modified": "2019-07-24T18:03:10.785Z", "name": "Brute Force Mitigation", "description": "Set account lockout policies after a certain number of failed login attempts to prevent passwords from being guessed. \nToo strict a policy can create a denial of service condition and render environments un-usable, with all accounts being locked-out permanently. Use multifactor authentication. Follow best practices for mitigating access to [Valid Accounts](https://attack.mitre.org/techniques/T1078)\n\nRefer to NIST guidelines when creating passwords.(Citation: NIST 800-63-3)\n\nWhere possible, also enable multi factor authentication on external facing services.", "x_mitre_deprecated": true, "x_mitre_version": "1.1", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--4b998a71-7b8f-4dcc-8f3f-277f2e740271", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1066", "external_id": "T1066"}, {"url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", "source_name": "Beechey 2010"}, {"url": "https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html", "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", "source_name": "Windows Commands JPCERT"}, {"url": "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", "description": "NSA Information Assurance Directorate. 
(2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", "source_name": "NSA MS AppLocker"}, {"url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx", "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.", "source_name": "Corio 2008"}, {"url": "https://technet.microsoft.com/en-us/library/ee791851.aspx", "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.", "source_name": "TechNet Applocker vs SRP"}], "modified": "2021-08-23T20:25:19.753Z", "name": "Indicator Removal from Tools Mitigation", "description": "Mitigation is difficult in instances like this because the adversary may have access to the system through another channel and can learn what techniques or tools are blocked by resident defenses. Exercising best practices with configuration and security as well as ensuring that proper process is followed during investigation of potential compromise is essential to detecting a larger intrusion through discrete alerts.\n\nIdentify and block potentially malicious software that may be used by an adversary by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. 
(Citation: TechNet Applocker vs SRP)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--4f170666-7edb-4489-85c2-9affa28a72e0", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1156", "external_id": "T1156"}], "modified": "2019-07-24T14:02:53.251Z", "name": ".bash_profile and .bashrc Mitigation", "description": "Making these files immutable and only changeable by certain administrators will limit the ability for adversaries to easily create user level persistence.", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--51048ba0-a5aa-41e7-bf5d-993cd217dfb2", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1216", "external_id": "T1216"}], "modified": "2019-07-25T11:45:01.486Z", "name": "Signed Script Proxy Execution Mitigation", "description": "Certain signed scripts that can be used to execute other programs may not be necessary within a given environment. 
Use application whitelisting configured to block execution of these scripts if they are not required for a given system or network to prevent potential misuse by adversaries.", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--514e7371-a344-4de7-8ec3-3aa42b801d52", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1104", "external_id": "T1104"}, {"source_name": "University of Birmingham C2", "description": "Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.", "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"}], "modified": "2019-07-25T11:14:24.192Z", "name": "Multi-Stage Channels Mitigation", "description": "Command and control infrastructure used in a multi-stage channel may be blocked if known ahead of time. If unique signatures are present in the C2 traffic, they could also be used as the basis of identifying and blocking the channel. 
(Citation: University of Birmingham C2)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--515f6584-fa98-44fe-a4e8-e428c7188514", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1008", "external_id": "T1008"}, {"source_name": "University of Birmingham C2", "description": "Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.", "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"}], "modified": "2019-07-24T19:28:35.941Z", "name": "Fallback Channels Mitigation", "description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific protocol used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. 
(Citation: University of Birmingham C2)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--51b37302-b844-4c08-ac98-ae6955ed1f55", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "T1113", "url": "https://attack.mitre.org/mitigations/T1113", "source_name": "mitre-attack"}, {"source_name": "Beechey 2010", "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599"}, {"url": "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", "source_name": "Windows Commands JPCERT"}, {"url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", "source_name": "NSA MS AppLocker"}, {"source_name": "Corio 2008", "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.", "url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx"}, {"source_name": "TechNet Applocker vs SRP", "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. 
Retrieved April 7, 2016.", "url": "https://technet.microsoft.com/en-us/library/ee791851.aspx"}], "modified": "2020-01-17T16:45:24.643Z", "name": "Screen Capture Mitigation", "description": "Blocking software based on screen capture functionality may be difficult, and there may be legitimate software that performs those actions. Instead, identify potentially malicious software that may have functionality to acquire screen captures, and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--5391ece4-8866-415d-9b5e-8dc5944f612a", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1153", "external_id": "T1153"}], "modified": "2019-07-25T11:45:45.651Z", "name": "Source Mitigation", "description": "Due to potential legitimate uses of source commands, it may be difficult to mitigate use of this technique.", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--53b3b027-bed3-480c-9101-1247047d0fe6", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": 
"mitre-attack", "url": "https://attack.mitre.org/mitigations/T1076", "external_id": "T1076"}, {"url": "https://security.berkeley.edu/node/94", "description": "Berkeley Security, University of California. (n.d.). Securing Remote Desktop for System Administrators. Retrieved November 4, 2014.", "source_name": "Berkley Secure"}, {"url": "https://technet.microsoft.com/en-us/library/cc754272(v=ws.11).aspx", "description": "Microsoft. (n.d.). Configure Timeout and Reconnection Settings for Remote Desktop Services Sessions. Retrieved December 11, 2017.", "source_name": "Windows RDP Sessions"}], "modified": "2019-07-25T11:33:10.069Z", "name": "Remote Desktop Protocol Mitigation", "description": "Disable the RDP service if it is unnecessary, remove unnecessary accounts and groups from Remote Desktop Users groups, and enable firewall rules to block RDP traffic between network security zones. Audit the Remote Desktop Users group membership regularly. Remove the local Administrators group from the list of groups allowed to log in through RDP. Limit remote user permissions if remote access is necessary. Use remote desktop gateways and multifactor authentication for remote logins. (Citation: Berkley Secure) Do not leave RDP accessible from the internet. Change GPOs to define shorter session timeouts and the maximum amount of time any single session can be active. Change GPOs to specify the maximum amount of time that a disconnected session stays active on the RD session host server. 
(Citation: Windows RDP Sessions)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--54246e2e-683f-4bf2-be4c-d7d5a60e7d22", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1171", "external_id": "T1171"}, {"source_name": "ADSecurity Windows Secure Baseline", "description": "Metcalf, S. (2016, October 21). Securing Windows Workstations: Developing a Secure Baseline. Retrieved November 17, 2017.", "url": "https://adsecurity.org/?p=3299"}, {"source_name": "byt3bl33d3r NTLM Relaying", "url": "https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html", "description": "Salvati, M. (2017, June 2). Practical guide to NTLM Relaying in 2017 (A.K.A getting a foothold in under 5 minutes). Retrieved February 7, 2019."}, {"source_name": "Secure Ideas SMB Relay", "url": "https://blog.secureideas.com/2018/04/ever-run-a-relay-why-smb-relays-should-be-on-your-mind.html", "description": "Kuehn, E. (2018, April 11). Ever Run a Relay? Why SMB Relays Should Be On Your Mind. Retrieved February 7, 2019."}, {"description": "Microsoft. (2008, September 10). Using SMB Packet Signing. Retrieved February 7, 2019.", "url": "https://docs.microsoft.com/en-us/previous-versions/system-center/operations-manager-2005/cc180803(v=technet.10)", "source_name": "Microsoft SMB Packet Signing"}], "modified": "2019-07-24T19:46:41.947Z", "name": "LLMNR/NBT-NS Poisoning Mitigation", "description": "Disable LLMNR and NetBIOS in local computer security settings or by group policy if they are not needed within an environment. 
(Citation: ADSecurity Windows Secure Baseline)\n\nUse host-based security software to block LLMNR/NetBIOS traffic. Enabling SMB Signing can stop NTLMv2 relay attacks.(Citation: byt3bl33d3r NTLM Relaying)(Citation: Secure Ideas SMB Relay)(Citation: Microsoft SMB Packet Signing)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--548bf7ad-e19c-4d74-84bf-84ac4e57f505", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1204", "external_id": "T1204"}], "modified": "2019-07-25T12:31:53.804Z", "name": "User Execution Mitigation", "description": "Use user training as a way to bring awareness to common phishing and spearphishing techniques and how to raise suspicion for potentially malicious events. Application whitelisting may be able to prevent the running of executables masquerading as other files.\n\nIf a link is being visited by a user, block unknown or unused files in transit by default that should not be downloaded or by policy from suspicious sites as a best practice to prevent some vectors, such as .scr, .exe, .lnk, .pif, .cpl, etc. Some download scanning devices can open and analyze compressed and encrypted formats, such as zip and RAR that may be used to conceal malicious files in [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027).\n\nIf a link is being visited by a user, network intrusion prevention systems and systems designed to scan and remove malicious downloads can be used to block activity. 
Solutions can be signature and behavior based, but adversaries may construct files in a way to avoid these systems.", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--54e8722d-2faf-4b1b-93b6-6cbf9551669f", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1200", "external_id": "T1200"}, {"url": "https://en.wikipedia.org/wiki/IEEE_802.1X", "description": "Wikipedia. (2018, March 30). IEEE 802.1X. Retrieved April 11, 2018.", "source_name": "Wikipedia 802.1x"}], "modified": "2019-07-24T19:35:08.161Z", "name": "Hardware Additions Mitigation", "description": "Establish network access control policies, such as using device certificates and the 802.1x standard. (Citation: Wikipedia 802.1x) Restrict use of DHCP to registered devices to prevent unregistered devices from communicating with trusted systems. 
\n\nBlock unknown devices and accessories by endpoint security configuration and monitoring agent.", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--56648de3-8947-4559-90c4-eda10acc0f5a", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1142", "external_id": "T1142"}], "modified": "2019-07-24T19:45:38.627Z", "name": "Keychain Mitigation", "description": "The password for the user's login keychain can be changed from the user's login password. This increases the complexity for an adversary because they need to know an additional password.", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--57019a80-8523-46b6-be7d-f763a15a2cc6", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1064", "external_id": "T1064"}, {"url": "https://cloudblogs.microsoft.com/microsoftsecure/2016/03/22/new-feature-in-office-2016-can-block-macros-and-help-prevent-infection/", "description": "Windows Defender Research. (2016, March 22). New feature in Office 2016 can block macros and help prevent infection. Retrieved April 11, 2018.", "source_name": "Microsoft Block Office Macros"}, {"source_name": "Ars Technica Pwn2Own 2017 VM Escape", "description": "Goodin, D. 
(2017, March 17). Virtual machine escape fetches $105,000 at Pwn2Own hacking contest - updated. Retrieved March 12, 2018.", "url": "https://arstechnica.com/information-technology/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/"}], "modified": "2019-07-25T11:40:52.342Z", "name": "Scripting Mitigation", "description": "Turn off unused features or restrict access to scripting engines such as VBScript or scriptable administration frameworks such as PowerShell.\n\nConfigure Office security settings to enable Protected View, to execute within a sandbox environment, and to block macros through Group Policy. (Citation: Microsoft Block Office Macros) Other types of virtualization and application microsegmentation may also mitigate the impact of compromise. The risks of additional exploits and weaknesses in implementation may still exist. (Citation: Ars Technica Pwn2Own 2017 VM Escape)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--590777b3-b475-4c7c-aaf8-f4a73b140312", "type": "course-of-action", "created": "2019-06-11T17:01:25.405Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "external_id": "M1045", "url": "https://attack.mitre.org/mitigations/M1045"}], "modified": "2020-05-20T13:12:02.881Z", "name": "Code Signing", "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.", "x_mitre_version": "1.1", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": 
"course-of-action--5c167af7-c2cb-42c8-ae67-3fb275bf8488", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "T1099", "url": "https://attack.mitre.org/mitigations/T1099", "source_name": "mitre-attack"}, {"source_name": "Beechey 2010", "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599"}, {"url": "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", "source_name": "Windows Commands JPCERT"}, {"url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", "source_name": "NSA MS AppLocker"}, {"source_name": "Corio 2008", "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.", "url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx"}, {"source_name": "TechNet Applocker vs SRP", "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.", "url": "https://technet.microsoft.com/en-us/library/ee791851.aspx"}], "modified": "2020-01-17T16:45:24.250Z", "name": "Timestomp Mitigation", "description": "Mitigation of timestomping specifically is likely difficult. Efforts should be focused on preventing potentially malicious software from running. 
Identify and block potentially malicious software that may contain functionality to perform timestomping by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--5c49bc54-9929-48ca-b581-7018219b5a97", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "T1087", "url": "https://attack.mitre.org/mitigations/T1087", "source_name": "mitre-attack"}, {"url": "https://www.stigviewer.com/stig/microsoft_windows_server_2012_member_server/2013-07-25/finding/WN12-CC-000077", "description": "UCF. (n.d.). The system must require username and password to elevate a running application.. Retrieved December 18, 2017.", "source_name": "UCF STIG Elevation Account Enumeration"}, {"url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", "source_name": "Beechey 2010"}, {"url": "https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html", "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", "source_name": "Windows Commands JPCERT"}, {"url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", "description": "NSA Information Assurance Directorate. (2014, August). 
Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", "source_name": "NSA MS AppLocker"}, {"url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx", "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.", "source_name": "Corio 2008"}, {"url": "https://technet.microsoft.com/en-us/library/ee791851.aspx", "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.", "source_name": "TechNet Applocker vs SRP"}], "modified": "2021-08-23T20:25:18.116Z", "name": "Account Discovery Mitigation", "description": "Prevent administrator accounts from being enumerated when an application is elevating through UAC since it can lead to the disclosure of account names. The Registry key is located HKLM\\ SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\CredUI\\EnumerateAdministrators
. It can be disabled through GPO: Computer Configuration > [Policies] > Administrative Templates > Windows Components > Credential User Interface: Enumerate administrator accounts on elevation. (Citation: UCF STIG Elevation Account Enumeration)\n\nIdentify unnecessary system utilities or potentially malicious software that may be used to acquire information about system and domain accounts, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--5d8507c4-603e-4fe1-8a4a-b8241f58734b", "type": "course-of-action", "created": "2019-04-08T17:51:41.510Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "T1491", "source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1491"}, {"description": "OWASP. (2017, April 16). OWASP Top 10 2017 - The Ten Most Critical Web Application Security Risks. Retrieved February 12, 2019.", "url": "https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/", "source_name": "OWASP Top 10 2017"}], "modified": "2020-07-14T22:23:56.026Z", "name": "Defacement Mitigation", "description": "Implementing best practices for websites such as defending against [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190) (Citation: OWASP Top 10 2017). Consider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data. 
(Ready.gov IT DRP) Ensure backups are stored off system and are protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery.", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--609191bf-7d06-40e4-b1f8-9e11eb3ff8a6", "type": "course-of-action", "created": "2019-06-11T16:40:14.543Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "external_id": "M1039", "url": "https://attack.mitre.org/mitigations/M1039"}], "modified": "2019-06-11T16:40:14.543Z", "name": "Environment Variable Permissions", "description": "Prevent modification of environment variables by unauthorized users and groups.", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--61d02387-351a-453e-a575-160a9abc3e04", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1164", "external_id": "T1164"}, {"url": "https://support.apple.com/en-us/HT204005", "description": "Apple. (2016, December 6). Automatically re-open windows, apps, and documents on your Mac. Retrieved July 11, 2017.", "source_name": "Re-Open windows on Mac"}], "modified": "2019-07-25T11:30:18.799Z", "name": "Re-opened Applications Mitigation", "description": "Holding the Shift key while logging in prevents apps from opening automatically (Citation: Re-Open windows on Mac). 
This feature can be disabled entirely with the following terminal command: defaults write -g ApplePersistence -bool no
.", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--624d063d-cda8-4616-b4e4-54c04e427aec", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "T1128", "url": "https://attack.mitre.org/mitigations/T1128", "source_name": "mitre-attack"}, {"source_name": "Beechey 2010", "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599"}, {"url": "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", "source_name": "Windows Commands JPCERT"}, {"url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", "source_name": "NSA MS AppLocker"}], "modified": "2020-01-17T16:45:23.652Z", "name": "Netsh Helper DLL Mitigation", "description": "Identify and block potentially malicious software that may persist in this manner by using whitelisting (Citation: Beechey 2010) tools capable of monitoring DLL loads by Windows utilities like AppLocker. 
(Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--62ae52c9-7197-4f5b-be1d-10d2e1df2c96", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1172", "external_id": "T1172"}, {"url": "https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html", "description": "Matthew Dunwoody. (2017, March 27). APT29 Domain Fronting With TOR. Retrieved November 20, 2017.", "source_name": "FireEye APT29 Domain Fronting With TOR March 2017"}, {"url": "http://www.slideshare.net/MatthewDunwoody1/no-easy-breach-derby-con-2016", "description": "Dunwoody, M. and Carr, N.. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved October 4, 2016.", "source_name": "Mandiant No Easy Breach"}], "modified": "2019-07-24T19:12:36.946Z", "name": "Domain Fronting Mitigation", "description": "If it is possible to inspect HTTPS traffic, the captures can be analyzed for connections that appear to be Domain Fronting.\n\nIn order to use domain fronting, attackers will likely need to deploy additional tools to compromised systems. 
(Citation: FireEye APT29 Domain Fronting With TOR March 2017) (Citation: Mandiant No Easy Breach) It may be possible to detect or prevent the installation of these tools with Host-based solutions.", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--65401701-019d-44ff-b223-08d520bb0e7b", "type": "course-of-action", "created": "2021-08-04T21:22:11.612Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "external_id": "M1057", "url": "https://attack.mitre.org/mitigations/M1057"}, {"source_name": "PurpleSec Data Loss Prevention", "url": "https://purplesec.us/data-loss-prevention/", "description": "Michael Swanagan. (2020, October 24). 7 Data Loss Prevention Best Practices & Strategies. Retrieved August 30, 2021."}], "modified": "2021-08-30T15:00:10.680Z", "name": "Data Loss Prevention", "description": "Use a data loss prevention (DLP) strategy to categorize sensitive data, identify data formats indicative of personal identifiable information (PII), and restrict exfiltration of sensitive data.(Citation: PurpleSec Data Loss Prevention)", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--654addf1-47ab-410a-8578-e1a0dc2a49b8", "type": "course-of-action", "created": "2019-04-19T18:46:47.964Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "T1498", "source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1498"}, {"description": "Meintanis, S., Revuelto, V., Socha, K.. (2017, March 10). 
DDoS Overview and Response Guide. Retrieved April 24, 2019.", "url": "http://cert.europa.eu/static/WhitePapers/CERT-EU_Security_Whitepaper_DDoS_17-003.pdf", "source_name": "CERT-EU DDoS March 2017"}], "modified": "2019-07-25T11:16:48.088Z", "name": "Network Denial of Service Mitigation", "description": "When flood volumes exceed the capacity of the network connection being targeted, it is typically necessary to intercept the incoming traffic upstream to filter out the attack traffic from the legitimate traffic. Such defenses can be provided by the hosting Internet Service Provider (ISP) or by a 3rd party such as a Content Delivery Network (CDN) or providers specializing in DoS mitigations.(Citation: CERT-EU DDoS March 2017)\n\nDepending on flood volume, on-premises filtering may be possible by blocking source addresses sourcing the attack, blocking ports that are being targeted, or blocking protocols being used for transport.(Citation: CERT-EU DDoS March 2017)\n\nAs immediate response may require rapid engagement of 3rd parties, analyze the risk associated to critical resources being affected by Network DoS attacks and create a disaster recovery plan/business continuity plan to respond to incidents.(Citation: CERT-EU DDoS March 2017)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--65da1eb6-d35d-4853-b280-98a76c0aef53", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1190", "external_id": "T1190"}], "modified": "2019-07-24T19:21:22.911Z", "name": "Exploit Public-Facing Application Mitigation", "description": "Application isolation and least 
privilege help lessen the impact of an exploit. Application isolation will limit what other processes and system features the exploited target can access, and least privilege for service accounts will limit what permissions the exploited process gets on the rest of the system. Web Application Firewalls may be used to limit exposure of applications.\n\nSegment externally facing servers and services from the rest of the network with a DMZ or on separate hosting infrastructure.\n\nUse secure coding best practices when designing custom software that is meant for deployment to externally facing systems. Avoid issues documented by OWASP, CWE, and other software weakness identification efforts.\n\nRegularly scan externally facing systems for vulnerabilities and establish procedures to rapidly patch systems when critical vulnerabilities are discovered through scanning and through public disclosure.", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--676975b9-7e8e-463d-a31e-4ed2ecbfed81", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1109", "external_id": "T1109"}], "modified": "2019-07-24T18:10:06.475Z", "name": "Component Firmware Mitigation", "description": "Prevent adversary access to privileged accounts or access necessary to perform this technique.\n\nConsider removing and replacing system components suspected of being compromised.", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": 
["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--684feec3-f9ba-4049-9d8f-52d52f3e0e40", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "T1016", "url": "https://attack.mitre.org/mitigations/T1016", "source_name": "mitre-attack"}, {"source_name": "Beechey 2010", "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599"}, {"url": "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", "source_name": "Windows Commands JPCERT"}, {"url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", "source_name": "NSA MS AppLocker"}, {"source_name": "Corio 2008", "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.", "url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx"}, {"source_name": "TechNet Applocker vs SRP", "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. 
Retrieved April 7, 2016.", "url": "https://technet.microsoft.com/en-us/library/ee791851.aspx"}], "modified": "2020-01-17T16:45:23.705Z", "name": "System Network Configuration Discovery Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about a system's network configuration, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--6cac62ce-550b-4793-8ee6-6a1b8836edb0", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1070", "external_id": "T1070"}], "modified": "2019-07-24T19:40:27.401Z", "name": "Indicator Removal on Host Mitigation", "description": "Automatically forward events to a log server or data repository to prevent conditions in which the adversary can locate and manipulate data on the local system. When possible, minimize time delay on event reporting to avoid prolonged storage on the local system. Protect generated event files that are stored locally with proper permissions and authentication and limit opportunities for adversaries to increase privileges by preventing Privilege Escalation opportunities. 
Obfuscate/encrypt event files locally and in transit to avoid giving feedback to an adversary.", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--6e7db820-9735-4545-bc64-039bc4ce354b", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1149", "external_id": "T1149"}], "modified": "2019-07-24T19:46:16.474Z", "name": "LC_MAIN Hijacking Mitigation", "description": "Enforce valid digital signatures for signed code on all applications and only trust applications with signatures from trusted parties.", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--7009ba4d-83d4-4851-9fbb-e09e28497765", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1187", "external_id": "T1187"}, {"url": "https://www.us-cert.gov/ncas/current-activity/2017/01/16/SMB-Security-Best-Practices", "description": "US-CERT. (2017, March 16). SMB Security Best Practices. Retrieved December 21, 2017.", "source_name": "US-CERT SMB Security"}, {"source_name": "US-CERT APT Energy Oct 2017", "description": "US-CERT. (2017, October 20). Alert (TA17-293A): Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors. 
Retrieved November 2, 2017.", "url": "https://www.us-cert.gov/ncas/alerts/TA17-293A"}], "modified": "2019-07-24T19:32:11.883Z", "name": "Forced Authentication Mitigation", "description": "Block SMB traffic from exiting an enterprise network with egress filtering or by blocking TCP ports 139, 445 and UDP port 137. Filter or block WebDAV protocol traffic from exiting the network. If access to external resources over SMB and WebDAV is necessary, then traffic should be tightly limited with whitelisting. (Citation: US-CERT SMB Security) (Citation: US-CERT APT Energy Oct 2017)\n\nFor internal traffic, monitor the workstation-to-workstation unusual (vs. baseline) SMB traffic. For many networks there should not be any, but it depends on how systems on the network are configured and where resources are located.\n\nUse strong passwords to increase the difficulty of credential hashes from being cracked if they are obtained.", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--70886857-0f19-4caa-b081-548354a8a994", "type": "course-of-action", "created": "2019-04-26T19:30:33.607Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "T1495", "source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1495"}], "modified": "2019-07-24T19:31:37.073Z", "name": "Firmware Corruption Mitigation", "description": "Prevent adversary access to privileged accounts or access necessary to perform this technique. Check the integrity of the existing BIOS and device firmware to determine if it is vulnerable to modification. Patch the BIOS and other firmware as necessary to prevent successful use of known vulnerabilities. 
", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--72dade3e-1cba-4182-b3b3-a77ca52f02a1", "type": "course-of-action", "created": "2019-06-06T21:08:58.465Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "external_id": "M1025", "url": "https://attack.mitre.org/mitigations/M1025"}], "modified": "2020-05-20T13:13:48.900Z", "name": "Privileged Process Integrity", "description": "Protect processes with high privileges that can be used to interact with critical system components through use of protected process light, anti-process injection defenses, or other process integrity enforcement measures.", "x_mitre_version": "1.1", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--752db800-ea54-4e7a-b4c1-2a0292350ea7", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1188", "external_id": "T1188"}], "modified": "2019-07-25T11:14:52.662Z", "name": "Multi-hop Proxy Mitigation", "description": "Traffic to known anonymity networks and C2 infrastructure can be blocked through the use of network black and white lists. 
It should be noted that this kind of blocking may be circumvented by other techniques like [Domain Fronting](https://attack.mitre.org/techniques/T1172).", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--7708ac15-4beb-4863-a1a5-da2d63fb8a3c", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1220", "external_id": "T1220"}], "modified": "2019-07-25T12:36:43.778Z", "name": "XSL Script Processing Mitigation", "description": "[Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and/or msxsl.exe may or may not be used within a given environment. Disabling WMI may cause system instability and should be evaluated to assess the impact to a network. If msxsl.exe is unnecessary, then block its execution to prevent abuse by adversaries.", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--77fd4d73-6b79-4593-82e7-e4a439cc7604", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1161", "external_id": "T1161"}], "modified": "2019-07-24T19:45:55.012Z", "name": "LC_LOAD_DYLIB Addition Mitigation", "description": "Enforce that all binaries be signed by the correct Apple Developer IDs, and whitelist applications via known hashes. 
Binaries can also be baselined for what dynamic libraries they require, and if an app requires a new dynamic library that wasn\u2019t included as part of an update, it should be investigated.", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--787fb64d-c87b-4ee5-a341-0ef17ec4c15c", "type": "course-of-action", "created": "2019-07-19T14:58:42.715Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "external_id": "M1055", "url": "https://attack.mitre.org/mitigations/M1055"}], "modified": "2019-07-23T14:44:24.727Z", "name": "Do Not Mitigate", "description": "This category is used to associate techniques for which mitigation might increase the risk of compromise and is therefore not recommended.", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--78bb71be-92b4-46de-acd6-5f998fedf1cc", "type": "course-of-action", "created": "2020-10-19T14:57:58.771Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "external_id": "M1056", "url": "https://attack.mitre.org/mitigations/M1056"}], "modified": "2020-10-20T19:52:32.439Z", "name": "Pre-compromise", "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": 
["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--797312d4-8a84-4daf-9c56-57da4133c322", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1199", "external_id": "T1199"}], "modified": "2019-07-25T12:30:35.417Z", "name": "Trusted Relationship Mitigation", "description": "Network segmentation can be used to isolate infrastructure components that do not require broad network access. Properly manage accounts and permissions used by parties in trusted relationships to minimize potential abuse by the party and if the party is compromised by an adversary. Vet the security policies and procedures of organizations that are contracted for work that require privileged access to network resources.", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--7a14d974-f3d9-4e4e-9b7d-980385762908", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1073", "external_id": "T1073"}], "modified": "2019-07-24T14:24:44.818Z", "name": "DLL Side-Loading Mitigation", "description": "Update software regularly. Install software in write-protected locations. 
Use the program sxstrace.exe that is included with Windows along with manual inspection to check manifest files for side-loading vulnerabilities in software.", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--7a4d0054-53cd-476f-88af-955dddc80ee0", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1189", "external_id": "T1189"}, {"url": "https://blogs.windows.com/msedgedev/2017/03/23/strengthening-microsoft-edge-sandbox/", "description": "Cowan, C. (2017, March 23). Strengthening the Microsoft Edge Sandbox. Retrieved March 12, 2018.", "source_name": "Windows Blogs Microsoft Edge Sandbox"}, {"url": "https://arstechnica.com/information-technology/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/", "description": "Goodin, D. (2017, March 17). Virtual machine escape fetches $105,000 at Pwn2Own hacking contest - updated. Retrieved March 12, 2018.", "source_name": "Ars Technica Pwn2Own 2017 VM Escape"}, {"url": "https://blogs.technet.microsoft.com/srd/2017/08/09/moving-beyond-emet-ii-windows-defender-exploit-guard/", "description": "Nunez, N. (2017, August 9). Moving Beyond EMET II \u2013 Windows Defender Exploit Guard. Retrieved March 12, 2018.", "source_name": "TechNet Moving Beyond EMET"}, {"url": "https://en.wikipedia.org/wiki/Control-flow_integrity", "description": "Wikipedia. (2018, January 11). Control-flow integrity. 
Retrieved March 12, 2018.", "source_name": "Wikipedia Control Flow Integrity"}], "modified": "2019-07-24T19:14:33.952Z", "name": "Drive-by Compromise Mitigation", "description": "Drive-by compromise relies on there being a vulnerable piece of software on the client end systems. Use modern browsers with security features turned on. Ensuring all browsers and plugins are kept updated can help prevent the exploit phase of this technique.\n\nFor malicious code served up through ads, adblockers can help prevent that code from executing in the first place. Script blocking extensions can help prevent the execution of JavaScript that may commonly be used during the exploitation process.\n\nBrowser sandboxes can be used to mitigate some of the impact of exploitation, but sandbox escapes may still exist. (Citation: Windows Blogs Microsoft Edge Sandbox) (Citation: Ars Technica Pwn2Own 2017 VM Escape)\n\nOther types of virtualization and application microsegmentation may also mitigate the impact of client-side exploitation. The risks of additional exploits and weaknesses in implementation may still exist. (Citation: Ars Technica Pwn2Own 2017 VM Escape)\n\nSecurity applications that look for behavior used during exploitation such as Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET) can be used to mitigate some exploitation behavior. (Citation: TechNet Moving Beyond EMET) Control flow integrity checking is another way to potentially identify and stop a software exploit from occurring. 
(Citation: Wikipedia Control Flow Integrity) Many of these protections depend on the architecture and target application binary for compatibility.", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--7a6e5ca3-562f-4185-a323-f3b62b5b2e6b", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1177", "external_id": "T1177"}, {"source_name": "Microsoft LSA Protection Mar 2014", "description": "Microsoft. (2014, March 12). Configuring Additional LSA Protection. Retrieved November 27, 2017.", "url": "https://technet.microsoft.com/library/dn408187.aspx"}, {"url": "https://docs.microsoft.com/windows/access-protection/credential-guard/credential-guard-manage", "description": "Lich, B., Tobin, J., Hall, J. (2017, April 5). Manage Windows Defender Credential Guard. Retrieved November 27, 2017.", "source_name": "Microsoft Enable Cred Guard April 2017"}, {"url": "https://docs.microsoft.com/windows/access-protection/credential-guard/credential-guard-how-it-works", "description": "Lich, B., Tobin, J. (2017, April 5). How Windows Defender Credential Guard works. Retrieved November 27, 2017.", "source_name": "Microsoft Credential Guard April 2017"}, {"source_name": "Microsoft DLL Security", "description": "Microsoft. (n.d.). Dynamic-Link Library Security. 
Retrieved November 27, 2017.", "url": "https://msdn.microsoft.com/library/windows/desktop/ff919712.aspx"}], "modified": "2019-07-24T19:47:23.978Z", "name": "LSASS Driver Mitigation", "description": "On Windows 8.1 and Server 2012 R2, enable LSA Protection by setting the Registry key HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\RunAsPPL
to dword:00000001
. (Citation: Microsoft LSA Protection Mar 2014) LSA Protection ensures that LSA plug-ins and drivers are only loaded if they are digitally signed with a Microsoft signature and adhere to the Microsoft Security Development Lifecycle (SDL) process guidance.\n\nOn Windows 10 and Server 2016, enable Windows Defender Credential Guard (Citation: Microsoft Enable Cred Guard April 2017) to run lsass.exe in an isolated virtualized environment without any device drivers. (Citation: Microsoft Credential Guard April 2017)\n\nEnsure safe DLL search mode is enabled HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager\\SafeDllSearchMode
to mitigate risk that lsass.exe loads a malicious code library. (Citation: Microsoft DLL Security)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--7aee8ea0-0baa-4232-b379-5d9ce98352cf", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1179", "external_id": "T1179"}], "modified": "2019-07-24T19:37:27.850Z", "name": "Hooking Mitigation", "description": "This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of operating system design features. For example, mitigating all hooking will likely have unintended side effects, such as preventing legitimate software (i.e., security products) from operating properly. 
Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior.", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--7bb5fae9-53ad-4424-866b-f0ea2a8b731d", "type": "course-of-action", "created": "2019-06-06T20:15:34.146Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "external_id": "M1020", "url": "https://attack.mitre.org/mitigations/M1020"}], "modified": "2019-06-06T20:15:34.146Z", "name": "SSL/TLS Inspection", "description": "Break and inspect SSL/TLS sessions to look at encrypted web traffic for adversary activity.", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--7c1796c7-9fc3-4c3e-9416-527295bf5d95", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1043", "external_id": "T1043"}, {"source_name": "University of Birmingham C2", "description": "Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. 
Retrieved April 20, 2016.", "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"}], "modified": "2019-07-24T14:17:58.966Z", "name": "Commonly Used Port Mitigation", "description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific protocol used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--7c39ebbf-244e-4d1c-b0ac-b282453ece43", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "T1093", "url": "https://attack.mitre.org/mitigations/T1093", "source_name": "mitre-attack"}, {"source_name": "Beechey 2010", "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599"}, {"url": "https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html", "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. 
Retrieved February 2, 2016.", "source_name": "Windows Commands JPCERT"}, {"url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", "source_name": "NSA MS AppLocker"}, {"source_name": "Corio 2008", "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.", "url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx"}, {"source_name": "TechNet Applocker vs SRP", "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.", "url": "https://technet.microsoft.com/en-us/library/ee791851.aspx"}], "modified": "2021-08-23T20:25:18.615Z", "name": "Process Hollowing Mitigation", "description": "This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of operating system design features. For example, mitigating specific API calls will likely have unintended side effects, such as preventing legitimate software (i.e., security products) from operating properly. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior. \n\nAlthough process hollowing may be used to evade certain types of defenses, it is still good practice to identify potentially malicious software that may be used to perform adversarial actions and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. 
(Citation: TechNet Applocker vs SRP)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--7da0387c-ba92-4553-b291-b636ee42b2eb", "type": "course-of-action", "created": "2019-06-11T17:02:36.984Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "external_id": "M1046", "url": "https://attack.mitre.org/mitigations/M1046"}], "modified": "2020-05-19T12:28:50.603Z", "name": "Boot Integrity", "description": "Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--7ee0879d-ce4f-4f54-a96b-c532dfb98ffd", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "T1005", "url": "https://attack.mitre.org/mitigations/T1005", "source_name": "mitre-attack"}, {"source_name": "Beechey 2010", "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599"}, {"url": "https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html", "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. 
Retrieved February 2, 2016.", "source_name": "Windows Commands JPCERT"}, {"url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", "source_name": "NSA MS AppLocker"}, {"source_name": "Corio 2008", "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.", "url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx"}, {"source_name": "TechNet Applocker vs SRP", "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.", "url": "https://technet.microsoft.com/en-us/library/ee791851.aspx"}], "modified": "2021-08-23T20:25:19.372Z", "name": "Data from Local System Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to collect data from the local system, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. 
(Citation: TechNet Applocker vs SRP)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--809b79cd-be78-4597-88d1-5496d1d9993a", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1154", "external_id": "T1154"}], "modified": "2019-07-25T12:29:22.784Z", "name": "Trap Mitigation", "description": "Due to potential legitimate uses of trap commands, it may be difficult to mitigate use of this technique.", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--80c91478-ac87-434f-bee7-11f37aec4d74", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1173", "external_id": "T1173"}, {"source_name": "Microsoft DDE Advisory Nov 2017", "description": "Microsoft. (2017, November 8). Microsoft Security Advisory 4053440 - Securely opening Microsoft Office documents that contain Dynamic Data Exchange (DDE) fields. Retrieved November 21, 2017.", "url": "https://technet.microsoft.com/library/security/4053440"}, {"url": "https://www.bleepingcomputer.com/news/microsoft/microsoft-disables-dde-feature-in-word-to-prevent-further-malware-attacks/", "description": "Cimpanu, C. (2017, December 15). 
Microsoft Disables DDE Feature in Word to Prevent Further Malware Attacks. Retrieved December 19, 2017.", "source_name": "BleepingComputer DDE Disabled in Word Dec 2017"}, {"url": "https://gist.github.com/wdormann/732bb88d9b5dd5a66c9f1e1498f31a1b", "description": "Dormann, W. (2017, October 20). Disable DDEAUTO for Outlook, Word, OneNote, and Excel versions 2010, 2013, 2016. Retrieved February 3, 2018.", "source_name": "GitHub Disable DDEAUTO Oct 2017"}, {"source_name": "Microsoft ADV170021 Dec 2017", "description": "Microsoft. (2017, December 12). ADV170021 - Microsoft Office Defense in Depth Update. Retrieved February 3, 2018.", "url": "https://portal.msrc.microsoft.com/security-guidance/advisory/ADV170021"}, {"url": "https://support.office.com/en-us/article/What-is-Protected-View-d6f09ac7-e6b9-4495-8e43-2bbcdbcb6653", "description": "Microsoft. (n.d.). What is Protected View?. Retrieved November 22, 2017.", "source_name": "Microsoft Protected View"}, {"source_name": "Enigma Reviving DDE Jan 2018", "description": "Nelson, M. (2018, January 29). Reviving DDE: Using OneNote and Excel for Code Execution. Retrieved February 3, 2018.", "url": "https://posts.specterops.io/reviving-dde-using-onenote-and-excel-for-code-execution-d7226864caee"}, {"url": "https://docs.microsoft.com/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction", "description": "Brower, N. & D'Souza-Wiltshire, I. (2017, November 9). Enable Attack surface reduction. Retrieved February 3, 2018.", "source_name": "Microsoft ASR Nov 2017"}], "modified": "2019-07-24T19:15:27.335Z", "name": "Dynamic Data Exchange Mitigation", "description": "Registry keys specific to Microsoft Office feature control security can be set to disable automatic DDE/OLE execution. 
(Citation: Microsoft DDE Advisory Nov 2017) (Citation: BleepingComputer DDE Disabled in Word Dec 2017) (Citation: GitHub Disable DDEAUTO Oct 2017) Microsoft also created, and enabled by default, Registry keys to completely disable DDE execution in Word and Excel. (Citation: Microsoft ADV170021 Dec 2017)\n\nEnsure Protected View is enabled (Citation: Microsoft Protected View) and consider disabling embedded files in Office programs, such as OneNote, not enrolled in Protected View. (Citation: Enigma Reviving DDE Jan 2018) (Citation: GitHub Disable DDEAUTO Oct 2017)\n\nOn Windows 10, enable Attack Surface Reduction (ASR) rules to prevent DDE attacks and spawning of child processes from Office programs. (Citation: Microsoft ASR Nov 2017) (Citation: Enigma Reviving DDE Jan 2018)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--82c21600-ccb6-4232-8c04-ef3792b56628", "type": "course-of-action", "created": "2019-04-22T22:03:26.087Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "T1499", "source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1499"}, {"description": "Meintanis, S., Revuelto, V., Socha, K.. (2017, March 10). DDoS Overview and Response Guide. 
Retrieved April 24, 2019.", "url": "http://cert.europa.eu/static/WhitePapers/CERT-EU_Security_Whitepaper_DDoS_17-003.pdf", "source_name": "CERT-EU DDoS March 2017"}], "modified": "2019-07-24T19:16:50.511Z", "name": "Endpoint Denial of Service Mitigation", "description": "Leverage services provided by Content Delivery Networks (CDN) or providers specializing in DoS mitigations to filter traffic upstream from services.(Citation: CERT-EU DDoS March 2017) Filter boundary traffic by blocking source addresses sourcing the attack, blocking ports that are being targeted, or blocking protocols being used for transport. To defend against SYN floods, enable SYN Cookies.", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--82d8e990-c901-4aed-8596-cc002e7eb307", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "T1124", "url": "https://attack.mitre.org/mitigations/T1124", "source_name": "mitre-attack"}, {"source_name": "Beechey 2010", "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599"}, {"url": "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", "source_name": "Windows Commands JPCERT"}, {"url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", "description": "NSA Information Assurance Directorate. (2014, August). 
Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", "source_name": "NSA MS AppLocker"}, {"source_name": "Corio 2008", "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.", "url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx"}, {"source_name": "TechNet Applocker vs SRP", "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.", "url": "https://technet.microsoft.com/en-us/library/ee791851.aspx"}], "modified": "2020-01-17T16:45:24.239Z", "name": "System Time Discovery Mitigation", "description": "Benign software uses legitimate processes to gather system time. Efforts should be focused on preventing unwanted or unknown code from executing on a system. Some common tools, such as net.exe, may be blocked by policy to prevent common ways of acquiring remote system time.\n\nIdentify unnecessary system utilities or potentially malicious software that may be used to acquire system time information, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. 
(Citation: TechNet Applocker vs SRP)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--82fbc58b-171d-4a2d-9a20-c6b2a716bd08", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "T1116", "url": "https://attack.mitre.org/mitigations/T1116", "source_name": "mitre-attack"}, {"url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", "source_name": "NSA MS AppLocker"}, {"source_name": "TechNet Trusted Publishers", "description": "Microsoft. (n.d.). Manage Trusted Publishers. Retrieved March 31, 2016.", "url": "https://technet.microsoft.com/en-us/library/cc733026.aspx"}, {"source_name": "Securelist Digital Certificates", "description": "Ladikov, A. (2015, January 29). Why You Shouldn\u2019t Completely Trust Files Signed with Digital Certificates. Retrieved March 31, 2016.", "url": "https://securelist.com/why-you-shouldnt-completely-trust-files-signed-with-digital-certificates/68593/"}], "modified": "2020-01-17T16:45:23.319Z", "name": "Code Signing Mitigation", "description": "Process whitelisting and trusted publishers to verify authenticity of software can help prevent signed malicious or untrusted code from executing on a system. 
(Citation: NSA MS AppLocker) (Citation: TechNet Trusted Publishers) (Citation: Securelist Digital Certificates)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--83130e62-bca6-4a81-bd4b-8e233bd49db6", "type": "course-of-action", "created": "2019-04-23T20:33:09.318Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "T1501", "source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1501"}], "modified": "2019-07-25T12:26:37.946Z", "name": "Systemd Service Mitigation", "description": "The creation and modification of systemd service unit files is generally reserved for administrators such as the Linux root user and other users with superuser privileges. Limit user access to system utilities such as systemctl to only users who have a legitimate need. Restrict read/write access to systemd unit files to only select privileged users who have a legitimate need to manage system services. Additionally, the installation of software commonly adds and changes systemd service unit files. Restrict software installation to trusted repositories only and be cautious of orphaned software packages. Utilize malicious code protection and application whitelisting to mitigate the ability of malware to create or modify systemd services. 
", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--84d633a4-dd93-40ca-8510-40238c021931", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1158", "external_id": "T1158"}], "modified": "2019-07-24T19:35:33.631Z", "name": "Hidden Files and Directories Mitigation", "description": "Mitigation of this technique may be difficult and unadvised due to the legitimate use of hidden files and directories.", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--86598de0-b347-4928-9eb0-0acbfc21908c", "type": "course-of-action", "created": "2019-06-10T20:41:03.271Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "external_id": "M1030", "url": "https://attack.mitre.org/mitigations/M1030"}], "modified": "2020-05-14T13:05:39.500Z", "name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. 
Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.", "x_mitre_version": "1.1", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--874c0166-e407-45c2-a1d9-e4e3a6570fd8", "type": "course-of-action", "created": "2019-06-06T19:55:50.927Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "external_id": "M1019", "url": "https://attack.mitre.org/mitigations/M1019"}], "modified": "2019-06-06T19:55:50.927Z", "name": "Threat Intelligence Program", "description": "A threat intelligence program helps an organization generate their own threat intelligence information and track trends to inform defensive priorities to mitigate risk.", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--8a61f6b9-6b7a-4cf2-8e08-f1e26434f6df", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1141", "external_id": "T1141"}], "modified": "2019-07-24T19:42:41.375Z", "name": "Input Prompt Mitigation", "description": "This technique exploits users' tendencies to always supply credentials when prompted, which makes it very difficult to mitigate. 
Use user training as a way to bring awareness and raise suspicion for potentially malicious events (ex: Office documents prompting for credentials).", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--8b36d944-f274-4d46-9acd-dbba6927ce7a", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "T1060", "url": "https://attack.mitre.org/mitigations/T1060", "source_name": "mitre-attack"}, {"source_name": "Beechey 2010", "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599"}, {"url": "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", "source_name": "Windows Commands JPCERT"}, {"url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", "source_name": "NSA MS AppLocker"}, {"source_name": "Corio 2008", "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.", "url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx"}, {"source_name": "TechNet Applocker vs SRP", "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. 
Retrieved April 7, 2016.", "url": "https://technet.microsoft.com/en-us/library/ee791851.aspx"}], "modified": "2020-01-17T16:45:23.869Z", "name": "Registry Run Keys / Startup Folder Mitigation", "description": "Identify and block potentially malicious software that may be executed through run key or startup folder persistence using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--8bd1ae32-a686-48f4-a6f8-470287f76152", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "T1119", "url": "https://attack.mitre.org/mitigations/T1119", "source_name": "mitre-attack"}, {"source_name": "Beechey 2010", "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599"}, {"url": "https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html", "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", "source_name": "Windows Commands JPCERT"}, {"url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. 
Retrieved March 31, 2016.", "source_name": "NSA MS AppLocker"}, {"source_name": "Corio 2008", "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.", "url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx"}, {"source_name": "TechNet Applocker vs SRP", "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.", "url": "https://technet.microsoft.com/en-us/library/ee791851.aspx"}], "modified": "2021-08-23T20:25:18.154Z", "name": "Automated Collection Mitigation", "description": "Encryption and off-system storage of sensitive information may be one way to mitigate collection of files, but may not stop an adversary from acquiring the information if an intrusion persists over a long period of time and the adversary is able to discover and access the data through other means. A keylogger installed on a system may be able to intercept passwords through [Input Capture](https://attack.mitre.org/techniques/T1056) and be used to decrypt protected documents that an adversary may have collected. Strong passwords should be used to prevent offline cracking of encrypted documents through [Brute Force](https://attack.mitre.org/techniques/T1110) techniques.\n\nIdentify unnecessary system utilities, third-party tools, or potentially malicious software that may be used to collect files and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. 
(Citation: TechNet Applocker vs SRP)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--8c918d8a-11c5-4ffd-af10-e74bc06bdfae", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1085", "external_id": "T1085"}, {"source_name": "Secure Host Baseline EMET", "description": "National Security Agency. (2016, May 4). Secure Host Baseline EMET. Retrieved June 22, 2016.", "url": "https://github.com/iadgov/Secure-Host-Baseline/tree/master/EMET"}], "modified": "2019-07-25T11:36:40.673Z", "name": "Rundll32 Mitigation", "description": "Microsoft's Enhanced Mitigation Experience Toolkit (EMET) Attack Surface Reduction (ASR) feature can be used to block methods of using rundll32.exe to bypass whitelisting. (Citation: Secure Host Baseline EMET)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--8f6b5ca6-263a-4ea9-98f3-afd2a3cd8119", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1193", "external_id": "T1193"}], "modified": "2019-07-25T11:50:34.690Z", "name": "Spearphishing Attachment Mitigation", "description": "Network intrusion prevention systems and systems designed to scan and remove malicious email attachments can be used to block activity. 
Solutions can be signature and behavior based, but adversaries may construct attachments in a way to avoid these systems.\n\nBlock unknown or unused attachments by default that should not be transmitted over email as a best practice to prevent some vectors, such as .scr, .exe, .pif, .cpl, etc. Some email scanning devices can open and analyze compressed and encrypted formats, such as zip and rar that may be used to conceal malicious attachments in [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027).\n\nBecause this technique involves user interaction on the endpoint, it's difficult to fully mitigate. However, there are potential mitigations. Users can be trained to identify social engineering techniques and spearphishing emails. To prevent the attachments from executing, application whitelisting can be used. Anti-virus can also automatically quarantine suspicious files.", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--902286b2-96cc-4dd7-931f-e7340c9961da", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "T1006", "url": "https://attack.mitre.org/mitigations/T1006", "source_name": "mitre-attack"}, {"source_name": "Beechey 2010", "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599"}, {"url": "https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html", "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. 
Retrieved February 2, 2016.", "source_name": "Windows Commands JPCERT"}, {"url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", "source_name": "NSA MS AppLocker"}, {"source_name": "Corio 2008", "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.", "url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx"}, {"source_name": "TechNet Applocker vs SRP", "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.", "url": "https://technet.microsoft.com/en-us/library/ee791851.aspx"}], "modified": "2021-08-23T20:25:19.208Z", "name": "File System Logical Offsets Mitigation", "description": "Identify potentially malicious software that may be used to access logical drives in this manner, and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. 
(Citation: TechNet Applocker vs SRP)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2022-10-21T15:52:23.327Z", "name": "Password Policies", "description": "Set and enforce secure password policies for accounts.", "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.0", "type": "course-of-action", "id": "course-of-action--90c218c3-fbf8-4830-98a7-e8cfb7eaa485", "created": "2019-06-06T21:10:35.792Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M1027", "external_id": "M1027"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--90f39ee1-d5a3-4aaa-9f28-3b42815b0d46", "type": "course-of-action", "created": "2019-06-11T16:43:05.712Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "external_id": "M1040", "url": "https://attack.mitre.org/mitigations/M1040"}], "modified": "2019-06-11T16:43:05.712Z", "name": "Behavior Prevention on Endpoint", "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. 
behavior.", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--910482b1-6749-4934-abcb-3e34d58294fc", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1175", "external_id": "T1175"}, {"source_name": "Microsoft Process Wide Com Keys", "description": "Microsoft. (n.d.). Setting Process-Wide Security Through the Registry. Retrieved November 21, 2017.", "url": "https://msdn.microsoft.com/en-us/library/windows/desktop/ms687317(v=vs.85).aspx"}, {"source_name": "Microsoft System Wide Com Keys", "description": "Microsoft. (n.d.). Registry Values for System-Wide Security. Retrieved November 21, 2017.", "url": "https://msdn.microsoft.com/en-us/library/windows/desktop/ms694331(v=vs.85).aspx"}, {"source_name": "Microsoft COM ACL", "description": "Microsoft. (n.d.). DCOM Security Enhancements in Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1. Retrieved November 22, 2017.", "url": "https://docs.microsoft.com/en-us/windows/desktop/com/dcom-security-enhancements-in-windows-xp-service-pack-2-and-windows-server-2003-service-pack-1"}, {"url": "https://technet.microsoft.com/library/cc771387.aspx", "description": "Microsoft. (n.d.). Enable or Disable DCOM. Retrieved November 22, 2017.", "source_name": "Microsoft Disable DCOM"}, {"url": "https://support.office.com/en-us/article/What-is-Protected-View-d6f09ac7-e6b9-4495-8e43-2bbcdbcb6653", "description": "Microsoft. (n.d.). What is Protected View?. 
Retrieved November 22, 2017.", "source_name": "Microsoft Protected View"}], "modified": "2019-07-24T19:12:02.818Z", "name": "Distributed Component Object Model Mitigation", "description": "Modify Registry settings (directly or using Dcomcnfg.exe) in HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AppID_GUID}
associated with the process-wide security of individual COM applications. (Citation: Microsoft Process Wide Com Keys)\n\nModify Registry settings (directly or using Dcomcnfg.exe) in HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole
associated with system-wide security defaults for all COM applications that do not set their own process-wide security. (Citation: Microsoft System Wide Com Keys) (Citation: Microsoft COM ACL)\n\nConsider disabling DCOM through Dcomcnfg.exe. (Citation: Microsoft Disable DCOM)\n\nEnable Windows firewall, which prevents DCOM instantiation by default.\n\nEnsure all COM alerts and Protected View are enabled. (Citation: Microsoft Protected View)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--91816292-3686-4a6e-83c4-4c08513b9b57", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1191", "external_id": "T1191"}, {"source_name": "MSitPros CMSTP Aug 2017", "description": "Moe, O. (2017, August 15). Research on CMSTP.exe. Retrieved April 11, 2018.", "url": "https://msitpros.com/?p=3960"}], "modified": "2019-07-24T18:04:13.126Z", "name": "CMSTP Mitigation", "description": "CMSTP.exe may not be necessary within a given environment (unless using it for VPN connection installation). Consider using application whitelisting configured to block execution of CMSTP.exe if it is not required for a given system or network to prevent potential misuse by adversaries. 
(Citation: MSitPros CMSTP Aug 2017)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--92c28497-2820-445e-9f3e-a03dd77dc0c8", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1041", "external_id": "T1041"}, {"source_name": "University of Birmingham C2", "description": "Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.", "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"}], "modified": "2019-07-24T19:19:30.892Z", "name": "Exfiltration Over Command and Control Channel Mitigation", "description": "Mitigations for command and control apply. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool command and control signatures over time or construct protocols in such a way to avoid detection by common defensive tools. 
(Citation: University of Birmingham C2)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--92e6d080-ca3f-4f95-bc45-172a32c4e502", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1068", "external_id": "T1068"}, {"source_name": "Ars Technica Pwn2Own 2017 VM Escape", "description": "Goodin, D. (2017, March 17). Virtual machine escape fetches $105,000 at Pwn2Own hacking contest - updated. Retrieved March 12, 2018.", "url": "https://arstechnica.com/information-technology/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/"}, {"source_name": "TechNet Moving Beyond EMET", "description": "Nunez, N. (2017, August 9). Moving Beyond EMET II \u2013 Windows Defender Exploit Guard. Retrieved March 12, 2018.", "url": "https://blogs.technet.microsoft.com/srd/2017/08/09/moving-beyond-emet-ii-windows-defender-exploit-guard/"}, {"source_name": "Wikipedia Control Flow Integrity", "description": "Wikipedia. (2018, January 11). Control-flow integrity. Retrieved March 12, 2018.", "url": "https://en.wikipedia.org/wiki/Control-flow_integrity"}], "modified": "2019-07-24T19:26:18.998Z", "name": "Exploitation for Privilege Escalation Mitigation", "description": "Update software regularly by employing patch management for internal enterprise endpoints and servers. Develop a robust cyber threat intelligence capability to determine what types and levels of threat may use software exploits and 0-days against a particular organization. 
Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing, if available. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of client-side exploitation. The risks of additional exploits and weaknesses in implementation may still exist. (Citation: Ars Technica Pwn2Own 2017 VM Escape)\n\nSecurity applications that look for behavior used during exploitation such as Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET) can be used to mitigate some exploitation behavior. (Citation: TechNet Moving Beyond EMET) Control flow integrity checking is another way to potentially identify and stop a software exploit from occurring. (Citation: Wikipedia Control Flow Integrity) Many of these protections depend on the architecture and target application binary for compatibility and may not work for software components targeted for privilege escalation.", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--9378f139-10ef-4e4b-b679-2255a0818902", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "T1058", "url": "https://attack.mitre.org/mitigations/T1058", "source_name": "mitre-attack"}, {"source_name": "Beechey 2010", "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. 
Retrieved November 18, 2014.", "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599"}, {"url": "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", "source_name": "Windows Commands JPCERT"}, {"url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", "source_name": "NSA MS AppLocker"}], "modified": "2020-01-17T16:45:24.258Z", "name": "Service Registry Permissions Weakness Mitigation", "description": "Ensure proper permissions are set for Registry hives to prevent users from modifying keys for system components that may lead to privilege escalation.\n\nIdentify and block potentially malicious software that may be executed through service abuse by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) that are capable of auditing and/or blocking unknown programs.", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--93e7968a-9074-4eac-8ae9-9f5200ec3317", "type": "course-of-action", "created": "2019-06-06T16:50:58.767Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "external_id": "M1018", "url": "https://attack.mitre.org/mitigations/M1018"}], "modified": "2020-05-20T13:49:12.270Z", "name": "User Account Management", "description": "Manage the creation, modification, use, 
and permissions associated to user accounts.", "x_mitre_version": "1.1", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--943d370b-2054-44df-8be2-ab4139bde1c5", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1131", "external_id": "T1131"}, {"source_name": "Graeber 2014", "description": "Graeber, M. (2014, October). Analysis of Malicious Security Support Provider DLLs. Retrieved March 1, 2017.", "url": "http://docplayer.net/20839173-Analysis-of-malicious-security-support-provider-dlls.html"}, {"source_name": "Microsoft Configure LSA", "description": "Microsoft. (2013, July 31). Configuring Additional LSA Protection. Retrieved June 24, 2015.", "url": "https://technet.microsoft.com/en-us/library/dn408187.aspx"}], "modified": "2019-07-24T14:34:11.298Z", "name": "Authentication Package Mitigation", "description": "Windows 8.1, Windows Server 2012 R2, and later versions, may make LSA run as a Protected Process Light (PPL) by setting the Registry key HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\RunAsPPL
, which requires all DLLs loaded by LSA to be signed by Microsoft. (Citation: Graeber 2014) (Citation: Microsoft Configure LSA)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--94927849-03e3-4a07-8f4c-9ee21b626719", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1165", "external_id": "T1165"}], "modified": "2019-07-25T12:01:55.766Z", "name": "Startup Items Mitigation", "description": "Since StartupItems are deprecated, preventing all users from writing to the /Library/StartupItems
directory would prevent any startup items from getting registered. Similarly, appropriate permissions should be applied such that only specific users can edit the startup items so that they can\u2019t be leveraged for privilege escalation.", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--94e95eeb-7cdb-4bd7-afba-f32fda303dbb", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "T1126", "url": "https://attack.mitre.org/mitigations/T1126", "source_name": "mitre-attack"}, {"source_name": "Beechey 2010", "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599"}, {"url": "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", "source_name": "Windows Commands JPCERT"}, {"url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", "source_name": "NSA MS AppLocker"}, {"source_name": "Corio 2008", "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.", "url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx"}, {"source_name": "TechNet Applocker vs SRP", "description": "Microsoft. 
(2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.", "url": "https://technet.microsoft.com/en-us/library/ee791851.aspx"}], "modified": "2020-01-17T16:45:23.119Z", "name": "Network Share Connection Removal Mitigation", "description": "Follow best practices for mitigation of activity related to establishing [Windows Admin Shares](https://attack.mitre.org/techniques/T1077). \n\nIdentify unnecessary system utilities or potentially malicious software that may be used to leverage network shares, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--94f6b4f5-b528-4f50-91d5-f66457c2f8f7", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1185", "external_id": "T1185"}], "modified": "2019-07-25T11:12:34.303Z", "name": "Man in the Browser Mitigation", "description": "Since browser pivoting requires a high integrity process to launch from, restricting user permissions and addressing Privilege Escalation and [Bypass User Account Control](https://attack.mitre.org/techniques/T1088) opportunities can limit the exposure to this technique. 
\n\nClose all browser sessions regularly and when they are no longer needed.", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--95c29444-49f9-49f7-8b20-bcd68d8fcaa6", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "T1182", "url": "https://attack.mitre.org/mitigations/T1182", "source_name": "mitre-attack"}, {"source_name": "Beechey 2010", "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599"}, {"url": "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", "source_name": "Windows Commands JPCERT"}, {"url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. 
Retrieved March 31, 2016.", "source_name": "NSA MS AppLocker"}], "modified": "2020-01-17T16:45:23.701Z", "name": "AppCert DLLs Mitigation", "description": "Identify and block potentially malicious software that may be executed through AppCert DLLs by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) that are capable of auditing and/or blocking unknown DLLs.", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--95ddb356-7ba0-4bd9-a889-247262b8946f", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "T1014", "url": "https://attack.mitre.org/mitigations/T1014", "source_name": "mitre-attack"}, {"source_name": "Beechey 2010", "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599"}, {"url": "https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html", "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", "source_name": "Windows Commands JPCERT"}, {"url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", "source_name": "NSA MS AppLocker"}, {"source_name": "Corio 2008", "description": "Corio, C., & Sayana, D. P. (2008, June). 
Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.", "url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx"}, {"source_name": "TechNet Applocker vs SRP", "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.", "url": "https://technet.microsoft.com/en-us/library/ee791851.aspx"}], "modified": "2021-08-23T20:25:18.627Z", "name": "Rootkit Mitigation", "description": "Identify potentially malicious software that may contain rootkit functionality, and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--96150c35-466f-4f0a-97a9-ae87ee27f751", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1067", "external_id": "T1067"}, {"url": "http://www.trustedcomputinggroup.org/wp-content/uploads/Trusted-Platform-Module-Summary_04292008.pdf", "description": "Trusted Computing Group. (2008, April 29). Trusted Platform Module (TPM) Summary. Retrieved June 8, 2016.", "source_name": "TCG Trusted Platform Module"}, {"url": "https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process", "description": "Microsoft. (n.d.). Secure the Windows 10 boot process. 
Retrieved April 23, 2020.", "source_name": "TechNet Secure Boot Process"}], "modified": "2020-04-23T19:10:28.284Z", "name": "Bootkit Mitigation", "description": "Ensure proper permissions are in place to help prevent adversary access to privileged accounts necessary to perform this action. Use Trusted Platform Module technology and a secure or trusted boot process to prevent system integrity from being compromised. (Citation: TCG Trusted Platform Module) (Citation: TechNet Secure Boot Process)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--96913243-2b5e-4483-a65c-bb152ddd2f04", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "T1038", "url": "https://attack.mitre.org/mitigations/T1038", "source_name": "mitre-attack"}, {"url": "http://blogs.technet.com/b/srd/archive/2010/08/23/more-information-about-dll-preloading-remote-attack-vector.aspx", "description": "Microsoft. (2010, August 12). More information about the DLL Preloading remote attack vector. Retrieved December 5, 2014.", "source_name": "Microsoft DLL Preloading"}, {"url": "http://msdn.microsoft.com/en-US/library/ms682586", "description": "Microsoft. (n.d.). Dynamic-Link Library Search Order. Retrieved November 30, 2014.", "source_name": "Microsoft DLL Search"}, {"url": "https://github.com/mattifestation/PowerSploit", "description": "PowerSploit. (n.d.). Retrieved December 4, 2014.", "source_name": "Powersploit"}, {"source_name": "Beechey 2010", "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. 
Retrieved November 18, 2014.", "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599"}, {"url": "https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html", "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", "source_name": "Windows Commands JPCERT"}, {"url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", "source_name": "NSA MS AppLocker"}], "modified": "2021-08-23T20:25:18.194Z", "name": "DLL Search Order Hijacking Mitigation", "description": "Disallow loading of remote DLLs. (Citation: Microsoft DLL Preloading) This is included by default in Windows Server 2012+ and is available by patch for XP+ and Server 2003+. (Citation: Microsoft DLL Search) Path Algorithm\n\nEnable Safe DLL Search Mode to force search for system DLLs in directories with greater restrictions (e.g. %SYSTEMROOT%
) to be used before local directory DLLs (e.g. a user's home directory). The Safe DLL Search Mode can be enabled via Group Policy at Computer Configuration > [Policies] > Administrative Templates > MSS (Legacy): MSS: (SafeDllSearchMode) Enable Safe DLL search mode. The associated Windows Registry key for this is located at HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\SafeDLLSearchMode
(Citation: Microsoft DLL Search)\n\nUse auditing tools capable of detecting DLL search order hijacking opportunities on systems within an enterprise and correct them. Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for DLL hijacking weaknesses. (Citation: Powersploit)\n\nIdentify and block potentially malicious software that may be executed through search order hijacking by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) that are capable of auditing and/or blocking unknown DLLs.", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--97d8eadb-0459-4c1d-bf1a-e053bd75df61", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1195", "external_id": "T1195"}, {"source_name": "MITRE SE Guide 2014", "description": "The MITRE Corporation. (2014). MITRE Systems Engineering Guide. Retrieved April 6, 2018.", "url": "https://www.mitre.org/sites/default/files/publications/se-guide-book-interactive.pdf"}, {"source_name": "NIST Supply Chain 2012", "description": "Boyens, J,. Et al.. (2002, October). Notional Supply Chain Risk Management Practices for Federal Information Systems. Retrieved April 6, 2018.", "url": "http://dx.doi.org/10.6028/NIST.IR.7622"}, {"description": "OWASP. (2017, April 16). OWASP Top 10 2017 - The Ten Most Critical Web Application Security Risks. 
Retrieved February 12, 2019.", "url": "https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/", "source_name": "OWASP Top 10 2017"}], "modified": "2020-07-14T22:23:56.006Z", "name": "Supply Chain Compromise Mitigation", "description": "Apply supply chain risk management (SCRM) practices and procedures (Citation: MITRE SE Guide 2014), such as supply chain analysis and appropriate risk management, throughout the life-cycle of a system.\n\nLeverage established software development lifecycle (SDLC) practices (Citation: NIST Supply Chain 2012): \n\n* Uniquely Identify Supply Chain Elements, Processes, and Actors\n* Limit Access and Exposure within the Supply Chain\n* Establish and Maintain the Provenance of Elements, Processes, Tools, and Data\n* Share Information within Strict Limits\n* Perform SCRM Awareness and Training\n* Use Defensive Design for Systems, Elements, and Processes\n* Perform Continuous Integrator Review\n* Strengthen Delivery Mechanisms\n* Assure Sustainment Activities and Processes\n* Manage Disposal and Final Disposition Activities throughout the System or Element Life Cycle\n\nA patch management process should be implemented to check unused dependencies, unmaintained and/or previously vulnerable dependencies, unnecessary features, components, files, and documentation. Continuous monitoring of vulnerability sources and the use of automatic and manual code review tools should also be implemented as well. 
(Citation: OWASP Top 10 2017)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--987988f0-cf86-4680-a875-2f6456ab2448", "type": "course-of-action", "created": "2019-06-06T20:54:49.964Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "external_id": "M1022", "url": "https://attack.mitre.org/mitigations/M1022"}], "modified": "2020-05-20T15:12:39.136Z", "name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "x_mitre_version": "1.1", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--9a5b7194-88e0-4579-b82f-e3c27b8cca80", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1136", "external_id": "T1136"}], "modified": "2019-07-24T18:11:24.572Z", "name": "Create Account Mitigation", "description": "Use and enforce multifactor authentication. Follow guidelines to prevent or limit adversary access to [Valid Accounts](https://attack.mitre.org/techniques/T1078) that may be used to create privileged accounts within an environment.\n\nAdversaries that create local accounts on systems may have limited access within a network if access levels are properly locked down. 
These accounts may only be needed for persistence on individual systems and their usefulness depends on the utility of the system they reside on.\n\nProtect domain controllers by ensuring proper security configuration for critical servers. Configure access controls and firewalls to limit access to these systems. Do not allow domain administrator accounts to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems.", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--9a902722-cecd-4fbe-a6c9-49333aa0f8c2", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "T1018", "url": "https://attack.mitre.org/mitigations/T1018", "source_name": "mitre-attack"}, {"source_name": "Beechey 2010", "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599"}, {"url": "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", "source_name": "Windows Commands JPCERT"}, {"url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", "source_name": "NSA MS AppLocker"}, {"source_name": "Corio 2008", "description": "Corio, C., & Sayana, D. P. (2008, June). 
Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.", "url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx"}, {"source_name": "TechNet Applocker vs SRP", "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.", "url": "https://technet.microsoft.com/en-us/library/ee791851.aspx"}], "modified": "2020-01-17T16:45:23.921Z", "name": "Remote System Discovery Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information on remotely available systems, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--9ab7de33-99b2-4d8d-8cf3-182fa0015cc2", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "T1037", "url": "https://attack.mitre.org/mitigations/T1037", "source_name": "mitre-attack"}, {"source_name": "Beechey 2010", "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599"}, {"url": "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. 
Retrieved February 2, 2016.", "source_name": "Windows Commands JPCERT"}, {"url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", "source_name": "NSA MS AppLocker"}], "modified": "2020-01-17T16:45:23.905Z", "name": "Logon Scripts Mitigation", "description": "Restrict write access to logon scripts to specific administrators. Prevent access to administrator accounts by mitigating Credential Access techniques and limiting account access and permissions of [Valid Accounts](https://attack.mitre.org/techniques/T1078).\n\nIdentify and block potentially malicious software that may be executed through logon script modification by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) that are capable of auditing and/or blocking unknown programs.", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--9bb9e696-bff8-4ae1-9454-961fc7d91d5f", "type": "course-of-action", "created": "2019-06-06T21:09:47.115Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "external_id": "M1026", "url": "https://attack.mitre.org/mitigations/M1026"}], "modified": "2020-03-31T13:08:36.655Z", "name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "x_mitre_version": "1.1", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": 
["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--9da16278-c6c5-4410-8a6b-9c16ce8005b3", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1180", "external_id": "T1180"}, {"url": "https://technet.microsoft.com/library/cc938799.aspx", "description": "Microsoft. (n.d.). Customizing the Desktop. Retrieved December 5, 2017.", "source_name": "TechNet Screensaver GP"}], "modified": "2019-07-25T11:40:31.541Z", "name": "Screensaver Mitigation", "description": "Block .scr files from being executed from non-standard locations. Set Group Policy to force users to have a dedicated screensaver where local changes should not override the settings to prevent changes. Use Group Policy to disable screensavers if they are unnecessary. (Citation: TechNet Screensaver GP)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--9e57c770-5a39-49a2-bb91-253ba629e3ac", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1101", "external_id": "T1101"}, {"source_name": "Graeber 2014", "description": "Graeber, M. (2014, October). Analysis of Malicious Security Support Provider DLLs. Retrieved March 1, 2017.", "url": "http://docplayer.net/20839173-Analysis-of-malicious-security-support-provider-dlls.html"}, {"source_name": "Microsoft Configure LSA", "description": "Microsoft. (2013, July 31). 
Configuring Additional LSA Protection. Retrieved June 24, 2015.", "url": "https://technet.microsoft.com/en-us/library/dn408187.aspx"}], "modified": "2019-07-25T11:41:39.946Z", "name": "Security Support Provider Mitigation", "description": "Windows 8.1, Windows Server 2012 R2, and later versions may make LSA run as a Protected Process Light (PPL) by setting the Registry key HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\RunAsPPL
, which requires all SSP DLLs to be signed by Microsoft. (Citation: Graeber 2014) (Citation: Microsoft Configure LSA)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--a0d8db1d-a731-4428-8209-c07175f4b1fe", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1065", "external_id": "T1065"}, {"source_name": "University of Birmingham C2", "description": "Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.", "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"}], "modified": "2019-07-25T12:31:21.118Z", "name": "Uncommonly Used Port Mitigation", "description": "Properly configure firewalls and proxies to limit outgoing traffic to only necessary ports. \n\nNetwork intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific protocol used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. 
(Citation: University of Birmingham C2)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--a13e35cc-8c90-4d77-a965-5461042c1612", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "T1023", "url": "https://attack.mitre.org/mitigations/T1023", "source_name": "mitre-attack"}, {"source_name": "UCF STIG Symbolic Links", "description": "UCF. (n.d.). Unauthorized accounts must not have the Create symbolic links user right.. Retrieved December 18, 2017.", "url": "https://www.stigviewer.com/stig/windows_server_2008_r2_member_server/2015-06-25/finding/V-26482"}, {"source_name": "Beechey 2010", "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599"}, {"url": "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", "source_name": "Windows Commands JPCERT"}, {"url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", "source_name": "NSA MS AppLocker"}, {"source_name": "Corio 2008", "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. 
Retrieved November 18, 2014.", "url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx"}, {"source_name": "TechNet Applocker vs SRP", "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.", "url": "https://technet.microsoft.com/en-us/library/ee791851.aspx"}], "modified": "2020-01-17T16:45:23.907Z", "name": "Shortcut Modification Mitigation", "description": "Limit permissions for who can create symbolic links in Windows to appropriate groups such as Administrators and necessary groups for virtualization. This can be done through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Create symbolic links. (Citation: UCF STIG Symbolic Links)\n\nIdentify and block unknown, potentially malicious software that may be executed through shortcut modification by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--a1482e43-f3ff-4fbd-94de-ad1244738166", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "T1209", "url": "https://attack.mitre.org/mitigations/T1209", "source_name": "mitre-attack"}, {"source_name": "Beechey 2010", "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. 
Retrieved November 18, 2014.", "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599"}, {"url": "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", "source_name": "Windows Commands JPCERT"}, {"url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", "source_name": "NSA MS AppLocker"}, {"url": "https://docs.microsoft.com/windows-server/networking/windows-time-service/windows-time-service-tools-and-settings", "description": "Mathers, B. (2017, May 31). Windows Time Service Tools and Settings. Retrieved March 26, 2018.", "source_name": "Microsoft W32Time May 2017"}], "modified": "2020-01-17T16:45:23.703Z", "name": "Time Providers Mitigation", "description": "Identify and block potentially malicious software that may be executed as a time provider by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) that are capable of auditing and/or blocking unknown DLLs.\n\nConsider using Group Policy to configure and block subsequent modifications to W32Time parameters. 
(Citation: Microsoft W32Time May 2017)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2023-03-31T17:12:06.164Z", "name": "Restrict Registry Permissions", "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.", "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.1", "type": "course-of-action", "id": "course-of-action--a2c36a5d-4058-475e-8e77-fff75e50d3b9", "created": "2019-06-06T20:58:59.577Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M1024", "external_id": "M1024"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--a3e12b04-8598-4909-8855-2c97c1e7d549", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1208", "external_id": "T1208"}, {"source_name": "AdSecurity Cracking Kerberos Dec 2015", "description": "Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets Using Kerberoast \u2013 Exploiting Kerberos to Compromise the Active Directory Domain. Retrieved March 22, 2018.", "url": "https://adsecurity.org/?p=2293"}], "modified": "2019-07-24T19:44:28.440Z", "name": "Kerberoasting Mitigation", "description": "Ensure strong password length (ideally 25+ characters) and complexity for service accounts and that these passwords periodically expire. 
(Citation: AdSecurity Cracking Kerberos Dec 2015) Also consider using Group Managed Service Accounts or another third party product such as password vaulting. (Citation: AdSecurity Cracking Kerberos Dec 2015)\n\nLimit service accounts to minimal required privileges, including membership in privileged groups such as Domain Administrators. (Citation: AdSecurity Cracking Kerberos Dec 2015)\n\nEnable AES Kerberos encryption (or another stronger encryption algorithm), rather than RC4, where possible. (Citation: AdSecurity Cracking Kerberos Dec 2015)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--a569295c-a093-4db4-9fb4-7105edef85ad", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1024", "external_id": "T1024"}, {"source_name": "University of Birmingham C2", "description": "Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.", "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"}], "modified": "2019-07-24T18:14:14.227Z", "name": "Custom Cryptographic Protocol Mitigation", "description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Since the custom protocol used may not adhere to typical protocol standards, there may be opportunities to signature the traffic on a network level for detection. 
Signatures are often for unique indicators within protocols and may be based on the specific protocol used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--a6a47a06-08fc-4ec4-bdc3-20373375ebb9", "type": "course-of-action", "created": "2019-06-11T17:08:33.055Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "external_id": "M1049", "url": "https://attack.mitre.org/mitigations/M1049"}], "modified": "2020-03-31T13:07:15.684Z", "name": "Antivirus/Antimalware", "description": "Use signatures or heuristics to detect malicious software.", "x_mitre_version": "1.1", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--a766ce73-5583-48f3-b7c0-0bb43c6ef8c7", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1032", "external_id": "T1032"}, {"source_name": "University of Birmingham C2", "description": "Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. 
Retrieved April 20, 2016.", "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"}], "modified": "2019-07-25T12:01:13.198Z", "name": "Standard Cryptographic Protocol Mitigation", "description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Use of encryption protocols may make typical network-based C2 detection more difficult due to a reduced ability to signature the traffic. Prior knowledge of adversary C2 infrastructure may be useful for domain and IP address blocking, but will likely not be an effective long-term solution because adversaries can change infrastructure often. (Citation: University of Birmingham C2)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--a90da496-b460-47e8-92e7-cc36eb00bd9a", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "T1121", "url": "https://attack.mitre.org/mitigations/T1121", "source_name": "mitre-attack"}], "modified": "2019-07-25T11:31:59.090Z", "name": "Regsvcs/Regasm Mitigation", "description": "Regsvcs and Regasm may not be necessary within a given environment. 
Block execution of Regsvcs.exe and Regasm.exe if they are not required for a given system or network to prevent potential misuse by adversaries.", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--a98be93b-a75b-4dd4-8a72-4dfd0b5e25bb", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1011", "external_id": "T1011"}, {"url": "https://technet.microsoft.com/library/dd252791.aspx", "description": "Microsoft. (2009, February 9). Disabling Bluetooth and Infrared Beaming. Retrieved July 26, 2018.", "source_name": "Microsoft GPO Bluetooth FEB 2009"}, {"url": "https://www.techrepublic.com/blog/data-center/configuring-wireless-settings-via-group-policy/", "description": "Schauland, D. (2009, February 24). Configuring Wireless settings via Group Policy. Retrieved July 26, 2018.", "source_name": "TechRepublic Wireless GPO FEB 2009"}], "modified": "2019-07-24T19:20:18.344Z", "name": "Exfiltration Over Other Network Medium Mitigation", "description": "Ensure host-based sensors maintain visibility into usage of all network adapters and prevent the creation of new ones where possible. 
(Citation: Microsoft GPO Bluetooth FEB 2009) (Citation: TechRepublic Wireless GPO FEB 2009)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--aaa92b37-f96c-4a0a-859c-b1cb6faeb13d", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "T1061", "url": "https://attack.mitre.org/mitigations/T1061", "source_name": "mitre-attack"}, {"source_name": "Beechey 2010", "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599"}, {"url": "https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html", "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", "source_name": "Windows Commands JPCERT"}, {"url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", "source_name": "NSA MS AppLocker"}, {"source_name": "Corio 2008", "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.", "url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx"}, {"source_name": "TechNet Applocker vs SRP", "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. 
Retrieved April 7, 2016.", "url": "https://technet.microsoft.com/en-us/library/ee791851.aspx"}], "modified": "2021-08-23T20:25:19.202Z", "name": "Graphical User Interface Mitigation", "description": "Prevent adversaries from gaining access to credentials through Credential Access that can be used to log into remote desktop sessions on systems.\n\nIdentify unnecessary system utilities, third-party tools, or potentially malicious software that may be used to log into remote interactive sessions, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) and Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--ac008435-af58-4f77-988a-c9b96c5920f5", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "T1096", "url": "https://attack.mitre.org/mitigations/T1096", "source_name": "mitre-attack"}, {"url": "https://blogs.technet.microsoft.com/askcore/2013/03/24/alternate-data-streams-in-ntfs/", "description": "Marlin, J. (2013, March 24). Alternate Data Streams in NTFS. Retrieved March 21, 2018.", "source_name": "Microsoft ADS Mar 2014"}, {"source_name": "Symantec ADS May 2009", "description": "Pravs. (2009, May 25). What you need to know about alternate data streams in windows? Is your Data secure? Can you restore that?. 
Retrieved March 21, 2018.", "url": "https://www.symantec.com/connect/articles/what-you-need-know-about-alternate-data-streams-windows-your-data-secure-can-you-restore"}, {"source_name": "Beechey 2010", "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599"}, {"url": "https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html", "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", "source_name": "Windows Commands JPCERT"}, {"url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", "source_name": "NSA MS AppLocker"}, {"source_name": "Corio 2008", "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.", "url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx"}, {"source_name": "TechNet Applocker vs SRP", "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.", "url": "https://technet.microsoft.com/en-us/library/ee791851.aspx"}, {"source_name": "InsiderThreat NTFS EA Oct 2017", "description": "Sander, J. (2017, October 12). Attack Step 3: Persistence with NTFS Extended Attributes \u2013 File System Attacks. Retrieved March 21, 2018.", "url": "https://blog.stealthbits.com/attack-step-3-persistence-ntfs-extended-attributes-file-system-attacks"}], "modified": "2021-08-23T20:25:21.492Z", "name": "NTFS File Attributes Mitigation", "description": "It may be difficult or inadvisable to block access to EA and ADSs. 
(Citation: Microsoft ADS Mar 2014) (Citation: Symantec ADS May 2009) Efforts should be focused on preventing potentially malicious software from running. Identify and block potentially malicious software that may contain functionality to hide information in EA and ADSs by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)\n\nConsider adjusting read and write permissions for NTFS EA, though this should be tested to ensure routine OS operations are not impeded. (Citation: InsiderThreat NTFS EA Oct 2017)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--ace4daee-f914-4707-be75-843f16da2edf", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1139", "external_id": "T1139"}], "modified": "2019-07-24T14:37:14.608Z", "name": "Bash History Mitigation", "description": "There are multiple methods of preventing a user's command history from being flushed to their .bash_history file, including use of the following commands:\nset +o history
and set -o history
to start logging again;\nunset HISTFILE
being added to a user's .bash_rc file; and\nln -s /dev/null ~/.bash_history
to write commands to /dev/null
instead.", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--ad7f983d-d5a8-4fce-a38c-b68eda61bf4e", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1192", "external_id": "T1192"}], "modified": "2019-07-25T11:59:46.032Z", "name": "Spearphishing Link Mitigation", "description": "Because this technique involves user interaction on the endpoint, it's difficult to fully mitigate. However, there are potential mitigations. Users can be trained to identify social engineering techniques and spearphishing emails with malicious links. Determine if certain websites that can be used for spearphishing are necessary for business operations and consider blocking access if activity cannot be monitored well or if it poses a significant risk. Other mitigations can take place as [User Execution](https://attack.mitre.org/techniques/T1204) occurs.", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--ae56a49d-5281-45c5-ab95-70a1439c338e", "type": "course-of-action", "created": "2019-04-25T20:53:07.814Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"url": "https://attack.mitre.org/mitigations/T1500", "source_name": "mitre-attack", "external_id": "T1500"}, {"source_name": "Beechey 2010", "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. 
Retrieved November 18, 2014.", "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599"}, {"url": "https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html", "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", "source_name": "Windows Commands JPCERT"}, {"url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", "source_name": "NSA MS AppLocker"}, {"source_name": "Corio 2008", "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.", "url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx"}, {"source_name": "TechNet Applocker vs SRP", "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.", "url": "https://technet.microsoft.com/en-us/library/ee791851.aspx"}], "modified": "2021-08-23T20:25:22.015Z", "name": "Compile After Delivery Mitigation", "description": "This type of technique cannot be easily mitigated with preventive controls or patched since it is based on the abuse of operating system design features. For example, blocking all file compilation may have unintended side effects, such as preventing legitimate OS frameworks and code development mechanisms from operating properly. 
Consider removing compilers if not needed, otherwise efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior.\n\nIdentify unnecessary system utilities or potentially malicious software that may be used to decrypt, deobfuscate, decode, and compile files or information, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--aeff5887-8f9e-48d5-a523-9b395e2ce80a", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "T1003", "url": "https://attack.mitre.org/mitigations/T1003", "source_name": "mitre-attack"}, {"url": "https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material#a-nameesaebmaesae-administrative-forest-design-approach", "description": "Plett, C., Poggemeyer, L. (12, October 26). Securing Privileged Access Reference Material. Retrieved April 25, 2017.", "source_name": "Microsoft Securing Privileged Access"}, {"source_name": "Microsoft LSA", "description": "Microsoft. (2013, July 31). Configuring Additional LSA Protection. Retrieved February 13, 2015.", "url": "https://technet.microsoft.com/en-us/library/dn408187.aspx"}, {"url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", "description": "Beechey, J. 
(2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", "source_name": "Beechey 2010"}, {"url": "https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html", "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", "source_name": "Windows Commands JPCERT"}, {"url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", "source_name": "NSA MS AppLocker"}, {"url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx", "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.", "source_name": "Corio 2008"}, {"url": "https://technet.microsoft.com/en-us/library/ee791851.aspx", "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.", "source_name": "TechNet Applocker vs SRP"}, {"source_name": "TechNet Credential Guard", "description": "Lich, B. (2016, May 31). Protect derived domain credentials with Credential Guard. Retrieved June 1, 2016.", "url": "https://technet.microsoft.com/en-us/itpro/windows/keep-secure/credential-guard"}, {"source_name": "GitHub SHB Credential Guard", "description": "NSA IAD. (2017, April 20). Secure Host Baseline - Credential Guard. Retrieved April 25, 2017.", "url": "https://github.com/iadgov/Secure-Host-Baseline/tree/master/Credential%20Guard"}, {"url": "https://adsecurity.org/?p=1729", "description": "Metcalf, S. (2015, September 25). Mimikatz DCSync Usage, Exploitation, and Detection. Retrieved December 4, 2017.", "source_name": "AdSecurity DCSync Sept 2015"}, {"source_name": "Microsoft Replication ACL", "description": "Microsoft. (n.d.). 
How to grant the \"Replicating Directory Changes\" permission for the Microsoft Metadirectory Services ADMA service account. Retrieved December 4, 2017.", "url": "https://support.microsoft.com/help/303972/how-to-grant-the-replicating-directory-changes-permission-for-the-micr"}, {"source_name": "Microsoft Disable NTLM Nov 2012", "description": "Microsoft. (2012, November 29). Using security policies to restrict NTLM traffic. Retrieved December 4, 2017.", "url": "https://technet.microsoft.com/library/jj865668.aspx"}], "modified": "2021-08-23T20:25:19.916Z", "name": "Credential Dumping Mitigation", "description": "### Windows\nMonitor/harden access to LSASS and SAM table with tools that allow process whitelisting. Limit credential overlap across systems to prevent lateral movement opportunities using [Valid Accounts](https://attack.mitre.org/techniques/T1078) if passwords and hashes are obtained. Ensure that local administrator accounts have complex, unique passwords across all systems on the network. Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled, as this is often equivalent to having a local administrator account with the same password on all systems. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers. (Citation: Microsoft Securing Privileged Access)\n\nOn Windows 8.1 and Windows Server 2012 R2, enable Protected Process Light for LSA. (Citation: Microsoft LSA)\n\nIdentify and block potentially malicious software that may be used to dump credentials by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. 
(Citation: TechNet Applocker vs SRP)\n\nWith Windows 10, Microsoft implemented new protections called Credential Guard to protect the LSA secrets that can be used to obtain credentials through forms of credential dumping. It is not configured by default and has hardware and firmware system requirements. (Citation: TechNet Credential Guard) It also does not protect against all forms of credential dumping. (Citation: GitHub SHB Credential Guard)\n\nManage the access control list for \u201cReplicating Directory Changes\u201d and other permissions associated with domain controller replication. (Citation: AdSecurity DCSync Sept 2015) (Citation: Microsoft Replication ACL)\n\nConsider disabling or restricting NTLM traffic. (Citation: Microsoft Disable NTLM Nov 2012)\n\n### Linux\nScraping the passwords from memory requires root privileges. Follow best practices in restricting access to escalated privileges to prevent hostile programs from accessing such sensitive regions of memory.", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--af093bc8-7b59-4e2a-9da8-8e839b4c50c6", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1219", "external_id": "T1219"}], "modified": "2019-07-25T11:32:44.821Z", "name": "Remote Access Tools Mitigation", "description": "Properly configure firewalls, application firewalls, and proxies to limit outgoing traffic to sites and services used by remote access tools.\n\nNetwork intrusion detection and prevention systems that use network signatures may be able to prevent traffic to these services as well.\n\nUse application whitelisting to 
mitigate use of and installation of unapproved software.", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2022-10-21T15:52:06.295Z", "name": "Multi-factor Authentication", "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.0", "type": "course-of-action", "id": "course-of-action--b045d015-6bed-4490-bd38-56b41ece59a0", "created": "2019-06-10T20:53:36.319Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M1032", "external_id": "M1032"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--b52f41b9-ccf6-4da7-a6c0-167eeb71fbd8", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1176", "external_id": "T1176"}, {"source_name": "Technospot Chrome Extensions GP", "description": "Mohta, A. (n.d.). Block Chrome Extensions using Google Chrome Group Policy Settings. 
Retrieved January 10, 2018.", "url": "http://www.technospot.net/blogs/block-chrome-extensions-using-google-chrome-group-policy-settings/"}], "modified": "2019-07-24T14:41:17.903Z", "name": "Browser Extensions Mitigation", "description": "Only install browser extensions from trusted sources that can be verified. Ensure extensions that are installed are the intended ones as many malicious extensions will masquerade as legitimate ones.\n\nBrowser extensions for some browsers can be controlled through Group Policy. Set a browser extension white or black list as appropriate for your security policy. (Citation: Technospot Chrome Extensions GP)\n\nChange settings to prevent the browser from installing extensions without sufficient permissions.\n\nClose out all browser sessions when finished using them.", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2023-12-26T19:17:13.293Z", "name": "Software Configuration", "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.", "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.2", "type": "course-of-action", "id": "course-of-action--b5dbb4c5-b0b1-40b1-80b6-e9e84ab90067", "created": "2019-07-19T14:40:23.529Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M1054", "external_id": "M1054"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": 
"course-of-action--b70627f7-3b43-4c6f-8fc0-c918c41f8f72", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1207", "external_id": "T1207"}], "modified": "2019-07-24T14:23:59.683Z", "name": "DCShadow Mitigation", "description": "This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of AD design features. For example, mitigating specific AD API calls will likely have unintended side effects, such as preventing DC replication from operating properly. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identification of subsequent malicious behavior.", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--b7b2c89c-09c1-4b71-ae7c-000ec2893aab", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "T1050", "url": "https://attack.mitre.org/mitigations/T1050", "source_name": "mitre-attack"}, {"source_name": "Beechey 2010", "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599"}, {"url": "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. 
Retrieved February 2, 2016.", "source_name": "Windows Commands JPCERT"}, {"url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", "source_name": "NSA MS AppLocker"}, {"source_name": "Corio 2008", "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.", "url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx"}, {"source_name": "TechNet Applocker vs SRP", "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.", "url": "https://technet.microsoft.com/en-us/library/ee791851.aspx"}], "modified": "2020-01-17T16:45:23.647Z", "name": "New Service Mitigation", "description": "Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create new services.\n\nIdentify and block unnecessary system utilities or potentially malicious software that may be used to create services by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. 
(Citation: TechNet Applocker vs SRP)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--b8d57b16-d8e2-428c-a645-1083795b3445", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1092", "external_id": "T1092"}, {"url": "https://support.microsoft.com/en-us/kb/967715", "description": "Microsoft. (n.d.). How to disable the Autorun functionality in Windows. Retrieved April 20, 2016.", "source_name": "Microsoft Disable Autorun"}, {"url": "https://technet.microsoft.com/en-us/library/cc772540(v=ws.10).aspx", "description": "Microsoft. (2007, August 31). https://technet.microsoft.com/en-us/library/cc771759(v=ws.10).aspx. Retrieved April 20, 2016.", "source_name": "TechNet Removable Media Control"}], "modified": "2019-07-24T18:09:33.072Z", "name": "Communication Through Removable Media Mitigation", "description": "Disable Autorun if it is unnecessary. (Citation: Microsoft Disable Autorun) Disallow or restrict removable media at an organizational policy level if they are not required for business operations. 
(Citation: TechNet Removable Media Control)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--b91c2f9e-c1a0-44df-95f0-9e7c9d1d5e55", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1178", "external_id": "T1178"}, {"url": "https://technet.microsoft.com/library/cc755321.aspx", "description": "Microsoft. (2014, November 19). Security Considerations for Trusts. Retrieved November 30, 2017.", "source_name": "Microsoft Trust Considerations Nov 2014"}, {"url": "https://technet.microsoft.com/library/cc794757.aspx", "description": "Microsoft. (n.d.). Configuring SID Filter Quarantining on External Trusts. Retrieved November 30, 2017.", "source_name": "Microsoft SID Filtering Quarantining Jan 2009"}, {"url": "https://technet.microsoft.com/library/cc835085.aspx", "description": "Microsoft. (2012, September 11). Command-Line Reference - Netdom Trust. Retrieved November 30, 2017.", "source_name": "Microsoft Netdom Trust Sept 2012"}, {"url": "https://adsecurity.org/?p=1640", "description": "Metcalf, S. (2015, August 7). Kerberos Golden Tickets are Now More Golden. Retrieved December 1, 2017.", "source_name": "AdSecurity Kerberos GT Aug 2015"}], "modified": "2019-07-25T11:37:35.427Z", "name": "SID-History Injection Mitigation", "description": "Clean up SID-History attributes after legitimate account migration is complete.\n\nConsider applying SID Filtering to interforest trusts, such as forest trusts and external trusts, to exclude SID-History from requests to access domain resources. 
SID Filtering ensures that any authentication requests over a trust only contain SIDs of security principals from the trusted domain (i.e. preventing the trusted domain from claiming a user has membership in groups outside of the domain).\n\nSID Filtering of forest trusts is enabled by default, but may have been disabled in some cases to allow a child domain to transitively access forest trusts. SID Filtering of external trusts is automatically enabled on all created external trusts using Server 2003 or later domain controllers. (Citation: Microsoft Trust Considerations Nov 2014) (Citation: Microsoft SID Filtering Quarantining Jan 2009) Note, however, that SID Filtering is not automatically applied to legacy trusts or may have been deliberately disabled to allow inter-domain access to resources.\n\nSID Filtering can be applied by: (Citation: Microsoft Netdom Trust Sept 2012)\n\n* Disabling SIDHistory on forest trusts using the netdom tool (netdom trust TrustingDomainName /domain:TrustedDomainName /EnableSIDHistory:no
on the domain controller). \n* Applying SID Filter Quarantining to external trusts using the netdom tool (netdom trust TrustingDomainName /domain:TrustedDomainName /quarantine:yes
on the domain controller)\nApplying SID Filtering to domain trusts within a single forest is not recommended as it is an unsupported configuration and can cause breaking changes. (Citation: Microsoft Netdom Trust Sept 2012) (Citation: AdSecurity Kerberos GT Aug 2015) If a domain within a forest is untrustworthy then it should not be a member of the forest. In this situation it is necessary to first split the trusted and untrusted domains into separate forests where SID Filtering can be applied to an interforest trust.", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--b9f0c069-abbe-4a07-a245-2481219a1463", "type": "course-of-action", "created": "2019-06-11T17:06:56.230Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "external_id": "M1048", "url": "https://attack.mitre.org/mitigations/M1048"}], "modified": "2020-03-31T13:08:03.851Z", "name": "Application Isolation and Sandboxing", "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.", "x_mitre_version": "1.1", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--ba06d68a-4891-4eb5-b634-152e05ec60ee", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1030", "external_id": "T1030"}, {"source_name": "University of Birmingham C2", "description": "Gardiner, J., Cova, M., Nagaraja, S. 
(2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.", "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"}], "modified": "2019-07-24T19:05:56.488Z", "name": "Data Transfer Size Limits Mitigation", "description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary command and control infrastructure and malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool command and control signatures over time or construct protocols in such a way to avoid detection by common defensive tools. (Citation: University of Birmingham C2)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--bb25b897-bfc7-4128-839d-52e9764dbfa6", "type": "course-of-action", "created": "2019-04-22T13:54:51.385Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"url": "https://attack.mitre.org/mitigations/T1490", "source_name": "mitre-attack", "external_id": "T1490"}, {"source_name": "Ready.gov IT DRP", "url": "https://www.ready.gov/business/implementation/IT", "description": "Ready.gov. (n.d.). IT Disaster Recovery Plan. Retrieved March 15, 2019."}, {"source_name": "Beechey 2010", "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. 
Retrieved November 18, 2014.", "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599"}, {"url": "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", "source_name": "Windows Commands JPCERT"}, {"url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", "source_name": "NSA MS AppLocker"}, {"source_name": "Corio 2008", "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.", "url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx"}, {"source_name": "TechNet Applocker vs SRP", "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.", "url": "https://technet.microsoft.com/en-us/library/ee791851.aspx"}], "modified": "2020-01-17T16:45:23.917Z", "name": "Inhibit System Recovery Mitigation", "description": "Consider technical controls to prevent the disabling of services or deletion of files involved in system recovery. 
\n\nConsider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data. (Citation: Ready.gov IT DRP) Ensure backups are stored off system and are protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery.\n\nIdentify potentially malicious software and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--bcc91b8c-f104-4710-964e-1d5409666736", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1100", "external_id": "T1100"}, {"source_name": "US-CERT Alert TA15-314A Web Shells", "description": "US-CERT. (2015, November 13). Compromised Web Servers and Web Shells - Threat Awareness and Guidance. Retrieved June 8, 2016.", "url": "https://www.us-cert.gov/ncas/alerts/TA15-314A"}], "modified": "2019-07-25T12:34:23.847Z", "name": "Web Shell Mitigation", "description": "Ensure that externally facing Web servers are patched regularly to prevent adversary access through [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068) to gain remote code access or through file inclusion weaknesses that may allow adversaries to upload files or scripts that are automatically served as Web pages. 
\n\nAudit account and group permissions to ensure that accounts used to manage servers do not overlap with accounts and permissions of users in the internal network that could be acquired through Credential Access and used to log into the Web server and plant a Web shell or pivot from the Web server into the internal network. (Citation: US-CERT Alert TA15-314A Web Shells)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--bcee7b05-89a6-41a5-b7aa-fce4da7ede9e", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "T1075", "url": "https://attack.mitre.org/mitigations/T1075", "source_name": "mitre-attack"}, {"url": "https://github.com/iadgov/Secure-Host-Baseline/blob/master/Windows/Group%20Policy%20Templates/en-US/SecGuide.adml", "source_name": "GitHub IAD Secure Host Baseline UAC Filtering", "description": "NSA IAD. (2017, January 24). MS Security Guide. Retrieved December 18, 2017."}], "modified": "2019-07-25T11:21:20.411Z", "name": "Pass the Hash Mitigation", "description": "Monitor systems and domain logs for unusual credential logon activity. Prevent access to [Valid Accounts](https://attack.mitre.org/techniques/T1078). Apply patch KB2871997 to Windows 7 and higher systems to limit the default access of accounts in the local administrator group. \n\nEnable pass the hash mitigations to apply UAC restrictions to local accounts on network logon. The associated Registry key is located at HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\LocalAccountTokenFilterPolicy
and, through GPO, at Computer Configuration > [Policies] > Administrative Templates > SCM: Pass the Hash Mitigations: Apply UAC restrictions to local accounts on network logons. (Citation: GitHub IAD Secure Host Baseline UAC Filtering)\n\nLimit credential overlap across systems to prevent the damage of credential compromise and reduce the adversary's ability to perform Lateral Movement between systems. Ensure that built-in and created local administrator accounts have complex, unique passwords. Do not allow a domain user to be in the local administrator group on multiple systems.", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--bd2554b8-634f-4434-a986-9b49c29da2ae", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "T1063", "url": "https://attack.mitre.org/mitigations/T1063", "source_name": "mitre-attack"}, {"source_name": "Beechey 2010", "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599"}, {"url": "https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html", "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", "source_name": "Windows Commands JPCERT"}, {"url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. 
Retrieved March 31, 2016.", "source_name": "NSA MS AppLocker"}, {"source_name": "Corio 2008", "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.", "url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx"}, {"source_name": "TechNet Applocker vs SRP", "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.", "url": "https://technet.microsoft.com/en-us/library/ee791851.aspx"}], "modified": "2021-08-23T20:25:18.624Z", "name": "Security Software Discovery Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about local security software, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--beb45abb-11e8-4aef-9778-1f9ac249784f", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1088", "external_id": "T1088"}, {"source_name": "Github UACMe", "description": "UACME Project. (2016, June 16). UACMe. 
Retrieved July 26, 2016.", "url": "https://github.com/hfiref0x/UACME"}], "modified": "2019-07-24T14:13:23.637Z", "name": "Bypass User Account Control Mitigation", "description": "Remove users from the local administrator group on systems. Although UAC bypass techniques exist, it is still prudent to use the highest enforcement level for UAC when possible and mitigate bypass opportunities that exist with techniques such as [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1038). \n\nCheck for common UAC bypass weaknesses on Windows systems to be aware of the risk posture and address issues where appropriate. (Citation: Github UACMe)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--c085476e-1964-4d7f-86e1-d8657a7741e8", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "T1015", "url": "https://attack.mitre.org/mitigations/T1015", "source_name": "mitre-attack"}, {"source_name": "TechNet RDP NLA", "description": "Microsoft. (n.d.). Configure Network Level Authentication for Remote Desktop Services Connections. Retrieved June 6, 2016.", "url": "https://technet.microsoft.com/en-us/library/cc732713.aspx"}, {"source_name": "TechNet RDP Gateway", "description": "Microsoft. (n.d.). Overview of Remote Desktop Gateway. Retrieved June 6, 2016.", "url": "https://technet.microsoft.com/en-us/library/cc731150.aspx"}, {"source_name": "Beechey 2010", "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. 
Retrieved November 18, 2014.", "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599"}, {"url": "https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html", "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", "source_name": "Windows Commands JPCERT"}, {"url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", "source_name": "NSA MS AppLocker"}, {"source_name": "Corio 2008", "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.", "url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx"}, {"source_name": "TechNet Applocker vs SRP", "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.", "url": "https://technet.microsoft.com/en-us/library/ee791851.aspx"}], "modified": "2021-08-23T20:25:19.735Z", "name": "Accessibility Features Mitigation", "description": "To use this technique remotely, an adversary must use it in conjunction with RDP. Ensure that Network Level Authentication is enabled to force the remote desktop session to authenticate before the session is created and the login screen displayed. It is enabled by default on Windows Vista and later. (Citation: TechNet RDP NLA)\n\nIf possible, use a Remote Desktop Gateway to manage connections and security configuration of RDP within a network. 
(Citation: TechNet RDP Gateway)\n\nIdentify and block potentially malicious software that may be executed by an adversary with this technique by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--c1676218-c16a-41c9-8f7a-023779916e39", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "T1049", "url": "https://attack.mitre.org/mitigations/T1049", "source_name": "mitre-attack"}, {"source_name": "Beechey 2010", "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599"}, {"url": "https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html", "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", "source_name": "Windows Commands JPCERT"}, {"url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", "source_name": "NSA MS AppLocker"}, {"source_name": "Corio 2008", "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. 
Retrieved November 18, 2014.", "url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx"}, {"source_name": "TechNet Applocker vs SRP", "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.", "url": "https://technet.microsoft.com/en-us/library/ee791851.aspx"}], "modified": "2021-08-23T20:25:18.609Z", "name": "System Network Connections Discovery Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about network connections, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--c3cf2312-3aab-4aaf-86e6-ab3505430482", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1163", "external_id": "T1163"}], "modified": "2019-07-25T11:29:48.385Z", "name": "Rc.common Mitigation", "description": "Limit privileges of user accounts so only authorized users can edit the rc.common file.", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--c47a9b55-8f61-4b82-b833-1db6242c754e", "type": 
"course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1168", "external_id": "T1168"}], "modified": "2019-08-17T12:10:09.748Z", "name": "Local Job Scheduling Mitigation", "description": "Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized users can create scheduled jobs. Identify and block unnecessary system utilities or potentially malicious software that may be used to schedule jobs using whitelisting tools.", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--c61e2da1-f51f-424c-b152-dc930d4f2e70", "type": "course-of-action", "created": "2019-02-01T14:35:39.565Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "T1480", "source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1480"}], "modified": "2019-07-24T19:17:09.258Z", "name": "Environmental Keying Mitigation", "description": "This technique likely should not be mitigated with preventative controls because it may protect unintended targets from being compromised. 
If targeted, efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior if compromised.", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--c61fee9f-16fb-4f8c-bbf0-869093fcd4a6", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1134", "external_id": "T1134"}, {"source_name": "Microsoft Create Token", "description": "Brower, N., Lich, B. (2017, April 19). Create a token object. Retrieved December 19, 2017.", "url": "https://docs.microsoft.com/windows/device-security/security-policy-settings/create-a-token-object"}, {"source_name": "Microsoft Replace Process Token", "description": "Brower, N., Lich, B. (2017, April 19). Replace a process level token. Retrieved December 19, 2017.", "url": "https://docs.microsoft.com/windows/device-security/security-policy-settings/replace-a-process-level-token"}], "modified": "2019-07-24T14:29:27.367Z", "name": "Access Token Manipulation Mitigation", "description": "Access tokens are an integral part of the security system within Windows and cannot be turned off. However, an attacker must already have administrator level access on the local system to make full use of this technique; be sure to restrict users and accounts to the least privileges they require to do their job.\n\nAny user can also spoof access tokens if they have legitimate credentials. Follow mitigation guidelines for preventing adversary use of [Valid Accounts](https://attack.mitre.org/techniques/T1078). 
Limit permissions so that users and user groups cannot create tokens. This setting should be defined for the local system account only. GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Create a token object. (Citation: Microsoft Create Token) Also define who can create a process level token to only the local and network service through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Replace a process level token. (Citation: Microsoft Replace Process Token)\n\nAlso limit opportunities for adversaries to increase privileges by limiting Privilege Escalation opportunities.", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--c620e3a1-fff5-424f-abea-d2b0f3616f67", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "T1082", "url": "https://attack.mitre.org/mitigations/T1082", "source_name": "mitre-attack"}, {"source_name": "Beechey 2010", "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599"}, {"url": "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. 
Retrieved February 2, 2016.", "source_name": "Windows Commands JPCERT"}, {"url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", "source_name": "NSA MS AppLocker"}, {"source_name": "Corio 2008", "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.", "url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx"}, {"source_name": "TechNet Applocker vs SRP", "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.", "url": "https://technet.microsoft.com/en-us/library/ee791851.aspx"}], "modified": "2020-01-17T16:45:24.235Z", "name": "System Information Discovery Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about the operating system and underlying hardware, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. 
(Citation: TechNet Applocker vs SRP)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--c7e49501-6021-414f-bfa1-94519d8ec314", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1221", "external_id": "T1221"}, {"url": "https://support.office.com/article/enable-or-disable-macros-in-office-files-12b036fd-d140-4e74-b45e-16fed1a7e5c6", "description": "Microsoft. (n.d.). Enable or disable macros in Office files. Retrieved September 13, 2018.", "source_name": "Microsoft Disable Macros"}, {"source_name": "Anomali Template Injection MAR 2018", "description": "Intel_Acquisition_Team. (2018, March 1). Credential Harvesting and Malicious File Delivery using Microsoft Office Template Injection. Retrieved July 20, 2018.", "url": "https://forum.anomali.com/t/credential-harvesting-and-malicious-file-delivery-using-microsoft-office-template-injection/2104"}], "modified": "2019-07-25T12:27:19.577Z", "name": "Template Injection Mitigation", "description": "Consider disabling Microsoft Office macros/active content to prevent the execution of malicious payloads in documents (Citation: Microsoft Disable Macros), though this setting may not mitigate the [Forced Authentication](https://attack.mitre.org/techniques/T1187) use for this technique.\n\nBecause this technique involves user interaction on the endpoint, it's difficult to fully mitigate. However, there are potential mitigations including training users to identify social engineering techniques and spearphishing emails. 
Network/Host intrusion prevention systems, antivirus, and detonation chambers can be employed to prevent documents from fetching and/or executing malicious payloads. (Citation: Anomali Template Injection MAR 2018)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--c861bcb1-946f-450d-ab75-d4e3c1103a56", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1194", "external_id": "T1194"}], "modified": "2019-07-25T12:00:12.285Z", "name": "Spearphishing via Service Mitigation", "description": "Determine if certain social media sites, personal webmail services, or other services that can be used for spearphishing are necessary for business operations and consider blocking access if activity cannot be monitored well or if it poses a significant risk.\n\nBecause this technique involves use of legitimate services and user interaction on the endpoint, it's difficult to fully mitigate. However, there are potential mitigations. Users can be trained to identify social engineering techniques and spearphishing emails with malicious links. To prevent the downloads from executing, application whitelisting can be used. 
Anti-virus can also automatically quarantine suspicious files.", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--c88151a5-fe3f-4773-8147-d801587065a4", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1017", "external_id": "T1017"}], "modified": "2019-07-24T14:05:33.227Z", "name": "Application Deployment Software Mitigation", "description": "Grant access to application deployment systems only to a limited number of authorized administrators. Ensure proper system and access isolation for critical network systems through use of firewalls, account privilege separation, group policy, and multifactor authentication. Verify that account credentials that may be used to access deployment systems are unique and not used throughout the enterprise network. Patch deployment systems regularly to prevent potential remote access through [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068). 
\n\nIf the application deployment system can be configured to deploy only signed binaries, then ensure that the trusted signing certificates are not co-located with the application deployment system and are instead located on a system that cannot be accessed remotely or to which remote access is tightly controlled.", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--c95c8b5c-b431-43c9-9557-f494805e2502", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "T1045", "url": "https://attack.mitre.org/mitigations/T1045", "source_name": "mitre-attack"}, {"source_name": "Beechey 2010", "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599"}, {"url": "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", "source_name": "Windows Commands JPCERT"}, {"url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", "source_name": "NSA MS AppLocker"}, {"source_name": "Corio 2008", "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. 
Retrieved November 18, 2014.", "url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx"}, {"source_name": "TechNet Applocker vs SRP", "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.", "url": "https://technet.microsoft.com/en-us/library/ee791851.aspx"}], "modified": "2020-01-17T16:45:24.233Z", "name": "Software Packing Mitigation", "description": "Ensure updated virus definitions. Create custom signatures for observed malware. Employ heuristic-based malware detection.\n\nIdentify and prevent execution of potentially malicious software that may have been packed by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--cb825b86-3f3b-4686-ba99-44878f5d3173", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1197", "external_id": "T1197"}, {"source_name": "Mondok Windows PiggyBack BITS May 2007", "description": "Mondok, M. (2007, May 11). Malware piggybacks on Windows\u2019 Background Intelligent Transfer Service. Retrieved January 12, 2018.", "url": "https://arstechnica.com/information-technology/2007/05/malware-piggybacks-on-windows-background-intelligent-transfer-service/"}, {"source_name": "Symantec BITS May 2007", "description": "Florio, E. (2007, May 9). Malware Update with Windows Update. 
Retrieved January 12, 2018.", "url": "https://www.symantec.com/connect/blogs/malware-update-windows-update"}, {"source_name": "Microsoft BITS", "description": "Microsoft. (n.d.). Background Intelligent Transfer Service. Retrieved January 12, 2018.", "url": "https://msdn.microsoft.com/library/windows/desktop/bb968799.aspx"}], "modified": "2019-07-24T14:08:16.317Z", "name": "BITS Jobs Mitigation", "description": "This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of operating system design features. For example, disabling all BITS functionality will likely have unintended side effects, such as preventing legitimate software patching and updating. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identification of subsequent malicious behavior. (Citation: Mondok Windows PiggyBack BITS May 2007)\n\nModify network and/or host firewall rules, as well as other network controls, to only allow legitimate BITS traffic.\n\nConsider limiting access to the BITS interface to specific users or groups. (Citation: Symantec BITS May 2007)\n\nConsider reducing the default BITS job lifetime in Group Policy or by editing the JobInactivityTimeout
and MaxDownloadTime
Registry values in HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\BITS
. (Citation: Microsoft BITS)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--cba5667e-e3c6-44a4-811c-266dbc00e440", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "T1181", "url": "https://attack.mitre.org/mitigations/T1181", "source_name": "mitre-attack"}, {"source_name": "Beechey 2010", "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599"}, {"url": "https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html", "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", "source_name": "Windows Commands JPCERT"}, {"url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", "source_name": "NSA MS AppLocker"}, {"source_name": "Corio 2008", "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.", "url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx"}, {"source_name": "TechNet Applocker vs SRP", "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. 
Retrieved April 7, 2016.", "url": "https://technet.microsoft.com/en-us/library/ee791851.aspx"}], "modified": "2021-08-23T20:25:19.367Z", "name": "Extra Window Memory Injection Mitigation", "description": "This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of operating system design features. For example, mitigating specific API calls will likely have unintended side effects, such as preventing legitimate software (i.e., security products) from operating properly. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior.\n\nAlthough EWM injection may be used to evade certain types of defenses, it is still good practice to identify potentially malicious software that may be used to perform adversarial actions and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2023-03-31T14:50:47.704Z", "name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. 
to identify potential weaknesses.", "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.2", "type": "course-of-action", "id": "course-of-action--cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8", "created": "2019-06-11T17:06:14.029Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M1047", "external_id": "M1047"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--cdecc44a-1dbf-4c1f-881c-f21e3f47272a", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1105", "external_id": "T1105"}, {"source_name": "University of Birmingham C2", "description": "Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.", "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"}], "modified": "2019-07-25T11:33:35.477Z", "name": "Remote File Copy Mitigation", "description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware or unusual data transfer over known tools and protocols like FTP can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. 
Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--cfc2d2fc-14ff-495f-bd99-585be47b804f", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1138", "external_id": "T1138"}], "modified": "2019-07-24T14:32:52.325Z", "name": "Application Shimming Mitigation", "description": "There currently aren't a lot of ways to mitigate application shimming. Disabling the Shim Engine isn't recommended because Windows depends on shimming for interoperability and software may become unstable or not work. Microsoft released an optional patch update - KB3045645 - that will remove the \"auto-elevate\" flag within the sdbinst.exe. This will prevent use of application shimming to bypass UAC. 
\n\nChanging UAC settings to \"Always Notify\" will give the user more visibility when UAC elevation is requested, however, this option will not be popular among users due to the constant UAC interruptions.", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--cfd2cd3b-93e7-4b3e-ab46-f8bcafdbdfcf", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1129", "external_id": "T1129"}], "modified": "2019-07-24T19:18:25.859Z", "name": "Execution through Module Load Mitigation", "description": "Directly mitigating module loads and API calls related to module loads will likely have unintended side effects, such as preventing legitimate software from operating properly. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying and correlating subsequent behavior to determine if it is the result of malicious activity.", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--d01f473f-3cdc-4867-9e55-1de9cf1986f0", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "T1140", "url": "https://attack.mitre.org/mitigations/T1140", "source_name": "mitre-attack"}, {"source_name": "Beechey 2010", "description": "Beechey, J. (2010, December). 
Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599"}, {"url": "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", "source_name": "Windows Commands JPCERT"}, {"url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", "source_name": "NSA MS AppLocker"}, {"source_name": "Corio 2008", "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.", "url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx"}, {"source_name": "TechNet Applocker vs SRP", "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.", "url": "https://technet.microsoft.com/en-us/library/ee791851.aspx"}], "modified": "2020-01-17T16:45:23.686Z", "name": "Deobfuscate/Decode Files or Information Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to deobfuscate or decode files or information, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. 
(Citation: TechNet Applocker vs SRP)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--d0415180-51e9-40ce-b57c-c332b0b441f2", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1086", "external_id": "T1086"}, {"url": "https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/", "description": "Sutherland, S. (2014, September 9). 15 Ways to Bypass the PowerShell Execution Policy. Retrieved July 23, 2015.", "source_name": "Netspi PowerShell Execution Policy Bypass"}], "modified": "2019-07-25T11:26:37.066Z", "name": "PowerShell Mitigation", "description": "It may be possible to remove PowerShell from systems when not needed, but a review should be performed to assess the impact to an environment, since it could be in use for many legitimate purposes and administrative functions. When PowerShell is necessary, restrict PowerShell execution policy to administrators and to only execute signed scripts. Be aware that there are methods of bypassing the PowerShell execution policy, depending on environment configuration. 
(Citation: Netspi PowerShell Execution Policy Bypass) Disable/restrict the WinRM Service to help prevent uses of PowerShell for remote execution.", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--d0fcf37a-b6c4-4745-9c43-4fcdb8bfc88e", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1001", "external_id": "T1001"}, {"source_name": "University of Birmingham C2", "description": "Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.", "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"}], "modified": "2019-07-24T14:28:48.363Z", "name": "Data Obfuscation Mitigation", "description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. 
(Citation: University of Birmingham C2)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--d256cb63-b021-4b4a-bb6d-1b42eea179a3", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "T1046", "url": "https://attack.mitre.org/mitigations/T1046", "source_name": "mitre-attack"}, {"source_name": "Beechey 2010", "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599"}, {"url": "https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html", "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", "source_name": "Windows Commands JPCERT"}, {"url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", "source_name": "NSA MS AppLocker"}, {"source_name": "Corio 2008", "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.", "url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx"}, {"source_name": "TechNet Applocker vs SRP", "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. 
Retrieved April 7, 2016.", "url": "https://technet.microsoft.com/en-us/library/ee791851.aspx"}], "modified": "2021-08-23T20:25:19.750Z", "name": "Network Service Scanning Mitigation", "description": "Use network intrusion detection/prevention systems to detect and prevent remote service scans. Ensure that unnecessary ports and services are closed and proper network segmentation is followed to protect critical servers and devices.\n\nIdentify unnecessary system utilities or potentially malicious software that may be used to acquire information about services running on remote systems, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--d2a24649-9694-4c97-9c62-ce7b270bf6a3", "type": "course-of-action", "created": "2019-06-11T17:10:57.070Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "external_id": "M1050", "url": "https://attack.mitre.org/mitigations/M1050"}], "modified": "2020-06-20T20:22:55.938Z", "name": "Exploit Protection", "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.", "x_mitre_version": "1.1", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--d2dce10b-3562-4d61-b2f5-7c6384b038e2", "type": "course-of-action", "created": 
"2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "T1170", "url": "https://attack.mitre.org/mitigations/T1170", "source_name": "mitre-attack"}], "modified": "2019-07-25T11:14:01.112Z", "name": "Mshta Mitigation", "description": "Mshta.exe may not be necessary within a given environment since its functionality is tied to older versions of Internet Explorer that have reached end of life. Use application whitelisting configured to block execution of mshta.exe if it is not required for a given system or network to prevent potential misuse by adversaries.", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--d45f03a8-790a-4f90-b956-cd7e5b8886bf", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1078", "external_id": "T1078"}, {"source_name": "Microsoft Securing Privileged Access", "description": "Plett, C., Poggemeyer, L. (12, October 26). Securing Privileged Access Reference Material. Retrieved April 25, 2017.", "url": "https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material#a-nameesaebmaesae-administrative-forest-design-approach"}, {"source_name": "TechNet Credential Theft", "description": "Microsoft. (2016, April 15). Attractive Accounts for Credential Theft. Retrieved June 3, 2016.", "url": "https://technet.microsoft.com/en-us/library/dn535501.aspx"}, {"source_name": "TechNet Least Privilege", "description": "Microsoft. (2016, April 16). Implementing Least-Privilege Administrative Models. 
Retrieved June 3, 2016.", "url": "https://technet.microsoft.com/en-us/library/dn487450.aspx"}, {"description": "US-CERT. (n.d.). Risks of Default Passwords on the Internet. Retrieved April 12, 2019.", "url": "https://www.us-cert.gov/ncas/alerts/TA13-175A", "source_name": "US-CERT Alert TA13-175A Risks of Default Passwords on the Internet"}], "modified": "2021-04-05T19:21:28.924Z", "name": "Valid Accounts Mitigation", "description": "Take measures to detect or prevent techniques such as [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) or installation of keyloggers to acquire credentials through [Input Capture](https://attack.mitre.org/techniques/T1056). Limit credential overlap across systems to prevent access if account credentials are obtained. Ensure that local administrator accounts have complex, unique passwords across all systems on the network. Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled and use of accounts is segmented, as this is often equivalent to having a local administrator account with the same password on all systems. \n\nFollow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers. (Citation: Microsoft Securing Privileged Access) \n\nAudit domain and local accounts as well as their permission levels routinely to look for situations that could allow an adversary to gain wide access by obtaining credentials of a privileged account. (Citation: TechNet Credential Theft) (Citation: TechNet Least Privilege) These audits should also check whether default accounts have been enabled, and whether new local accounts have been created that have not been authorized. \n\nThe default username and password of applications and appliances should be changed immediately after installation, and before deployment to a production environment. 
(Citation: US-CERT Alert TA13-175A Risks of Default Passwords on the Internet) When possible, applications that use SSH keys should be updated periodically and properly secured. ", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--d4fd04e0-d1a4-4b5a-a5bb-16683cdbcce2", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1133", "external_id": "T1133"}], "modified": "2019-07-24T19:27:15.659Z", "name": "External Remote Services Mitigation", "description": "Limit access to remote services through centrally managed concentrators such as VPNs and other managed remote access systems. Deny direct remote access to internal systems through the use of network proxies, gateways, and firewalls. Disable or block remotely available services such as [Windows Remote Management](https://attack.mitre.org/techniques/T1028). 
Use strong two-factor or multi-factor authentication for remote service accounts to mitigate an adversary's ability to leverage stolen credentials, but be aware of [Multi-Factor Authentication Interception](https://attack.mitre.org/techniques/T1111) techniques for some two-factor authentication implementations.", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--d5dce4b9-f1fa-4c03-aff9-ce177246cb64", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "T1035", "url": "https://attack.mitre.org/mitigations/T1035", "source_name": "mitre-attack"}, {"source_name": "Beechey 2010", "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599"}, {"url": "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", "source_name": "Windows Commands JPCERT"}, {"url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", "source_name": "NSA MS AppLocker"}, {"source_name": "Corio 2008", "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. 
Retrieved November 18, 2014.", "url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx"}, {"source_name": "TechNet Applocker vs SRP", "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.", "url": "https://technet.microsoft.com/en-us/library/ee791851.aspx"}], "modified": "2020-01-17T16:45:24.245Z", "name": "Service Execution Mitigation", "description": "Ensure that permissions disallow services that run at a higher permissions level from being created or interacted with by a user with a lower permission level. Also ensure that high permission level service binaries cannot be replaced or modified by users with a lower permission level.\n\nIdentify unnecessary system utilities or potentially malicious software that may be used to interact with Windows services, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--d7c49196-b40e-42bc-8eed-b803113692ed", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "T1042", "url": "https://attack.mitre.org/mitigations/T1042", "source_name": "mitre-attack"}, {"source_name": "MSDN File Associations", "description": "Microsoft. (n.d.). Retrieved July 26, 2016.", "url": "https://msdn.microsoft.com/en-us/library/cc144156.aspx"}, {"source_name": "Beechey 2010", "description": "Beechey, J. (2010, December). 
Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599"}, {"url": "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", "source_name": "Windows Commands JPCERT"}, {"url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", "source_name": "NSA MS AppLocker"}, {"source_name": "Corio 2008", "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.", "url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx"}, {"source_name": "TechNet Applocker vs SRP", "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.", "url": "https://technet.microsoft.com/en-us/library/ee791851.aspx"}], "modified": "2020-01-17T16:45:23.675Z", "name": "Change Default File Association Mitigation", "description": "Direct mitigation of this technique is not recommended since it is a legitimate function that can be performed by users for software preferences. Follow Microsoft's best practices for file associations. (Citation: MSDN File Associations)\n\nIdentify and block potentially malicious software that may be executed by this technique using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. 
(Citation: TechNet Applocker vs SRP)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--d8787791-d22e-45bb-a9a8-251d8d0a1ff2", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "T1007", "url": "https://attack.mitre.org/mitigations/T1007", "source_name": "mitre-attack"}, {"source_name": "Beechey 2010", "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599"}, {"url": "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", "source_name": "Windows Commands JPCERT"}, {"url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", "source_name": "NSA MS AppLocker"}, {"source_name": "Corio 2008", "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.", "url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx"}, {"source_name": "TechNet Applocker vs SRP", "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. 
Retrieved April 7, 2016.", "url": "https://technet.microsoft.com/en-us/library/ee791851.aspx"}], "modified": "2020-01-17T16:45:23.699Z", "name": "System Service Discovery Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about services, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--d9727aee-48b8-4fdb-89e2-4c49746ba4dd", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "T1039", "url": "https://attack.mitre.org/mitigations/T1039", "source_name": "mitre-attack"}, {"source_name": "Beechey 2010", "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599"}, {"url": "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", "source_name": "Windows Commands JPCERT"}, {"url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. 
Retrieved March 31, 2016.", "source_name": "NSA MS AppLocker"}, {"source_name": "Corio 2008", "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.", "url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx"}, {"source_name": "TechNet Applocker vs SRP", "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.", "url": "https://technet.microsoft.com/en-us/library/ee791851.aspx"}], "modified": "2020-01-17T16:45:23.087Z", "name": "Data from Network Shared Drive Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to collect data from a network share, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--d9f4b5fa-2a39-4bdf-b40a-ea998933cd6d", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "T1125", "url": "https://attack.mitre.org/mitigations/T1125", "source_name": "mitre-attack"}, {"source_name": "Beechey 2010", "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. 
Retrieved November 18, 2014.", "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599"}, {"url": "https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html", "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", "source_name": "Windows Commands JPCERT"}, {"url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", "source_name": "NSA MS AppLocker"}, {"source_name": "Corio 2008", "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.", "url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx"}, {"source_name": "TechNet Applocker vs SRP", "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.", "url": "https://technet.microsoft.com/en-us/library/ee791851.aspx"}], "modified": "2021-08-23T20:25:20.925Z", "name": "Video Capture Mitigation", "description": "Mitigating this technique specifically may be difficult as it requires fine-grained API control. Efforts should be focused on preventing unwanted or unknown code from executing on a system.\n\nIdentify and block potentially malicious software that may be used to capture video and images by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. 
(Citation: TechNet Applocker vs SRP)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--da987565-27b6-4b31-bbcd-74b909847116", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1026", "external_id": "T1026"}, {"source_name": "University of Birmingham C2", "description": "Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.", "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"}], "modified": "2019-07-25T11:15:17.942Z", "name": "Multiband Communication Mitigation", "description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific protocol used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. 
(Citation: University of Birmingham C2)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--dbf0186e-722d-4a0a-af6a-b3460f162f84", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1206", "external_id": "T1206"}], "modified": "2019-07-25T12:02:48.931Z", "name": "Sudo Caching Mitigation", "description": "Setting the timestamp_timeout option to 0 will require the user to enter their password every time sudo is executed. Similarly, enabling the tty_tickets option will prevent this leakage across tty sessions.", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--dc43c2fe-355e-4a79-9570-3267b0992784", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1157", "external_id": "T1157"}], "modified": "2019-07-24T19:15:00.897Z", "name": "Dylib Hijacking Mitigation", "description": "Prevent users from being able to write files to the search paths for applications, both in the folders where applications are run from and the standard dylib folders. If users can't write to these directories, then they can't intercept the search path.", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--dd9a85ad-6a92-4986-a215-b01d0ce7b987", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "T1069", "url": "https://attack.mitre.org/mitigations/T1069", "source_name": "mitre-attack"}, {"source_name": "Beechey 2010", "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599"}, {"url": "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "description": "Tomonaga, S. 
(2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", "source_name": "Windows Commands JPCERT"}, {"url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", "source_name": "NSA MS AppLocker"}, {"source_name": "Corio 2008", "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.", "url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx"}, {"source_name": "TechNet Applocker vs SRP", "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.", "url": "https://technet.microsoft.com/en-us/library/ee791851.aspx"}], "modified": "2020-01-17T16:45:23.874Z", "name": "Permission Groups Discovery Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about groups and permissions, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. 
(Citation: TechNet Applocker vs SRP)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--e0703d4f-3972-424a-8277-84004817e024", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "T1034", "url": "https://attack.mitre.org/mitigations/T1034", "source_name": "mitre-attack"}, {"url": "http://msdn.microsoft.com/en-us/library/ms682425", "description": "Microsoft. (n.d.). CreateProcess function. Retrieved December 5, 2014.", "source_name": "Microsoft CreateProcess"}, {"source_name": "MSDN DLL Security", "description": "Microsoft. (n.d.). Dynamic-Link Library Security. Retrieved July 25, 2016.", "url": "https://msdn.microsoft.com/en-us/library/ff919712.aspx"}, {"source_name": "Kanthak Sentinel", "description": "Kanthak, S. (2016, July 20). Vulnerability and Exploit Detector. Retrieved February 3, 2017.", "url": "https://skanthak.homepage.t-online.de/sentinel.html"}, {"source_name": "Beechey 2010", "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599"}, {"url": "https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html", "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", "source_name": "Windows Commands JPCERT"}, {"url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", "description": "NSA Information Assurance Directorate. (2014, August). 
Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", "source_name": "NSA MS AppLocker"}, {"source_name": "Corio 2008", "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.", "url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx"}], "modified": "2021-08-23T20:25:19.363Z", "name": "Path Interception Mitigation", "description": "Eliminate path interception weaknesses in program configuration files, scripts, the PATH environment variable, services, and in shortcuts by surrounding PATH variables with quotation marks when functions allow for them (Citation: Microsoft CreateProcess). Be aware of the search order Windows uses for executing or loading binaries and use fully qualified paths wherever appropriate (Citation: MSDN DLL Security). Clean up old Windows Registry keys when software is uninstalled to avoid keys with no associated legitimate binaries.\n\nPeriodically search for and correct or report path interception weaknesses on systems that may have been introduced using custom or available tools that report software using insecure path configurations (Citation: Kanthak Sentinel). \n\nRequire that all executables be placed in write-protected directories. Ensure that proper permissions and directory access control are set to deny users the ability to write files to the top-level directory C:
and system directories, such as C:\\Windows\\
, to reduce places where malicious files could be placed for execution.\n\nIdentify and block potentially malicious software that may be executed through the path interception by using whitelisting (Citation: Beechey 2010) tools, like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies, (Citation: Corio 2008) that are capable of auditing and/or blocking unknown executables.", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--e333cf16-5bfa-453e-8e6a-3a4c63d6bfcc", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1152", "external_id": "T1152"}], "modified": "2019-07-24T19:48:43.583Z", "name": "Launchctl Mitigation", "description": "Prevent users from installing their own launch agents or launch daemons and instead require them to be pushed out by group policy.", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--e3388c78-2a8d-47c2-8422-c1398b324462", "type": "course-of-action", "created": "2019-06-06T16:39:58.291Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "external_id": "M1015", "url": "https://attack.mitre.org/mitigations/M1015"}], "modified": "2020-05-29T16:34:40.344Z", "name": "Active Directory Configuration", "description": "Configure Active Directory to prevent use of certain 
techniques; use SID Filtering, etc.", "x_mitre_version": "1.1", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--e547ed6a-f1ca-40df-8613-2ce27927f145", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1052", "external_id": "T1052"}, {"url": "https://support.microsoft.com/en-us/kb/967715", "description": "Microsoft. (n.d.). How to disable the Autorun functionality in Windows. Retrieved April 20, 2016.", "source_name": "Microsoft Disable Autorun"}, {"url": "https://technet.microsoft.com/en-us/library/cc772540(v=ws.10).aspx", "description": "Microsoft. (2007, August 31). https://technet.microsoft.com/en-us/library/cc771759(v=ws.10).aspx. Retrieved April 20, 2016.", "source_name": "TechNet Removable Media Control"}], "modified": "2019-07-24T19:20:50.299Z", "name": "Exfiltration Over Physical Medium Mitigation", "description": "Disable Autorun if it is unnecessary. (Citation: Microsoft Disable Autorun) Disallow or restrict removable media at an organizational policy level if they are not required for business operations. 
(Citation: TechNet Removable Media Control)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--e5d930e9-775a-40ad-9bdb-b941d8dfe86b", "type": "course-of-action", "created": "2019-06-11T17:12:55.207Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "external_id": "M1051", "url": "https://attack.mitre.org/mitigations/M1051"}], "modified": "2020-07-07T12:42:39.005Z", "name": "Update Software", "description": "Perform regular software updates to mitigate exploitation risk.", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--e8242a33-481c-4891-af63-4cf3e4cf6aff", "type": "course-of-action", "created": "2019-06-11T17:00:01.740Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "external_id": "M1044", "url": "https://attack.mitre.org/mitigations/M1044"}], "modified": "2019-06-11T17:00:01.740Z", "name": "Restrict Library Loading", "description": "Prevent abuse of library loading mechanisms in the operating system and software to load untrusted code by configuring appropriate library loading mechanisms and investigating potential vulnerable software.", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--e8d22ec6-2236-48de-954b-974d17492782", "type": "course-of-action", "created": 
"2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "T1111", "url": "https://attack.mitre.org/mitigations/T1111", "source_name": "mitre-attack"}, {"source_name": "Beechey 2010", "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599"}, {"url": "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", "source_name": "Windows Commands JPCERT"}, {"url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", "source_name": "NSA MS AppLocker"}, {"source_name": "Corio 2008", "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.", "url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx"}, {"source_name": "TechNet Applocker vs SRP", "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.", "url": "https://technet.microsoft.com/en-us/library/ee791851.aspx"}], "modified": "2020-01-17T16:45:23.676Z", "name": "Two-Factor Authentication Interception Mitigation", "description": "Remove smart cards when not in use. 
Protect devices and services used to transmit and receive out-of-band codes.\n\nIdentify and block potentially malicious software that may be used to intercept 2FA credentials on a system by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--e9362d25-4427-446b-99e8-b8f0c3b86615", "type": "course-of-action", "created": "2019-04-24T17:02:25.107Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "T1492", "source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1492"}, {"description": "Ready.gov. (n.d.). IT Disaster Recovery Plan. Retrieved March 15, 2019.", "url": "https://www.ready.gov/business/implementation/IT", "source_name": "Ready.gov IT DRP"}], "modified": "2019-07-25T12:02:27.102Z", "name": "Stored Data Manipulation Mitigation", "description": "Identify critical business and system processes that may be targeted by adversaries and work to secure the data related to those processes against tampering. Ensure least privilege principles are applied to important information resources to reduce exposure to data manipulation risk. Consider encrypting important information to reduce an adversary's ability to perform tailored data modifications. Where applicable, examine using file monitoring software to check integrity on important files and directories as well as take corrective actions when unauthorized changes are detected. 
\n\nConsider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data.(Citation: Ready.gov IT DRP) Ensure backups are stored off system and are protected from common methods adversaries may use to gain access and manipulate backups.", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--eb88d97c-32f1-40be-80f0-d61a4b0b4b31", "type": "course-of-action", "created": "2019-06-11T16:45:19.740Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "external_id": "M1042", "url": "https://attack.mitre.org/mitigations/M1042"}], "modified": "2020-03-31T13:12:04.776Z", "name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "x_mitre_version": "1.1", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--ec418d1b-4963-439f-b055-f914737ef362", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1118", "external_id": "T1118"}], "modified": "2019-07-24T19:43:58.738Z", "name": "InstallUtil Mitigation", "description": "InstallUtil may not be necessary within a given environment. 
Use application whitelisting configured to block execution of InstallUtil.exe if it is not required for a given system or network to prevent potential misuse by adversaries.", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--ec42d8be-f762-4127-80f4-f079ea6d7135", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1054", "external_id": "T1054"}, {"url": "https://docs.microsoft.com/windows/desktop/etw/event-tracing-portal", "description": "Microsoft. (2018, May 30). Event Tracing. Retrieved September 6, 2018.", "source_name": "Microsoft ETW May 2018"}], "modified": "2019-07-24T19:39:30.292Z", "name": "Indicator Blocking Mitigation", "description": "Ensure event tracers/forwarders (Citation: Microsoft ETW May 2018), firewall policies, and other associated mechanisms are secured with appropriate permissions and access controls. Consider automatically relaunching forwarding mechanisms at recurring intervals (ex: temporal, on-logon, etc.) 
as well as applying appropriate change management to firewall rules and other related system configurations.", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--ed202147-4026-4330-b5bd-1e8dfa8cf7cc", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "T1112", "url": "https://attack.mitre.org/mitigations/T1112", "source_name": "mitre-attack"}, {"source_name": "Beechey 2010", "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599"}, {"url": "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", "source_name": "Windows Commands JPCERT"}, {"url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", "source_name": "NSA MS AppLocker"}, {"source_name": "Corio 2008", "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.", "url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx"}, {"source_name": "TechNet Applocker vs SRP", "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. 
Retrieved April 7, 2016.", "url": "https://technet.microsoft.com/en-us/library/ee791851.aspx"}], "modified": "2020-01-17T16:45:23.884Z", "name": "Modify Registry Mitigation", "description": "Misconfiguration of permissions in the Registry may lead to opportunities for an adversary to execute code, like through [Service Registry Permissions Weakness](https://attack.mitre.org/techniques/T1058). Ensure proper permissions are set for Registry hives to prevent users from modifying keys for system components that may lead to privilege escalation.\n\nIdentify and block unnecessary system utilities or potentially malicious software that may be used to modify the Registry by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--ef273807-c465-4728-9cee-5823422f42ee", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1198", "external_id": "T1198"}, {"source_name": "SpectorOps Subverting Trust Sept 2017", "description": "Graeber, M. (2017, September). Subverting Trust in Windows. 
Retrieved January 31, 2018.", "url": "https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf"}], "modified": "2019-07-25T11:38:03.304Z", "name": "SIP and Trust Provider Hijacking Mitigation", "description": "Ensure proper permissions are set for Registry hives to prevent users from modifying keys related to SIP and trust provider components. Also ensure that these values contain their full path to prevent [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1038). (Citation: SpectorOps Subverting Trust Sept 2017)\n\nConsider removing unnecessary and/or stale SIPs. (Citation: SpectorOps Subverting Trust Sept 2017)\n\nRestrict storage and execution of SIP DLLs to protected directories, such as C:\\Windows, rather than user directories.\n\nEnable whitelisting solutions such as AppLocker and/or Device Guard to block the loading of malicious SIP DLLs. Components may still be able to be hijacked to suitable functions already present on disk if malicious modifications to Registry keys are not prevented.", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--effb83a0-ead1-4b36-b7f6-b7bdf9c4616e", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "T1091", "url": "https://attack.mitre.org/mitigations/T1091", "source_name": "mitre-attack"}, {"source_name": "Microsoft Disable Autorun", "description": "Microsoft. (n.d.). How to disable the Autorun functionality in Windows. Retrieved April 20, 2016.", "url": "https://support.microsoft.com/en-us/kb/967715"}, {"source_name": "TechNet Removable Media Control", "description": "Microsoft. (2007, August 31). 
https://technet.microsoft.com/en-us/library/cc771759(v=ws.10).aspx. Retrieved April 20, 2016.", "url": "https://technet.microsoft.com/en-us/library/cc772540(v=ws.10).aspx"}, {"source_name": "Beechey 2010", "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599"}, {"url": "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", "source_name": "Windows Commands JPCERT"}, {"url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", "source_name": "NSA MS AppLocker"}, {"source_name": "Corio 2008", "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.", "url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx"}, {"source_name": "TechNet Applocker vs SRP", "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.", "url": "https://technet.microsoft.com/en-us/library/ee791851.aspx"}], "modified": "2020-01-17T16:45:23.877Z", "name": "Replication Through Removable Media Mitigation", "description": "Disable Autorun if it is unnecessary. (Citation: Microsoft Disable Autorun) Disallow or restrict removable media at an organizational policy level if it is not required for business operations. 
(Citation: TechNet Removable Media Control)\n\nIdentify potentially malicious software that may be used to infect removable media or may result from tainted removable media, and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--f0a42cad-9b1f-44da-a672-718f18381018", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1080", "external_id": "T1080"}, {"url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", "source_name": "Beechey 2010"}, {"url": "https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html", "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", "source_name": "Windows Commands JPCERT"}, {"url": "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", "source_name": "NSA MS AppLocker"}, {"url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx", "description": "Corio, C., & Sayana, D. P. 
(2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.", "source_name": "Corio 2008"}, {"url": "https://technet.microsoft.com/en-us/library/ee791851.aspx", "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.", "source_name": "TechNet Applocker vs SRP"}], "modified": "2021-08-23T20:25:21.481Z", "name": "Taint Shared Content Mitigation", "description": "Protect shared folders by minimizing users who have write access. Use utilities that detect or mitigate common features used in exploitation, such as the Microsoft Enhanced Mitigation Experience Toolkit (EMET).\n\nReduce potential lateral movement risk by using web-based document management and collaboration services that do not use network file and directory sharing.\n\nIdentify potentially malicious software that may be used to taint content or may result from it and audit and/or block the unknown programs by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--f27ef4f2-71fe-48b6-b7f4-02dcac14320e", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1145", "external_id": "T1145"}], "modified": "2019-07-25T11:27:03.265Z", "name": "Private Keys Mitigation", "description": "Use strong passphrases for private keys to make cracking difficult. 
When possible, store keys on separate cryptographic hardware instead of on the local system. Ensure only authorized keys are allowed access to critical resources and audit access lists regularly. Ensure permissions are properly set on folders containing sensitive private keys to prevent unintended access. Use separate infrastructure for managing critical systems to prevent overlap of credentials and permissions on systems that could be used as vectors for lateral movement. Follow other best practices for mitigating access through use of [Valid Accounts](https://attack.mitre.org/techniques/T1078).", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--f2cb6ce2-188d-4162-8feb-594f949b13dd", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "T1053", "url": "https://attack.mitre.org/mitigations/T1053", "source_name": "mitre-attack"}, {"url": "https://github.com/mattifestation/PowerSploit", "description": "PowerSploit. (n.d.). Retrieved December 4, 2014.", "source_name": "Powersploit"}, {"source_name": "TechNet Server Operator Scheduled Task", "description": "Microsoft. (2012, November 15). Domain controller: Allow server operators to schedule tasks. Retrieved December 18, 2017.", "url": "https://technet.microsoft.com/library/jj852168.aspx"}, {"source_name": "TechNet Scheduling Priority", "description": "Microsoft. (2013, May 8). Increase scheduling priority. Retrieved December 18, 2017.", "url": "https://technet.microsoft.com/library/dn221960.aspx"}, {"source_name": "Beechey 2010", "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. 
Retrieved November 18, 2014.", "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599"}, {"url": "https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html", "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", "source_name": "Windows Commands JPCERT"}, {"url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", "source_name": "NSA MS AppLocker"}, {"source_name": "Corio 2008", "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.", "url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx"}, {"source_name": "TechNet Applocker vs SRP", "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.", "url": "https://technet.microsoft.com/en-us/library/ee791851.aspx"}], "modified": "2021-08-23T20:25:19.375Z", "name": "Scheduled Task Mitigation", "description": "Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create scheduled tasks on remote systems. Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for permission weaknesses in scheduled tasks that could be used to escalate privileges. (Citation: Powersploit)\n\nConfigure settings for scheduled tasks to force tasks to run under the context of the authenticated account instead of allowing them to run as SYSTEM. The associated Registry key is located at HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\SubmitControl
. The setting can be configured through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > Security Options: Domain Controller: Allow server operators to schedule tasks, set to disabled. (Citation: TechNet Server Operator Scheduled Task)\n\nConfigure the Increase Scheduling Priority option to only allow the Administrators group the rights to schedule a priority process. This can be configured through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Increase scheduling priority. (Citation: TechNet Scheduling Priority)\n\nIdentify and block unnecessary system utilities or potentially malicious software that may be used to schedule tasks using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--f2dcee22-c275-405e-87fd-48630a19dfba", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1203", "external_id": "T1203"}, {"url": "https://blogs.windows.com/msedgedev/2017/03/23/strengthening-microsoft-edge-sandbox/", "description": "Cowan, C. (2017, March 23). Strengthening the Microsoft Edge Sandbox. 
Retrieved March 12, 2018.", "source_name": "Windows Blogs Microsoft Edge Sandbox"}, {"url": "https://arstechnica.com/information-technology/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/", "description": "Goodin, D. (2017, March 17). Virtual machine escape fetches $105,000 at Pwn2Own hacking contest - updated. Retrieved March 12, 2018.", "source_name": "Ars Technica Pwn2Own 2017 VM Escape"}, {"url": "https://blogs.technet.microsoft.com/srd/2017/08/09/moving-beyond-emet-ii-windows-defender-exploit-guard/", "description": "Nunez, N. (2017, August 9). Moving Beyond EMET II \u2013 Windows Defender Exploit Guard. Retrieved March 12, 2018.", "source_name": "TechNet Moving Beyond EMET"}, {"url": "https://en.wikipedia.org/wiki/Control-flow_integrity", "description": "Wikipedia. (2018, January 11). Control-flow integrity. Retrieved March 12, 2018.", "source_name": "Wikipedia Control Flow Integrity"}], "modified": "2019-07-24T19:22:39.193Z", "name": "Exploitation for Client Execution Mitigation", "description": "Browser sandboxes can be used to mitigate some of the impact of exploitation, but sandbox escapes may still exist. (Citation: Windows Blogs Microsoft Edge Sandbox) (Citation: Ars Technica Pwn2Own 2017 VM Escape)\n\nOther types of virtualization and application microsegmentation may also mitigate the impact of client-side exploitation. The risks of additional exploits and weaknesses in implementation may still exist. (Citation: Ars Technica Pwn2Own 2017 VM Escape)\n\nSecurity applications that look for behavior used during exploitation such as Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET) can be used to mitigate some exploitation behavior. (Citation: TechNet Moving Beyond EMET) Control flow integrity checking is another way to potentially identify and stop a software exploit from occurring. 
(Citation: Wikipedia Control Flow Integrity) Many of these protections depend on the architecture and target application binary for compatibility.", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--f3d0c735-330f-43c2-8e8e-51bcfa51e8c3", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1094", "external_id": "T1094"}, {"source_name": "University of Birmingham C2", "description": "Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.", "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"}], "modified": "2019-07-24T18:13:22.017Z", "name": "Custom Command and Control Protocol Mitigation", "description": "Properly configure firewalls and proxies to limit outgoing traffic to only necessary ports and through proper network gateway systems. Also ensure hosts are only provisioned to communicate over authorized interfaces.\n\nNetwork intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific protocol used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. 
(Citation: University of Birmingham C2)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--f6469191-1814-4dbe-a081-2a6daf83a10b", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "T1057", "url": "https://attack.mitre.org/mitigations/T1057", "source_name": "mitre-attack"}, {"source_name": "Beechey 2010", "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599"}, {"url": "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", "source_name": "Windows Commands JPCERT"}, {"url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", "source_name": "NSA MS AppLocker"}, {"source_name": "Corio 2008", "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.", "url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx"}, {"source_name": "TechNet Applocker vs SRP", "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. 
Retrieved April 7, 2016.", "url": "https://technet.microsoft.com/en-us/library/ee791851.aspx"}], "modified": "2020-01-17T16:45:23.656Z", "name": "Process Discovery Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about processes, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--f6b7c116-0821-4eb7-9b24-62bd09b3e575", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1205", "external_id": "T1205"}], "modified": "2019-07-25T11:25:50.338Z", "name": "Port Knocking Mitigation", "description": "Mitigation of some variants of this technique could be achieved through the use of stateful firewalls, depending upon how it is implemented.", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--f9b3e5d9-7454-4b7d-bce6-27620e19924e", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "T1108", "url": "https://attack.mitre.org/mitigations/T1108", 
"source_name": "mitre-attack"}, {"source_name": "Beechey 2010", "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599"}, {"url": "https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html", "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", "source_name": "Windows Commands JPCERT"}, {"url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", "source_name": "NSA MS AppLocker"}, {"source_name": "Corio 2008", "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.", "url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx"}, {"source_name": "TechNet Applocker vs SRP", "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.", "url": "https://technet.microsoft.com/en-us/library/ee791851.aspx"}, {"url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf", "description": "Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. 
Retrieved April 20, 2016.", "source_name": "University of Birmingham C2"}], "modified": "2021-08-23T20:25:18.593Z", "name": "Redundant Access Mitigation", "description": "Identify and block potentially malicious software that may be used as a remote access tool, and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)\n\nNetwork intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and will be different across various malware families and versions. Adversaries will likely change tool signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2022-10-21T15:52:18.525Z", "name": "Account Use Policies", "description": "Configure features related to account use like login attempt lockouts, specific login times, etc.", "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.0", "type": "course-of-action", "id": "course-of-action--f9f9e6ef-bc0a-41ad-ba11-0924e5e84c4c", "created": "2019-06-11T16:32:21.854Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M1036", "external_id": "M1036"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--fae44eea-caa7-42b7-a2e2-0c815ba81b9a", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1143", "external_id": "T1143"}], "modified": "2019-07-24T19:36:50.328Z", "name": "Hidden Window Mitigation", "description": "Whitelist programs that are allowed to have this plist tag. All other programs should be considered suspicious.", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--fcbe8424-eb3e-4794-b76d-e743f5a49b8b", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/T1132", "external_id": "T1132"}, {"source_name": "University of Birmingham C2", "description": "Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.", "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"}], "modified": "2019-07-24T18:25:06.552Z", "name": "Data Encoding Mitigation", "description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. 
Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--fe0aeb41-1a51-4152-8467-628256ea6adf", "type": "course-of-action", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "T1031", "url": "https://attack.mitre.org/mitigations/T1031", "source_name": "mitre-attack"}, {"url": "https://github.com/mattifestation/PowerSploit", "description": "PowerSploit. (n.d.). Retrieved December 4, 2014.", "source_name": "Powersploit"}, {"source_name": "Beechey 2010", "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599"}, {"url": "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", "source_name": "Windows Commands JPCERT"}, {"url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. 
Retrieved March 31, 2016.", "source_name": "NSA MS AppLocker"}], "modified": "2020-01-17T16:45:23.126Z", "name": "Modify Existing Service Mitigation", "description": "Use auditing tools capable of detecting privilege and service abuse opportunities on systems within an enterprise and correct them. Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service configurations. Toolkits like the PowerSploit framework contain the PowerUp modules that can be used to explore systems for Privilege Escalation weaknesses. (Citation: Powersploit)\n\nIdentify and block potentially malicious software that may be executed through service abuse by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) that are capable of auditing and/or blocking unknown programs.", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--feff9142-e8c2-46f4-842b-bd6fb3d41157", "type": "course-of-action", "created": "2019-06-11T16:43:44.834Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "external_id": "M1041", "url": "https://attack.mitre.org/mitigations/M1041"}], "modified": "2019-06-11T16:43:44.834Z", "name": "Encrypt Sensitive Information", "description": "Protect sensitive information with strong encryption.", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "course-of-action--ff5d862a-ae6b-4833-8c15-e235d654d28e", "type": "course-of-action", "created": 
"2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "T1122", "url": "https://attack.mitre.org/mitigations/T1122", "source_name": "mitre-attack"}, {"source_name": "Beechey 2010", "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599"}, {"url": "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", "source_name": "Windows Commands JPCERT"}, {"url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", "source_name": "NSA MS AppLocker"}, {"source_name": "Corio 2008", "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.", "url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx"}, {"source_name": "TechNet Applocker vs SRP", "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.", "url": "https://technet.microsoft.com/en-us/library/ee791851.aspx"}], "modified": "2020-01-17T16:45:23.056Z", "name": "Component Object Model Hijacking Mitigation", "description": "Direct mitigation of this technique may not be recommended for a particular environment since COM objects are a legitimate part of the operating system and installed software. 
Blocking COM object changes may have unforeseen side effects to legitimate functionality.\n\nInstead, identify and block potentially malicious software that may execute, or be executed by, this technique using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2023-04-04T20:20:59.961Z", "name": "HDoor", "description": "[HDoor](https://attack.mitre.org/software/S0061) is malware that has been customized and used by the [Naikon](https://attack.mitre.org/groups/G0019) group. (Citation: Baumgartner Naikon 2015)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.0", "x_mitre_aliases": ["HDoor", "Custom HDoor"], "type": "malware", "id": "malware--007b44b6-e4c5-480b-b5b9-56f2081b1b7b", "created": "2017-05-31T21:32:40.801Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0061", "external_id": "S0061"}, {"source_name": "Baumgartner Naikon 2015", "description": "Baumgartner, K., Golovkin, M.. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. 
Retrieved April 10, 2019.", "url": "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-04-10T22:28:21.746Z", "name": "TrickBot", "description": "[TrickBot](https://attack.mitre.org/software/S0266) is a Trojan spyware program written in C++ that first emerged in September 2016 as a possible successor to [Dyre](https://attack.mitre.org/software/S0024). [TrickBot](https://attack.mitre.org/software/S0266) was developed and initially used by [Wizard Spider](https://attack.mitre.org/groups/G0102) for targeting banking sites in North America, Australia, and throughout Europe; it has since been used against all sectors worldwide as part of \"big game hunting\" ransomware campaigns.(Citation: S2 Grupo TrickBot June 2017)(Citation: Fidelis TrickBot Oct 2016)(Citation: IBM TrickBot Nov 2016)(Citation: CrowdStrike Wizard Spider October 2020)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "2.2", "x_mitre_contributors": ["Daniyal Naeem, BT Security", "Cybereason Nocturnus, @nocturnus", "Omkar Gudhate", "FS-ISAC"], "x_mitre_aliases": ["TrickBot", "Totbrick", "TSPY_TRICKLOAD"], "type": "malware", "id": "malware--00806466-754d-44ea-ad6f-0caf59cb8556", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0266", "external_id": "S0266"}, {"source_name": "TrickBot", "description": "(Citation: S2 Grupo TrickBot June 2017) (Citation: Trend Micro Totbrick Oct 2016) (Citation: TrendMicro Trickbot Feb 2019)"}, {"source_name": "TSPY_TRICKLOAD", 
"description": "(Citation: Trend Micro Totbrick Oct 2016)"}, {"source_name": "Totbrick", "description": "(Citation: Trend Micro Totbrick Oct 2016) (Citation: Microsoft Totbrick Oct 2017)"}, {"source_name": "Trend Micro Totbrick Oct 2016", "description": "Antazo, F. (2016, October 31). TSPY_TRICKLOAD.N. Retrieved September 14, 2018.", "url": "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/tspy_trickload.n"}, {"source_name": "IBM TrickBot Nov 2016", "description": "Keshet, L. (2016, November 09). Tricks of the Trade: A Deeper Look Into TrickBot\u2019s Machinations. Retrieved August 2, 2018.", "url": "https://securityintelligence.com/tricks-of-the-trade-a-deeper-look-into-trickbots-machinations/"}, {"source_name": "TrendMicro Trickbot Feb 2019", "description": "Llimos, N., Pascual, C.. (2019, February 12). Trickbot Adds Remote Application Credential-Grabbing Capabilities to Its Repertoire. Retrieved March 12, 2019.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-adds-remote-application-credential-grabbing-capabilities-to-its-repertoire/"}, {"source_name": "CrowdStrike Wizard Spider October 2020", "description": "Podlosky, A., Hanel, A. et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021.", "url": "https://www.crowdstrike.com/blog/wizard-spider-adversary-update/"}, {"source_name": "Microsoft Totbrick Oct 2017", "description": "Pornasdoro, A. (2017, October 12). Trojan:Win32/Totbrick. Retrieved September 14, 2018.", "url": "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/Totbrick"}, {"source_name": "Fidelis TrickBot Oct 2016", "description": "Reaves, J. (2016, October 15). TrickBot: We Missed you, Dyre. Retrieved August 2, 2018.", "url": "https://www.fidelissecurity.com/threatgeek/2016/10/trickbot-we-missed-you-dyre"}, {"source_name": "S2 Grupo TrickBot June 2017", "description": "Salinas, M., Holguin, J. (2017, June). 
Evolution of Trickbot. Retrieved July 31, 2018.", "url": "https://www.securityartwork.es/wp-content/uploads/2017/07/Trickbot-report-S2-Grupo.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["PowerDuke"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--00c3bfcb-99bd-4767-8c03-b08f585f5c8a", "type": "malware", "created": "2017-05-31T21:33:19.746Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0139", "external_id": "S0139"}, {"source_name": "PowerDuke", "description": "(Citation: Volexity PowerDuke November 2016)"}, {"source_name": "Volexity PowerDuke November 2016", "description": "Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.", "url": "https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/"}], "modified": "2020-03-30T17:22:08.256Z", "name": "PowerDuke", "description": "[PowerDuke](https://attack.mitre.org/software/S0139) is a backdoor that was used by [APT29](https://attack.mitre.org/groups/G0016) in 2016. It has primarily been delivered through Microsoft Word or Excel attachments containing malicious macros. 
(Citation: Volexity PowerDuke November 2016)", "x_mitre_version": "1.2", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2023-03-08T22:04:48.834Z", "name": "EKANS", "description": "[EKANS](https://attack.mitre.org/software/S0605) is a ransomware variant written in Golang that first appeared in mid-December 2019 and has been used against multiple sectors, including energy, healthcare, and automotive manufacturing, which in some cases resulted in significant operational disruptions. [EKANS](https://attack.mitre.org/software/S0605) has used a hard-coded kill-list of processes, including some associated with common ICS software platforms (e.g., GE Proficy, Honeywell HMIWeb, etc.), similar to those defined in [MegaCortex](https://attack.mitre.org/software/S0576).(Citation: Dragos EKANS)(Citation: Palo Alto Unit 42 EKANS)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack", "ics-attack"], "x_mitre_version": "2.0", "x_mitre_aliases": ["EKANS", "SNAKEHOSE"], "type": "malware", "id": "malware--00e7d565-9883-4ee5-b642-8fd17fd6a3f5", "created": "2021-02-12T20:07:42.883Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0605", "external_id": "S0605"}, {"source_name": "EKANS", "description": "(Citation: Dragos EKANS)(Citation: Palo Alto Unit 42 EKANS)(Citation: FireEye Ransomware Feb 2020)"}, {"source_name": "SNAKEHOSE", "description": "(Citation: FireEye Ransomware Feb 2020)"}, {"source_name": "Dragos EKANS", "description": "Dragos. (2020, February 3). EKANS Ransomware and ICS Operations. Retrieved February 9, 2021.", "url": "https://www.dragos.com/blog/industry-news/ekans-ransomware-and-ics-operations/"}, {"source_name": "Palo Alto Unit 42 EKANS", "description": "Hinchliffe, A., Santos, D. (2020, June 26). 
Threat Assessment: EKANS Ransomware. Retrieved February 9, 2021.", "url": "https://unit42.paloaltonetworks.com/threat-assessment-ekans-ransomware/"}, {"source_name": "FireEye Ransomware Feb 2020", "description": "Zafra, D., et al. (2020, February 24). Ransomware Against the Machine: How Adversaries are Learning to Disrupt Industrial Production by Targeting IT and OT. Retrieved March 2, 2021.", "url": "https://www.fireeye.com/blog/threat-research/2020/02/ransomware-against-machine-learning-to-disrupt-industrial-production.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-04-11T02:51:38.922Z", "name": "BLINDINGCAN", "description": "[BLINDINGCAN](https://attack.mitre.org/software/S0520) is a remote access Trojan that has been used by the North Korean government since at least early 2020 in cyber operations against defense, engineering, and government organizations in Western Europe and the US.(Citation: US-CERT BLINDINGCAN Aug 2020)(Citation: NHS UK BLINDINGCAN Aug 2020)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.1", "x_mitre_contributors": ["Daniyal Naeem, BT Security"], "x_mitre_aliases": ["BLINDINGCAN"], "type": "malware", "id": "malware--01dbc71d-0ee8-420d-abb4-3dfb6a4bf725", "created": "2020-10-27T18:45:58.576Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0520", "external_id": "S0520"}, {"source_name": "NHS UK BLINDINGCAN Aug 2020", "description": "NHS Digital . (2020, August 20). BLINDINGCAN Remote Access Trojan. 
Retrieved August 20, 2020.", "url": "https://digital.nhs.uk/cyber-alerts/2020/cc-3603"}, {"source_name": "US-CERT BLINDINGCAN Aug 2020", "description": "US-CERT. (2020, August 19). MAR-10295134-1.v1 \u2013 North Korean Remote Access Trojan: BLINDINGCAN. Retrieved August 19, 2020.", "url": "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-04-17T22:02:37.451Z", "name": "Ninja", "description": "[Ninja](https://attack.mitre.org/software/S1100) is malware developed in C++ that has been used by [ToddyCat](https://attack.mitre.org/groups/G1022) to penetrate networks and control remote systems since at least 2020. [Ninja](https://attack.mitre.org/software/S1100) is possibly part of a post-exploitation toolkit used exclusively by [ToddyCat](https://attack.mitre.org/groups/G1022) and allows multiple operators to work simultaneously on the same machine. [Ninja](https://attack.mitre.org/software/S1100) has been used against government and military entities in Europe and Asia and has been observed in specific infection chains being deployed by [Samurai](https://attack.mitre.org/software/S1099).(Citation: Kaspersky ToddyCat June 2022)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.0", "x_mitre_aliases": ["Ninja"], "type": "malware", "id": "malware--023254de-caaf-4a05-b2c7-e4e2f283f7a5", "created": "2024-01-11T18:40:51.497Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1100", "external_id": "S1100"}, {"source_name": "Kaspersky ToddyCat June 2022", "description": "Dedola, G. (2022, June 21). APT ToddyCat. 
Retrieved January 3, 2024.", "url": "https://securelist.com/toddycat/106799/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["Wiarp"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--039814a0-88de-46c5-a4fb-b293db21880a", "type": "malware", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0206", "external_id": "S0206"}, {"source_name": "Wiarp", "description": "(Citation: Symantec Wiarp May 2012)"}, {"url": "https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf", "description": "O'Gorman, G., and McDonald, G.. (2012, September 6). The Elderwood Project. Retrieved February 15, 2018.", "source_name": "Symantec Elderwood Sept 2012"}, {"source_name": "Symantec Wiarp May 2012", "description": "Zhou, R. (2012, May 15). Backdoor.Wiarp. Retrieved February 22, 2018.", "url": "https://www.symantec.com/security_response/writeup.jsp?docid=2012-051606-1005-99"}], "modified": "2021-01-06T19:32:28.378Z", "name": "Wiarp", "description": "[Wiarp](https://attack.mitre.org/software/S0206) is a trojan used by [Elderwood](https://attack.mitre.org/groups/G0066) to open a backdoor on compromised hosts. 
(Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Wiarp May 2012)", "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-04-11T00:21:49.455Z", "name": "RCSession", "description": "[RCSession](https://attack.mitre.org/software/S0662) is a backdoor written in C++ that has been in use since at least 2018 by [Mustang Panda](https://attack.mitre.org/groups/G0129) and by [Threat Group-3390](https://attack.mitre.org/groups/G0027) (Type II Backdoor).(Citation: Secureworks BRONZE PRESIDENT December 2019)(Citation: Trend Micro Iron Tiger April 2021)(Citation: Trend Micro DRBControl February 2020)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.2", "x_mitre_aliases": ["RCSession"], "type": "malware", "id": "malware--03acae53-9b98-46f6-b204-16b930839055", "created": "2021-11-19T19:47:26.552Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0662", "external_id": "S0662"}, {"source_name": "Secureworks BRONZE PRESIDENT December 2019", "description": "Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021.", "url": "https://www.secureworks.com/research/bronze-president-targets-ngos"}, {"source_name": "Trend Micro Iron Tiger April 2021", "description": "Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021.", "url": "https://www.trendmicro.com/en_us/research/21/d/iron-tiger-apt-updates-toolkit-with-evolved-sysupdate-malware-va.html"}, {"source_name": "Trend Micro DRBControl February 2020", "description": "Lunghi, D. et al. (2020, February). Uncovering DRBControl. 
Retrieved November 12, 2021.", "url": "https://documents.trendmicro.com/assets/white_papers/wp-uncovering-DRBcontrol.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["Spark"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--03ea629c-517a-41e3-94f8-c7e5368cf8f4", "type": "malware", "created": "2020-12-15T01:30:05.198Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "S0543", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0543"}, {"source_name": "Spark", "description": "\n(Citation: Unit42 Molerat Mar 2020) "}, {"source_name": "Unit42 Molerat Mar 2020", "url": "https://unit42.paloaltonetworks.com/molerats-delivers-spark-backdoor/", "description": "Falcone, R., et al. (2020, March 3). Molerats Delivers Spark Backdoor to Government and Telecommunications Organizations. 
Retrieved December 14, 2020."}], "modified": "2021-08-18T23:49:01.615Z", "name": "Spark", "description": "\n[Spark](https://attack.mitre.org/software/S0543) is a Windows backdoor and has been in use since as early as 2017.(Citation: Unit42 Molerat Mar 2020) ", "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["QuietSieve"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "type": "malware", "id": "malware--03eb4a05-6a02-43f6-afb7-3c7835501828", "created": "2022-02-18T16:46:39.268Z", "x_mitre_version": "1.0", "external_references": [{"source_name": "mitre-attack", "external_id": "S0686", "url": "https://attack.mitre.org/software/S0686"}, {"source_name": "Microsoft Actinium February 2022", "url": "https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/", "description": "Microsoft Threat Intelligence Center. (2022, February 4). ACTINIUM targets Ukrainian organizations. 
Retrieved February 18, 2022."}], "x_mitre_deprecated": false, "revoked": false, "description": "[QuietSieve](https://attack.mitre.org/software/S0686) is an information stealer that has been used by [Gamaredon Group](https://attack.mitre.org/groups/G0047) since at least 2021.(Citation: Microsoft Actinium February 2022)", "modified": "2022-04-15T12:31:52.469Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "QuietSieve", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["SynAck"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--04227b24-7817-4de1-9050-b7b1b57f5866", "type": "malware", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0242", "external_id": "S0242"}, {"source_name": "SynAck", "description": "(Citation: SecureList SynAck Doppelg\u00e4nging May 2018) (Citation: Kaspersky Lab SynAck May 2018)"}, {"source_name": "SecureList SynAck Doppelg\u00e4nging May 2018", "description": "Ivanov, A. et al. (2018, May 7). SynAck targeted ransomware uses the Doppelg\u00e4nging technique. Retrieved May 22, 2018.", "url": "https://securelist.com/synack-targeted-ransomware-uses-the-doppelganging-technique/85431/"}, {"source_name": "Kaspersky Lab SynAck May 2018", "description": "Bettencourt, J. (2018, May 7). Kaspersky Lab finds new variant of SynAck ransomware using sophisticated Doppelg\u00e4nging technique. 
Retrieved May 24, 2018.", "url": "https://usa.kaspersky.com/about/press-releases/2018_synack-doppelganging"}], "modified": "2021-09-08T19:22:44.438Z", "name": "SynAck", "description": "[SynAck](https://attack.mitre.org/software/S0242) is a variant of Trojan ransomware targeting mainly English-speaking users since at least fall 2017. (Citation: SecureList SynAck Doppelg\u00e4nging May 2018) (Citation: Kaspersky Lab SynAck May 2018)", "x_mitre_version": "1.3", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2022-10-21T21:43:41.253Z", "name": "Bumblebee", "description": "[Bumblebee](https://attack.mitre.org/software/S1039) is a custom loader written in C++ that has been used by multiple threat actors, including possible initial access brokers, to download and execute additional payloads since at least March 2022. [Bumblebee](https://attack.mitre.org/software/S1039) has been linked to ransomware operations including [Conti](https://attack.mitre.org/software/S0575), Quantum, and Mountlocker, and derived its name from the appearance of \"bumblebee\" in its user-agent string.(Citation: Google EXOTIC LILY March 2022)(Citation: Proofpoint Bumblebee April 2022)(Citation: Symantec Bumblebee June 2022)\n", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.0", "x_mitre_contributors": ["Phill Taylor, BT Security"], "x_mitre_aliases": ["Bumblebee"], "type": "malware", "id": "malware--04378e79-4387-468a-a8f7-f974b8254e44", "created": "2022-08-19T20:28:36.981Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1039", "external_id": "S1039"}, {"source_name": "Symantec Bumblebee June 2022", "description": "Kamble, V. (2022, June 28). 
Bumblebee: New Loader Rapidly Assuming Central Position in Cyber-crime Ecosystem. Retrieved August 24, 2022.", "url": "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime"}, {"source_name": "Proofpoint Bumblebee April 2022", "description": "Merriman, K. and Trouerbach, P. (2022, April 28). This isn't Optimus Prime's Bumblebee but it's Still Transforming. Retrieved August 22, 2022.", "url": "https://www.proofpoint.com/us/blog/threat-insight/bumblebee-is-still-transforming"}, {"source_name": "Google EXOTIC LILY March 2022", "description": "Stolyarov, V. (2022, March 17). Exposing initial access broker with ties to Conti. Retrieved August 18, 2022.", "url": "https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["MURKYTOP"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--049ff071-0b3c-4712-95d2-d21c6aa54501", "type": "malware", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0233", "external_id": "S0233"}, {"source_name": "MURKYTOP", "description": "(Citation: FireEye Periscope March 2018)"}, {"url": "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html", "description": "FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. 
Retrieved April 11, 2018.", "source_name": "FireEye Periscope March 2018"}], "modified": "2020-03-30T17:00:19.828Z", "name": "MURKYTOP", "description": "[MURKYTOP](https://attack.mitre.org/software/S0233) is a reconnaissance tool used by [Leviathan](https://attack.mitre.org/groups/G0065). (Citation: FireEye Periscope March 2018)", "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-04-12T10:20:50.199Z", "name": "AcidRain", "description": "[AcidRain](https://attack.mitre.org/software/S1125) is an ELF binary targeting modems and routers using MIPS architecture.(Citation: AcidRain JAGS 2022) [AcidRain](https://attack.mitre.org/software/S1125) is associated with the ViaSat KA-SAT communication outage that took place during the initial phases of the 2022 full-scale invasion of Ukraine. Analysis indicates overlap with another network device-targeting malware, VPNFilter, associated with [Sandworm Team](https://attack.mitre.org/groups/G0034).(Citation: AcidRain JAGS 2022) US and European government sources linked [AcidRain](https://attack.mitre.org/software/S1125) to Russian government entities, while Ukrainian government sources linked [AcidRain](https://attack.mitre.org/software/S1125) specifically to [Sandworm Team](https://attack.mitre.org/groups/G0034).(Citation: AcidRain State Department 2022)(Citation: Vincens AcidPour 2024)", "x_mitre_platforms": ["Network", "Linux"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.0", "x_mitre_aliases": ["AcidRain"], "type": "malware", "id": "malware--04cecafd-cb5f-4daf-aa1f-73899116c4a2", "created": "2024-03-25T15:27:08.214Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1125", "external_id": "S1125"}, {"source_name": "Vincens AcidPour 
2024", "description": "A.J. Vincens, CyberScoop. (2024, March 18). Researchers spot updated version of malware that hit Viasat. Retrieved March 25, 2024.", "url": "https://cyberscoop.com/viasat-malware-wiper-acidrain/"}, {"source_name": "AcidRain State Department 2022", "description": "Antony J. Blinken, US Department of State. (2022, May 10). Attribution of Russia\u2019s Malicious Cyber Activity Against Ukraine. Retrieved March 25, 2024.", "url": "https://www.state.gov/attribution-of-russias-malicious-cyber-activity-against-ukraine/"}, {"source_name": "AcidRain JAGS 2022", "description": "Juan Andres Guerrero-Saade and Max van Amerongen, SentinelOne. (2022, March 31). AcidRain | A Modem Wiper Rains Down on Europe. Retrieved March 25, 2024.", "url": "https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["GRIFFON"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--04fc1842-f9e4-47cf-8cb8-5c61becad142", "type": "malware", "created": "2019-10-11T17:29:20.165Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "S0417", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0417"}, {"description": "Namestnikov, Y. and Aime, F. (2019, May 8). FIN7.5: the infamous cybercrime rig \u201cFIN7\u201d continues its activities. 
Retrieved October 11, 2019.", "url": "https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/", "source_name": "SecureList Griffon May 2019"}], "modified": "2020-06-23T19:20:45.892Z", "name": "GRIFFON", "description": "[GRIFFON](https://attack.mitre.org/software/S0417) is a JavaScript backdoor used by [FIN7](https://attack.mitre.org/groups/G0046). (Citation: SecureList Griffon May 2019)", "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2023-03-26T18:59:38.457Z", "name": "Exaramel for Windows", "description": "[Exaramel for Windows](https://attack.mitre.org/software/S0343) is a backdoor used for targeting Windows systems. The Linux version is tracked separately under [Exaramel for Linux](https://attack.mitre.org/software/S0401).(Citation: ESET TeleBots Oct 2018)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "2.2", "x_mitre_aliases": ["Exaramel for Windows"], "type": "malware", "id": "malware--051eaca1-958f-4091-9e5f-a9acd8f820b5", "created": "2019-01-30T15:10:03.894Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0343", "external_id": "S0343"}, {"source_name": "Exaramel for Windows", "description": "(Citation: ESET TeleBots Oct 2018)"}, {"source_name": "ESET TeleBots Oct 2018", "description": "Cherepanov, A., Lipovsky, R. (2018, October 11). New TeleBots backdoor: First evidence linking Industroyer to NotPetya. 
Retrieved November 27, 2018.", "url": "https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2022-10-14T21:33:47.608Z", "name": "Amadey", "description": "[Amadey](https://attack.mitre.org/software/S1025) is a Trojan bot that has been used since at least October 2018.(Citation: Korean FSI TA505 2020)(Citation: BlackBerry Amadey 2020)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.0", "x_mitre_aliases": ["Amadey"], "type": "malware", "id": "malware--05318127-5962-444b-b900-a9dcfe0ff6e9", "created": "2022-07-14T17:30:54.927Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1025", "external_id": "S1025"}, {"source_name": "Korean FSI TA505 2020", "description": "Financial Security Institute. (2020, February 28). Profiling of TA505 Threat Group That Continues to Attack the Financial Sector. Retrieved July 14, 2022.", "url": "https://www.fsec.or.kr/user/bbs/fsec/163/344/bbsDataView/1382.do?page=1&column=&search=&searchSDate=&searchEDate=&bbsDataCategory="}, {"source_name": "BlackBerry Amadey 2020", "description": "Kasuya, M. (2020, January 8). Threat Spotlight: Amadey Bot Targets Non-Russian Users. 
Retrieved July 14, 2022.", "url": "https://blogs.blackberry.com/en/2020/01/threat-spotlight-amadey-bot"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["RDFSNIFFER"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--065196de-d7e8-4888-acfb-b2134022ba1b", "type": "malware", "created": "2019-10-11T16:13:19.588Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "S0416", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0416"}, {"source_name": "FireEye FIN7 Oct 2019", "url": "https://www.fireeye.com/blog/threat-research/2019/10/mahalo-fin7-responding-to-new-tools-and-techniques.html", "description": "Carr, N., et al. (2019, October 10). Mahalo FIN7: Responding to the Criminal Operators\u2019 New Tools and Techniques. 
Retrieved October 11, 2019."}], "modified": "2019-10-16T15:34:22.990Z", "name": "RDFSNIFFER", "description": "[RDFSNIFFER](https://attack.mitre.org/software/S0416) is a module loaded by [BOOSTWRITE](https://attack.mitre.org/software/S0415) which allows an attacker to monitor and tamper with legitimate connections made via an application designed to provide visibility and system management capabilities to remote IT techs.(Citation: FireEye FIN7 Oct 2019)", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_contributors": ["Edward Millington"], "x_mitre_aliases": ["Proxysvc"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--069af411-9b24-4e85-b26c-623d035bbe84", "type": "malware", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0238", "external_id": "S0238"}, {"source_name": "Proxysvc", "description": "(Citation: McAfee GhostSecret)"}, {"url": "https://securingtomorrow.mcafee.com/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/", "description": "Sherstobitoff, R., Malhotra, A. (2018, April 24). Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide. Retrieved May 16, 2018.", "source_name": "McAfee GhostSecret"}], "modified": "2020-03-30T17:23:20.589Z", "name": "Proxysvc", "description": "[Proxysvc](https://attack.mitre.org/software/S0238) is a malicious DLL used by [Lazarus Group](https://attack.mitre.org/groups/G0032) in a campaign known as Operation GhostSecret. It has appeared to be operating undetected since 2017 and was mostly observed in higher education organizations. 
The goal of [Proxysvc](https://attack.mitre.org/software/S0238) is to deliver additional payloads to the target and to maintain control for the attacker. It is in the form of a DLL that can also be executed as a standalone process. (Citation: McAfee GhostSecret)", "x_mitre_version": "1.2", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["Orz", "AIRBREAK"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "type": "malware", "id": "malware--06d735e7-1db1-4dbe-ab4b-acbe419f902b", "created": "2018-04-18T17:59:24.739Z", "x_mitre_version": "2.2", "external_references": [{"source_name": "mitre-attack", "external_id": "S0229", "url": "https://attack.mitre.org/software/S0229"}, {"source_name": "AIRBREAK", "description": "(Citation: FireEye Periscope March 2018)"}, {"source_name": "Orz", "description": "(Citation: Proofpoint Leviathan Oct 2017)"}, {"source_name": "Proofpoint Leviathan Oct 2017", "url": "https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets", "description": "Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018."}, {"source_name": "FireEye Periscope March 2018", "url": "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html", "description": "FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018."}], "x_mitre_deprecated": false, "revoked": false, "description": "[Orz](https://attack.mitre.org/software/S0229) is a custom JavaScript backdoor used by [Leviathan](https://attack.mitre.org/groups/G0065). 
It was observed being used in 2014 as well as in August 2017 when it was dropped by Microsoft Publisher files. (Citation: Proofpoint Leviathan Oct 2017) (Citation: FireEye Periscope March 2018)", "modified": "2022-04-19T01:33:33.267Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Orz", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-04-10T22:31:28.094Z", "name": "Torisma", "description": "[Torisma](https://attack.mitre.org/software/S0678) is a second stage implant designed for specialized monitoring that has been used by [Lazarus Group](https://attack.mitre.org/groups/G0032). [Torisma](https://attack.mitre.org/software/S0678) was discovered during an investigation into the 2020 Operation North Star campaign that targeted the defense sector.(Citation: McAfee Lazarus Nov 2020)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.2", "x_mitre_aliases": ["Torisma"], "type": "malware", "id": "malware--0715560d-4299-4e84-9e20-6e80ab57e4f2", "created": "2022-02-01T16:21:13.097Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0678", "external_id": "S0678"}, {"source_name": "McAfee Lazarus Nov 2020", "description": "Beek, C. (2020, November 5). Operation North Star: Behind The Scenes. 
Retrieved December 20, 2021.", "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-behind-the-scenes/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["NOKKI"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--071d5d65-83ec-4a55-acfa-be7d5f28ba9a", "type": "malware", "created": "2019-01-30T19:50:45.307Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "S0353", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0353"}, {"source_name": "NOKKI", "description": "(Citation: Unit 42 NOKKI Sept 2018)"}, {"source_name": "Unit 42 NOKKI Sept 2018", "url": "https://researchcenter.paloaltonetworks.com/2018/09/unit42-new-konni-malware-attacking-eurasia-southeast-asia/", "description": "Grunzweig, J., Lee, B. (2018, September 27). New KONNI Malware attacking Eurasia and Southeast Asia. Retrieved November 5, 2018."}, {"source_name": "Unit 42 Nokki Oct 2018", "url": "https://researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/", "description": "Grunzweig, J. (2018, October 01). NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT. Retrieved November 5, 2018."}], "modified": "2020-03-18T15:22:32.747Z", "name": "NOKKI", "description": "[NOKKI](https://attack.mitre.org/software/S0353) is a modular remote access tool. The earliest observed attack using [NOKKI](https://attack.mitre.org/software/S0353) was in January 2018. 
[NOKKI](https://attack.mitre.org/software/S0353) has significant code overlap with the [KONNI](https://attack.mitre.org/software/S0356) malware family. There is some evidence potentially linking [NOKKI](https://attack.mitre.org/software/S0353) to [APT37](https://attack.mitre.org/groups/G0067).(Citation: Unit 42 NOKKI Sept 2018)(Citation: Unit 42 Nokki Oct 2018)", "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["yty"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--0817aaf2-afea-4c32-9285-4dcd1df5bf14", "type": "malware", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0248", "external_id": "S0248"}, {"source_name": "yty", "description": "(Citation: ASERT Donot March 2018)"}, {"source_name": "ASERT Donot March 2018", "description": "Schwarz, D., Sopko J. (2018, March 08). Donot Team Leverages New Modular Malware Framework in South Asia. Retrieved June 11, 2018.", "url": "https://www.arbornetworks.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia/"}], "modified": "2020-03-28T21:45:32.149Z", "name": "yty", "description": "[yty](https://attack.mitre.org/software/S0248) is a modular, plugin-based malware framework. The components of the framework are written in a variety of programming languages. 
(Citation: ASERT Donot March 2018)", "x_mitre_version": "1.2", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2022-10-12T17:18:25.971Z", "name": "Backdoor.Oldrea", "description": "[Backdoor.Oldrea](https://attack.mitre.org/software/S0093) is a modular backdoor that has been used by [Dragonfly](https://attack.mitre.org/groups/G0035) against energy companies since at least 2013. [Backdoor.Oldrea](https://attack.mitre.org/software/S0093) was distributed via supply chain compromise, and included specialized modules to enumerate and map ICS-specific systems, processes, and protocols.(Citation: Symantec Dragonfly)(Citation: Gigamon Berserk Bear October 2021)(Citation: Symantec Dragonfly Sept 2017)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack", "ics-attack"], "x_mitre_version": "2.0", "x_mitre_aliases": ["Backdoor.Oldrea", "Havex"], "type": "malware", "id": "malware--083bb47b-02c8-4423-81a2-f9ef58572974", "created": "2017-05-31T21:32:59.661Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0093", "external_id": "S0093"}, {"source_name": "Gigamon Berserk Bear October 2021", "description": "Slowik, J. (2021, October). THE BAFFLING BERSERK BEAR: A DECADE\u2019S ACTIVITY TARGETING CRITICAL INFRASTRUCTURE. Retrieved December 6, 2021.", "url": "https://vblocalhost.com/uploads/VB2021-Slowik.pdf"}, {"source_name": "Symantec Dragonfly Sept 2017", "description": "Symantec Security Response. (2014, July 7). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved September 9, 2017.", "url": "https://docs.broadcom.com/doc/dragonfly_threat_against_western_energy_suppliers"}, {"source_name": "Symantec Dragonfly", "description": "Symantec Security Response. (2014, June 30). 
Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.", "url": "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7382dce7-0260-4782-84cc-890971ed3f17&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-04-11T02:37:34.915Z", "name": "DOGCALL", "description": "[DOGCALL](https://attack.mitre.org/software/S0213) is a backdoor used by [APT37](https://attack.mitre.org/groups/G0067) to target South Korean government and military organizations in 2017. It is typically dropped using a Hangul Word Processor (HWP) exploit. (Citation: FireEye APT37 Feb 2018)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.3", "x_mitre_aliases": ["DOGCALL"], "type": "malware", "id": "malware--0852567d-7958-4f4b-8947-4f840ec8d57d", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0213", "external_id": "S0213"}, {"source_name": "DOGCALL", "description": "(Citation: FireEye APT37 Feb 2018)"}, {"source_name": "FireEye APT37 Feb 2018", "description": "FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. 
Retrieved March 1, 2018.", "url": "https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-04-10T23:46:32.577Z", "name": "Stuxnet", "description": "[Stuxnet](https://attack.mitre.org/software/S0603) was the first publicly reported piece of malware to specifically target industrial control systems devices. [Stuxnet](https://attack.mitre.org/software/S0603) is a large and complex piece of malware that utilized multiple different behaviors including multiple zero-day vulnerabilities, a sophisticated Windows rootkit, and network infection routines.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)(Citation: CISA ICS Advisory ICSA-10-272-01)(Citation: ESET Stuxnet Under the Microscope)(Citation: Langer Stuxnet) [Stuxnet](https://attack.mitre.org/software/S0603) was discovered in 2010, with some components being used as early as November 2008.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011) ", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack", "ics-attack"], "x_mitre_version": "1.4", "x_mitre_aliases": ["Stuxnet", "W32.Stuxnet"], "type": "malware", "id": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", "created": "2020-12-14T17:34:58.457Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0603", "external_id": "S0603"}, {"source_name": "W32.Stuxnet", "description": "(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011) "}, {"source_name": "CISA ICS Advisory ICSA-10-272-01", "description": "CISA. (2010, September 10). ICS Advisory (ICSA-10-272-01). 
Retrieved December 7, 2020.", "url": "https://us-cert.cisa.gov/ics/advisories/ICSA-10-272-01"}, {"source_name": "ESET Stuxnet Under the Microscope", "description": "Matrosov, A., Rodionov, E., Harley, D., Malcho, J. (n.d.). Stuxnet Under the Microscope. Retrieved December 7, 2020.", "url": "https://www.esetnod32.ru/company/viruslab/analytics/doc/Stuxnet_Under_the_Microscope.pdf"}, {"source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", "description": "Nicolas Falliere, Liam O Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier (Version 1.4). Retrieved September 22, 2017.", "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf"}, {"source_name": "Langer Stuxnet", "description": "Ralph Langner. (2013, November). To Kill a Centrifuge: A Technical Analysis of What Stuxnet's Creators Tried to Achieve. Retrieved December 7, 2020.", "url": "https://www.langner.com/wp-content/uploads/2017/03/to-kill-a-centrifuge.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["Downdelph", "Delphacy"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--08d20cd2-f084-45ee-8558-fa6ef5a18519", "type": "malware", "created": "2017-05-31T21:33:16.790Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0134", "external_id": "S0134"}, {"source_name": "ESET Sednit Part 3", "description": "ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. 
Retrieved November 21, 2016.", "url": "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf"}], "modified": "2020-03-30T15:32:15.795Z", "name": "Downdelph", "description": "[Downdelph](https://attack.mitre.org/software/S0134) is a first-stage downloader written in Delphi that has been used by [APT28](https://attack.mitre.org/groups/G0007) in rare instances between 2013 and 2015. (Citation: ESET Sednit Part 3)", "x_mitre_version": "1.2", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2023-10-12T21:19:45.801Z", "name": "RotaJakiro", "description": "[RotaJakiro](https://attack.mitre.org/software/S1078) is a 64-bit Linux backdoor used by [APT32](https://attack.mitre.org/groups/G0050). First seen in 2018, it uses a plugin architecture to extend capabilities. [RotaJakiro](https://attack.mitre.org/software/S1078) can determine its permission level and execute according to access type (`root` or `user`).(Citation: RotaJakiro 2021 netlab360 analysis)(Citation: netlab360 rotajakiro vs oceanlotus)", "x_mitre_platforms": ["Linux"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.0", "x_mitre_aliases": ["RotaJakiro"], "type": "malware", "id": "malware--08e844a8-371f-4fe3-9d1f-e056e64a7fde", "created": "2023-06-14T17:04:01.673Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1078", "external_id": "S1078"}, {"source_name": "RotaJakiro 2021 netlab360 analysis", "description": "Alex Turing, Hui Wang. (2021, April 28). RotaJakiro: A long live secret backdoor with 0 VT detection. Retrieved June 14, 2023.", "url": "https://blog.netlab.360.com/stealth_rotajakiro_backdoor_en/"}, {"source_name": "netlab360 rotajakiro vs oceanlotus", "description": "Alex Turing. (2021, May 6). 
RotaJakiro, the Linux version of the OceanLotus. Retrieved June 14, 2023.", "url": "https://blog.netlab.360.com/rotajakiro_linux_version_of_oceanlotus/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2023-02-15T17:03:59.324Z", "name": "AvosLocker", "description": "[AvosLocker](https://attack.mitre.org/software/S1053) is ransomware written in C++ that has been offered via the Ransomware-as-a-Service (RaaS) model. It was first observed in June 2021 and has been used against financial services, critical manufacturing, government facilities, and other critical infrastructure sectors in the United States. As of March 2022, [AvosLocker](https://attack.mitre.org/software/S1053) had also been used against organizations in Belgium, Canada, China, Germany, Saudi Arabia, Spain, Syria, Taiwan, Turkey, the United Arab Emirates, and the United Kingdom.(Citation: Malwarebytes AvosLocker Jul 2021)(Citation: Trend Micro AvosLocker Apr 2022)(Citation: Joint CSA AvosLocker Mar 2022)", "x_mitre_platforms": ["Linux", "Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.0", "x_mitre_contributors": ["Flavio Costa, Cisco"], "x_mitre_aliases": ["AvosLocker"], "type": "malware", "id": "malware--0945a1a5-a79a-47c8-9079-10c16cdfcb5d", "created": "2023-01-11T21:17:36.149Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1053", "external_id": "S1053"}, {"source_name": "Joint CSA AvosLocker Mar 2022", "description": "FBI, FinCEN, Treasury. (2022, March 17). Indicators of Compromise Associated with AvosLocker Ransomware. 
Retrieved January 11, 2023.", "url": "https://www.ic3.gov/Media/News/2022/220318.pdf"}, {"source_name": "Malwarebytes AvosLocker Jul 2021", "description": "Hasherezade. (2021, July 23). AvosLocker enters the ransomware scene, asks for partners. Retrieved January 11, 2023.", "url": "https://www.malwarebytes.com/blog/threat-intelligence/2021/07/avoslocker-enters-the-ransomware-scene-asks-for-partners"}, {"source_name": "Trend Micro AvosLocker Apr 2022", "description": "Trend Micro Research. (2022, April 4). Ransomware Spotlight AvosLocker. Retrieved January 11, 2023.", "url": "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-avoslocker"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["SEASHARPEE"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--0998045d-f96e-4284-95ce-3c8219707486", "type": "malware", "created": "2018-01-16T16:13:52.465Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0185", "external_id": "S0185"}, {"source_name": "SEASHARPEE", "description": "(Citation: FireEye APT34 Webinar Dec 2017)"}, {"url": "https://www.brighttalk.com/webcast/10703/296317/apt34-new-targeted-attack-in-the-middle-east", "description": "Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. 
Retrieved December 20, 2017.", "source_name": "FireEye APT34 Webinar Dec 2017"}], "modified": "2021-04-23T20:29:59.216Z", "name": "SEASHARPEE", "description": "[SEASHARPEE](https://attack.mitre.org/software/S0185) is a Web shell that has been used by [OilRig](https://attack.mitre.org/groups/G0049). (Citation: FireEye APT34 Webinar Dec 2017)", "x_mitre_version": "2.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["Get2"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--099ecff2-41b8-436d-843c-038a9aa9aa69", "type": "malware", "created": "2020-05-29T20:32:42.686Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "S0460", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0460"}, {"source_name": "Proofpoint TA505 October 2019", "url": "https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader", "description": "Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. 
Retrieved May 29, 2020."}], "modified": "2020-06-16T16:48:16.541Z", "name": "Get2", "description": "[Get2](https://attack.mitre.org/software/S0460) is a downloader written in C++ that has been used by [TA505](https://attack.mitre.org/groups/G0092) to deliver [FlawedGrace](https://attack.mitre.org/software/S0383), [FlawedAmmyy](https://attack.mitre.org/software/S0381), Snatch and [SDBbot](https://attack.mitre.org/software/S0461).(Citation: Proofpoint TA505 October 2019)", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["POWRUNER"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--09b2cd76-c674-47cc-9f57-d2f2ad150a46", "type": "malware", "created": "2018-01-16T16:13:52.465Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0184", "external_id": "S0184"}, {"source_name": "POWRUNER", "description": "(Citation: FireEye APT34 Dec 2017)"}, {"url": "https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html", "description": "Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.", "source_name": "FireEye APT34 Dec 2017"}], "modified": "2020-07-06T16:11:56.562Z", "name": "POWRUNER", "description": "[POWRUNER](https://attack.mitre.org/software/S0184) is a PowerShell script that sends and receives commands to and from the C2 server. 
(Citation: FireEye APT34 Dec 2017)", "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2023-07-25T20:02:07.578Z", "name": "KOPILUWAK", "description": "[KOPILUWAK](https://attack.mitre.org/software/S1075) is a JavaScript-based reconnaissance tool that has been used for victim profiling and C2 since at least 2017.(Citation: Mandiant Suspected Turla Campaign February 2023)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.0", "x_mitre_contributors": ["Yoshihiro Kori, NEC Corporation", "Manikantan Srinivasan, NEC Corporation India", "Pooja Natarajan, NEC Corporation India"], "x_mitre_aliases": ["KOPILUWAK"], "type": "malware", "id": "malware--09fcc02f-f9d4-43fa-8609-5e5e186b7103", "created": "2023-05-17T18:49:25.528Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1075", "external_id": "S1075"}, {"source_name": "Mandiant Suspected Turla Campaign February 2023", "description": "Hawley, S. et al. (2023, February 2). Turla: A Galaxy of Opportunity. 
Retrieved May 15, 2023.", "url": "https://www.mandiant.com/resources/blog/turla-galaxy-opportunity"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["RobbinHood"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--0a607c53-df52-45da-a75d-0e53df4dad5f", "type": "malware", "created": "2019-07-29T14:27:18.204Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "S0400", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0400"}, {"description": "Lee, S. (2019, May 17). CB TAU Threat Intelligence Notification: RobbinHood Ransomware Stops 181 Windows Services Before Encryption. Retrieved July 29, 2019.", "url": "https://www.carbonblack.com/2019/05/17/cb-tau-threat-intelligence-notification-robbinhood-ransomware-stops-181-windows-services-before-encryption/", "source_name": "CarbonBlack RobbinHood May 2019"}, {"description": "Duncan, I., Campbell, C. (2019, May 7). Baltimore city government computer network hit by ransomware attack. 
Retrieved July 29, 2019.", "url": "https://www.baltimoresun.com/politics/bs-md-ci-it-outage-20190507-story.html", "source_name": "BaltimoreSun RobbinHood May 2019"}], "modified": "2020-03-30T18:05:52.348Z", "name": "RobbinHood", "description": "[RobbinHood](https://attack.mitre.org/software/S0400) is ransomware that was first observed being used in an attack against the Baltimore city government's computer network.(Citation: CarbonBlack RobbinHood May 2019)(Citation: BaltimoreSun RobbinHood May 2019)", "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--0a9c51e0-825d-4b9b-969d-ce86ed8ce3c3", "type": "malware", "created": "2018-01-16T16:13:52.465Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0177", "external_id": "S0177"}, {"source_name": "MalwareTech Power Loader Aug 2013", "description": "MalwareTech. (2013, August 13). PowerLoader Injection \u2013 Something truly amazing. Retrieved December 16, 2017.", "url": "https://www.malwaretech.com/2013/08/powerloader-injection-something-truly.html"}, {"source_name": "WeLiveSecurity Gapz and Redyms Mar 2013", "description": "Matrosov, A. (2013, March 19). Gapz and Redyms droppers based on Power Loader code. Retrieved December 16, 2017.", "url": "https://www.welivesecurity.com/2013/03/19/gapz-and-redyms-droppers-based-on-power-loader-code/"}], "modified": "2018-10-17T00:14:20.652Z", "name": "Power Loader", "description": "[Power Loader](https://attack.mitre.org/software/S0177) is modular code sold in the cybercrime market used as a downloader in malware families such as Carberp, Redyms and Gapz. 
(Citation: MalwareTech Power Loader Aug 2013) (Citation: WeLiveSecurity Gapz and Redyms Mar 2013)", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["TDTESS"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--0b32ec39-ba61-4864-9ebe-b4b0b73caf9a", "type": "malware", "created": "2018-01-16T16:13:52.465Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0164", "external_id": "S0164"}, {"source_name": "TDTESS", "description": "(Citation: ClearSky Wilted Tulip July 2017)"}, {"url": "http://www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf", "description": "ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017.", "source_name": "ClearSky Wilted Tulip July 2017"}], "modified": "2020-03-30T18:18:53.335Z", "name": "TDTESS", "description": "[TDTESS](https://attack.mitre.org/software/S0164) is a 64-bit .NET binary backdoor used by [CopyKittens](https://attack.mitre.org/groups/G0052). (Citation: ClearSky Wilted Tulip July 2017)", "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-04-11T02:46:10.914Z", "name": "Chinoxy", "description": "[Chinoxy](https://attack.mitre.org/software/S1041) is a backdoor that has been used since at least November 2018, during the [FunnyDream](https://attack.mitre.org/campaigns/C0007) campaign, to gain persistence and drop additional payloads. 
According to security researchers, [Chinoxy](https://attack.mitre.org/software/S1041) has been used by Chinese-speaking threat actors.(Citation: Bitdefender FunnyDream Campaign November 2020)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.1", "x_mitre_aliases": ["Chinoxy"], "type": "malware", "id": "malware--0b639373-5f03-430e-b8f9-2fe8c8faad8e", "created": "2022-09-21T16:46:22.726Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1041", "external_id": "S1041"}, {"source_name": "Bitdefender FunnyDream Campaign November 2020", "description": "Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022.", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/379/Bitdefender-Whitepaper-Chinese-APT.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["SharpStage"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--0ba9281c-93fa-4b29-8e9e-7ef918c7b13a", "type": "malware", "created": "2020-12-22T17:02:52.954Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "S0546", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0546"}, {"source_name": "SharpStage", "description": "(Citation: Cybereason Molerats Dec 2020)(Citation: BleepingComputer Molerats Dec 2020)"}, {"source_name": "Cybereason Molerats Dec 2020", "url": 
"https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf", "description": "Cybereason Nocturnus Team. (2020, December 9). MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign. Retrieved December 22, 2020."}, {"source_name": "BleepingComputer Molerats Dec 2020", "url": "https://www.bleepingcomputer.com/news/security/hacking-group-s-new-malware-abuses-google-and-facebook-services/", "description": "Ilascu, I. (2020, December 14). Hacking group\u2019s new malware abuses Google and Facebook services. Retrieved December 28, 2020."}], "modified": "2021-08-18T23:48:44.783Z", "name": "SharpStage", "description": "[SharpStage](https://attack.mitre.org/software/S0546) is a .NET malware with backdoor capabilities.(Citation: Cybereason Molerats Dec 2020)(Citation: BleepingComputer Molerats Dec 2020)", "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-04-05T15:31:04.915Z", "name": "COATHANGER", "description": "[COATHANGER](https://attack.mitre.org/software/S1105) is a remote access tool (RAT) targeting FortiGate networking appliances. First used in 2023 in targeted intrusions against military and government entities in the Netherlands along with other victims, [COATHANGER](https://attack.mitre.org/software/S1105) was disclosed in early 2024, with a high confidence assessment linking this malware to a state-sponsored entity in the People's Republic of China. [COATHANGER](https://attack.mitre.org/software/S1105) is delivered after gaining access to a FortiGate device, with in-the-wild observations linked to exploitation of CVE-2022-42475. 
The name [COATHANGER](https://attack.mitre.org/software/S1105) is based on a unique string in the malware used to encrypt configuration files on disk: \u201cShe took his coat and hung it up\u201d
.(Citation: NCSC-NL COATHANGER Feb 2024)", "x_mitre_platforms": ["Linux", "Network"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.0", "x_mitre_aliases": ["COATHANGER"], "type": "malware", "id": "malware--0c242cc5-58d3-4fe3-a866-b00a4b6fb817", "created": "2024-02-07T18:33:18.551Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1105", "external_id": "S1105"}, {"source_name": "NCSC-NL COATHANGER Feb 2024", "description": "Dutch Military Intelligence and Security Service (MIVD) & Dutch General Intelligence and Security Service (AIVD). (2024, February 6). Ministry of Defense of the Netherlands uncovers COATHANGER, a stealthy Chinese FortiGate RAT. Retrieved February 7, 2024.", "url": "https://www.ncsc.nl/binaries/ncsc/documenten/publicaties/2024/februari/6/mivd-aivd-advisory-coathanger-tlp-clear/TLP-CLEAR+MIVD+AIVD+Advisory+COATHANGER.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2023-10-04T15:36:06.160Z", "name": "Sardonic", "description": "[Sardonic](https://attack.mitre.org/software/S1085) is a backdoor written in C and C++ that is known to have been used by [FIN8](https://attack.mitre.org/groups/G0061) as early as August 2021 to target a financial institution in the United States. 
[Sardonic](https://attack.mitre.org/software/S1085) has a plugin system that can load specially made DLLs and execute their functions.(Citation: Bitdefender Sardonic Aug 2021)(Citation: Symantec FIN8 Jul 2023)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.0", "x_mitre_contributors": ["Serhii Melnyk, Trustwave SpiderLabs"], "x_mitre_aliases": ["Sardonic"], "type": "malware", "id": "malware--0c52f5bc-557d-4083-bd27-66d7cdb794bb", "created": "2023-09-05T15:56:46.250Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1085", "external_id": "S1085"}, {"source_name": "Bitdefender Sardonic Aug 2021", "description": "Budaca, E., et al. (2021, August 25). FIN8 Threat Actor Goes Agile with New Sardonic Backdoor. Retrieved August 9, 2023.", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/401/Bitdefender-PR-Whitepaper-FIN8-creat5619-en-EN.pdf"}, {"source_name": "Symantec FIN8 Jul 2023", "description": "Symantec Threat Hunter Team. (2023, July 18). FIN8 Uses Revamped Sardonic Backdoor to Deliver Noberus Ransomware. Retrieved August 9, 2023.", "url": "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/syssphinx-fin8-backdoor"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-04-11T00:04:55.094Z", "name": "Smoke Loader", "description": "[Smoke Loader](https://attack.mitre.org/software/S0226) is a malicious bot application that can be used to load other malware.\n[Smoke Loader](https://attack.mitre.org/software/S0226) has been seen in the wild since at least 2011 and has included a number of different payloads. 
It is notorious for its use of deception and self-protection. It also comes with several plug-ins. (Citation: Malwarebytes SmokeLoader 2016) (Citation: Microsoft Dofoil 2018)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.3", "x_mitre_aliases": ["Smoke Loader", "Dofoil"], "type": "malware", "id": "malware--0c824410-58ff-49b2-9cf2-1c96b182bdf0", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0226", "external_id": "S0226"}, {"source_name": "Smoke Loader", "description": "(Citation: Malwarebytes SmokeLoader 2016) (Citation: Microsoft Dofoil 2018)"}, {"source_name": "Dofoil", "description": "(Citation: Malwarebytes SmokeLoader 2016) (Citation: Microsoft Dofoil 2018)"}, {"source_name": "Malwarebytes SmokeLoader 2016", "description": "Hasherezade. (2016, September 12). Smoke Loader \u2013 downloader with a smokescreen still alive. Retrieved March 20, 2018.", "url": "https://blog.malwarebytes.com/threat-analysis/2016/08/smoke-loader-downloader-with-a-smokescreen-still-alive/"}, {"source_name": "Microsoft Dofoil 2018", "description": "Windows Defender Research. (2018, March 7). Behavior monitoring combined with machine learning spoils a massive Dofoil coin mining campaign. 
Retrieved March 20, 2018.", "url": "https://cloudblogs.microsoft.com/microsoftsecure/2018/03/07/behavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--0ced8926-914e-4c78-bc93-356fb90dbd1f", "type": "malware", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0151", "external_id": "S0151"}, {"source_name": "FireEye FIN7 April 2017", "description": "Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017.", "url": "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html"}], "modified": "2018-10-17T00:14:20.652Z", "name": "HALFBAKED", "description": "[HALFBAKED](https://attack.mitre.org/software/S0151) is a malware family consisting of multiple components intended to establish persistence in victim networks. (Citation: FireEye FIN7 April 2017)", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-04-10T20:39:43.747Z", "name": "WindTail", "description": "[WindTail](https://attack.mitre.org/software/S0466) is a macOS surveillance implant used by [Windshift](https://attack.mitre.org/groups/G0112). 
[WindTail](https://attack.mitre.org/software/S0466) shares code similarities with Hack Back aka KitM OSX.(Citation: SANS Windshift August 2018)(Citation: objective-see windtail1 dec 2018)(Citation: objective-see windtail2 jan 2019)", "x_mitre_platforms": ["macOS"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.1", "x_mitre_aliases": ["WindTail"], "type": "malware", "id": "malware--0d1f9f5b-11ea-42c3-b5f4-63cce0122541", "created": "2020-06-04T19:01:53.566Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0466", "external_id": "S0466"}, {"source_name": "SANS Windshift August 2018", "description": "Karim, T. (2018, August). TRAILS OF WINDSHIFT. Retrieved June 25, 2020.", "url": "https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1554718868.pdf"}, {"source_name": "objective-see windtail1 dec 2018", "description": "Wardle, Patrick. (2018, December 20). Middle East Cyber-Espionage analyzing WindShift's implant: OSX.WindTail (part 1). Retrieved October 3, 2019.", "url": "https://objective-see.com/blog/blog_0x3B.html"}, {"source_name": "objective-see windtail2 jan 2019", "description": "Wardle, Patrick. (2019, January 15). Middle East Cyber-Espionage analyzing WindShift's implant: OSX.WindTail (part 2). 
Retrieved October 3, 2019.", "url": "https://objective-see.com/blog/blog_0x3D.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2022-09-30T21:01:41.137Z", "name": "Misdat", "description": "[Misdat](https://attack.mitre.org/software/S0083) is a backdoor that was used in [Operation Dust Storm](https://attack.mitre.org/campaigns/C0016) from 2010 to 2011.(Citation: Cylance Dust Storm)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.2", "x_mitre_aliases": ["Misdat"], "type": "malware", "id": "malware--0db09158-6e48-4e7c-8ce7-2b10b9c0c039", "created": "2017-05-31T21:32:55.126Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0083", "external_id": "S0083"}, {"source_name": "Cylance Dust Storm", "description": "Gross, J. (2016, February 23). Operation Dust Storm. 
Retrieved December 22, 2021.", "url": "https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["FLIPSIDE"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--0e18b800-906c-4e44-a143-b11c72b3448b", "type": "malware", "created": "2018-01-16T16:13:52.465Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0173", "external_id": "S0173"}, {"source_name": "FLIPSIDE", "description": "(Citation: Mandiant FIN5 GrrCON Oct 2016)"}, {"url": "https://www.youtube.com/watch?v=fevGZs0EQu8", "description": "Bromiley, M. and Lewis, P. (2016, October 7). Attacking the Hospitality and Gaming Industries: Tracking an Attacker Around the World in 7 Years. Retrieved October 6, 2017.", "source_name": "Mandiant FIN5 GrrCON Oct 2016"}], "modified": "2020-03-30T16:24:24.753Z", "name": "FLIPSIDE", "description": "[FLIPSIDE](https://attack.mitre.org/software/S0173) is a simple tool similar to Plink that is used by [FIN5](https://attack.mitre.org/groups/G0053) to maintain access to victims. 
(Citation: Mandiant FIN5 GrrCON Oct 2016)", "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Linux"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["Linux Rabbit"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--0efefea5-78da-4022-92bc-d726139e8883", "type": "malware", "created": "2019-03-04T17:12:37.586Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "S0362", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0362"}, {"source_name": "anomali-linux-rabbit", "url": "https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat", "description": "Anomali Threat Research. (2018, December 6). Pulling Linux Rabbit/Rabbot Malware Out of a Hat. Retrieved December 17, 2020."}, {"source_name": "Anomali Linux Rabbit 2018", "url": "https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat", "description": "Anomali Labs. (2018, December 6). Pulling Linux Rabbit/Rabbot Malware Out of a Hat. Retrieved March 4, 2019."}], "modified": "2020-12-22T15:46:17.965Z", "name": "Linux Rabbit", "description": "[Linux Rabbit](https://attack.mitre.org/software/S0362) is malware that targeted Linux servers and IoT devices in a campaign lasting from August to October 2018. It shares code with another strain of malware known as Rabbot. 
The goal of the campaign was to install cryptocurrency miners onto the targeted servers and devices.(Citation: Anomali Linux Rabbit 2018)\n", "x_mitre_version": "1.2", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_contributors": ["Ryan Becwar"], "x_mitre_aliases": ["adbupd"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--0f1ad2ef-41d4-4b7a-9304-ddae68ea3005", "type": "malware", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0202", "external_id": "S0202"}, {"source_name": "adbupd", "description": "(Citation: Microsoft PLATINUM April 2016)"}, {"url": "https://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf", "description": "Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018.", "source_name": "Microsoft PLATINUM April 2016"}], "modified": "2020-03-30T18:33:31.623Z", "name": "adbupd", "description": "[adbupd](https://attack.mitre.org/software/S0202) is a backdoor used by [PLATINUM](https://attack.mitre.org/groups/G0068) that is similar to [Dipsind](https://attack.mitre.org/software/S0200). 
(Citation: Microsoft PLATINUM April 2016)", "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-04-11T02:35:14.040Z", "name": "Emissary", "description": "[Emissary](https://attack.mitre.org/software/S0082) is a Trojan that has been used by [Lotus Blossom](https://attack.mitre.org/groups/G0030). It shares code with [Elise](https://attack.mitre.org/software/S0081), with both Trojans being part of a malware group referred to as LStudio. (Citation: Lotus Blossom Dec 2015)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.3", "x_mitre_aliases": ["Emissary"], "type": "malware", "id": "malware--0f862b01-99da-47cc-9bdb-db4a86a95bb1", "created": "2017-05-31T21:32:54.772Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0082", "external_id": "S0082"}, {"source_name": "Emissary", "description": "(Citation: Lotus Blossom Dec 2015)"}, {"source_name": "Lotus Blossom Dec 2015", "description": "Falcone, R. and Miller-Osborn, J. (2015, December 18). Attack on French Diplomat Linked to Operation Lotus Blossom. Retrieved February 15, 2016.", "url": "http://researchcenter.paloaltonetworks.com/2015/12/attack-on-french-diplomat-linked-to-operation-lotus-blossom/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-04-11T02:34:14.304Z", "name": "Exaramel for Linux", "description": "[Exaramel for Linux](https://attack.mitre.org/software/S0401) is a backdoor written in the Go Programming Language and compiled as a 64-bit ELF binary. 
The Windows version is tracked separately under [Exaramel for Windows](https://attack.mitre.org/software/S0343).(Citation: ESET TeleBots Oct 2018)", "x_mitre_platforms": ["Linux"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.3", "x_mitre_aliases": ["Exaramel for Linux"], "type": "malware", "id": "malware--11194d8b-fdce-45d2-8047-df15bb8f16bd", "created": "2019-08-26T13:02:46.378Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0401", "external_id": "S0401"}, {"source_name": "Exaramel for Linux", "description": "(Citation: ESET TeleBots Oct 2018)"}, {"source_name": "ESET TeleBots Oct 2018", "description": "Cherepanov, A., Lipovsky, R. (2018, October 11). New TeleBots backdoor: First evidence linking Industroyer to NotPetya. Retrieved November 27, 2018.", "url": "https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["KEYMARBLE"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--11e36d5b-6a92-4bf9-8eb7-85eb24f59e22", "type": "malware", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0271", "external_id": "S0271"}, {"source_name": "KEYMARBLE", "description": "(Citation: US-CERT KEYMARBLE Aug 2018)"}, {"source_name": "US-CERT KEYMARBLE Aug 2018", "description": "US-CERT. (2018, August 09). 
MAR-10135536-17 \u2013 North Korean Trojan: KEYMARBLE. Retrieved August 16, 2018.", "url": "https://www.us-cert.gov/ncas/analysis-reports/AR18-221A"}], "modified": "2020-03-30T16:53:14.872Z", "name": "KEYMARBLE", "description": "[KEYMARBLE](https://attack.mitre.org/software/S0271) is a Trojan that has reportedly been used by the North Korean government. (Citation: US-CERT KEYMARBLE Aug 2018)", "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["BUBBLEWRAP", "Backdoor.APT.FakeWinHTTPHelper"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--123bd7b3-675c-4b1a-8482-c55782b20e2b", "type": "malware", "created": "2017-05-31T21:32:33.738Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0043", "external_id": "S0043"}, {"source_name": "FireEye admin@338", "description": "FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015.", "url": "https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html"}], "modified": "2020-03-30T15:03:26.307Z", "name": "BUBBLEWRAP", "description": "[BUBBLEWRAP](https://attack.mitre.org/software/S0043) is a full-featured, second-stage backdoor used by the [admin@338](https://attack.mitre.org/groups/G0018) group. It is set to run when the system boots and includes functionality to check, upload, and register plug-ins that can further enhance its capabilities. 
(Citation: FireEye admin@338)", "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-04-11T02:23:13.352Z", "name": "HAWKBALL", "description": "[HAWKBALL](https://attack.mitre.org/software/S0391) is a backdoor that was observed in targeting of the government sector in Central Asia.(Citation: FireEye HAWKBALL Jun 2019)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.2", "x_mitre_aliases": ["HAWKBALL"], "type": "malware", "id": "malware--12a7450d-b03e-4990-a5b8-b405ab9c803b", "created": "2019-06-20T14:52:45.057Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0391", "external_id": "S0391"}, {"source_name": "HAWKBALL", "description": "(Citation: FireEye HAWKBALL Jun 2019)"}, {"source_name": "FireEye HAWKBALL Jun 2019", "description": "Patil, S. and Williams, M.. (2019, June 5). Government Sector in Central Asia Targeted With New HAWKBALL Backdoor Delivered via Microsoft Office Vulnerabilities. 
Retrieved June 20, 2019.", "url": "https://www.fireeye.com/blog/threat-research/2019/06/government-in-central-asia-targeted-with-hawkball-backdoor.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-04-11T00:25:13.397Z", "name": "PS1", "description": "[PS1](https://attack.mitre.org/software/S0613) is a loader that was used to deploy 64-bit backdoors in the [CostaRicto](https://attack.mitre.org/groups/G0132) campaign.(Citation: BlackBerry CostaRicto November 2020)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.2", "x_mitre_aliases": ["PS1"], "type": "malware", "id": "malware--13183cdf-280b-46be-913a-5c6df47831e7", "created": "2021-05-24T14:55:59.316Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0613", "external_id": "S0613"}, {"source_name": "BlackBerry CostaRicto November 2020", "description": "The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. 
Retrieved May 24, 2021.", "url": "https://blogs.blackberry.com/en/2020/11/the-costaricto-campaign-cyber-espionage-outsourced"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-04-10T22:18:21.527Z", "name": "Ursnif", "description": "[Ursnif](https://attack.mitre.org/software/S0386) is a banking trojan and variant of the Gozi malware observed being spread through various automated exploit kits, [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001)s, and malicious links.(Citation: NJCCIC Ursnif Sept 2016)(Citation: ProofPoint Ursnif Aug 2016) [Ursnif](https://attack.mitre.org/software/S0386) is associated primarily with data theft, but variants also include components (backdoors, spyware, file injectors, etc.) capable of a wide variety of behaviors.(Citation: TrendMicro Ursnif Mar 2015)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.5", "x_mitre_aliases": ["Ursnif", "Gozi-ISFB", "PE_URSNIF", "Dreambot"], "type": "malware", "id": "malware--1492d0f8-7e14-4af3-9239-bc3fe10d3407", "created": "2019-06-04T18:42:22.552Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0386", "external_id": "S0386"}, {"source_name": "Gozi-ISFB", "description": "(Citation: FireEye Ursnif Nov 2017)(Citation: ProofPoint Ursnif Aug 2016)"}, {"source_name": "Ursnif", "description": "(Citation: NJCCIC Ursnif Sept 2016)"}, {"source_name": "Dreambot", "description": "(Citation: NJCCIC Ursnif Sept 2016)(Citation: ProofPoint Ursnif Aug 2016)"}, {"source_name": "PE_URSNIF", "description": "(Citation: TrendMicro Ursnif Mar 2015)"}, {"source_name": "TrendMicro Ursnif Mar 
2015", "description": "Caragay, R. (2015, March 26). URSNIF: The Multifaceted Malware. Retrieved June 5, 2019.", "url": "https://web.archive.org/web/20210719165945/https://www.trendmicro.com/en_us/research/15/c/ursnif-the-multifaceted-malware.html?_ga=2.165628854.808042651.1508120821-744063452.1505819992"}, {"source_name": "NJCCIC Ursnif Sept 2016", "description": "NJCCIC. (2016, September 27). Ursnif. Retrieved June 4, 2019.", "url": "https://www.cyber.nj.gov/threat-profiles/trojan-variants/ursnif"}, {"source_name": "ProofPoint Ursnif Aug 2016", "description": "Proofpoint Staff. (2016, August 25). Nightmare on Tor Street: Ursnif variant Dreambot adds Tor functionality. Retrieved June 5, 2019.", "url": "https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality"}, {"source_name": "FireEye Ursnif Nov 2017", "description": "Vaish, A. & Nemes, S. (2017, November 28). Newly Observed Ursnif Variant Employs Malicious TLS Callback Technique to Achieve Process Injection. Retrieved June 5, 2019.", "url": "https://www.fireeye.com/blog/threat-research/2017/11/ursnif-variant-malicious-tls-callback-technique.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-04-10T22:32:30.915Z", "name": "ThreatNeedle", "description": "[ThreatNeedle](https://attack.mitre.org/software/S0665) is a backdoor that has been used by [Lazarus Group](https://attack.mitre.org/groups/G0032) since at least 2019 to target cryptocurrency, defense, and mobile gaming organizations. It is considered to be an advanced cluster of [Lazarus Group](https://attack.mitre.org/groups/G0032)'s Manuscrypt (a.k.a. 
NukeSped) malware family.(Citation: Kaspersky ThreatNeedle Feb 2021)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.2", "x_mitre_aliases": ["ThreatNeedle"], "type": "malware", "id": "malware--16040b1c-ed28-4850-9d8f-bb8b81c42092", "created": "2021-11-30T15:46:36.159Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0665", "external_id": "S0665"}, {"source_name": "Kaspersky ThreatNeedle Feb 2021", "description": "Vyacheslav Kopeytsev and Seongsu Park. (2021, February 25). Lazarus targets defense industry with ThreatNeedle. Retrieved October 27, 2021.", "url": "https://securelist.com/lazarus-threatneedle/100803/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2022-09-30T20:52:00.462Z", "name": "ZLib", "description": "[ZLib](https://attack.mitre.org/software/S0086) is a full-featured backdoor that was used as a second-stage implant during [Operation Dust Storm](https://attack.mitre.org/campaigns/C0016) since at least 2014. 
[ZLib](https://attack.mitre.org/software/S0086) is malware and should not be confused with the legitimate compression library from which its name is derived.(Citation: Cylance Dust Storm)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.2", "x_mitre_aliases": ["ZLib"], "type": "malware", "id": "malware--166c0eca-02fd-424a-92c0-6b5106994d31", "created": "2017-05-31T21:32:56.394Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0086", "external_id": "S0086"}, {"source_name": "Cylance Dust Storm", "description": "Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.", "url": "https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-04-11T00:17:52.256Z", "name": "RedLeaves", "description": "[RedLeaves](https://attack.mitre.org/software/S0153) is a malware family used by [menuPass](https://attack.mitre.org/groups/G0045). The code overlaps with [PlugX](https://attack.mitre.org/software/S0013) and may be based upon the open source tool Trochilus. 
(Citation: PWC Cloud Hopper Technical Annex April 2017) (Citation: FireEye APT10 April 2017)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.2", "x_mitre_contributors": ["Edward Millington"], "x_mitre_aliases": ["RedLeaves", "BUGJUICE"], "type": "malware", "id": "malware--17b40f60-729f-4fe8-8aea-cc9ee44a95d5", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0153", "external_id": "S0153"}, {"source_name": "RedLeaves", "description": "(Citation: PWC Cloud Hopper Technical Annex April 2017)"}, {"source_name": "BUGJUICE", "description": "Based on similarities in reported malware behavior and open source reporting, it is assessed that the malware named BUGJUICE by FireEye is likely the same as the malware RedLeaves. (Citation: FireEye APT10 April 2017) (Citation: Twitter Nick Carr APT10)"}, {"source_name": "Twitter Nick Carr APT10", "description": "Carr, N.. (2017, April 6). Retrieved June 29, 2017.", "url": "https://twitter.com/ItsReallyNick/status/850105140589633536"}, {"source_name": "FireEye APT10 April 2017", "description": "FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017.", "url": "https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html"}, {"source_name": "PWC Cloud Hopper Technical Annex April 2017", "description": "PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. 
Retrieved April 13, 2017.", "url": "https://www.pwc.co.uk/cyber-security/pdf/pwc-uk-operation-cloud-hopper-technical-annex-april-2017.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--17dec760-9c8f-4f1b-9b4b-0ac47a453234", "type": "malware", "created": "2017-05-31T21:33:16.315Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0133", "external_id": "S0133"}, {"source_name": "Softpedia MinerC", "description": "Cimpanu, C.. (2016, September 9). Cryptocurrency Mining Malware Discovered Targeting Seagate NAS Hard Drives. Retrieved October 12, 2016.", "url": "http://news.softpedia.com/news/cryptocurrency-mining-malware-discovered-targeting-seagate-nas-hard-drives-508119.shtml"}], "modified": "2018-10-17T00:14:20.652Z", "name": "Miner-C", "description": "[Miner-C](https://attack.mitre.org/software/S0133) is malware that mines victims for the Monero cryptocurrency. It has targeted FTP servers and Network Attached Storage (NAS) devices to spread. 
(Citation: Softpedia MinerC)", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["POWERSOURCE", "DNSMessenger"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "type": "malware", "id": "malware--17e919aa-4a49-445c-b103-dbb8df9e7351", "created": "2017-05-31T21:33:24.739Z", "x_mitre_version": "1.1", "external_references": [{"source_name": "mitre-attack", "external_id": "S0145", "url": "https://attack.mitre.org/software/S0145"}, {"source_name": "POWERSOURCE", "description": "(Citation: FireEye FIN7 March 2017)"}, {"source_name": "DNSMessenger", "description": "Based on similar descriptions of functionality, it appears S0145, as named by FireEye, is the same as the first stages of a backdoor named DNSMessenger by Cisco's Talos Intelligence Group. However, FireEye appears to break DNSMessenger into two parts: S0145 and S0146. (Citation: Cisco DNSMessenger March 2017) (Citation: FireEye FIN7 March 2017)"}, {"source_name": "Cisco DNSMessenger March 2017", "url": "http://blog.talosintelligence.com/2017/03/dnsmessenger.html", "description": "Brumaghin, E. and Grady, C.. (2017, March 2). Covert Channels and Poor Decisions: The Tale of DNSMessenger. Retrieved March 8, 2017."}, {"source_name": "FireEye FIN7 March 2017", "url": "https://web.archive.org/web/20180808125108/https:/www.fireeye.com/blog/threat-research/2017/03/fin7_spear_phishing.html", "description": "Miller, S., et al. (2017, March 7). FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings. 
Retrieved March 8, 2017."}], "x_mitre_deprecated": false, "revoked": false, "description": "[POWERSOURCE](https://attack.mitre.org/software/S0145) is a PowerShell backdoor that is a heavily obfuscated and modified version of the publicly available tool DNS_TXT_Pwnage. It was observed in February 2017 in spearphishing campaigns against personnel involved with United States Securities and Exchange Commission (SEC) filings at various organizations. The malware was delivered when macros were enabled by the victim and a VBS script was dropped. (Citation: FireEye FIN7 March 2017) (Citation: Cisco DNSMessenger March 2017)", "modified": "2022-07-20T20:06:44.707Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "POWERSOURCE", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-04-17T20:47:19.566Z", "name": "LITTLELAMB.WOOLTEA", "description": "[LITTLELAMB.WOOLTEA](https://attack.mitre.org/software/S1121) is a backdoor that was used by UNC5325 during [Cutting Edge](https://attack.mitre.org/campaigns/C0029) to deploy malware on targeted Ivanti Connect Secure VPNs and to establish persistence across system upgrades and patches.(Citation: Mandiant Cutting Edge Part 3 February 2024)", "x_mitre_platforms": ["Network"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.0", "x_mitre_aliases": ["LITTLELAMB.WOOLTEA"], "type": "malware", "id": "malware--19256855-65e9-48f2-8b74-9f3d0a994428", "created": "2024-03-13T18:41:57.589Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1121", "external_id": "S1121"}, {"source_name": "Mandiant Cutting Edge Part 3 February 2024", "description": "Lin, M. et al. (2024, February 27). 
Cutting Edge, Part 3: Investigating Ivanti Connect Secure VPN Exploitation and Persistence Attempts. Retrieved March 1, 2024.", "url": "https://www.mandiant.com/resources/blog/investigating-ivanti-exploitation-persistence"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["Felismus"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--196f1f32-e0c2-4d46-99cd-234d4b6befe1", "type": "malware", "created": "2018-01-16T16:13:52.465Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0171", "external_id": "S0171"}, {"source_name": "Felismus", "description": "(Citation: Symantec Sowbug Nov 2017) (Citation: Forcepoint Felismus Mar 2017)"}, {"url": "https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments", "description": "Symantec Security Response. (2017, November 7). Sowbug: Cyber espionage group targets South American and Southeast Asian governments. Retrieved November 16, 2017.", "source_name": "Symantec Sowbug Nov 2017"}, {"url": "https://blogs.forcepoint.com/security-labs/playing-cat-mouse-introducing-felismus-malware", "description": "Somerville, L. and Toro, A. (2017, March 30). Playing Cat & Mouse: Introducing the Felismus Malware. Retrieved November 16, 2017.", "source_name": "Forcepoint Felismus Mar 2017"}], "modified": "2020-03-30T18:52:30.568Z", "name": "Felismus", "description": "[Felismus](https://attack.mitre.org/software/S0171) is a modular backdoor that has been used by [Sowbug](https://attack.mitre.org/groups/G0054). 
(Citation: Symantec Sowbug Nov 2017) (Citation: Forcepoint Felismus Mar 2017)", "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-04-10T20:31:00.234Z", "name": "Zeus Panda", "description": "[Zeus Panda](https://attack.mitre.org/software/S0330) is a Trojan designed to steal banking information and other sensitive credentials for exfiltration. [Zeus Panda](https://attack.mitre.org/software/S0330)\u2019s original source code was leaked in 2011, allowing threat actors to use its source code as a basis for new malware variants. It is mainly used to target Windows operating systems ranging from Windows XP through Windows 10.(Citation: Talos Zeus Panda Nov 2017)(Citation: GDATA Zeus Panda June 2017)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.4", "x_mitre_aliases": ["Zeus Panda"], "type": "malware", "id": "malware--198db886-47af-4f4c-bff5-11b891f85946", "created": "2019-01-29T17:59:43.600Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0330", "external_id": "S0330"}, {"source_name": "Zeus Panda", "description": "(Citation: Talos Zeus Panda Nov 2017)(Citation: GDATA Zeus Panda June 2017)"}, {"source_name": "Talos Zeus Panda Nov 2017", "description": "Brumaghin, E., et al. (2017, November 02). Poisoning the Well: Banking Trojan Targets Google Search Results. Retrieved November 5, 2018.", "url": "https://blog.talosintelligence.com/2017/11/zeus-panda-campaign.html#More"}, {"source_name": "GDATA Zeus Panda June 2017", "description": "Ebach, L. (2017, June 22). Analysis Results of Zeus.Variant.Panda. 
Retrieved November 5, 2018.", "url": "https://cyberwtf.files.wordpress.com/2017/07/panda-whitepaper.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["GeminiDuke"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--199463de-d9be-46d6-bb41-07234c1dd5a6", "type": "malware", "created": "2017-05-31T21:32:36.177Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0049", "external_id": "S0049"}, {"url": "https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf", "description": "F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.", "source_name": "F-Secure The Dukes"}], "modified": "2020-03-30T16:43:20.186Z", "name": "GeminiDuke", "description": "[GeminiDuke](https://attack.mitre.org/software/S0049) is malware that was used by [APT29](https://attack.mitre.org/groups/G0016) from 2009 to 2012. (Citation: F-Secure The Dukes)", "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-04-11T02:46:42.264Z", "name": "CARROTBAT", "description": "[CARROTBAT](https://attack.mitre.org/software/S0462) is a customized dropper that has been in use since at least 2017. 
[CARROTBAT](https://attack.mitre.org/software/S0462) has been used to install [SYSCON](https://attack.mitre.org/software/S0464) and has infrastructure overlap with [KONNI](https://attack.mitre.org/software/S0356).(Citation: Unit 42 CARROTBAT November 2018)(Citation: Unit 42 CARROTBAT January 2020)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.2", "x_mitre_aliases": ["CARROTBAT"], "type": "malware", "id": "malware--1b9f0800-035e-4ed1-9648-b18294cc5bc8", "created": "2020-06-02T14:11:40.581Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0462", "external_id": "S0462"}, {"source_name": "Unit 42 CARROTBAT November 2018", "description": "Grunzweig, J. and Wilhoit, K. (2018, November 29). The Fractured Block Campaign: CARROTBAT Used to Deliver Malware Targeting Southeast Asia. Retrieved June 2, 2020.", "url": "https://unit42.paloaltonetworks.com/unit42-the-fractured-block-campaign-carrotbat-malware-used-to-deliver-malware-targeting-southeast-asia/"}, {"source_name": "Unit 42 CARROTBAT January 2020", "description": "McCabe, A. (2020, January 23). The Fractured Statue Campaign: U.S. Government Agency Targeted in Spear-Phishing Attacks. 
Retrieved June 2, 2020.", "url": "https://unit42.paloaltonetworks.com/the-fractured-statue-campaign-u-s-government-targeted-in-spear-phishing-attacks/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["Matryoshka"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--1cc934e4-b01d-4543-a011-b988dfc1a458", "type": "malware", "created": "2018-01-16T16:13:52.465Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0167", "external_id": "S0167"}, {"source_name": "Matryoshka", "description": "(Citation: ClearSky Wilted Tulip July 2017)"}, {"source_name": "ClearSky Wilted Tulip July 2017", "description": "ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017.", "url": "http://www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf"}, {"source_name": "CopyKittens Nov 2015", "description": "Minerva Labs LTD and ClearSky Cyber Security. (2015, November 23). CopyKittens Attack Group. Retrieved September 11, 2017.", "url": "https://s3-eu-west-1.amazonaws.com/minervaresearchpublic/CopyKittens/CopyKittens.pdf"}], "modified": "2021-04-23T20:13:32.050Z", "name": "Matryoshka", "description": "[Matryoshka](https://attack.mitre.org/software/S0167) is a malware framework used by [CopyKittens](https://attack.mitre.org/groups/G0052) that consists of a dropper, loader, and RAT. It has multiple versions; v1 was seen in the wild from July 2016 until January 2017. v2 has fewer commands and other minor differences. 
(Citation: ClearSky Wilted Tulip July 2017) (Citation: CopyKittens Nov 2015)", "x_mitre_version": "2.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_contributors": ["Center for Threat-Informed Defense (CTID)"], "x_mitre_aliases": ["FrameworkPOS", "Trinity"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--1cdbbcab-903a-414d-8eb0-439a97343737", "type": "malware", "created": "2020-09-08T14:55:46.094Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "S0503", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0503"}, {"source_name": "Trinity", "description": "(Citation: SentinelOne FrameworkPOS September 2019)"}, {"source_name": "SentinelOne FrameworkPOS September 2019", "url": "https://labs.sentinelone.com/fin6-frameworkpos-point-of-sale-malware-analysis-internals-2/", "description": "Kremez, V. (2019, September 19). FIN6 \u201cFrameworkPOS\u201d: Point-of-Sale Malware Analysis & Internals. Retrieved September 8, 2020."}], "modified": "2020-10-19T19:44:15.357Z", "name": "FrameworkPOS", "description": "[FrameworkPOS](https://attack.mitre.org/software/S0503) is a point of sale (POS) malware used by [FIN6](https://attack.mitre.org/groups/G0037) to steal payment card data from systems that run physical POS devices.(Citation: SentinelOne FrameworkPOS September 2019)", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-04-11T02:25:20.119Z", "name": "GravityRAT", "description": "[GravityRAT](https://attack.mitre.org/software/S0237) is a remote access tool (RAT) and has been in ongoing development since 2016. 
The actor behind the tool remains unknown, but two usernames have been recovered that link to the author, which are \"TheMartian\" and \"The Invincible.\" According to the National Computer Emergency Response Team (CERT) of India, the malware has been identified in attacks against organizations and entities in India. (Citation: Talos GravityRAT)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.3", "x_mitre_aliases": ["GravityRAT"], "type": "malware", "id": "malware--1d1fce2f-0db5-402b-9843-4278a0694637", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0237", "external_id": "S0237"}, {"source_name": "GravityRAT", "description": "(Citation: Talos GravityRAT)"}, {"source_name": "Talos GravityRAT", "description": "Mercer, W., Rascagneres, P. (2018, April 26). GravityRAT - The Two-Year Evolution Of An APT Targeting India. Retrieved May 16, 2018.", "url": "https://blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2023-12-26T19:55:54.848Z", "name": "WEBC2", "description": "[WEBC2](https://attack.mitre.org/software/S0109) is a family of backdoor malware used by [APT1](https://attack.mitre.org/groups/G0006) as early as July 2006. [WEBC2](https://attack.mitre.org/software/S0109) backdoors are designed to retrieve a webpage, with commands hidden in HTML comments or special tags, from a predetermined C2 server. 
(Citation: Mandiant APT1 Appendix)(Citation: Mandiant APT1)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "2.0", "x_mitre_contributors": ["Wes Hurd"], "x_mitre_aliases": ["WEBC2"], "type": "malware", "id": "malware--1d808f62-cf63-4063-9727-ff6132514c22", "created": "2017-05-31T21:33:06.433Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0109", "external_id": "S0109"}, {"source_name": "WEBC2", "description": "(Citation: Mandiant APT1)"}, {"source_name": "Mandiant APT1 Appendix", "description": "Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal. Retrieved July 18, 2016.", "url": "https://www.mandiant.com/sites/default/files/2021-09/mandiant-apt1-report.pdf"}, {"source_name": "Mandiant APT1", "description": "Mandiant. (n.d.). APT1 Exposing One of China\u2019s Cyber Espionage Units. 
Retrieved July 18, 2016.", "url": "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2023-02-24T22:25:15.162Z", "name": "Prestige", "description": "[Prestige](https://attack.mitre.org/software/S1058) ransomware has been used by [Sandworm Team](https://attack.mitre.org/groups/G0034) since at least March 2022, including against transportation and related logistics industries in Ukraine and Poland in October 2022.(Citation: Microsoft Prestige ransomware October 2022)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.0", "x_mitre_contributors": ["Mindaugas Gudzis, BT Security"], "x_mitre_aliases": ["Prestige"], "type": "malware", "id": "malware--1da748a5-875d-4212-9222-b4c23ab861be", "created": "2023-01-20T18:43:05.682Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1058", "external_id": "S1058"}, {"source_name": "Microsoft Prestige ransomware October 2022", "description": "MSTIC. (2022, October 14). New \u201cPrestige\u201d ransomware impacts organizations in Ukraine and Poland. 
Retrieved January 19, 2023.", "url": "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["Bankshot", "Trojan Manuscript"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--1f6e3702-7ca1-4582-b2e7-4591297d05a8", "type": "malware", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0239", "external_id": "S0239"}, {"source_name": "Bankshot", "description": "(Citation: McAfee Bankshot)"}, {"source_name": "Trojan Manuscript", "description": "(Citation: McAfee Bankshot)"}, {"url": "https://securingtomorrow.mcafee.com/mcafee-labs/hidden-cobra-targets-turkish-financial-sector-new-bankshot-implant/", "description": "Sherstobitoff, R. (2018, March 08). Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant. Retrieved May 18, 2018.", "source_name": "McAfee Bankshot"}], "modified": "2020-03-30T20:41:17.223Z", "name": "Bankshot", "description": "[Bankshot](https://attack.mitre.org/software/S0239) is a remote access tool (RAT) that was first reported by the Department of Homeland Security in December of 2017. In 2018, [Lazarus Group](https://attack.mitre.org/groups/G0032) used the [Bankshot](https://attack.mitre.org/software/S0239) implant in attacks against the Turkish financial sector. 
(Citation: McAfee Bankshot)", "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2023-09-26T20:19:38.859Z", "name": "SharpDisco", "description": "[SharpDisco](https://attack.mitre.org/software/S1089) is a dropper developed in C# that has been used by [MoustachedBouncer](https://attack.mitre.org/groups/G1019) since at least 2020 to load malicious plugins.(Citation: MoustachedBouncer ESET August 2023)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.0", "x_mitre_aliases": ["SharpDisco"], "type": "malware", "id": "malware--1fefb062-feda-484a-8f10-0cebf65e20e3", "created": "2023-09-26T20:19:15.106Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1089", "external_id": "S1089"}, {"source_name": "MoustachedBouncer ESET August 2023", "description": "Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. 
Retrieved September 25, 2023.", "url": "https://www.welivesecurity.com/en/eset-research/moustachedbouncer-espionage-against-foreign-diplomats-in-belarus/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-04-10T23:47:16.416Z", "name": "StrongPity", "description": "[StrongPity](https://attack.mitre.org/software/S0491) is an information stealing malware used by [PROMETHIUM](https://attack.mitre.org/groups/G0056).(Citation: Bitdefender StrongPity June 2020)(Citation: Talos Promethium June 2020)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.1", "x_mitre_aliases": ["StrongPity"], "type": "malware", "id": "malware--20945359-3b39-4542-85ef-08ecb4e1c174", "created": "2020-07-20T17:41:19.690Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0491", "external_id": "S0491"}, {"source_name": "Talos Promethium June 2020", "description": "Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020.", "url": "https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html"}, {"source_name": "Bitdefender StrongPity June 2020", "description": "Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. 
Retrieved July 20, 2020.", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--211cfe9f-2676-4e1c-a5f5-2c8091da2a68", "type": "malware", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0214", "external_id": "S0214"}, {"source_name": "HAPPYWORK", "description": "(Citation: FireEye APT37 Feb 2018)"}, {"source_name": "FireEye APT37 Feb 2018", "description": "FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018.", "url": "https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf"}], "modified": "2018-10-17T00:14:20.652Z", "name": "HAPPYWORK", "description": "[HAPPYWORK](https://attack.mitre.org/software/S0214) is a downloader used by [APT37](https://attack.mitre.org/groups/G0067) to target South Korean government and financial victims in November 2016. 
(Citation: FireEye APT37 Feb 2018)", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_contributors": ["Pooja Natarajan, NEC Corporation India", "Yoshihiro Kori, NEC Corporation", "Manikantan Srinivasan, NEC Corporation India"], "x_mitre_aliases": ["xCaon"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--21583311-6321-4891-8a37-3eb4e57b0fb1", "type": "malware", "created": "2021-09-29T00:04:26.906Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "S0653", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0653"}, {"source_name": "xCaon", "description": "(Citation: Checkpoint IndigoZebra July 2021)"}, {"source_name": "Checkpoint IndigoZebra July 2021", "url": "https://research.checkpoint.com/2021/indigozebra-apt-continues-to-attack-central-asia-with-evolving-tools/", "description": "CheckPoint Research. (2021, July 1). IndigoZebra APT continues to attack Central Asia with evolving tools. Retrieved September 24, 2021."}, {"source_name": "Securelist APT Trends Q2 2017", "description": "Kaspersky Lab's Global Research & Analysis Team. (2017, August 8). APT Trends report Q2 2017. Retrieved February 15, 2018.", "url": "https://securelist.com/apt-trends-report-q2-2017/79332/"}], "modified": "2021-10-16T02:20:16.562Z", "name": "xCaon", "description": "[xCaon](https://attack.mitre.org/software/S0653) is an HTTP variant of the [BoxCaon](https://attack.mitre.org/software/S0651) malware family that has been used by [IndigoZebra](https://attack.mitre.org/groups/G0136) since at least 2014. 
[xCaon](https://attack.mitre.org/software/S0653) has been used to target political entities in Central Asia, including Kyrgyzstan and Uzbekistan.(Citation: Checkpoint IndigoZebra July 2021)(Citation: Securelist APT Trends Q2 2017)", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["PLAINTEE"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--21c0b55b-5ff3-4654-a05e-e3fc1ee1ce1b", "type": "malware", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0254", "external_id": "S0254"}, {"source_name": "PLAINTEE", "description": "(Citation: Rancor Unit42 June 2018)"}, {"source_name": "Rancor Unit42 June 2018", "description": "Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018.", "url": "https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/"}], "modified": "2020-03-30T17:15:33.608Z", "name": "PLAINTEE", "description": "[PLAINTEE](https://attack.mitre.org/software/S0254) is a malware sample that has been used by [Rancor](https://attack.mitre.org/groups/G0075) in targeted attacks in Singapore and Cambodia. 
(Citation: Rancor Unit42 June 2018)", "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_contributors": ["Arie Olshtein, Check Point", "Kobi Eisenkraft, Check Point"], "x_mitre_aliases": ["Pony"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--222ba512-32d9-49ac-aefd-50ce981ce2ce", "type": "malware", "created": "2020-05-21T21:03:35.244Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "S0453", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0453"}, {"source_name": "Malwarebytes Pony April 2016", "url": "https://blog.malwarebytes.com/threat-analysis/2015/11/no-money-but-pony-from-a-mail-to-a-trojan-horse/", "description": "hasherezade. (2016, April 11). No money, but Pony! From a mail to a trojan horse. Retrieved May 21, 2020."}], "modified": "2020-06-25T21:57:40.642Z", "name": "Pony", "description": "[Pony](https://attack.mitre.org/software/S0453) is a credential stealing malware, though has also been used among adversaries for its downloader capabilities. 
The source code for Pony Loader 1.0 and 2.0 were leaked online, leading to their use by various threat actors.(Citation: Malwarebytes Pony April 2016)", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["WinMM"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--22addc7b-b39f-483d-979a-1b35147da5de", "type": "malware", "created": "2017-05-31T21:32:40.004Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "S0059", "url": "https://attack.mitre.org/software/S0059", "source_name": "mitre-attack"}, {"source_name": "Baumgartner Naikon 2015", "description": "Baumgartner, K., Golovkin, M.. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019.", "url": "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf"}], "modified": "2020-03-30T18:27:57.226Z", "name": "WinMM", "description": "[WinMM](https://attack.mitre.org/software/S0059) is a full-featured, simple backdoor used by [Naikon](https://attack.mitre.org/groups/G0019). 
(Citation: Baumgartner Naikon 2015)", "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["Nebulae"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--22b17791-45bf-45c0-9322-ff1a0af5cf2b", "type": "malware", "created": "2021-06-30T14:44:35.055Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "S0630", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0630"}, {"source_name": "Bitdefender Naikon April 2021", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/396/Bitdefender-PR-Whitepaper-NAIKON-creat5397-en-EN.pdf", "description": "Vrabie, V. (2021, April 23). NAIKON \u2013 Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021."}], "modified": "2021-10-15T22:57:32.775Z", "name": "Nebulae", "description": "[Nebulae](https://attack.mitre.org/software/S0630) is a backdoor that has been used by [Naikon](https://attack.mitre.org/groups/G0019) since at least 2020.(Citation: Bitdefender Naikon April 2021)", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["macOS"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["Janicab"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--234e7770-99b0-4f65-b983-d3230f76a60b", "type": "malware", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0163", "external_id": "S0163"}, {"source_name": "Janicab", 
"description": "Thomas. (2013, July 15). New signed malware called Janicab. Retrieved July 17, 2017.", "url": "http://www.thesafemac.com/new-signed-malware-called-janicab/"}], "modified": "2020-03-19T18:00:00.645Z", "name": "Janicab", "description": "[Janicab](https://attack.mitre.org/software/S0163) is an OS X trojan that relied on a valid developer ID and oblivious users to install it. (Citation: Janicab)", "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-04-11T02:57:01.302Z", "name": "AuditCred", "description": "[AuditCred](https://attack.mitre.org/software/S0347) is a malicious DLL that has been used by [Lazarus Group](https://attack.mitre.org/groups/G0032) during their 2018 attacks.(Citation: TrendMicro Lazarus Nov 2018)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.2", "x_mitre_aliases": ["AuditCred", "Roptimizer"], "type": "malware", "id": "malware--24b4ce59-eaac-4c8b-8634-9b093b7ccd92", "created": "2019-01-30T15:47:41.018Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0347", "external_id": "S0347"}, {"source_name": "AuditCred", "description": "(Citation: TrendMicro Lazarus Nov 2018)"}, {"source_name": "Roptimizer", "description": "(Citation: TrendMicro Lazarus Nov 2018)"}, {"source_name": "TrendMicro Lazarus Nov 2018", "description": "Trend Micro. (2018, November 20). Lazarus Continues Heists, Mounts Attacks on Financial Organizations in Latin America. 
Retrieved December 3, 2018.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-continues-heists-mounts-attacks-on-financial-organizations-in-latin-america/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["Lurid", "Enfal"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--251fbae2-78f6-4de7-84f6-194c727a64ad", "type": "malware", "created": "2017-05-31T21:32:14.527Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0010", "external_id": "S0010"}, {"source_name": "Villeneuve 2014", "description": "Villeneuve, N., Homan, J. (2014, July 31). Spy of the Tiger. Retrieved September 29, 2015.", "url": "https://www.fireeye.com/blog/threat-research/2014/07/spy-of-the-tiger.html"}, {"source_name": "Villeneuve 2011", "description": "Villeneuve, N., Sancho, D. (2011). THE \u201cLURID\u201d DOWNLOADER. Retrieved November 12, 2014.", "url": "http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_dissecting-lurid-apt.pdf"}], "modified": "2020-03-31T12:39:16.608Z", "name": "Lurid", "description": "[Lurid](https://attack.mitre.org/software/S0010) is a malware family that has been used by several groups, including [PittyTiger](https://attack.mitre.org/groups/G0011), in targeted attacks as far back as 2006. 
(Citation: Villeneuve 2014) (Citation: Villeneuve 2011)", "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["Kasidet"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--26fed817-e7bf-41f9-829a-9075ffac45c2", "type": "malware", "created": "2017-05-31T21:32:57.344Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0088", "external_id": "S0088"}, {"source_name": "Zscaler Kasidet", "description": "Yadav, A., et al. (2016, January 29). Malicious Office files dropping Kasidet and Dridex. Retrieved March 24, 2016.", "url": "http://research.zscaler.com/2016/01/malicious-office-files-dropping-kasidet.html"}], "modified": "2020-03-30T16:54:23.238Z", "name": "Kasidet", "description": "[Kasidet](https://attack.mitre.org/software/S0088) is a backdoor that has been dropped by using malicious VBA macros. 
(Citation: Zscaler Kasidet)", "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["OceanSalt"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--288fa242-e894-4c7e-ac86-856deedf5cea", "type": "malware", "created": "2019-01-30T15:43:19.105Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "S0346", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0346"}, {"source_name": "OceanSalt", "description": "(Citation: McAfee Oceansalt Oct 2018)"}, {"description": "Sherstobitoff, R., Malhotra, A. (2018, October 18). \u2018Operation Oceansalt\u2019 Attacks South Korea, U.S., and Canada With Source Code From Chinese Hacker Group. Retrieved November 30, 2018.", "url": "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-oceansalt.pdf", "source_name": "McAfee Oceansalt Oct 2018"}], "modified": "2020-03-30T17:12:48.823Z", "name": "OceanSalt", "description": "[OceanSalt](https://attack.mitre.org/software/S0346) is a Trojan that was used in a campaign targeting victims in South Korea, United States, and Canada. 
[OceanSalt](https://attack.mitre.org/software/S0346) shares code similarity with [SpyNote RAT](https://attack.mitre.org/software/S0305), which has been linked to [APT1](https://attack.mitre.org/groups/G0006).(Citation: McAfee Oceansalt Oct 2018)", "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["Brave Prince"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "type": "malware", "id": "malware--28b97733-ef07-4414-aaa5-df50b2d30cc5", "created": "2018-10-17T00:14:20.652Z", "x_mitre_version": "1.2", "external_references": [{"source_name": "mitre-attack", "external_id": "S0252", "url": "https://attack.mitre.org/software/S0252"}, {"source_name": "Brave Prince", "description": "(Citation: McAfee Gold Dragon)"}, {"source_name": "McAfee Gold Dragon", "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/", "description": "Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims\u2019 Systems. Retrieved June 6, 2018."}], "x_mitre_deprecated": false, "revoked": false, "description": "[Brave Prince](https://attack.mitre.org/software/S0252) is a Korean-language implant that was first observed in the wild in December 2017. It contains similar code and behavior to [Gold Dragon](https://attack.mitre.org/software/S0249), and was seen along with [Gold Dragon](https://attack.mitre.org/software/S0249) and [RunningRAT](https://attack.mitre.org/software/S0253) in operations surrounding the 2018 Pyeongchang Winter Olympics. 
(Citation: McAfee Gold Dragon)", "modified": "2022-04-11T21:44:52.220Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Brave Prince", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-04-11T00:22:35.591Z", "name": "RainyDay", "description": "[RainyDay](https://attack.mitre.org/software/S0629) is a backdoor tool that has been used by [Naikon](https://attack.mitre.org/groups/G0019) since at least 2020.(Citation: Bitdefender Naikon April 2021)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.1", "x_mitre_aliases": ["RainyDay"], "type": "malware", "id": "malware--29231689-5837-4a7a-aafc-1b65b3f50cc7", "created": "2021-06-29T14:46:45.468Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0629", "external_id": "S0629"}, {"source_name": "Bitdefender Naikon April 2021", "description": "Vrabie, V. (2021, April 23). NAIKON \u2013 Traces from a Military Cyber-Espionage Operation. 
Retrieved June 29, 2021.", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/396/Bitdefender-PR-Whitepaper-NAIKON-creat5397-en-EN.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["Ecipekac", "HEAVYHAND", "SigLoader", "DESLoader"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--292eb0c5-b8e8-4af6-9e8f-0fda6b4528d3", "type": "malware", "created": "2021-06-18T18:56:41.244Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "S0624", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0624"}, {"source_name": "HEAVYHAND", "description": "(Citation: Securelist APT10 March 2021)"}, {"source_name": "SigLoader", "description": "(Citation: Securelist APT10 March 2021)"}, {"source_name": "DESLoader", "description": "(Citation: Securelist APT10 March 2021)"}, {"source_name": "Securelist APT10 March 2021", "url": "https://securelist.com/apt10-sophisticated-multi-layered-loader-ecipekac-discovered-in-a41apt-campaign/101519/", "description": "GREAT. (2021, March 30). APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign. 
Retrieved June 17, 2021."}], "modified": "2021-10-11T14:18:23.361Z", "name": "Ecipekac", "description": "[Ecipekac](https://attack.mitre.org/software/S0624) is a multi-layer loader that has been used by [menuPass](https://attack.mitre.org/groups/G0045) since at least 2019 including use as a loader for [P8RAT](https://attack.mitre.org/software/S0626), [SodaMaster](https://attack.mitre.org/software/S0627), and [FYAnti](https://attack.mitre.org/software/S0628).(Citation: Securelist APT10 March 2021)", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows", "Android"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["AppleSeed"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--295721d2-ee20-4fa3-ade3-37f4146b4570", "type": "malware", "created": "2021-06-10T14:53:49.448Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "S0622", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0622"}, {"source_name": "Malwarebytes Kimsuky June 2021", "url": "https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/", "description": "Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. 
Retrieved June 10, 2021."}], "modified": "2022-03-15T20:08:18.786Z", "name": "AppleSeed", "description": "[AppleSeed](https://attack.mitre.org/software/S0622) is a backdoor that has been used by [Kimsuky](https://attack.mitre.org/groups/G0094) to target South Korean government, academic, and commercial targets since at least 2021.(Citation: Malwarebytes Kimsuky June 2021)", "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-03-28T19:04:24.485Z", "name": "BUSHWALK", "description": "[BUSHWALK](https://attack.mitre.org/software/S1118) is a web shell written in Perl that was inserted into the legitimate querymanifest.cgi file on compromised Ivanti Connect Secure VPNs during [Cutting Edge](https://attack.mitre.org/campaigns/C0029).(Citation: Mandiant Cutting Edge Part 2 January 2024)(Citation: Mandiant Cutting Edge Part 3 February 2024)", "x_mitre_platforms": ["Network"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.0", "x_mitre_aliases": ["BUSHWALK"], "type": "malware", "id": "malware--29a0bb87-1162-4c83-9834-2a98a876051b", "created": "2024-03-07T20:16:36.898Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1118", "external_id": "S1118"}, {"source_name": "Mandiant Cutting Edge Part 3 February 2024", "description": "Lin, M. et al. (2024, February 27). Cutting Edge, Part 3: Investigating Ivanti Connect Secure VPN Exploitation and Persistence Attempts. Retrieved March 1, 2024.", "url": "https://www.mandiant.com/resources/blog/investigating-ivanti-exploitation-persistence"}, {"source_name": "Mandiant Cutting Edge Part 2 January 2024", "description": "Lin, M. et al. (2024, January 31). Cutting Edge, Part 2: Investigating Ivanti Connect Secure VPN Zero-Day Exploitation. 
Retrieved February 27, 2024.", "url": "https://www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2022-10-19T21:01:46.587Z", "name": "macOS.OSAMiner", "description": "[macOS.OSAMiner](https://attack.mitre.org/software/S1048) is a Monero mining trojan that was first observed in 2018; security researchers assessed [macOS.OSAMiner](https://attack.mitre.org/software/S1048) may have been circulating since at least 2015. [macOS.OSAMiner](https://attack.mitre.org/software/S1048) is known for embedding one run-only AppleScript into another, which helped the malware evade full analysis for five years due to a lack of Apple event (AEVT) analysis tools.(Citation: SentinelLabs reversing run-only applescripts 2021)(Citation: VMRay OSAMiner dynamic analysis 2021)", "x_mitre_platforms": ["macOS"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.0", "x_mitre_aliases": ["macOS.OSAMiner"], "type": "malware", "id": "malware--2a59a237-1530-4d55-91f9-2aebf961cc37", "created": "2022-10-04T06:35:40.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1048", "external_id": "S1048"}, {"source_name": "SentinelLabs reversing run-only applescripts 2021", "description": "Phil Stokes. (2021, January 11). FADE DEAD | Adventures in Reversing Malicious Run-Only AppleScripts. Retrieved September 29, 2022.", "url": "https://www.sentinelone.com/labs/fade-dead-adventures-in-reversing-malicious-run-only-applescripts/"}, {"source_name": "VMRay OSAMiner dynamic analysis 2021", "description": "VMRAY. (2021, January 14). 
Malware Analysis Spotlight: OSAMiner Uses Run-Only AppleScripts to Evade Detection. Retrieved October 4, 2022.", "url": "https://www.vmray.com/cyber-security-blog/osaminer-uses-applescripts-evade-detection-malware-analysis-spotlight/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["LOWBALL"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--2a6f4c7b-e690-4cc7-ab6b-1f821fb6b80b", "type": "malware", "created": "2017-05-31T21:32:33.348Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0042", "external_id": "S0042"}, {"url": "https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html", "description": "FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015.", "source_name": "FireEye admin@338"}], "modified": "2020-03-30T16:56:27.375Z", "name": "LOWBALL", "description": "[LOWBALL](https://attack.mitre.org/software/S0042) is malware used by [admin@338](https://attack.mitre.org/groups/G0018). It was used in August 2015 in email messages targeting Hong Kong-based media organizations. 
(Citation: FireEye admin@338)", "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2023-09-20T20:04:20.149Z", "name": "NETWIRE", "description": "[NETWIRE](https://attack.mitre.org/software/S0198) is a publicly available, multiplatform remote administration tool (RAT) that has been used by criminal and APT groups since at least 2012.(Citation: FireEye APT33 Sept 2017)(Citation: McAfee Netwire Mar 2015)(Citation: FireEye APT33 Webinar Sept 2017)", "x_mitre_platforms": ["Windows", "Linux", "macOS"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.6", "x_mitre_contributors": ["Tony Lambert, Red Canary"], "x_mitre_aliases": ["NETWIRE"], "type": "malware", "id": "malware--2a70812b-f1ef-44db-8578-a496a227aef2", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0198", "external_id": "S0198"}, {"source_name": "NETWIRE", "description": "(Citation: FireEye APT33 Sept 2017) (Citation: FireEye APT33 Webinar Sept 2017) (Citation: McAfee Netwire Mar 2015)"}, {"source_name": "FireEye APT33 Webinar Sept 2017", "description": "Davis, S. and Carr, N. (2017, September 21). APT33: New Insights into Iranian Cyber Espionage Group. Retrieved February 15, 2018.", "url": "https://www.brighttalk.com/webcast/10703/275683"}, {"source_name": "McAfee Netwire Mar 2015", "description": "McAfee. (2015, March 2). Netwire RAT Behind Recent Targeted Attacks. Retrieved February 15, 2018.", "url": "https://securingtomorrow.mcafee.com/mcafee-labs/netwire-rat-behind-recent-targeted-attacks/"}, {"source_name": "FireEye APT33 Sept 2017", "description": "O'Leary, J., et al. (2017, September 20). 
Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware. Retrieved February 15, 2018.", "url": "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2023-03-26T20:20:44.580Z", "name": "TinyTurla", "description": "[TinyTurla](https://attack.mitre.org/software/S0668) is a backdoor that has been used by [Turla](https://attack.mitre.org/groups/G0010) against targets in the US, Germany, and Afghanistan since at least 2020.(Citation: Talos TinyTurla September 2021)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.1", "x_mitre_contributors": ["Kyaw Pyiyt Htet, @KyawPyiytHtet", "Massimiliano Romano, BT Security"], "x_mitre_aliases": ["TinyTurla"], "type": "malware", "id": "malware--2a7c1bb7-cd12-456e-810d-ab3bf8457bab", "created": "2021-12-02T15:09:20.899Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0668", "external_id": "S0668"}, {"source_name": "Talos TinyTurla September 2021", "description": "Cisco Talos. (2021, September 21). TinyTurla - Turla deploys new malware to keep a secret backdoor on victim machines. 
Retrieved December 2, 2021.", "url": "https://blog.talosintelligence.com/2021/09/tinyturla.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-04-11T00:23:58.415Z", "name": "PyDCrypt", "description": "[PyDCrypt](https://attack.mitre.org/software/S1032) is malware written in Python designed to deliver [DCSrv](https://attack.mitre.org/software/S1033). It has been used by [Moses Staff](https://attack.mitre.org/groups/G1009) since at least September 2021, with each sample tailored for its intended victim organization.(Citation: Checkpoint MosesStaff Nov 2021)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.1", "x_mitre_contributors": ["Pooja Natarajan, NEC Corporation India", "Hiroki Nagahama, NEC Corporation", "Manikantan Srinivasan, NEC Corporation India"], "x_mitre_aliases": ["PyDCrypt"], "type": "malware", "id": "malware--2ac41e8b-4865-4ced-839d-78e7852c47f3", "created": "2022-08-11T22:00:20.194Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1032", "external_id": "S1032"}, {"source_name": "Checkpoint MosesStaff Nov 2021", "description": "Checkpoint Research. (2021, November 15). Uncovering MosesStaff techniques: Ideology over Money. 
Retrieved August 11, 2022.", "url": "https://research.checkpoint.com/2021/mosesstaff-targeting-israeli-companies/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["HyperStack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--2cf7dec3-66fc-423f-b2c7-58f1de243b4e", "type": "malware", "created": "2020-12-02T20:48:23.462Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "S0537", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0537"}, {"source_name": "Accenture HyperStack October 2020", "url": "https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity", "description": "Accenture. (2020, October). Turla uses HyperStack, Carbon, and Kazuar to compromise government entity. Retrieved December 2, 2020."}], "modified": "2020-12-04T15:04:01.604Z", "name": "HyperStack", "description": "[HyperStack](https://attack.mitre.org/software/S0537) is a RPC-based backdoor used by [Turla](https://attack.mitre.org/groups/G0010) since at least 2018. 
[HyperStack](https://attack.mitre.org/software/S0537) has similarities to other backdoors used by [Turla](https://attack.mitre.org/groups/G0010) including [Carbon](https://attack.mitre.org/software/S0335).(Citation: Accenture HyperStack October 2020)", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["macOS"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["iKitten", "OSX/MacDownloader"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--2cfe8a26-5be7-4a09-8915-ea3d9e787513", "type": "malware", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0278", "external_id": "S0278"}, {"source_name": "iKitten", "description": "(Citation: objsee mac malware 2017)."}, {"source_name": "OSX/MacDownloader", "description": "(Citation: objsee mac malware 2017)."}, {"source_name": "objsee mac malware 2017", "description": "Patrick Wardle. (n.d.). Mac Malware of 2017. 
Retrieved September 21, 2018.", "url": "https://objective-see.com/blog/blog_0x25.html"}], "modified": "2020-03-30T18:37:55.343Z", "name": "iKitten", "description": "[iKitten](https://attack.mitre.org/software/S0278) is a macOS exfiltration agent (Citation: objsee mac malware 2017).", "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["HAMMERTOSS", "HammerDuke", "NetDuke"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--2daa14d6-cbf3-4308-bb8e-213c324a08e4", "type": "malware", "created": "2017-05-31T21:32:29.203Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0037", "external_id": "S0037"}, {"source_name": "FireEye APT29", "description": "FireEye Labs. (2015, July). HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group. Retrieved September 17, 2015.", "url": "https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf"}, {"source_name": "F-Secure The Dukes", "description": "F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.", "url": "https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf"}], "modified": "2021-02-09T13:58:23.806Z", "name": "HAMMERTOSS", "description": "[HAMMERTOSS](https://attack.mitre.org/software/S0037) is a backdoor that was used by [APT29](https://attack.mitre.org/groups/G0016) in 2015. 
(Citation: FireEye APT29) (Citation: F-Secure The Dukes)", "x_mitre_version": "1.2", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2023-03-26T17:51:20.402Z", "name": "OLDBAIT", "description": "[OLDBAIT](https://attack.mitre.org/software/S0138) is a credential harvester used by [APT28](https://attack.mitre.org/groups/G0007). (Citation: FireEye APT28) (Citation: FireEye APT28 January 2017)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.1", "x_mitre_aliases": ["OLDBAIT", "Sasfis"], "type": "malware", "id": "malware--2dd34b01-6110-4aac-835d-b5e7b936b0be", "created": "2017-05-31T21:33:18.946Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0138", "external_id": "S0138"}, {"source_name": "FireEye APT28 January 2017", "description": "FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved January 11, 2017.", "url": "https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf"}, {"source_name": "FireEye APT28", "description": "FireEye. (2015). APT28: A WINDOW INTO RUSSIA\u2019S CYBER ESPIONAGE OPERATIONS?. 
Retrieved August 19, 2015.", "url": "https://web.archive.org/web/20151022204649/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2022-10-12T17:29:57.200Z", "name": "Bad Rabbit", "description": "[Bad Rabbit](https://attack.mitre.org/software/S0606) is a self-propagating ransomware that affected the Ukrainian transportation sector in 2017. [Bad Rabbit](https://attack.mitre.org/software/S0606) has also targeted organizations and consumers in Russia. (Citation: Secure List Bad Rabbit)(Citation: ESET Bad Rabbit)(Citation: Dragos IT ICS Ransomware) ", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack", "ics-attack"], "x_mitre_version": "1.0", "x_mitre_aliases": ["Bad Rabbit", "Win32/Diskcoder.D"], "type": "malware", "id": "malware--2eaa5319-5e1e-4dd7-bbc4-566fced3964a", "created": "2021-02-09T14:35:39.455Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0606", "external_id": "S0606"}, {"source_name": "ESET Bad Rabbit", "description": "M.L\u00e9veille, M-E.. (2017, October 24). Bad Rabbit: Not\u2011Petya is back with improved ransomware. Retrieved January 28, 2021.", "url": "https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/"}, {"source_name": "Secure List Bad Rabbit", "description": "Mamedov, O. Sinitsyn, F. Ivanov, A.. (2017, October 24). Bad Rabbit ransomware. Retrieved January 28, 2021.", "url": "https://securelist.com/bad-rabbit-ransomware/82851/"}, {"source_name": "Dragos IT ICS Ransomware", "description": "Slowik, J.. (2019, April 10). 
Implications of IT Ransomware for ICS Environments. Retrieved January 28, 2021.", "url": "https://www.dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["CosmicDuke", "TinyBaron", "BotgenStudios", "NemesisGemina"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--2eb9b131-d333-4a48-9eb4-d8dec46c19ee", "type": "malware", "created": "2017-05-31T21:32:36.550Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0050", "external_id": "S0050"}, {"source_name": "F-Secure The Dukes", "description": "F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.", "url": "https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf"}], "modified": "2020-03-28T21:32:37.171Z", "name": "CosmicDuke", "description": "[CosmicDuke](https://attack.mitre.org/software/S0050) is malware that was used by [APT29](https://attack.mitre.org/groups/G0016) from 2010 to 2015. (Citation: F-Secure The Dukes)", "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2023-03-23T15:14:18.597Z", "name": "EvilGrab", "description": "[EvilGrab](https://attack.mitre.org/software/S0152) is a malware family with common reconnaissance capabilities. It has been deployed by [menuPass](https://attack.mitre.org/groups/G0045) via malicious Microsoft Office documents as part of spearphishing campaigns. 
(Citation: PWC Cloud Hopper Technical Annex April 2017)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.1", "x_mitre_aliases": ["EvilGrab"], "type": "malware", "id": "malware--2f1a9fd0-3b7c-4d77-a358-78db13adbe78", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0152", "external_id": "S0152"}, {"source_name": "PWC Cloud Hopper Technical Annex April 2017", "description": "PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.", "url": "https://www.pwc.co.uk/cyber-security/pdf/pwc-uk-operation-cloud-hopper-technical-annex-april-2017.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-04-11T02:34:42.912Z", "name": "EnvyScout", "description": "[EnvyScout](https://attack.mitre.org/software/S0634) is a dropper that has been used by [APT29](https://attack.mitre.org/groups/G0016) since at least 2021.(Citation: MSTIC Nobelium Toolset May 2021)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.1", "x_mitre_aliases": ["EnvyScout"], "type": "malware", "id": "malware--2f8229dc-da94-41c6-89ba-b5b6c32f6b7d", "created": "2021-08-02T15:31:32.397Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0634", "external_id": "S0634"}, {"source_name": "MSTIC Nobelium Toolset May 2021", "description": "MSTIC. (2021, May 28). Breaking down NOBELIUM\u2019s latest early-stage toolset. 
Retrieved August 4, 2021.", "url": "https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["SslMM"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--2fb26586-2b53-4b9a-ad4f-2b3bcb9a2421", "type": "malware", "created": "2017-05-31T21:32:39.606Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "S0058", "url": "https://attack.mitre.org/software/S0058", "source_name": "mitre-attack"}, {"source_name": "Baumgartner Naikon 2015", "description": "Baumgartner, K., Golovkin, M.. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019.", "url": "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf"}], "modified": "2020-03-18T15:53:57.549Z", "name": "SslMM", "description": "[SslMM](https://attack.mitre.org/software/S0058) is a full-featured backdoor used by [Naikon](https://attack.mitre.org/groups/G0019) that has multiple variants. (Citation: Baumgartner Naikon 2015)", "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-04-11T02:24:46.255Z", "name": "GreyEnergy", "description": "[GreyEnergy](https://attack.mitre.org/software/S0342) is a backdoor written in C and compiled in Visual Studio. 
[GreyEnergy](https://attack.mitre.org/software/S0342) shares similarities with the [BlackEnergy](https://attack.mitre.org/software/S0089) malware and is thought to be the successor of it.(Citation: ESET GreyEnergy Oct 2018)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.2", "x_mitre_aliases": ["GreyEnergy"], "type": "malware", "id": "malware--308b3d68-a084-4dfb-885a-3125e1a9c1e8", "created": "2019-01-30T13:53:14.264Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0342", "external_id": "S0342"}, {"source_name": "GreyEnergy", "description": "(Citation: ESET GreyEnergy Oct 2018)"}, {"source_name": "ESET GreyEnergy Oct 2018", "description": "Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018.", "url": "https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "type": "malware", "id": "malware--310f437b-29e7-4844-848c-7220868d074a", "created": "2018-04-18T17:59:24.739Z", "x_mitre_version": "1.0", "external_references": [{"source_name": "mitre-attack", "external_id": "S0209", "url": "https://attack.mitre.org/software/S0209"}], "x_mitre_deprecated": false, "revoked": true, "description": "", "modified": "2022-04-21T18:18:58.351Z", "name": "Darkmoon", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-04-11T02:58:53.131Z", "name": 
"Aria-body", "description": "[Aria-body](https://attack.mitre.org/software/S0456) is a custom backdoor that has been used by [Naikon](https://attack.mitre.org/groups/G0019) since approximately 2017.(Citation: CheckPoint Naikon May 2020)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.2", "x_mitre_aliases": ["Aria-body"], "type": "malware", "id": "malware--3161d76a-e2b2-4b97-9906-24909b735386", "created": "2020-05-26T19:36:04.663Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0456", "external_id": "S0456"}, {"source_name": "CheckPoint Naikon May 2020", "description": "CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020.", "url": "https://research.checkpoint.com/2020/naikon-apt-cyber-espionage-reloaded/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2023-09-29T19:44:43.868Z", "name": "Emotet", "description": "[Emotet](https://attack.mitre.org/software/S0367) is a modular malware variant which is primarily used as a downloader for other malware variants such as [TrickBot](https://attack.mitre.org/software/S0266) and [IcedID](https://attack.mitre.org/software/S0483). Emotet first emerged in June 2014 and has been primarily used to target the banking sector. 
(Citation: Trend Micro Banking Malware Jan 2019)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.5", "x_mitre_contributors": ["Omkar Gudhate"], "x_mitre_aliases": ["Emotet", "Geodo"], "type": "malware", "id": "malware--32066e94-3112-48ca-b9eb-ba2b59d2f023", "created": "2019-03-25T18:35:14.353Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0367", "external_id": "S0367"}, {"source_name": "Emotet", "description": "(Citation: Trend Micro Banking Malware Jan 2019)(Citation: Kaspersky Emotet Jan 2019)(Citation: CIS Emotet Apr 2017)(Citation: Malwarebytes Emotet Dec 2017)(Citation: Symantec Emotet Jul 2018)(Citation: US-CERT Emotet Jul 2018)(Citation: ESET Emotet Nov 2018)(Citation: Secureworks Emotet Nov 2018)(Citation: Talos Emotet Jan 2019)(Citation: Trend Micro Emotet Jan 2019)(Citation: CIS Emotet Dec 2018)(Citation: Picus Emotet Dec 2018)(Citation: Red Canary Emotet Feb 2019) "}, {"source_name": "Geodo", "description": "(Citation: Trend Micro Emotet Jan 2019)"}, {"source_name": "Talos Emotet Jan 2019", "description": "Brumaghin, E.. (2019, January 15). Emotet re-emerges after the holidays. Retrieved March 25, 2019.", "url": "https://blog.talosintelligence.com/2019/01/return-of-emotet.html"}, {"source_name": "CIS Emotet Apr 2017", "description": "CIS. (2017, April 28). Emotet Changes TTPs and Arrives in United States. Retrieved January 17, 2019.", "url": "https://www.cisecurity.org/blog/emotet-changes-ttp-and-arrives-in-united-states/"}, {"source_name": "CIS Emotet Dec 2018", "description": "CIS. (2018, December 12). MS-ISAC Security Primer- Emotet. Retrieved March 25, 2019.", "url": "https://www.cisecurity.org/white-papers/ms-isac-security-primer-emotet/"}, {"source_name": "Red Canary Emotet Feb 2019", "description": "Donohue, B.. 
(2019, February 13). https://redcanary.com/blog/stopping-emotet-before-it-moves-laterally/. Retrieved March 25, 2019.", "url": "https://redcanary.com/blog/stopping-emotet-before-it-moves-laterally/"}, {"source_name": "ESET Emotet Nov 2018", "description": "ESET . (2018, November 9). Emotet launches major new spam campaign. Retrieved March 25, 2019.", "url": "https://www.welivesecurity.com/2018/11/09/emotet-launches-major-new-spam-campaign/"}, {"source_name": "Secureworks Emotet Nov 2018", "description": "Mclellan, M.. (2018, November 19). Lazy Passwords Become Rocket Fuel for Emotet SMB Spreader. Retrieved March 25, 2019.", "url": "https://www.secureworks.com/blog/lazy-passwords-become-rocket-fuel-for-emotet-smb-spreader"}, {"source_name": "Picus Emotet Dec 2018", "description": "\u00d6zarslan, S. (2018, December 21). The Christmas Card you never wanted - A new wave of Emotet is back to wreak havoc. Retrieved March 25, 2019.", "url": "https://www.picussecurity.com/blog/the-christmas-card-you-never-wanted-a-new-wave-of-emotet-is-back-to-wreak-havoc.html"}, {"source_name": "Trend Micro Banking Malware Jan 2019", "description": "Salvio, J.. (2014, June 27). New Banking Malware Uses Network Sniffing for Data Theft. Retrieved March 25, 2019.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-banking-malware-uses-network-sniffing-for-data-theft/"}, {"source_name": "Kaspersky Emotet Jan 2019", "description": "Shulmin, A. . (2015, April 9). The Banking Trojan Emotet: Detailed Analysis. Retrieved March 25, 2019.", "url": "https://securelist.com/the-banking-trojan-emotet-detailed-analysis/69560/"}, {"source_name": "Malwarebytes Emotet Dec 2017", "description": "Smith, A.. (2017, December 22). Protect your network from Emotet Trojan with Malwarebytes Endpoint Security. Retrieved January 17, 2019.", "url": "https://support.malwarebytes.com/docs/DOC-2295"}, {"source_name": "Symantec Emotet Jul 2018", "description": "Symantec. (2018, July 18). 
The Evolution of Emotet: From Banking Trojan to Threat Distributor. Retrieved March 25, 2019.", "url": "https://www.symantec.com/blogs/threat-intelligence/evolution-emotet-trojan-distributor"}, {"source_name": "Trend Micro Emotet Jan 2019", "description": "Trend Micro. (2019, January 16). Exploring Emotet's Activities . Retrieved March 25, 2019.", "url": "https://documents.trendmicro.com/assets/white_papers/ExploringEmotetsActivities_Final.pdf"}, {"source_name": "US-CERT Emotet Jul 2018", "description": "US-CERT. (2018, July 20). Alert (TA18-201A) Emotet Malware. Retrieved March 25, 2019.", "url": "https://www.us-cert.gov/ncas/alerts/TA18-201A"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["SNUGRIDE"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--3240cbe4-c550-443b-aa76-cc2a7058b870", "type": "malware", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0159", "external_id": "S0159"}, {"source_name": "SNUGRIDE", "description": "(Citation: FireEye APT10 April 2017)"}, {"url": "https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html", "description": "FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. 
Retrieved June 29, 2017.", "source_name": "FireEye APT10 April 2017"}], "modified": "2020-03-30T18:11:04.830Z", "name": "SNUGRIDE", "description": "[SNUGRIDE](https://attack.mitre.org/software/S0159) is a backdoor that has been used by [menuPass](https://attack.mitre.org/groups/G0045) as first stage malware. (Citation: FireEye APT10 April 2017)", "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["Olympic Destroyer"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--3249e92a-870b-426d-8790-ba311c1abfb4", "type": "malware", "created": "2019-03-25T14:07:22.547Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "S0365", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0365"}, {"source_name": "Talos Olympic Destroyer 2018", "url": "https://blog.talosintelligence.com/2018/02/olympic-destroyer.html", "description": "Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer Takes Aim At Winter Olympics. Retrieved March 14, 2019."}, {"source_name": "US District Court Indictment GRU Unit 74455 October 2020", "url": "https://www.justice.gov/opa/press-release/file/1328521/download", "description": "Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020."}], "modified": "2021-04-23T19:32:38.936Z", "name": "Olympic Destroyer", "description": "[Olympic Destroyer](https://attack.mitre.org/software/S0365) is malware that was used by [Sandworm Team](https://attack.mitre.org/groups/G0034) against the 2018 Winter Olympics, held in Pyeongchang, South Korea. The main purpose of the malware was to render infected computer systems inoperable. 
The malware leverages various native Windows utilities and API calls to carry out its destructive tasks. [Olympic Destroyer](https://attack.mitre.org/software/S0365) has worm-like features to spread itself across a computer network in order to maximize its destructive impact.(Citation: Talos Olympic Destroyer 2018)(Citation: US District Court Indictment GRU Unit 74455 October 2020) ", "x_mitre_version": "2.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2023-03-26T18:39:01.095Z", "name": "Crimson", "description": "[Crimson](https://attack.mitre.org/software/S0115) is a remote access Trojan that has been used by [Transparent Tribe](https://attack.mitre.org/groups/G0134) since at least 2016.(Citation: Proofpoint Operation Transparent Tribe March 2016)(Citation: Kaspersky Transparent Tribe August 2020)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.3", "x_mitre_aliases": ["Crimson", "MSIL/Crimson"], "type": "malware", "id": "malware--326af1cd-78e7-45b7-a326-125d2f7ef8f2", "created": "2017-05-31T21:33:08.679Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0115", "external_id": "S0115"}, {"source_name": "MSIL/Crimson", "description": "(Citation: Proofpoint Operation Transparent Tribe March 2016)"}, {"source_name": "Kaspersky Transparent Tribe August 2020", "description": "Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved September 2, 2021.", "url": "https://securelist.com/transparent-tribe-part-1/98127/"}, {"source_name": "Proofpoint Operation Transparent Tribe March 2016", "description": "Huss, D. (2016, March 1). Operation Transparent Tribe. 
Retrieved June 8, 2016.", "url": "https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_contributors": ["Craig Smith, BT Security"], "x_mitre_aliases": ["Tomiris"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "type": "malware", "id": "malware--327b3a25-9e60-4431-b3b6-93b9c64eacbc", "created": "2021-12-29T14:47:19.862Z", "x_mitre_version": "1.0", "external_references": [{"source_name": "mitre-attack", "external_id": "S0671", "url": "https://attack.mitre.org/software/S0671"}, {"source_name": "Kaspersky Tomiris Sep 2021", "url": "https://securelist.com/darkhalo-after-solarwinds-the-tomiris-connection/104311/", "description": "Kwiatkoswki, I. and Delcher, P. (2021, September 29). DarkHalo After SolarWinds: the Tomiris connection. Retrieved December 27, 2021."}], "x_mitre_deprecated": false, "revoked": false, "description": "[Tomiris](https://attack.mitre.org/software/S0671) is a backdoor written in Go that continuously queries its C2 server for executables to download and execute on a victim system. It was first reported in September 2021 during an investigation of a successful DNS hijacking campaign against a Commonwealth of Independent States (CIS) member. 
Security researchers assess there are similarities between [Tomiris](https://attack.mitre.org/software/S0671) and [GoldMax](https://attack.mitre.org/software/S0588).(Citation: Kaspersky Tomiris Sep 2021)", "modified": "2022-04-15T13:14:08.071Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Tomiris", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2023-03-27T19:55:35.688Z", "name": "TEARDROP", "description": "[TEARDROP](https://attack.mitre.org/software/S0560) is a memory-only dropper that was discovered on some victim machines during investigations related to the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024). It was likely used by [APT29](https://attack.mitre.org/groups/G0016) since at least May 2020.(Citation: FireEye SUNBURST Backdoor December 2020)(Citation: Microsoft Deep Dive Solorigate January 2021)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.2", "x_mitre_aliases": ["TEARDROP"], "type": "malware", "id": "malware--32f49626-87f4-4d6c-8f59-a0dca953fe26", "created": "2021-01-06T17:34:43.835Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0560", "external_id": "S0560"}, {"source_name": "FireEye SUNBURST Backdoor December 2020", "description": "FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021.", "url": "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html"}, {"source_name": "Microsoft Deep Dive Solorigate January 2021", "description": "MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). 
Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop . Retrieved January 22, 2021.", "url": "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows", "Linux"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_contributors": ["Zaw Min Htun, @Z3TAE"], "x_mitre_aliases": ["Turian"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--350f12cf-fd3b-4dad-b323-14b943090df4", "type": "malware", "created": "2021-09-21T15:21:31.795Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "S0647", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0647"}, {"source_name": "ESET BackdoorDiplomacy Jun 2021", "url": "https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/", "description": "Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021"}], "modified": "2021-10-18T13:19:48.020Z", "name": "Turian", "description": "[Turian](https://attack.mitre.org/software/S0647) is a backdoor that has been used by [BackdoorDiplomacy](https://attack.mitre.org/groups/G0135) to target Ministries of Foreign Affairs, telecommunication companies, and charities in Africa, Europe, the Middle East, and Asia. 
First reported in 2021, [Turian](https://attack.mitre.org/software/S0647) is likely related to Quarian, an older backdoor that was last observed being used in 2013 against diplomatic targets in Syria and the United States.(Citation: ESET BackdoorDiplomacy Jun 2021)", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-04-11T02:55:51.310Z", "name": "BADHATCH", "description": "[BADHATCH](https://attack.mitre.org/software/S1081) is a backdoor that has been utilized by [FIN8](https://attack.mitre.org/groups/G0061) since at least 2019. [BADHATCH](https://attack.mitre.org/software/S1081) has been used to target the insurance, retail, technology, and chemical industries in the United States, Canada, South Africa, Panama, and Italy.(Citation: Gigamon BADHATCH Jul 2019)(Citation: BitDefender BADHATCH Mar 2021)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.1", "x_mitre_contributors": ["Serhii Melnyk, Trustwave SpiderLabs"], "x_mitre_aliases": ["BADHATCH"], "type": "malware", "id": "malware--3553b49d-d4ae-4fb6-ab17-0adbc520c888", "created": "2023-08-01T18:07:26.353Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1081", "external_id": "S1081"}, {"source_name": "Gigamon BADHATCH Jul 2019", "description": "Savelesky, K., et al. (2019, July 23). ABADBABE 8BADFOOD: Discovering BADHATCH and a Detailed Look at FIN8's Tooling. Retrieved September 8, 2021.", "url": "https://blog.gigamon.com/2019/07/23/abadbabe-8badf00d-discovering-badhatch-and-a-detailed-look-at-fin8s-tooling/"}, {"source_name": "BitDefender BADHATCH Mar 2021", "description": "Vrabie, V., et al. (2021, March 10). FIN8 Returns with Improved BADHATCH Toolkit. 
Retrieved September 8, 2021.", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/394/Bitdefender-PR-Whitepaper-BADHATCH-creat5237-en-EN.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2023-03-22T04:52:58.843Z", "name": "Machete", "description": "[Machete](https://attack.mitre.org/software/S0409) is a cyber espionage toolset used by [Machete](https://attack.mitre.org/groups/G0095). It is a Python-based backdoor targeting Windows machines that was first observed in 2010.(Citation: ESET Machete July 2019)(Citation: Securelist Machete Aug 2014)(Citation: 360 Machete Sep 2020)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "2.1", "x_mitre_contributors": ["Matias Nicolas Porolli, ESET"], "x_mitre_aliases": ["Machete", "Pyark"], "type": "malware", "id": "malware--35cd1d01-1ede-44d2-b073-a264d727bc04", "created": "2019-09-13T13:17:25.718Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0409", "external_id": "S0409"}, {"source_name": "Pyark", "description": "(Citation: 360 Machete Sep 2020)"}, {"source_name": "Machete", "description": "(Citation: Securelist Machete Aug 2014)"}, {"source_name": "ESET Machete July 2019", "description": "ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.", "url": "https://www.welivesecurity.com/wp-content/uploads/2019/08/ESET_Machete.pdf"}, {"source_name": "Securelist Machete Aug 2014", "description": "Kaspersky Global Research and Analysis Team. (2014, August 20). El Machete. 
Retrieved September 13, 2019.", "url": "https://securelist.com/el-machete/66108/"}, {"source_name": "360 Machete Sep 2020", "description": "kate. (2020, September 25). APT-C-43 steals Venezuelan military secrets to provide intelligence support for the reactionaries \u2014 HpReact campaign. Retrieved November 20, 2020.", "url": "https://blog.360totalsecurity.com/en/apt-c-43-steals-venezuelan-military-secrets-to-provide-intelligence-support-for-the-reactionaries-hpreact-campaign/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2023-03-28T17:21:55.473Z", "name": "PowerLess", "description": "[PowerLess](https://attack.mitre.org/software/S1012) is a PowerShell-based modular backdoor that has been used by [Magic Hound](https://attack.mitre.org/groups/G0059) since at least 2022.(Citation: Cybereason PowerLess February 2022)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.1", "x_mitre_aliases": ["PowerLess"], "type": "malware", "id": "malware--35ee9bf3-264b-4411-8a8f-b58cec8f35e4", "created": "2022-06-01T20:20:02.166Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1012", "external_id": "S1012"}, {"source_name": "Cybereason PowerLess February 2022", "description": "Cybereason Nocturnus. (2022, February 1). PowerLess Trojan: Iranian APT Phosphorus Adds New PowerShell Backdoor for Espionage. 
Retrieved June 1, 2022.", "url": "https://www.cybereason.com/blog/research/powerless-trojan-iranian-apt-phosphorus-adds-new-powershell-backdoor-for-espionage"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["Action RAT"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "type": "malware", "id": "malware--36801ffb-5c85-4c50-9121-6122e389366d", "created": "2022-08-07T14:57:28.124Z", "x_mitre_version": "1.0", "external_references": [{"source_name": "mitre-attack", "external_id": "S1028", "url": "https://attack.mitre.org/software/S1028"}, {"source_name": "MalwareBytes SideCopy Dec 2021", "url": "https://www.malwarebytes.com/blog/news/2021/12/sidecopy-apt-connecting-lures-to-victims-payloads-to-infrastructure", "description": "Threat Intelligence Team. (2021, December 2). SideCopy APT: Connecting lures victims, payloads to infrastructure. 
Retrieved June 13, 2022."}], "x_mitre_deprecated": false, "revoked": false, "description": "[Action RAT](https://attack.mitre.org/software/S1028) is a remote access tool written in Delphi that has been used by [SideCopy](https://attack.mitre.org/groups/G1008) since at least December 2021 against Indian and Afghani government personnel.(Citation: MalwareBytes SideCopy Dec 2021)", "modified": "2022-08-24T16:33:12.503Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Action RAT", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-04-11T02:56:34.181Z", "name": "Avenger", "description": "[Avenger](https://attack.mitre.org/software/S0473) is a downloader that has been used by [BRONZE BUTLER](https://attack.mitre.org/groups/G0060) since at least 2019.(Citation: Trend Micro Tick November 2019)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.1", "x_mitre_aliases": ["Avenger"], "type": "malware", "id": "malware--36ede314-7db4-4d09-b53d-81bbfbe5f6f8", "created": "2020-06-11T15:24:48.709Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0473", "external_id": "S0473"}, {"source_name": "Trend Micro Tick November 2019", "description": "Chen, J. et al. (2019, November). Operation ENDTRADE: TICK\u2019s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. 
Retrieved June 9, 2020.", "url": "https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-04-11T00:25:44.638Z", "name": "Prikormka", "description": "[Prikormka](https://attack.mitre.org/software/S0113) is a malware family used in a campaign known as Operation Groundbait. It has predominantly been observed in Ukraine and was used as early as 2008. (Citation: ESET Operation Groundbait)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.4", "x_mitre_aliases": ["Prikormka"], "type": "malware", "id": "malware--37cc7eb6-12e3-467b-82e8-f20f2cc73c69", "created": "2017-05-31T21:33:07.943Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0113", "external_id": "S0113"}, {"source_name": "ESET Operation Groundbait", "description": "Cherepanov, A.. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. 
Retrieved May 18, 2016.", "url": "http://www.welivesecurity.com/wp-content/uploads/2016/05/Operation-Groundbait.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2022-10-24T18:51:58.072Z", "name": "PingPull", "description": "[PingPull](https://attack.mitre.org/software/S1031) is a remote access Trojan (RAT) written in Visual C++ that has been used by [GALLIUM](https://attack.mitre.org/groups/G0093) since at least June 2022. [PingPull](https://attack.mitre.org/software/S1031) has been used to target telecommunications companies, financial institutions, and government entities in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam.(Citation: Unit 42 PingPull Jun 2022)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.0", "x_mitre_contributors": ["Yoshihiro Kori, NEC Corporation", "Pooja Natarajan, NEC Corporation India", "Manikantan Srinivasan, NEC Corporation India"], "x_mitre_aliases": ["PingPull"], "type": "malware", "id": "malware--3a0f6128-0a01-421d-8eca-e57d8671b1f1", "created": "2022-08-09T18:21:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1031", "external_id": "S1031"}, {"source_name": "Unit 42 PingPull Jun 2022", "description": "Unit 42. (2022, June 13). GALLIUM Expands Targeting Across Telecommunications, Government and Finance Sectors With New PingPull Tool. 
Retrieved August 7, 2022.", "url": "https://unit42.paloaltonetworks.com/pingpull-gallium/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.0.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_contributors": ["Daniyal Naeem, BT Security"], "x_mitre_aliases": ["WellMess"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--3a4197ae-ec63-4162-907b-9a073d1157e4", "type": "malware", "created": "2020-09-24T19:39:44.392Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "S0514", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0514"}, {"source_name": "CISA WellMess July 2020", "url": "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b", "description": "CISA. (2020, July 16). MAR-10296782-2.v1 \u2013 WELLMESS. Retrieved September 24, 2020."}, {"source_name": "PWC WellMess July 2020", "url": "https://www.pwc.co.uk/issues/cyber-security-services/insights/cleaning-up-after-wellmess.html", "description": "PWC. (2020, July 16). How WellMess malware has been used to target COVID-19 vaccines. Retrieved September 24, 2020."}, {"source_name": "NCSC APT29 July 2020", "url": "https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development-V1-1.pdf", "description": "National Cyber Security Centre. (2020, July 16). Advisory: APT29 targets COVID-19 vaccine development. 
Retrieved September 29, 2020."}], "modified": "2021-03-22T18:45:19.504Z", "name": "WellMess", "description": "[WellMess](https://attack.mitre.org/software/S0514) is a lightweight malware family with variants written in .NET and Golang that has been in use since at least 2018 by [APT29](https://attack.mitre.org/groups/G0016).(Citation: CISA WellMess July 2020)(Citation: PWC WellMess July 2020)(Citation: NCSC APT29 July 2020)", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-04-11T02:43:00.252Z", "name": "Dacls", "description": "[Dacls](https://attack.mitre.org/software/S0497) is a multi-platform remote access tool used by [Lazarus Group](https://attack.mitre.org/groups/G0032) since at least December 2019.(Citation: TrendMicro macOS Dacls May 2020)(Citation: SentinelOne Lazarus macOS July 2020)", "x_mitre_platforms": ["macOS", "Linux", "Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.1", "x_mitre_aliases": ["Dacls"], "type": "malware", "id": "malware--3aa169f8-bbf6-44bb-b57d-7f6ada5c2128", "created": "2020-08-07T14:53:56.534Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0497", "external_id": "S0497"}, {"source_name": "TrendMicro macOS Dacls May 2020", "description": "Mabutas, G. (2020, May 11). New MacOS Dacls RAT Backdoor Shows Lazarus\u2019 Multi-Platform Attack Capability. Retrieved August 10, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-dacls-rat-backdoor-show-lazarus-multi-platform-attack-capability/"}, {"source_name": "SentinelOne Lazarus macOS July 2020", "description": "Stokes, P. (2020, July 27). Four Distinct Families of Lazarus Malware Target Apple\u2019s macOS Platform. 
Retrieved August 7, 2020.", "url": "https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["DropBook"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--3ae6097d-d700-46c6-8b21-42fc0bcb48fa", "type": "malware", "created": "2020-12-22T18:36:12.214Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "S0547", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0547"}, {"source_name": "DropBook", "description": "(Citation: Cybereason Molerats Dec 2020)(Citation: BleepingComputer Molerats Dec 2020)"}, {"source_name": "Cybereason Molerats Dec 2020", "url": "https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf", "description": "Cybereason Nocturnus Team. (2020, December 9). MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign. Retrieved December 22, 2020."}, {"source_name": "BleepingComputer Molerats Dec 2020", "url": "https://www.bleepingcomputer.com/news/security/hacking-group-s-new-malware-abuses-google-and-facebook-services/", "description": "Ilascu, I. (2020, December 14). Hacking group\u2019s new malware abuses Google and Facebook services. 
Retrieved December 28, 2020."}], "modified": "2021-08-18T23:44:04.697Z", "name": "DropBook", "description": "[DropBook](https://attack.mitre.org/software/S0547) is a Python-based backdoor compiled with PyInstaller.(Citation: Cybereason Molerats Dec 2020)", "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-04-10T20:34:14.166Z", "name": "Woody RAT", "description": " [Woody RAT](https://attack.mitre.org/software/S1065) is a remote access trojan (RAT) that has been used since at least August 2021 against Russian organizations.(Citation: MalwareBytes WoodyRAT Aug 2022)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.1", "x_mitre_contributors": ["Yoshihiro Kori, NEC Corporation", "Pooja Natarajan, NEC Corporation India", "Manikantan Srinivasan, NEC Corporation India", "Adam Lichters"], "x_mitre_aliases": ["Woody RAT"], "type": "malware", "id": "malware--3bc7e862-5610-4c02-9c48-15b2e2dc1ddb", "created": "2023-02-14T16:52:39.925Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1065", "external_id": "S1065"}, {"source_name": "MalwareBytes WoodyRAT Aug 2022", "description": "MalwareBytes Threat Intelligence Team. (2022, August 3). Woody RAT: A new feature-rich malware spotted in the wild. 
Retrieved December 6, 2022.", "url": "https://www.malwarebytes.com/blog/threat-intelligence/2022/08/woody-rat-a-new-feature-rich-malware-spotted-in-the-wild"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-04-11T00:49:47.226Z", "name": "Mafalda", "description": "[Mafalda](https://attack.mitre.org/software/S1060) is a flexible interactive implant that has been used by [Metador](https://attack.mitre.org/groups/G1013). Security researchers assess the [Mafalda](https://attack.mitre.org/software/S1060) name may be inspired by an Argentinian cartoon character that has been popular as a means of political commentary since the 1960s. (Citation: SentinelLabs Metador Sept 2022)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.1", "x_mitre_contributors": ["Massimiliano Romano, BT Security"], "x_mitre_aliases": ["Mafalda"], "type": "malware", "id": "malware--3be1fb7a-0f7e-415e-8e3a-74a80d596e68", "created": "2023-01-26T01:21:43.409Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1060", "external_id": "S1060"}, {"source_name": "SentinelLabs Metador Sept 2022", "description": "Ehrlich, A., et al. (2022, September). THE MYSTERY OF METADOR | AN UNATTRIBUTED THREAT HIDING IN TELCOS, ISPS, AND UNIVERSITIES. 
Retrieved January 23, 2023.", "url": "https://assets.sentinelone.com/sentinellabs22/metador#page=1"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["KARAE"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--3c02fb1f-cbdb-48f5-abaf-8c81d6e0c322", "type": "malware", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0215", "external_id": "S0215"}, {"source_name": "KARAE", "description": "(Citation: FireEye APT37 Feb 2018)"}, {"url": "https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf", "description": "FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018.", "source_name": "FireEye APT37 Feb 2018"}], "modified": "2020-03-30T16:52:22.775Z", "name": "KARAE", "description": "[KARAE](https://attack.mitre.org/software/S0215) is a backdoor typically used by [APT37](https://attack.mitre.org/groups/G0067) as first-stage malware. (Citation: FireEye APT37 Feb 2018)", "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-04-11T00:02:15.805Z", "name": "Squirrelwaffle", "description": "[Squirrelwaffle](https://attack.mitre.org/software/S1030) is a loader that was first seen in September 2021. 
It has been used in spam email campaigns to deliver additional malware such as [Cobalt Strike](https://attack.mitre.org/software/S0154) and the [QakBot](https://attack.mitre.org/software/S0650) banking trojan.(Citation: ZScaler Squirrelwaffle Sep 2021)(Citation: Netskope Squirrelwaffle Oct 2021)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.1", "x_mitre_contributors": ["Sebastian Showell-Westrip, BT Security", "Harry Hill, BT Security", "Catherine Williams, BT Security"], "x_mitre_aliases": ["Squirrelwaffle"], "type": "malware", "id": "malware--3c18ad16-9eaf-4649-984e-68551bff0d47", "created": "2022-08-09T16:45:36.234Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1030", "external_id": "S1030"}, {"source_name": "ZScaler Squirrelwaffle Sep 2021", "description": "Kumar, A., Stone-Gross, Brett. (2021, September 28). Squirrelwaffle: New Loader Delivering Cobalt Strike. Retrieved August 9, 2022.", "url": "https://www.zscaler.com/blogs/security-research/squirrelwaffle-new-loader-delivering-cobalt-strike"}, {"source_name": "Netskope Squirrelwaffle Oct 2021", "description": "Palazolo, G. (2021, October 7). SquirrelWaffle: New Malware Loader Delivering Cobalt Strike and QakBot. 
Retrieved August 9, 2022.", "url": "https://www.netskope.com/blog/squirrelwaffle-new-malware-loader-delivering-cobalt-strike-and-qakbot"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["ELMER"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "type": "malware", "id": "malware--3cab1b76-2f40-4cd0-8d2c-7ed16eeb909c", "created": "2017-05-31T21:32:43.237Z", "x_mitre_version": "1.1", "external_references": [{"source_name": "mitre-attack", "external_id": "S0064", "url": "https://attack.mitre.org/software/S0064"}, {"source_name": "FireEye EPS Awakens Part 2", "url": "https://web.archive.org/web/20151226205946/https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html", "description": "Winters, R. (2015, December 20). The EPS Awakens - Part 2. Retrieved January 22, 2016."}], "x_mitre_deprecated": false, "revoked": false, "description": "[ELMER](https://attack.mitre.org/software/S0064) is a non-persistent, proxy-aware HTTP backdoor written in Delphi that has been used by [APT16](https://attack.mitre.org/groups/G0023). (Citation: FireEye EPS Awakens Part 2)", "modified": "2022-07-26T23:33:26.355Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "ELMER", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2023-03-26T19:42:34.359Z", "name": "PolyglotDuke", "description": "[PolyglotDuke](https://attack.mitre.org/software/S0518) is a downloader that has been used by [APT29](https://attack.mitre.org/groups/G0016) since at least 2013. 
[PolyglotDuke](https://attack.mitre.org/software/S0518) has been used to drop [MiniDuke](https://attack.mitre.org/software/S0051).(Citation: ESET Dukes October 2019)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.1", "x_mitre_aliases": ["PolyglotDuke"], "type": "malware", "id": "malware--3d57dcc4-be99-4613-9482-d5218f5ec13e", "created": "2020-09-23T15:42:59.822Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0518", "external_id": "S0518"}, {"source_name": "ESET Dukes October 2019", "description": "Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.", "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Linux"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["Umbreon"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--3d8e547d-9456-4f32-a895-dc86134e282f", "type": "malware", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0221", "external_id": "S0221"}, {"source_name": "Umbreon", "description": "(Citation: Umbreon Trend Micro)"}, {"source_name": "Umbreon Trend Micro", "description": "Fernando Merc\u00eas. (2016, September 5). Pok\u00e9mon-themed Umbreon Linux Rootkit Hits x86, ARM Systems. 
Retrieved March 5, 2018.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/pokemon-themed-umbreon-linux-rootkit-hits-x86-arm-systems/?_ga=2.180041126.367598458.1505420282-1759340220.1502477046"}], "modified": "2020-07-01T18:32:47.285Z", "name": "Umbreon", "description": "A Linux rootkit that provides backdoor access and hides from defenders.", "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["AuTo Stealer"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "type": "malware", "id": "malware--3e4e2c79-2b27-4245-a5c1-5586a3cbd8f5", "created": "2022-08-07T15:31:14.540Z", "x_mitre_version": "1.0", "external_references": [{"source_name": "mitre-attack", "external_id": "S1029", "url": "https://attack.mitre.org/software/S1029"}, {"source_name": "MalwareBytes SideCopy Dec 2021", "url": "https://www.malwarebytes.com/blog/news/2021/12/sidecopy-apt-connecting-lures-to-victims-payloads-to-infrastructure", "description": "Threat Intelligence Team. (2021, December 2). SideCopy APT: Connecting lures victims, payloads to infrastructure. 
Retrieved June 13, 2022."}], "x_mitre_deprecated": false, "revoked": false, "description": "[AuTo Stealer](https://attack.mitre.org/software/S1029) is malware written in C++ that has been used by [SideCopy](https://attack.mitre.org/groups/G1008) since at least December 2021 to target government agencies and personnel in India and Afghanistan.(Citation: MalwareBytes SideCopy Dec 2021)", "modified": "2022-08-24T16:37:25.008Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "AuTo Stealer", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-04-11T02:18:41.342Z", "name": "Hildegard", "description": "[Hildegard](https://attack.mitre.org/software/S0601) is malware that targets misconfigured kubelets for initial access and runs cryptocurrency miner operations. The malware was first observed in January 2021. The TeamTNT activity group is believed to be behind [Hildegard](https://attack.mitre.org/software/S0601). (Citation: Unit 42 Hildegard Malware)", "x_mitre_platforms": ["Linux", "Containers", "IaaS"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.2", "x_mitre_contributors": ["Center for Threat-Informed Defense (CTID)"], "x_mitre_aliases": ["Hildegard"], "type": "malware", "id": "malware--40a1b8ec-7295-416c-a6b1-68181d86f120", "created": "2021-04-07T18:07:47.604Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0601", "external_id": "S0601"}, {"source_name": "Unit 42 Hildegard Malware", "description": "Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. 
Retrieved April 5, 2021.", "url": "https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["Agent.btz"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--40d3e230-ed32-469f-ba89-be70cc08ab39", "type": "malware", "created": "2017-05-31T21:32:59.153Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0092", "external_id": "S0092"}, {"url": "https://securelist.com/agent-btz-a-source-of-inspiration/58551/", "description": "Gostev, A.. (2014, March 12). Agent.btz: a Source of Inspiration?. Retrieved April 8, 2016.", "source_name": "Securelist Agent.btz"}], "modified": "2020-03-30T14:50:51.213Z", "name": "Agent.btz", "description": "[Agent.btz](https://attack.mitre.org/software/S0092) is a worm that primarily spreads itself via removable devices such as USB drives. It reportedly infected U.S. military networks in 2008. 
(Citation: Securelist Agent.btz)", "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["SLOWDRIFT"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--414dc555-c79e-4b24-a2da-9b607f7eaf16", "type": "malware", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0218", "external_id": "S0218"}, {"source_name": "SLOWDRIFT", "description": "(Citation: FireEye APT37 Feb 2018)"}, {"url": "https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf", "description": "FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018.", "source_name": "FireEye APT37 Feb 2018"}], "modified": "2020-03-30T18:10:33.691Z", "name": "SLOWDRIFT", "description": "[SLOWDRIFT](https://attack.mitre.org/software/S0218) is a backdoor used by [APT37](https://attack.mitre.org/groups/G0067) against academic and strategic victims in South Korea. 
(Citation: FireEye APT37 Feb 2018)", "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--4189a679-72ed-4a89-a57c-7f689712ecf8", "type": "malware", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0217", "external_id": "S0217"}, {"source_name": "SHUTTERSPEED", "description": "(Citation: FireEye APT37 Feb 2018)"}, {"source_name": "FireEye APT37 Feb 2018", "description": "FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018.", "url": "https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf"}], "modified": "2018-10-17T00:14:20.652Z", "name": "SHUTTERSPEED", "description": "[SHUTTERSPEED](https://attack.mitre.org/software/S0217) is a backdoor used by [APT37](https://attack.mitre.org/groups/G0067). 
(Citation: FireEye APT37 Feb 2018)", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2022-10-05T16:33:54.170Z", "name": "SombRAT", "description": "[SombRAT](https://attack.mitre.org/software/S0615) is a modular backdoor written in C++ that has been used since at least 2019 to download and execute malicious payloads, including [FIVEHANDS](https://attack.mitre.org/software/S0618) ransomware.(Citation: BlackBerry CostaRicto November 2020)(Citation: FireEye FiveHands April 2021)(Citation: CISA AR21-126A FIVEHANDS May 2021)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.2", "x_mitre_aliases": ["SombRAT"], "type": "malware", "id": "malware--425771c5-48b4-4ecd-9f95-74ed3fc9da59", "created": "2021-05-26T13:13:43.366Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0615", "external_id": "S0615"}, {"source_name": "CISA AR21-126A FIVEHANDS May 2021", "description": "CISA. (2021, May 6). Analysis Report (AR21-126A) FiveHands Ransomware. Retrieved June 7, 2021.", "url": "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a"}, {"source_name": "FireEye FiveHands April 2021", "description": "McLellan, T. and Moore, J. et al. (2021, April 29). UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat. Retrieved June 2, 2021.", "url": "https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html"}, {"source_name": "BlackBerry CostaRicto November 2020", "description": "The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. 
Retrieved May 24, 2021.", "url": "https://blogs.blackberry.com/en/2020/11/the-costaricto-campaign-cyber-espionage-outsourced"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-04-11T02:32:31.883Z", "name": "FlawedGrace", "description": "[FlawedGrace](https://attack.mitre.org/software/S0383) is a fully featured remote access tool (RAT) written in C++ that was first observed in late 2017.(Citation: Proofpoint TA505 Jan 2019)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.1", "x_mitre_aliases": ["FlawedGrace"], "type": "malware", "id": "malware--43155329-3edf-47a6-9a14-7dac899b01e4", "created": "2019-05-29T14:33:04.253Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0383", "external_id": "S0383"}, {"source_name": "Proofpoint TA505 Jan 2019", "description": "Schwarz, D. and Proofpoint Staff. (2019, January 9). ServHelper and FlawedGrace - New malware introduced by TA505. 
Retrieved May 28, 2019.", "url": "https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["FLASHFLOOD"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--43213480-78f7-4fb3-976f-d48f5f6a4c2a", "type": "malware", "created": "2017-05-31T21:32:28.754Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0036", "external_id": "S0036"}, {"url": "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf", "description": "FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015.", "source_name": "FireEye APT30"}], "modified": "2020-03-30T02:54:51.882Z", "name": "FLASHFLOOD", "description": "[FLASHFLOOD](https://attack.mitre.org/software/S0036) is malware developed by [APT30](https://attack.mitre.org/groups/G0013) that allows propagation and exfiltration of data over removable devices. [APT30](https://attack.mitre.org/groups/G0013) may use this capability to exfiltrate data across air-gaps. 
(Citation: FireEye APT30)", "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["FlawedAmmyy"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "type": "malware", "id": "malware--432555de-63bf-4f2a-a3fa-f720a4561078", "created": "2019-05-28T19:07:29.816Z", "x_mitre_version": "1.2", "external_references": [{"source_name": "mitre-attack", "external_id": "S0381", "url": "https://attack.mitre.org/software/S0381"}, {"source_name": "Proofpoint TA505 Mar 2018", "url": "https://www.proofpoint.com/us/threat-insight/post/leaked-ammyy-admin-source-code-turned-malware", "description": "Proofpoint Staff. (2018, March 7). Leaked Ammyy Admin Source Code Turned into Malware. Retrieved May 28, 2019."}], "x_mitre_deprecated": false, "revoked": false, "description": "[FlawedAmmyy](https://attack.mitre.org/software/S0381) is a remote access tool (RAT) that was first seen in early 2016. 
The code for [FlawedAmmyy](https://attack.mitre.org/software/S0381) was based on leaked source code for a version of Ammyy Admin, a remote access software.(Citation: Proofpoint TA505 Mar 2018)", "modified": "2022-07-18T15:59:26.387Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "FlawedAmmyy", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2023-10-10T17:18:52.857Z", "name": "Snip3", "description": "[Snip3](https://attack.mitre.org/software/S1086) is a sophisticated crypter-as-a-service that has been used since at least 2021 to obfuscate and load numerous strains of malware including [AsyncRAT](https://attack.mitre.org/software/S1087), [Revenge RAT](https://attack.mitre.org/software/S0379), [Agent Tesla](https://attack.mitre.org/software/S0331), and [NETWIRE](https://attack.mitre.org/software/S0198).(Citation: Morphisec Snip3 May 2021)(Citation: Telefonica Snip3 December 2021)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.0", "x_mitre_contributors": ["Aaron Jornet"], "x_mitre_aliases": ["Snip3"], "type": "malware", "id": "malware--4327aff5-f194-440c-b499-4d9730cc1eab", "created": "2023-09-13T18:52:15.552Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1086", "external_id": "S1086"}, {"source_name": "Telefonica Snip3 December 2021", "description": "Jornet, A. (2021, December 23). Snip3, an investigation into malware. Retrieved September 19, 2023.", "url": "https://telefonicatech.com/blog/snip3-investigacion-malware"}, {"source_name": "Morphisec Snip3 May 2021", "description": "Lorber, N. (2021, May 7). Revealing the Snip3 Crypter, a Highly Evasive RAT Loader. 
Retrieved September 13, 2023.", "url": "https://blog.morphisec.com/revealing-the-snip3-crypter-a-highly-evasive-rat-loader"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["FYAnti", "DILLJUICE stage2"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--434ba392-ebdc-488b-b1ef-518deea65774", "type": "malware", "created": "2021-06-22T14:20:30.164Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "S0628", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0628"}, {"source_name": "DILLJUICE stage2", "description": "(Citation: Securelist APT10 March 2021)"}, {"source_name": "Securelist APT10 March 2021", "url": "https://securelist.com/apt10-sophisticated-multi-layered-loader-ecipekac-discovered-in-a41apt-campaign/101519/", "description": "GREAT. (2021, March 30). APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign. 
Retrieved June 17, 2021."}], "modified": "2021-10-11T15:57:36.797Z", "name": "FYAnti", "description": "[FYAnti](https://attack.mitre.org/software/S0628) is a loader that has been used by [menuPass](https://attack.mitre.org/groups/G0045) since at least 2020, including to deploy [QuasarRAT](https://attack.mitre.org/software/S0262).(Citation: Securelist APT10 March 2021)", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-04-11T00:14:59.199Z", "name": "Rifdoor", "description": "[Rifdoor](https://attack.mitre.org/software/S0433) is a remote access trojan (RAT) that shares numerous code similarities with [HotCroissant](https://attack.mitre.org/software/S0431).(Citation: Carbon Black HotCroissant April 2020)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.1", "x_mitre_aliases": ["Rifdoor"], "type": "malware", "id": "malware--44c75271-0e4d-496f-ae0a-a6d883a42a65", "created": "2020-05-05T14:03:11.359Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0433", "external_id": "S0433"}, {"source_name": "Carbon Black HotCroissant April 2020", "description": "Knight, S.. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. 
Retrieved May 1, 2020.", "url": "https://www.carbonblack.com/2020/04/16/vmware-carbon-black-tau-threat-analysis-the-evolution-of-lazarus/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2022-10-04T21:50:36.241Z", "name": "SUGARUSH", "description": "[SUGARUSH](https://attack.mitre.org/software/S1049) is a small custom backdoor that can establish a reverse shell over TCP to a hard coded C2 address. [SUGARUSH](https://attack.mitre.org/software/S1049) was first identified during analysis of UNC3890's [C0010](https://attack.mitre.org/campaigns/C0010) campaign targeting Israeli companies, which began in late 2020.(Citation: Mandiant UNC3890 Aug 2022)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.0", "x_mitre_aliases": ["SUGARUSH"], "type": "malware", "id": "malware--44e2a842-415b-47f4-8549-83fbdb8a5674", "created": "2022-10-04T21:48:00.086Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1049", "external_id": "S1049"}, {"source_name": "Mandiant UNC3890 Aug 2022", "description": "Mandiant Israel Research Team. (2022, August 17). Suspected Iranian Actor Targeting Israeli Shipping, Healthcare, Government and Energy Sectors. 
Retrieved September 21, 2022.", "url": "https://www.mandiant.com/resources/blog/suspected-iranian-actor-targeting-israeli-shipping"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-01-19T21:09:35.017Z", "name": "LoFiSe", "description": "[LoFiSe](https://attack.mitre.org/software/S1101) has been used by [ToddyCat](https://attack.mitre.org/groups/G1022) since at least 2023 to identify and collect files of interest on targeted systems.(Citation: Kaspersky ToddyCat Check Logs October 2023)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.0", "x_mitre_aliases": ["LoFiSe"], "type": "malware", "id": "malware--452da2d9-706c-4185-ad6f-f5edaf4b9f48", "created": "2024-01-19T21:08:29.427Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1101", "external_id": "S1101"}, {"source_name": "Kaspersky ToddyCat Check Logs October 2023", "description": "Dedola, G. et al. (2023, October 12). ToddyCat: Keep calm and check logs. 
Retrieved January 3, 2024.", "url": "https://securelist.com/toddycat-keep-calm-and-check-logs/110696/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-02-09T19:24:50.164Z", "name": "HOPLIGHT", "description": "[HOPLIGHT](https://attack.mitre.org/software/S0376) is a backdoor Trojan that has reportedly been used by the North Korean government.(Citation: US-CERT HOPLIGHT Apr 2019)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.3", "x_mitre_aliases": ["HOPLIGHT"], "type": "malware", "id": "malware--454fe82d-6fd2-4ac6-91ab-28a33fe01369", "created": "2019-04-19T15:30:36.593Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0376", "external_id": "S0376"}, {"source_name": "HOPLIGHT", "description": "(Citation: US-CERT HOPLIGHT Apr 2019)"}, {"source_name": "US-CERT HOPLIGHT Apr 2019", "description": "US-CERT. (2019, April 10). MAR-10135536-8 \u2013 North Korean Trojan: HOPLIGHT. 
Retrieved April 19, 2019.", "url": "https://www.us-cert.gov/ncas/analysis-reports/AR19-100A"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_contributors": ["Eli Salem, @elisalem9"], "x_mitre_aliases": ["GuLoader"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--45c759ac-b490-48bb-80d4-c8eee3431027", "type": "malware", "created": "2021-01-11T20:49:20.832Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "S0561", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0561"}, {"source_name": "Unit 42 NETWIRE April 2020", "url": "https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/", "description": "Duncan, B. (2020, April 3). GuLoader: Malspam Campaign Installing NetWire RAT. Retrieved January 7, 2021."}, {"source_name": "Medium Eli Salem GuLoader April 2021", "url": "https://elis531989.medium.com/dancing-with-shellcodes-cracking-the-latest-version-of-guloader-75083fb15cb4", "description": "Salem, E. (2021, April 19). Dancing With Shellcodes: Cracking the latest version of Guloader. 
Retrieved July 7, 2021."}], "modified": "2021-10-15T19:14:33.244Z", "name": "GuLoader", "description": "[GuLoader](https://attack.mitre.org/software/S0561) is a file downloader that has been used since at least December 2019 to distribute a variety of remote administration tool (RAT) malware, including [NETWIRE](https://attack.mitre.org/software/S0198), [Agent Tesla](https://attack.mitre.org/software/S0331), [NanoCore](https://attack.mitre.org/software/S0336), FormBook, and Parallax RAT.(Citation: Unit 42 NETWIRE April 2020)(Citation: Medium Eli Salem GuLoader April 2021)", "x_mitre_version": "2.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--463f68f1-5cde-4dc2-a831-68b73488f8f4", "type": "malware", "created": "2017-05-31T21:32:53.681Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0079", "external_id": "S0079"}, {"source_name": "Scarlet Mimic Jan 2016", "description": "Falcone, R. and Miller-Osborn, J.. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016.", "url": "http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/"}], "modified": "2018-10-17T00:14:20.652Z", "name": "MobileOrder", "description": "[MobileOrder](https://attack.mitre.org/software/S0079) is a Trojan intended to compromise Android mobile devices. It has been used by [Scarlet Mimic](https://attack.mitre.org/groups/G0029). 
(Citation: Scarlet Mimic Jan 2016)", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-03-25T19:46:59.150Z", "name": "WastedLocker", "description": "[WastedLocker](https://attack.mitre.org/software/S0612) is a ransomware family attributed to [Indrik Spider](https://attack.mitre.org/groups/G0119) that has been used since at least May 2020. [WastedLocker](https://attack.mitre.org/software/S0612) has been used against a broad variety of sectors, including manufacturing, information technology, and media.(Citation: Symantec WastedLocker June 2020)(Citation: NCC Group WastedLocker June 2020)(Citation: Sentinel Labs WastedLocker July 2020) ", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.1", "x_mitre_contributors": ["Daniyal Naeem, BT Security"], "x_mitre_aliases": ["WastedLocker"], "type": "malware", "id": "malware--46cbafbc-8907-42d3-9002-5327c26f8927", "created": "2021-05-20T17:44:26.582Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0612", "external_id": "S0612"}, {"source_name": "WastedLocker", "description": "(Citation: Symantec WastedLocker June 2020)(Citation: NCC Group WastedLocker June 2020) "}, {"source_name": "NCC Group WastedLocker June 2020", "description": "Antenucci, S., Pantazopoulos, N., Sandee, M. (2020, June 23). WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group. Retrieved September 14, 2021.", "url": "https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/"}, {"source_name": "Symantec WastedLocker June 2020", "description": "Symantec Threat Intelligence. (2020, June 25). WastedLocker: Symantec Identifies Wave of Attacks Against U.S. 
Organizations. Retrieved May 20, 2021.", "url": "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/wastedlocker-ransomware-us"}, {"source_name": "Sentinel Labs WastedLocker July 2020", "description": "Walter, J.. (2020, July 23). WastedLocker Ransomware: Abusing ADS and NTFS File Attributes. Retrieved September 14, 2021.", "url": "https://www.sentinelone.com/labs/wastedlocker-ransomware-abusing-ads-and-ntfs-file-attributes/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2023-03-24T21:24:58.468Z", "name": "RegDuke", "description": "[RegDuke](https://attack.mitre.org/software/S0511) is a first stage implant written in .NET and used by [APT29](https://attack.mitre.org/groups/G0016) since at least 2017. [RegDuke](https://attack.mitre.org/software/S0511) has been used to control a compromised machine when control of other implants on the machine was lost.(Citation: ESET Dukes October 2019)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.1", "x_mitre_aliases": ["RegDuke"], "type": "malware", "id": "malware--47124daf-44be-4530-9c63-038bc64318dd", "created": "2020-09-23T18:04:24.998Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0511", "external_id": "S0511"}, {"source_name": "ESET Dukes October 2019", "description": "Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. 
Retrieved September 23, 2020.", "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["ProLock"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--471d0e9f-2c8a-4e4b-8f3b-f85d2407806e", "type": "malware", "created": "2021-09-30T19:47:47.136Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "S0654", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0654"}, {"source_name": "Group IB Ransomware September 2020", "url": "https://groupib.pathfactory.com/ransomware-reports/prolock_wp", "description": "Group IB. (2020, September). LOCK LIKE A PRO. Retrieved September 27, 2021."}], "modified": "2021-10-15T21:35:09.832Z", "name": "ProLock", "description": "[ProLock](https://attack.mitre.org/software/S0654) is a ransomware strain that has been used in Big Game Hunting (BGH) operations since at least 2020, often obtaining initial access with [QakBot](https://attack.mitre.org/software/S0650). 
[ProLock](https://attack.mitre.org/software/S0654) is the successor to PwndLocker ransomware which was found to contain a bug allowing decryption without ransom payment in 2019.(Citation: Group IB Ransomware September 2020)", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_contributors": ["ESET"], "x_mitre_aliases": ["InvisiMole"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", "type": "malware", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0260", "external_id": "S0260"}, {"source_name": "InvisiMole", "description": "(Citation: ESET InvisiMole June 2018)"}, {"url": "https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/", "description": "Hromcov\u00e1, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.", "source_name": "ESET InvisiMole June 2018"}, {"source_name": "ESET InvisiMole June 2020", "url": "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf", "description": "Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020."}], "modified": "2021-11-29T12:41:28.009Z", "name": "InvisiMole", "description": "[InvisiMole](https://attack.mitre.org/software/S0260) is a modular spyware program that has been used by the InvisiMole Group since at least 2013. [InvisiMole](https://attack.mitre.org/software/S0260) has two backdoor modules called RC2FM and RC2CL that are used to perform post-exploitation activities. 
It has been discovered on compromised victims in the Ukraine and Russia. [Gamaredon Group](https://attack.mitre.org/groups/G0047) infrastructure has been used to download and execute [InvisiMole](https://attack.mitre.org/software/S0260) against a small number of victims.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020)", "x_mitre_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Linux", "Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["P.A.S. Webshell", "Fobushell"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--4800d0f9-00aa-47cd-a4d2-92198585b8fd", "type": "malware", "created": "2021-04-13T12:46:58.579Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "S0598", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0598"}, {"source_name": "Fobushell", "description": "(Citation: NCCIC AR-17-20045 February 2017)"}, {"source_name": "ANSSI Sandworm January 2021", "url": "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf", "description": "ANSSI. (2021, January 27). SANDWORM INTRUSION SET CAMPAIGN TARGETING CENTREON SYSTEMS. Retrieved March 30, 2021."}, {"source_name": "NCCIC AR-17-20045 February 2017", "url": "https://us-cert.cisa.gov/sites/default/files/publications/AR-17-20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity.pdf", "description": "NCCIC. (2017, February 10). Enhanced Analysis of GRIZZLY STEPPE Activity. Retrieved April 12, 2021."}], "modified": "2021-04-13T13:10:36.820Z", "name": "P.A.S. Webshell", "description": "[P.A.S. 
Webshell](https://attack.mitre.org/software/S0598) is a publicly available multifunctional PHP webshell in use since at least 2016 that provides remote access and execution on target web servers.(Citation: ANSSI Sandworm January 2021)", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2023-10-02T21:29:35.492Z", "name": "QUIETEXIT", "description": "[QUIETEXIT](https://attack.mitre.org/software/S1084) is a novel backdoor, based on the open-source Dropbear SSH client-server software, that has been used by [APT29](https://attack.mitre.org/groups/G0016) since at least 2021. [APT29](https://attack.mitre.org/groups/G0016) has deployed [QUIETEXIT](https://attack.mitre.org/software/S1084) on opaque network appliances that typically don't support antivirus or endpoint detection and response tools within a victim environment.(Citation: Mandiant APT29 Eye Spy Email Nov 22)", "x_mitre_platforms": ["Network"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.0", "x_mitre_contributors": ["Joe Gumke, U.S. Bank"], "x_mitre_aliases": ["QUIETEXIT"], "type": "malware", "id": "malware--4816d361-f82b-4a18-aa05-b215e7cf9200", "created": "2023-08-17T17:06:19.976Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1084", "external_id": "S1084"}, {"source_name": "Mandiant APT29 Eye Spy Email Nov 22", "description": "Mandiant. (2022, May 2). UNC3524: Eye Spy on Your Email. 
Retrieved August 17, 2023.", "url": "https://www.mandiant.com/resources/blog/unc3524-eye-spy-email"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["Naid"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--48523614-309e-43bf-a2b8-705c2b45d7b2", "type": "malware", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0205", "external_id": "S0205"}, {"source_name": "Naid", "description": "(Citation: Symantec Naid June 2012)"}, {"source_name": "Symantec Naid June 2012", "description": "Neville, A. (2012, June 15). Trojan.Naid. Retrieved February 22, 2018.", "url": "https://www.symantec.com/security_response/writeup.jsp?docid=2012-061518-4639-99"}, {"url": "https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf", "description": "O'Gorman, G., and McDonald, G.. (2012, September 6). The Elderwood Project. Retrieved February 15, 2018.", "source_name": "Symantec Elderwood Sept 2012"}], "modified": "2021-01-06T19:32:28.371Z", "name": "Naid", "description": "[Naid](https://attack.mitre.org/software/S0205) is a trojan used by [Elderwood](https://attack.mitre.org/groups/G0066) to open a backdoor on compromised hosts. 
(Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Naid June 2012)", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-04-10T22:16:05.440Z", "name": "Volgmer", "description": "[Volgmer](https://attack.mitre.org/software/S0180) is a backdoor Trojan designed to provide covert access to a compromised system. It has been used since at least 2013 to target the government, financial, automotive, and media industries. Its primary delivery mechanism is suspected to be spearphishing. (Citation: US-CERT Volgmer Nov 2017)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.3", "x_mitre_aliases": ["Volgmer"], "type": "malware", "id": "malware--495b6cdb-7b5a-4fbc-8d33-e7ef68806d08", "created": "2018-01-16T16:13:52.465Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0180", "external_id": "S0180"}, {"source_name": "Volgmer", "description": "(Citation: US-CERT Volgmer Nov 2017) (Citation: US-CERT Volgmer 2 Nov 2017) (Citation: Symantec Volgmer Aug 2014)"}, {"source_name": "US-CERT Volgmer 2 Nov 2017", "description": "US-CERT. (2017, November 01). Malware Analysis Report (MAR) - 10135536-D. Retrieved July 16, 2018.", "url": "https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-D_WHITE_S508C.PDF"}, {"source_name": "US-CERT Volgmer Nov 2017", "description": "US-CERT. (2017, November 22). Alert (TA17-318B): HIDDEN COBRA \u2013 North Korean Trojan: Volgmer. Retrieved December 7, 2017.", "url": "https://www.us-cert.gov/ncas/alerts/TA17-318B"}, {"source_name": "Symantec Volgmer Aug 2014", "description": "Yagi, J. (2014, August 24). Trojan.Volgmer. 
Retrieved July 16, 2018.", "url": "https://web.archive.org/web/20181126143456/https://www.symantec.com/security-center/writeup/2014-081811-3237-99?tabid=2"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--49abab73-3c5c-476e-afd5-69b5c732d845", "type": "malware", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0219", "external_id": "S0219"}, {"source_name": "WINERACK", "description": "(Citation: FireEye APT37 Feb 2018)"}, {"source_name": "FireEye APT37 Feb 2018", "description": "FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018.", "url": "https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf"}], "modified": "2018-10-17T00:14:20.652Z", "name": "WINERACK", "description": "[WINERACK](https://attack.mitre.org/software/S0219) is a backdoor used by [APT37](https://attack.mitre.org/groups/G0067). 
(Citation: FireEye APT37 Feb 2018)", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-04-10T22:13:49.349Z", "name": "WhisperGate", "description": "[WhisperGate](https://attack.mitre.org/software/S0689) is a multi-stage wiper designed to look like ransomware that has been used against multiple government, non-profit, and information technology organizations in Ukraine since at least January 2022.(Citation: Cybereason WhisperGate February 2022)(Citation: Unit 42 WhisperGate January 2022)(Citation: Microsoft WhisperGate January 2022)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.2", "x_mitre_contributors": ["Phill Taylor, BT Security", "Matt Brenton, Zurich Global Information Security"], "x_mitre_aliases": ["WhisperGate"], "type": "malware", "id": "malware--49fee0b0-390e-4bde-97f8-97ed46bd19b7", "created": "2022-03-10T16:42:36.137Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0689", "external_id": "S0689"}, {"source_name": "Cybereason WhisperGate February 2022", "description": "Cybereason Nocturnus. (2022, February 15). Cybereason vs. WhisperGate and HermeticWiper. Retrieved March 10, 2022.", "url": "https://www.cybereason.com/blog/cybereason-vs.-whispergate-wiper"}, {"source_name": "Unit 42 WhisperGate January 2022", "description": "Falcone, R. et al.. (2022, January 20). Threat Brief: Ongoing Russia and Ukraine Cyber Conflict. Retrieved March 10, 2022.", "url": "https://unit42.paloaltonetworks.com/ukraine-cyber-conflict-cve-2021-32648-whispergate/#whispergate-malware-family"}, {"source_name": "Microsoft WhisperGate January 2022", "description": "MSTIC. (2022, January 15). Destructive malware targeting Ukrainian organizations. 
Retrieved March 10, 2022.", "url": "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2023-03-22T03:55:46.184Z", "name": "FruitFly", "description": "[FruitFly](https://attack.mitre.org/software/S0277) is macOS malware designed to spy on Mac users (Citation: objsee mac malware 2017).", "x_mitre_platforms": ["macOS"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.2", "x_mitre_aliases": ["FruitFly"], "type": "malware", "id": "malware--4a98e44a-bd52-461e-af1e-a4457de87a36", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0277", "external_id": "S0277"}, {"source_name": "FruitFly", "description": "(Citation: objsee mac malware 2017)."}, {"source_name": "objsee mac malware 2017", "description": "Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018.", "url": "https://objective-see.com/blog/blog_0x25.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-04-10T20:32:14.510Z", "name": "ZeroT", "description": "[ZeroT](https://attack.mitre.org/software/S0230) is a Trojan used by [TA459](https://attack.mitre.org/groups/G0062), often in conjunction with [PlugX](https://attack.mitre.org/software/S0013). 
(Citation: Proofpoint TA459 April 2017) (Citation: Proofpoint ZeroT Feb 2017)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.2", "x_mitre_aliases": ["ZeroT"], "type": "malware", "id": "malware--4ab44516-ad75-4e43-a280-705dc0420e2f", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0230", "external_id": "S0230"}, {"source_name": "ZeroT", "description": "(Citation: Proofpoint TA459 April 2017) (Citation: Proofpoint ZeroT Feb 2017)"}, {"source_name": "Proofpoint TA459 April 2017", "description": "Axel F. (2017, April 27). APT Targets Financial Analysts with CVE-2017-0199. Retrieved February 15, 2018.", "url": "https://www.proofpoint.com/us/threat-insight/post/apt-targets-financial-analysts"}, {"source_name": "Proofpoint ZeroT Feb 2017", "description": "Huss, D., et al. (2017, February 2). Oops, they did it again: APT Targets Russia and Belarus with ZeroT and PlugX. 
Retrieved April 5, 2018.", "url": "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-01-10T15:18:40.400Z", "name": "Keydnap", "description": "[Keydnap](https://attack.mitre.org/software/S0276) is macOS malware that steals the contents of the user's keychain while maintaining a persistent backdoor (Citation: OSX Keydnap malware).", "x_mitre_platforms": ["macOS"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.2", "x_mitre_aliases": ["Keydnap", "OSX/Keydnap"], "type": "malware", "id": "malware--4b072c90-bc7a-432b-940e-016fc1c01761", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0276", "external_id": "S0276"}, {"source_name": "OSX/Keydnap", "description": "(Citation: OSX Keydnap malware)"}, {"source_name": "Keydnap", "description": "(Citation: synack 2016 review)"}, {"source_name": "OSX Keydnap malware", "description": "Marc-Etienne M.Leveille. (2016, July 6). New OSX/Keydnap malware is hungry for credentials. Retrieved July 3, 2017.", "url": "https://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/"}, {"source_name": "synack 2016 review", "description": "Patrick Wardle. (2017, January 1). Mac Malware of 2016. 
Retrieved September 21, 2018.", "url": "https://objective-see.org/blog/blog_0x16.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["RDAT"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--4b346d12-7f91-48d2-8f06-b26ffa0d825b", "type": "malware", "created": "2020-07-28T17:26:36.168Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "S0495", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0495"}, {"source_name": "Unit42 RDAT July 2020", "url": "https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/", "description": "Falcone, R. (2020, July 22). OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory. Retrieved July 28, 2020."}], "modified": "2020-10-15T23:59:45.815Z", "name": "RDAT", "description": "[RDAT](https://attack.mitre.org/software/S0495) is a backdoor used by the suspected Iranian threat group [OilRig](https://attack.mitre.org/groups/G0049). 
[RDAT](https://attack.mitre.org/software/S0495) was originally identified in 2017 and targeted companies in the telecommunications sector.(Citation: Unit42 RDAT July 2020)", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["Hacking Team UEFI Rootkit"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--4b62ab58-c23b-4704-9c15-edd568cd59f8", "type": "malware", "created": "2017-05-31T21:32:35.389Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0047", "external_id": "S0047"}, {"source_name": "TrendMicro Hacking Team UEFI", "description": "Lin, P. (2015, July 13). Hacking Team Uses UEFI BIOS Rootkit to Keep RCS 9 Agent in Target Systems. Retrieved December 11, 2015.", "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-uses-uefi-bios-rootkit-to-keep-rcs-9-agent-in-target-systems/"}], "modified": "2020-03-30T16:48:12.607Z", "name": "Hacking Team UEFI Rootkit", "description": "[Hacking Team UEFI Rootkit](https://attack.mitre.org/software/S0047) is a rootkit developed by the company Hacking Team as a method of persistence for remote access software. 
(Citation: TrendMicro Hacking Team UEFI)", "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-04-11T00:06:31.222Z", "name": "Skidmap", "description": "[Skidmap](https://attack.mitre.org/software/S0468) is a kernel-mode rootkit used for cryptocurrency mining.(Citation: Trend Micro Skidmap)", "x_mitre_platforms": ["Linux"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.1", "x_mitre_aliases": ["Skidmap"], "type": "malware", "id": "malware--4b68b5ea-2e1b-4225-845b-8632f702b9a0", "created": "2020-06-09T21:23:38.995Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0468", "external_id": "S0468"}, {"source_name": "Trend Micro Skidmap", "description": "Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload. 
Retrieved June 4, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_contributors": ["ESET"], "x_mitre_aliases": ["Okrum"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--4b6ec280-7bbb-48ff-ae59-b189520ebe83", "type": "malware", "created": "2020-05-06T21:12:31.535Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "S0439", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0439"}, {"source_name": "ESET Okrum July 2019", "url": "https://www.welivesecurity.com/wp-content/uploads/2019/07/ESET_Okrum_and_Ketrican.pdf", "description": "Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020."}], "modified": "2020-05-14T21:17:53.756Z", "name": "Okrum", "description": "[Okrum](https://attack.mitre.org/software/S0439) is a Windows backdoor that has been seen in use since December 2016 with strong links to [Ke3chang](https://attack.mitre.org/groups/G0004).(Citation: ESET Okrum July 2019)", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2023-10-01T02:47:21.211Z", "name": "Regin", "description": "[Regin](https://attack.mitre.org/software/S0019) is a malware platform that has targeted victims in a range of industries, including telecom, government, and financial institutions. 
Some [Regin](https://attack.mitre.org/software/S0019) timestamps date back to 2003. (Citation: Kaspersky Regin)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.2", "x_mitre_aliases": ["Regin"], "type": "malware", "id": "malware--4c59cce8-cb48-4141-b9f1-f646edfaadb0", "created": "2017-05-31T21:32:17.959Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0019", "external_id": "S0019"}, {"source_name": "Kaspersky Regin", "description": "Kaspersky Lab's Global Research and Analysis Team. (2014, November 24). THE REGIN PLATFORM NATION-STATE OWNAGE OF GSM NETWORKS. Retrieved December 1, 2014.", "url": "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08070305/Kaspersky_Lab_whitepaper_Regin_platform_eng.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Linux"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["Bonadan"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--4c6d62c2-89f5-4159-8fab-0190b1f9d328", "type": "malware", "created": "2020-07-16T14:59:40.051Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "S0486", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0486"}, {"source_name": "ESET ForSSHe December 2018", "url": "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf", "description": "Dumont, R., M.L\u00e9veill\u00e9, M., Porcher, H. (2018, December 1). 
THE DARK SIDE OF THE FORSSHE A landscape of OpenSSH backdoors. Retrieved July 16, 2020."}], "modified": "2020-08-10T19:17:14.766Z", "name": "Bonadan", "description": "[Bonadan](https://attack.mitre.org/software/S0486) is a malicious version of OpenSSH which acts as a custom backdoor. [Bonadan](https://attack.mitre.org/software/S0486) has been active since at least 2018 and combines a new cryptocurrency-mining module with the same credential-stealing module used by the Onderon family of backdoors.(Citation: ESET ForSSHe December 2018)", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-04-11T00:09:42.414Z", "name": "SamSam", "description": "[SamSam](https://attack.mitre.org/software/S0370) is ransomware that appeared in early 2016. Unlike some ransomware, its variants have required operators to manually interact with the malware to execute some of its core components.(Citation: US-CERT SamSam 2018)(Citation: Talos SamSam Jan 2018)(Citation: Sophos SamSam Apr 2018)(Citation: Symantec SamSam Oct 2018)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.1", "x_mitre_aliases": ["SamSam", "Samas"], "type": "malware", "id": "malware--4d56e6e9-1a6d-46e3-896c-dfdf3cc96e62", "created": "2019-04-15T19:40:07.664Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0370", "external_id": "S0370"}, {"source_name": "Sophos SamSam Apr 2018", "description": " Palotay, D. and Mackenzie, P. (2018, April). SamSam Ransomware Chooses Its Targets Carefully. 
Retrieved April 15, 2019.", "url": "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-ransomware-chooses-Its-targets-carefully-wpna.pdf"}, {"source_name": "Samas", "description": "(Citation: US-CERT SamSam 2018)"}, {"source_name": "Symantec SamSam Oct 2018", "description": "Symantec Security Response Attack Investigation Team. (2018, October 30). SamSam: Targeted Ransomware Attacks Continue. Retrieved April 16, 2019.", "url": "https://www.symantec.com/blogs/threat-intelligence/samsam-targeted-ransomware-attacks"}, {"source_name": "US-CERT SamSam 2018", "description": "US-CERT. (2018, December 3). Alert (AA18-337A): SamSam Ransomware. Retrieved March 15, 2019.", "url": "https://www.us-cert.gov/ncas/alerts/AA18-337A"}, {"source_name": "Talos SamSam Jan 2018", "description": "Ventura, V. (2018, January 22). SamSam - The Evolution Continues Netting Over $325,000 in 4 Weeks. Retrieved April 16, 2019.", "url": "https://blog.talosintelligence.com/2018/01/samsam-evolution-continues-netting-over.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["Neoichor"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "type": "malware", "id": "malware--4d7bf2ac-f953-4907-b114-be44dc174d67", "created": "2022-03-22T17:22:38.233Z", "x_mitre_version": "1.0", "external_references": [{"source_name": "mitre-attack", "external_id": "S0691", "url": "https://attack.mitre.org/software/S0691"}, {"source_name": "Microsoft NICKEL December 2021", "url": "https://www.microsoft.com/security/blog/2021/12/06/nickel-targeting-government-organizations-across-latin-america-and-europe", "description": "MSTIC. (2021, December 6). 
NICKEL targeting government organizations across Latin America and Europe. Retrieved March 18, 2022."}], "x_mitre_deprecated": false, "revoked": false, "description": "[Neoichor](https://attack.mitre.org/software/S0691) is C2 malware used by [Ke3chang](https://attack.mitre.org/groups/G0004) since at least 2019; similar malware families used by the group include Leeson and Numbldea.(Citation: Microsoft NICKEL December 2021)", "modified": "2022-04-11T19:34:18.904Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Neoichor", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2023-08-09T18:13:14.416Z", "name": "Conti", "description": "[Conti](https://attack.mitre.org/software/S0575) is a Ransomware-as-a-Service (RaaS) that was first observed in December 2019. [Conti](https://attack.mitre.org/software/S0575) has been deployed via [TrickBot](https://attack.mitre.org/software/S0266) and used against major corporations and government agencies, particularly those in North America. 
As with other ransomware families, actors using [Conti](https://attack.mitre.org/software/S0575) steal sensitive files and information from compromised networks, and threaten to publish this data unless the ransom is paid.(Citation: Cybereason Conti Jan 2021)(Citation: CarbonBlack Conti July 2020)(Citation: Cybleinc Conti January 2020)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "2.2", "x_mitre_contributors": ["Daniyal Naeem, BT Security"], "x_mitre_aliases": ["Conti"], "type": "malware", "id": "malware--4dea7d8e-af94-4bfb-afe4-7ff54f59308b", "created": "2021-02-17T18:51:57.710Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0575", "external_id": "S0575"}, {"source_name": "Conti", "description": "(Citation: CarbonBlack Conti July 2020)(Citation: Cybereason Conti Jan 2021)"}, {"source_name": "CarbonBlack Conti July 2020", "description": "Baskin, B. (2020, July 8). TAU Threat Discovery: Conti Ransomware. Retrieved February 17, 2021.", "url": "https://www.carbonblack.com/blog/tau-threat-discovery-conti-ransomware/"}, {"source_name": "Cybleinc Conti January 2020", "description": "Cybleinc. (2021, January 21). Conti Ransomware Resurfaces, Targeting Government & Large Organizations. Retrieved April 13, 2021.", "url": "https://cybleinc.com/2021/01/21/conti-ransomware-resurfaces-targeting-government-large-organizations/"}, {"source_name": "Cybereason Conti Jan 2021", "description": "Rochberger, L. (2021, January 12). Cybereason vs. Conti Ransomware. 
Retrieved February 17, 2021.", "url": "https://www.cybereason.com/blog/cybereason-vs.-conti-ransomware"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-04-18T14:15:33.229Z", "name": "Mispadu", "description": "[Mispadu](https://attack.mitre.org/software/S1122) is a banking trojan written in Delphi that was first observed in 2019 and uses a Malware-as-a-Service (MaaS) business model.(Citation: ESET Security Mispadu Facebook Ads 2019)(Citation: SCILabs Malteiro 2021) This malware is operated, managed, and sold by the [Malteiro](https://attack.mitre.org/groups/G1026) cybercriminal group.(Citation: SCILabs Malteiro 2021) [Mispadu](https://attack.mitre.org/software/S1122) has mainly been used to target victims in Brazil and Mexico, and has also had confirmed operations throughout Latin America and Europe.(Citation: SCILabs Malteiro 2021)(Citation: SCILabs URSA/Mispadu Evolution 2023)(Citation: Seguran\u00e7a Inform\u00e1tica URSA Sophisticated Loader 2020) ", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.0", "x_mitre_contributors": ["SCILabs"], "x_mitre_aliases": ["Mispadu"], "type": "malware", "id": "malware--4e6464d2-69df-4e56-8d4c-1973f84d7b80", "created": "2024-03-13T20:59:22.655Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1122", "external_id": "S1122"}, {"source_name": "ESET Security Mispadu Facebook Ads 2019", "description": "ESET Security. (2019, November 19). Mispadu: Advertisement for a discounted Unhappy Meal. 
Retrieved March 13, 2024.", "url": "https://www.welivesecurity.com/2019/11/19/mispadu-advertisement-discounted-unhappy-meal/"}, {"source_name": "Seguran\u00e7a Inform\u00e1tica URSA Sophisticated Loader 2020", "description": "Pedro Tavares (Seguran\u00e7a Inform\u00e1tica). (2020, September 15). Threat analysis: The emergent URSA trojan impacts many countries using a sophisticated loader. Retrieved March 13, 2024.", "url": "https://seguranca-informatica.pt/threat-analysis-the-emergent-ursa-trojan-impacts-many-countries-using-a-sophisticated-loader/"}, {"source_name": "SCILabs Malteiro 2021", "description": "SCILabs. (2021, December 23). Cyber Threat Profile Malteiro. Retrieved March 13, 2024.", "url": "https://blog.scilabs.mx/en/cyber-threat-profile-malteiro/"}, {"source_name": "SCILabs URSA/Mispadu Evolution 2023", "description": "SCILabs. (2023, May 23). Evolution of banking trojan URSA/Mispadu. Retrieved March 13, 2024.", "url": "https://blog.scilabs.mx/en/evolution-of-banking-trojan-ursa-mispadu/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["RemoteCMD"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--4e6b9625-bbda-4d96-a652-b3bb45453f26", "type": "malware", "created": "2018-01-16T16:13:52.465Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0166", "external_id": "S0166"}, {"url": "http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong", "description": "Symantec Security Response. (2016, September 6). 
Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016.", "source_name": "Symantec Buckeye"}], "modified": "2020-03-31T12:40:01.208Z", "name": "RemoteCMD", "description": "[RemoteCMD](https://attack.mitre.org/software/S0166) is a custom tool used by [APT3](https://attack.mitre.org/groups/G0022) to execute commands on a remote system, similar in functionality to Sysinternals' PsExec. (Citation: Symantec Buckeye)", "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2023-12-04T20:15:22.258Z", "name": "Diavol", "description": "[Diavol](https://attack.mitre.org/software/S0659) is a ransomware variant first observed in June 2021 that is capable of prioritizing file types to encrypt based on a pre-configured list of extensions defined by the attacker. The [Diavol](https://attack.mitre.org/software/S0659) Ransomware-as-a-Service (RaaS) program is managed by [Wizard Spider](https://attack.mitre.org/groups/G0102) and it has been observed being deployed by [Bazar](https://attack.mitre.org/software/S0534).(Citation: Fortinet Diavol July 2021)(Citation: FBI Flash Diavol January 2022)(Citation: DFIR Diavol Ransomware December 2021)(Citation: Microsoft Ransomware as a Service)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "2.0", "x_mitre_contributors": ["Massimiliano Romano, BT Security"], "x_mitre_aliases": ["Diavol"], "type": "malware", "id": "malware--4e9bdf9a-4957-47f6-87b3-c76898d3f623", "created": "2021-11-12T19:02:16.381Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0659", "external_id": "S0659"}, {"source_name": "Diavol", "description": "(Citation: Fortinet Diavol July 2021)"}, {"source_name": "DFIR Diavol Ransomware 
December 2021", "description": "DFIR Report. (2021, December 13). Diavol Ransomware. Retrieved March 9, 2022.", "url": "https://thedfirreport.com/2021/12/13/diavol-ransomware/"}, {"source_name": "FBI Flash Diavol January 2022", "description": "FBI. (2022, January 19). Indicators of Compromise Associated with Diavol. Retrieved March 9, 2022.", "url": "https://www.ic3.gov/Media/News/2022/220120.pdf"}, {"source_name": "Microsoft Ransomware as a Service", "description": "Microsoft. (2022, May 9). Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself. Retrieved March 10, 2023.", "url": "https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/"}, {"source_name": "Fortinet Diavol July 2021", "description": "Neeamni, D., Rubinfeld, A.. (2021, July 1). Diavol - A New Ransomware Used By Wizard Spider?. Retrieved November 12, 2021.", "url": "https://www.fortinet.com/blog/threat-research/diavol-new-ransomware-used-by-wizard-spider"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-04-11T00:23:21.599Z", "name": "Raindrop", "description": "[Raindrop](https://attack.mitre.org/software/S0565) is a loader used by [APT29](https://attack.mitre.org/groups/G0016) that was discovered on some victim machines during investigations related to the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024). 
It was discovered in January 2021 and was likely used since at least May 2020.(Citation: Symantec RAINDROP January 2021)(Citation: Microsoft Deep Dive Solorigate January 2021)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.3", "x_mitre_aliases": ["Raindrop"], "type": "malware", "id": "malware--4efc3e00-72f2-466a-ab7c-8a7dc6603b19", "created": "2021-01-19T19:43:27.828Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0565", "external_id": "S0565"}, {"source_name": "Raindrop", "description": "(Citation: Symantec RAINDROP January 2021)"}, {"source_name": "Microsoft Deep Dive Solorigate January 2021", "description": "MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop. Retrieved January 22, 2021.", "url": "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/"}, {"source_name": "Symantec RAINDROP January 2021", "description": "Symantec Threat Hunter Team. (2021, January 18). Raindrop: New Malware Discovered in SolarWinds Investigation. 
Retrieved January 19, 2021.", "url": "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Linux", "Containers"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_contributors": ["Center for Threat-Informed Defense (CTID)"], "x_mitre_aliases": ["Doki"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--4f1c389e-a80e-4a3e-9b0e-9be8c91df64f", "type": "malware", "created": "2021-04-06T15:53:34.722Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "S0600", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0600"}, {"source_name": "Intezer Doki July 20", "url": "https://www.intezer.com/blog/cloud-security/watch-your-containers-doki-infecting-docker-servers-in-the-cloud/", "description": "Fishbein, N., Kajiloti, M.. (2020, July 28). Watch Your Containers: Doki Infecting Docker Servers in the Cloud. Retrieved March 30, 2021."}], "modified": "2021-04-19T17:45:07.102Z", "name": "Doki", "description": "[Doki](https://attack.mitre.org/software/S0600) is a backdoor that uses a unique Dogecoin-based Domain Generation Algorithm and was first observed in July 2020. [Doki](https://attack.mitre.org/software/S0600) was used in conjunction with the [ngrok](https://attack.mitre.org/software/S0508) Mining Botnet in a campaign that targeted Docker servers in cloud platforms. 
(Citation: Intezer Doki July 20)", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["TEXTMATE", "DNSMessenger"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "type": "malware", "id": "malware--4f6aa78c-c3d4-4883-9840-96ca2f5d6d47", "created": "2017-05-31T21:33:25.209Z", "x_mitre_version": "1.1", "external_references": [{"source_name": "mitre-attack", "external_id": "S0146", "url": "https://attack.mitre.org/software/S0146"}, {"source_name": "TEXTMATE", "description": "(Citation: FireEye FIN7 March 2017)"}, {"source_name": "DNSMessenger", "description": "Based on similar descriptions of functionality, it appears S0146, as named by FireEye, is the same as Stage 4 of a backdoor named DNSMessenger by Cisco's Talos Intelligence Group. However, FireEye appears to break DNSMessenger into two parts: S0145 and S0146. (Citation: Cisco DNSMessenger March 2017) (Citation: FireEye FIN7 March 2017)"}, {"source_name": "Cisco DNSMessenger March 2017", "url": "http://blog.talosintelligence.com/2017/03/dnsmessenger.html", "description": "Brumaghin, E. and Grady, C.. (2017, March 2). Covert Channels and Poor Decisions: The Tale of DNSMessenger. Retrieved March 8, 2017."}, {"source_name": "FireEye FIN7 March 2017", "url": "https://web.archive.org/web/20180808125108/https:/www.fireeye.com/blog/threat-research/2017/03/fin7_spear_phishing.html", "description": "Miller, S., et al. (2017, March 7). FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings. Retrieved March 8, 2017."}], "x_mitre_deprecated": false, "revoked": false, "description": "[TEXTMATE](https://attack.mitre.org/software/S0146) is a second-stage PowerShell backdoor that is memory-resident. 
It was observed being used along with [POWERSOURCE](https://attack.mitre.org/software/S0145) in February 2017. (Citation: FireEye FIN7 March 2017)", "modified": "2022-07-20T20:06:44.708Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "TEXTMATE", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows", "Containers"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_contributors": ["Daniel Prizmant, Palo Alto Networks", "Yuval Avrahami, Palo Alto Networks"], "x_mitre_aliases": ["Siloscape"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--4fbd565b-bf55-4ac7-80b4-b183a7b64b9c", "type": "malware", "created": "2021-06-18T15:26:55.509Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "S0623", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0623"}, {"source_name": "Unit 42 Siloscape Jun 2021", "url": "https://unit42.paloaltonetworks.com/siloscape/", "description": "Prizmant, D. (2021, June 7). Siloscape: First Known Malware Targeting Windows Containers to Compromise Cloud Environments. Retrieved June 9, 2021."}], "modified": "2021-10-18T13:42:10.432Z", "name": "Siloscape", "description": "[Siloscape](https://attack.mitre.org/software/S0623) is malware that targets Kubernetes clusters through Windows containers. 
[Siloscape](https://attack.mitre.org/software/S0623) was first observed in March 2021.(Citation: Unit 42 Siloscape Jun 2021)", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2023-06-15T18:33:45.154Z", "name": "BlackCat", "description": "[BlackCat](https://attack.mitre.org/software/S1068) is ransomware written in Rust that has been offered via the Ransomware-as-a-Service (RaaS) model. First observed November 2021, [BlackCat](https://attack.mitre.org/software/S1068) has been used to target multiple sectors and organizations in various countries and regions in Africa, the Americas, Asia, Australia, and Europe.(Citation: Microsoft BlackCat Jun 2022)(Citation: Sophos BlackCat Jul 2022)(Citation: ACSC BlackCat Apr 2022)", "x_mitre_platforms": ["Linux", "Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.0", "x_mitre_contributors": ["Hiroki Nagahama, NEC Corporation", "Josh Arenas, Trustwave Spiderlabs", "Manikantan Srinivasan, NEC Corporation India", "Pooja Natarajan, NEC Corporation India"], "x_mitre_aliases": ["BlackCat", "ALPHV", "Noberus"], "type": "malware", "id": "malware--50c44c34-3abb-48ae-9433-a2337de5b0bc", "created": "2023-02-28T20:50:36.164Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1068", "external_id": "S1068"}, {"source_name": "Noberus", "description": "(Citation: ACSC BlackCat Apr 2022)"}, {"source_name": "ALPHV", "description": "(Citation: Microsoft BlackCat Jun 2022)(Citation: ACSC BlackCat Apr 2022)"}, {"source_name": "ACSC BlackCat Apr 2022", "description": "Australian Cyber Security Centre. (2022, April 14). 2022-004: ACSC Ransomware Profile - ALPHV (aka BlackCat). 
Retrieved December 20, 2022.", "url": "https://www.cyber.gov.au/about-us/advisories/2022-004-acsc-ransomware-profile-alphv-aka-blackcat"}, {"source_name": "Sophos BlackCat Jul 2022", "description": "Brandt, Andrew. (2022, July 14). BlackCat ransomware attacks not merely a byproduct of bad luck. Retrieved December 20, 2022.", "url": "https://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/"}, {"source_name": "Microsoft BlackCat Jun 2022", "description": "Microsoft Defender Threat Intelligence. (2022, June 13). The many lives of BlackCat ransomware. Retrieved December 20, 2022.", "url": "https://www.microsoft.com/en-us/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-04-11T02:29:45.766Z", "name": "Fysbis", "description": "[Fysbis](https://attack.mitre.org/software/S0410) is a Linux-based backdoor used by [APT28](https://attack.mitre.org/groups/G0007) that dates back to at least 2014.(Citation: Fysbis Palo Alto Analysis)", "x_mitre_platforms": ["Linux"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.4", "x_mitre_aliases": ["Fysbis"], "type": "malware", "id": "malware--50d6688b-0985-4f3d-8cbe-0c796b30703b", "created": "2019-09-12T17:40:38.303Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0410", "external_id": "S0410"}, {"source_name": "Fysbis Palo Alto Analysis", "description": "Bryan Lee and Rob Downs. (2016, February 12). A Look Into Fysbis: Sofacy\u2019s Linux Backdoor. 
Retrieved September 10, 2017.", "url": "https://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-04-11T02:16:08.503Z", "name": "IcedID", "description": "[IcedID](https://attack.mitre.org/software/S0483) is a modular banking malware designed to steal financial information that has been observed in the wild since at least 2017. [IcedID](https://attack.mitre.org/software/S0483) has been downloaded by [Emotet](https://attack.mitre.org/software/S0367) in multiple campaigns.(Citation: IBM IcedID November 2017)(Citation: Juniper IcedID June 2020)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.1", "x_mitre_aliases": ["IcedID"], "type": "malware", "id": "malware--5147ef15-1cae-4707-8ea1-bee8d98b7f1d", "created": "2020-07-15T17:55:11.252Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0483", "external_id": "S0483"}, {"source_name": "IBM IcedID November 2017", "description": "Kessem, L., et al. (2017, November 13). New Banking Trojan IcedID Discovered by IBM X-Force Research. Retrieved July 14, 2020.", "url": "https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/"}, {"source_name": "Juniper IcedID June 2020", "description": "Kimayong, P. (2020, June 18). COVID-19 and FMLA Campaigns used to install new IcedID banking malware. 
Retrieved July 14, 2020.", "url": "https://blogs.juniper.net/en-us/threat-research/covid-19-and-fmla-campaigns-used-to-install-new-icedid-banking-malware"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-04-10T22:17:02.480Z", "name": "VERMIN", "description": "[VERMIN](https://attack.mitre.org/software/S0257) is a remote access tool written in the Microsoft .NET framework. It is mostly composed of original code, but also has some open source code. (Citation: Unit 42 VERMIN Jan 2018)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.2", "x_mitre_aliases": ["VERMIN"], "type": "malware", "id": "malware--5189f018-fea2-45d7-b0ed-23f9ee0a46f3", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0257", "external_id": "S0257"}, {"source_name": "VERMIN", "description": "(Citation: Unit 42 VERMIN Jan 2018)"}, {"source_name": "Unit 42 VERMIN Jan 2018", "description": "Lancaster, T., Cortes, J. (2018, January 29). VERMIN: Quasar RAT and Custom Malware Used In Ukraine. 
Retrieved July 5, 2018.", "url": "https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-04-10T22:22:03.759Z", "name": "UBoatRAT", "description": "[UBoatRAT](https://attack.mitre.org/software/S0333) is a remote access tool that was identified in May 2017.(Citation: PaloAlto UBoatRAT Nov 2017)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.2", "x_mitre_aliases": ["UBoatRAT"], "type": "malware", "id": "malware--518bb5f1-91f4-4ff2-b09d-5a94e1ebe95f", "created": "2019-01-29T19:09:26.355Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0333", "external_id": "S0333"}, {"source_name": "UBoatRAT", "description": "(Citation: PaloAlto UBoatRAT Nov 2017)"}, {"source_name": "PaloAlto UBoatRAT Nov 2017", "description": "Hayashi, K. (2017, November 28). UBoatRAT Navigates East Asia. 
Retrieved January 12, 2018.", "url": "https://researchcenter.paloaltonetworks.com/2017/11/unit42-uboatrat-navigates-east-asia/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_contributors": ["Pooja Natarajan, NEC Corporation India", "Manikantan Srinivasan, NEC Corporation India", "Hiroki Nagahama, NEC Corporation"], "x_mitre_aliases": ["MarkiRAT"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--532c6004-b1e8-415b-9516-f7c14ba783b1", "type": "malware", "created": "2021-09-28T17:48:36.547Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "S0652", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0652"}, {"source_name": "Kaspersky Ferocious Kitten Jun 2021", "url": "https://securelist.com/ferocious-kitten-6-years-of-covert-surveillance-in-iran/102806/", "description": "GReAT. (2021, June 16). Ferocious Kitten: 6 Years of Covert Surveillance in Iran. 
Retrieved September 22, 2021."}], "modified": "2021-10-25T14:24:59.957Z", "name": "MarkiRAT", "description": "[MarkiRAT](https://attack.mitre.org/software/S0652) is a remote access Trojan (RAT) compiled with Visual Studio that has been used by [Ferocious Kitten](https://attack.mitre.org/groups/G0137) since at least 2015.(Citation: Kaspersky Ferocious Kitten Jun 2021)", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["PowerShower"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--53486bc7-7748-4716-8190-e4f1fde04c53", "type": "malware", "created": "2020-05-08T19:27:12.414Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "S0441", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0441"}, {"source_name": "Unit 42 Inception November 2018", "url": "https://unit42.paloaltonetworks.com/unit42-inception-attackers-target-europe-year-old-office-vulnerability/", "description": "Lancaster, T. (2018, November 5). Inception Attackers Target Europe with Year-old Office Vulnerability. Retrieved May 8, 2020."}, {"source_name": "Kaspersky Cloud Atlas August 2019", "url": "https://securelist.com/recent-cloud-atlas-activity/92016/", "description": "GReAT. (2019, August 12). Recent Cloud Atlas activity. 
Retrieved May 8, 2020."}], "modified": "2020-05-20T20:43:49.960Z", "name": "PowerShower", "description": "[PowerShower](https://attack.mitre.org/software/S0441) is a PowerShell backdoor used by [Inception](https://attack.mitre.org/groups/G0100) for initial reconnaissance and to download and execute second stage payloads.(Citation: Unit 42 Inception November 2018)(Citation: Kaspersky Cloud Atlas August 2019)", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows", "macOS"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["Kazuar"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--536be338-e2ef-4a6b-afb6-8d5568b91eb2", "type": "malware", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0265", "external_id": "S0265"}, {"source_name": "Kazuar", "description": "(Citation: Unit 42 Kazuar May 2017)"}, {"source_name": "Unit 42 Kazuar May 2017", "description": "Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018.", "url": "https://researchcenter.paloaltonetworks.com/2017/05/unit42-kazuar-multiplatform-espionage-backdoor-api-access/"}], "modified": "2020-12-02T21:20:50.906Z", "name": "Kazuar", "description": "[Kazuar](https://attack.mitre.org/software/S0265) is a fully featured, multi-platform backdoor Trojan written using the Microsoft .NET framework. 
(Citation: Unit 42 Kazuar May 2017)", "x_mitre_version": "1.3", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["NavRAT"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--53a42597-1974-4b8e-84fd-3675e8992053", "type": "malware", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0247", "external_id": "S0247"}, {"source_name": "NavRAT", "description": "(Citation: Talos NavRAT May 2018)"}, {"url": "https://blog.talosintelligence.com/2018/05/navrat.html", "description": "Mercer, W., Rascagneres, P. (2018, May 31). NavRAT Uses US-North Korea Summit As Decoy For Attacks In South Korea. Retrieved June 11, 2018.", "source_name": "Talos NavRAT May 2018"}], "modified": "2020-03-20T01:52:50.303Z", "name": "NavRAT", "description": "[NavRAT](https://attack.mitre.org/software/S0247) is a remote access tool designed to upload, download, and execute files. It has been observed in attacks targeting South Korea. 
(Citation: Talos NavRAT May 2018)", "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["DarkComet", "DarkKomet", "Fynloski", "Krademok", "FYNLOS"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--53ab35c2-d00e-491a-8753-41d35ae7e547", "type": "malware", "created": "2019-01-29T19:18:28.468Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "S0334", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0334"}, {"source_name": "DarkComet", "description": "(Citation: TrendMicro DarkComet Sept 2014)"}, {"source_name": "DarkKomet", "description": "(Citation: TrendMicro DarkComet Sept 2014)"}, {"source_name": "Fynloski", "description": "(Citation: TrendMicro DarkComet Sept 2014)"}, {"source_name": "Krademok", "description": "(Citation: TrendMicro DarkComet Sept 2014)"}, {"source_name": "FYNLOS", "description": "(Citation: TrendMicro DarkComet Sept 2014)"}, {"source_name": "TrendMicro DarkComet Sept 2014", "url": "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/DARKCOMET", "description": "TrendMicro. (2014, September 03). DARKCOMET. Retrieved November 6, 2018."}, {"source_name": "Malwarebytes DarkComet March 2018", "url": "https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/", "description": "Kujawa, A. (2018, March 27). You dirty RAT! Part 1: DarkComet. 
Retrieved November 6, 2018."}], "modified": "2020-03-28T00:53:12.228Z", "name": "DarkComet", "description": "[DarkComet](https://attack.mitre.org/software/S0334) is a Windows remote administration tool and backdoor.(Citation: TrendMicro DarkComet Sept 2014)(Citation: Malwarebytes DarkComet March 2018)", "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["NETEAGLE"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--53cf6cc4-65aa-445a-bcf8-c3d296f8a7a2", "type": "malware", "created": "2017-05-31T21:32:27.787Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0034", "external_id": "S0034"}, {"source_name": "FireEye APT30", "description": "FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015.", "url": "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"}], "modified": "2020-03-30T17:07:46.499Z", "name": "NETEAGLE", "description": "[NETEAGLE](https://attack.mitre.org/software/S0034) is a backdoor developed by [APT30](https://attack.mitre.org/groups/G0013) with compile dates as early as 2008. 
It has two main variants known as \u201cScout\u201d and \u201cNorton.\u201d (Citation: FireEye APT30)", "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["POORAIM"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--53d47b09-09c2-4015-8d37-6633ecd53f79", "type": "malware", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0216", "external_id": "S0216"}, {"source_name": "POORAIM", "description": "(Citation: FireEye APT37 Feb 2018)"}, {"url": "https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf", "description": "FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018.", "source_name": "FireEye APT37 Feb 2018"}], "modified": "2020-03-30T17:16:18.343Z", "name": "POORAIM", "description": "[POORAIM](https://attack.mitre.org/software/S0216) is a backdoor used by [APT37](https://attack.mitre.org/groups/G0067) in campaigns since at least 2014. (Citation: FireEye APT37 Feb 2018)", "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-01-02T20:44:36.518Z", "name": "HUI Loader", "description": "[HUI Loader](https://attack.mitre.org/software/S1097) is a custom DLL loader that has been used since at least 2015 by China-based threat groups including [Cinnamon Tempest](https://attack.mitre.org/groups/G1021) and [menuPass](https://attack.mitre.org/groups/G0045) to deploy malware on compromised hosts. 
[HUI Loader](https://attack.mitre.org/software/S1097) has been observed in campaigns loading [SodaMaster](https://attack.mitre.org/software/S0627), [PlugX](https://attack.mitre.org/software/S0013), [Cobalt Strike](https://attack.mitre.org/software/S0154), [Komplex](https://attack.mitre.org/software/S0162), and several strains of ransomware.(Citation: SecureWorks BRONZE STARLIGHT Ransomware Operations June 2022)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.0", "x_mitre_aliases": ["HUI Loader"], "type": "malware", "id": "malware--54089fba-8662-4f37-9a44-6ad25a5f630a", "created": "2023-12-22T20:03:48.505Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1097", "external_id": "S1097"}, {"source_name": "SecureWorks BRONZE STARLIGHT Ransomware Operations June 2022", "description": "Counter Threat Unit Research Team . (2022, June 23). BRONZE STARLIGHT RANSOMWARE OPERATIONS USE HUI LOADER. 
Retrieved December 7, 2023.", "url": "https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2023-09-06T15:08:53.375Z", "name": "Ragnar Locker", "description": "[Ragnar Locker](https://attack.mitre.org/software/S0481) is a ransomware that has been in use since at least December 2019.(Citation: Sophos Ragnar May 2020)(Citation: Cynet Ragnar Apr 2020)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.2", "x_mitre_aliases": ["Ragnar Locker"], "type": "malware", "id": "malware--54895630-efd2-4608-9c24-319de972a9eb", "created": "2020-06-29T23:30:53.824Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0481", "external_id": "S0481"}, {"source_name": "Cynet Ragnar Apr 2020", "description": "Gold, B. (2020, April 27). Cynet Detection Report: Ragnar Locker Ransomware. Retrieved June 29, 2020.", "url": "https://www.cynet.com/blog/cynet-detection-report-ragnar-locker-ransomware/"}, {"source_name": "Sophos Ragnar May 2020", "description": "SophosLabs. (2020, May 21). Ragnar Locker ransomware deploys virtual machine to dodge security. 
Retrieved June 29, 2020.", "url": "https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["FatDuke"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--54a01db0-9fab-4d5f-8209-53cef8425f4a", "type": "malware", "created": "2020-09-24T13:23:45.162Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "S0512", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0512"}, {"source_name": "ESET Dukes October 2019", "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf", "description": "Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. 
Retrieved September 23, 2020."}], "modified": "2021-10-16T01:45:28.826Z", "name": "FatDuke", "description": "[FatDuke](https://attack.mitre.org/software/S0512) is a backdoor used by [APT29](https://attack.mitre.org/groups/G0016) since at least 2016.(Citation: ESET Dukes October 2019)", "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_contributors": ["Daniyal Naeem, BT Security"], "x_mitre_aliases": ["Lucifer"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--54a73038-1937-4d71-a253-316e76d5413c", "type": "malware", "created": "2020-11-16T18:40:34.473Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "S0532", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0532"}, {"source_name": "Unit 42 Lucifer June 2020", "url": "https://unit42.paloaltonetworks.com/lucifer-new-cryptojacking-and-ddos-hybrid-malware/", "description": "Hsu, K. et al. (2020, June 24). Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices. Retrieved November 16, 2020."}], "modified": "2021-10-01T20:33:55.926Z", "name": "Lucifer", "description": "[Lucifer](https://attack.mitre.org/software/S0532) is a crypto miner and DDoS hybrid malware that leverages well-known exploits to spread laterally on Windows platforms.(Citation: Unit 42 Lucifer June 2020)", "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2023-10-06T14:08:40.134Z", "name": "BlackEnergy", "description": "[BlackEnergy](https://attack.mitre.org/software/S0089) is a malware toolkit that has been used by both criminal and APT actors. 
It dates back to at least 2007 and was originally designed to create botnets for use in conducting Distributed Denial of Service (DDoS) attacks, but its use has evolved to support various plug-ins. It is well known for being used during the confrontation between Georgia and Russia in 2008, as well as in targeting Ukrainian institutions. Variants include BlackEnergy 2 and BlackEnergy 3. (Citation: F-Secure BlackEnergy 2014)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack", "ics-attack"], "x_mitre_version": "1.4", "x_mitre_aliases": ["BlackEnergy", "Black Energy"], "type": "malware", "id": "malware--54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", "created": "2017-05-31T21:32:57.807Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0089", "external_id": "S0089"}, {"source_name": "F-Secure BlackEnergy 2014", "description": "F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. 
Retrieved March 24, 2016.", "url": "https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2022-09-22T00:38:34.857Z", "name": "zwShell", "description": "[zwShell](https://attack.mitre.org/software/S0350) is a remote access tool (RAT) written in Delphi that has been seen in the wild since the spring of 2010 and used by threat actors during [Night Dragon](https://attack.mitre.org/campaigns/C0002).(Citation: McAfee Night Dragon)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "2.0", "x_mitre_aliases": ["zwShell"], "type": "malware", "id": "malware--54e8672d-5338-4ad1-954a-a7c986bee530", "created": "2019-01-30T17:48:35.006Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0350", "external_id": "S0350"}, {"source_name": "zwShell", "description": "(Citation: McAfee Night Dragon)"}, {"source_name": "McAfee Night Dragon", "description": "McAfee\u00ae Foundstone\u00ae Professional Services and McAfee Labs\u2122. (2011, February 10). Global Energy Cyberattacks: \u201cNight Dragon\u201d. 
Retrieved February 19, 2018.", "url": "https://scadahacker.com/library/Documents/Cyber_Events/McAfee%20-%20Night%20Dragon%20-%20Global%20Energy%20Cyberattacks.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--552462b9-ae79-49dd-855c-5973014e157f", "type": "malware", "created": "2017-05-31T21:32:20.949Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0027", "external_id": "S0027"}, {"source_name": "Sophos ZeroAccess", "description": "Wyke, J. (2012, April). ZeroAccess. Retrieved July 18, 2016.", "url": "https://sophosnews.files.wordpress.com/2012/04/zeroaccess2.pdf"}], "modified": "2018-10-17T00:14:20.652Z", "name": "Zeroaccess", "description": "[Zeroaccess](https://attack.mitre.org/software/S0027) is a kernel-mode [Rootkit](https://attack.mitre.org/techniques/T1014) that attempts to add victims to the ZeroAccess botnet, often for monetary gain. 
(Citation: Sophos ZeroAccess)", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-03-06T19:15:21.887Z", "name": "GLASSTOKEN", "description": "[GLASSTOKEN](https://attack.mitre.org/software/S1117) is a custom web shell used by threat actors during [Cutting Edge](https://attack.mitre.org/campaigns/C0029) to execute commands on compromised Ivanti Connect Secure VPNs.(Citation: Volexity Ivanti Zero-Day Exploitation January 2024)", "x_mitre_platforms": ["Network"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.0", "x_mitre_aliases": ["GLASSTOKEN"], "type": "malware", "id": "malware--554e010d-726b-439d-9a1a-f60fff0cc109", "created": "2024-03-06T19:14:43.437Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1117", "external_id": "S1117"}, {"source_name": "Volexity Ivanti Zero-Day Exploitation January 2024", "description": "Meltzer, M. et al. (2024, January 10). Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN. Retrieved February 27, 2024.", "url": "https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-04-11T02:39:27.698Z", "name": "DCSrv", "description": "[DCSrv](https://attack.mitre.org/software/S1033) is destructive malware that has been used by [Moses Staff](https://attack.mitre.org/groups/G1009) since at least September 2021. 
Though [DCSrv](https://attack.mitre.org/software/S1033) has ransomware-like capabilities, [Moses Staff](https://attack.mitre.org/groups/G1009) does not demand ransom or offer a decryption key.(Citation: Checkpoint MosesStaff Nov 2021)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.1", "x_mitre_contributors": ["Hiroki Nagahama, NEC Corporation", "Pooja Natarajan, NEC Corporation India", "Manikantan Srinivasan, NEC Corporation India"], "x_mitre_aliases": ["DCSrv"], "type": "malware", "id": "malware--5633ffd3-81ef-4f98-8f93-4896b03998f0", "created": "2022-08-11T22:31:31.468Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1033", "external_id": "S1033"}, {"source_name": "Checkpoint MosesStaff Nov 2021", "description": "Checkpoint Research. (2021, November 15). Uncovering MosesStaff techniques: Ideology over Money. Retrieved August 11, 2022.", "url": "https://research.checkpoint.com/2021/mosesstaff-targeting-israeli-companies/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2023-03-17T13:52:45.671Z", "name": "DRATzarus", "description": "[DRATzarus](https://attack.mitre.org/software/S0694) is a remote access tool (RAT) that has been used by [Lazarus Group](https://attack.mitre.org/groups/G0032) to target the defense and aerospace organizations globally since at least summer 2020. 
[DRATzarus](https://attack.mitre.org/software/S0694) shares similarities with [Bankshot](https://attack.mitre.org/software/S0239), which was used by [Lazarus Group](https://attack.mitre.org/groups/G0032) in 2017 to target the Turkish financial sector.(Citation: ClearSky Lazarus Aug 2020)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.1", "x_mitre_aliases": ["DRATzarus"], "type": "malware", "id": "malware--56aa3c82-ed40-4b5a-84bf-7231356d9e96", "created": "2022-03-24T11:23:51.435Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0694", "external_id": "S0694"}, {"source_name": "ClearSky Lazarus Aug 2020", "description": "ClearSky Research Team. (2020, August 13). Operation 'Dream Job' Widespread North Korean Espionage Campaign. Retrieved December 20, 2021.", "url": "https://www.clearskysec.com/wp-content/uploads/2020/08/Dream-Job-Campaign.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-04-11T02:48:51.475Z", "name": "BOOSTWRITE", "description": "[BOOSTWRITE](https://attack.mitre.org/software/S0415) is a loader crafted to be launched via abuse of the DLL search order of applications used by [FIN7](https://attack.mitre.org/groups/G0046).(Citation: FireEye FIN7 Oct 2019)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.1", "x_mitre_aliases": ["BOOSTWRITE"], "type": "malware", "id": "malware--56d10a7f-bb42-4267-9b4c-63abb9c06010", "created": "2019-10-11T16:04:31.994Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": 
[{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0415", "external_id": "S0415"}, {"source_name": "FireEye FIN7 Oct 2019", "description": "Carr, N., et al. (2019, October 10). Mahalo FIN7: Responding to the Criminal Operators\u2019 New Tools and Techniques. Retrieved October 11, 2019.", "url": "https://www.fireeye.com/blog/threat-research/2019/10/mahalo-fin7-responding-to-new-tools-and-techniques.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-04-11T00:14:23.264Z", "name": "Rising Sun", "description": "[Rising Sun](https://attack.mitre.org/software/S0448) is a modular backdoor that was used extensively in [Operation Sharpshooter](https://attack.mitre.org/campaigns/C0013) between 2017 and 2019. [Rising Sun](https://attack.mitre.org/software/S0448) infected at least 87 organizations around the world, including nuclear, defense, energy, and financial service companies. Security researchers assessed [Rising Sun](https://attack.mitre.org/software/S0448) included some source code from [Lazarus Group](https://attack.mitre.org/groups/G0032)'s Trojan Duuzer.(Citation: McAfee Sharpshooter December 2018)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "2.1", "x_mitre_aliases": ["Rising Sun"], "type": "malware", "id": "malware--56e6b6c2-e573-4969-8bab-783205cebbbf", "created": "2020-05-14T22:29:25.653Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0448", "external_id": "S0448"}, {"source_name": "McAfee Sharpshooter December 2018", "description": "Sherstobitoff, R., Malhotra, A., et al. (2018, December 18). 
Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020.", "url": "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-sharpshooter.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2022-09-22T20:56:06.265Z", "name": "ASPXSpy", "description": "[ASPXSpy](https://attack.mitre.org/software/S0073) is a Web shell. It has been modified by [Threat Group-3390](https://attack.mitre.org/groups/G0027) actors to create the ASPXTool version. (Citation: Dell TG-3390)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.2", "x_mitre_aliases": ["ASPXSpy", "ASPXTool"], "type": "malware", "id": "malware--56f46b17-8cfa-46c0-b501-dd52fef394e2", "created": "2017-05-31T21:32:47.879Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0073", "external_id": "S0073"}, {"source_name": "Dell TG-3390", "description": "Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. 
Retrieved August 18, 2018.", "url": "https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2023-03-08T22:11:21.842Z", "name": "NotPetya", "description": "[NotPetya](https://attack.mitre.org/software/S0368) is malware that was used by [Sandworm Team](https://attack.mitre.org/groups/G0034) in a worldwide attack starting on June 27, 2017. While [NotPetya](https://attack.mitre.org/software/S0368) appears as a form of ransomware, its main purpose was to destroy data and disk structures on compromised systems; the attackers never intended to make the encrypted data recoverable. As such, [NotPetya](https://attack.mitre.org/software/S0368) may be more appropriately thought of as a form of wiper malware. [NotPetya](https://attack.mitre.org/software/S0368) contains worm-like features to spread itself across a computer network using the SMBv1 exploits EternalBlue and EternalRomance.(Citation: Talos Nyetya June 2017)(Citation: US-CERT NotPetya 2017)(Citation: ESET Telebots June 2017)(Citation: US District Court Indictment GRU Unit 74455 October 2020)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack", "ics-attack"], "x_mitre_version": "2.0", "x_mitre_aliases": ["NotPetya", "ExPetr", "Diskcoder.C", "GoldenEye", "Petrwrap", "Nyetya"], "type": "malware", "id": "malware--5719af9d-6b16-46f9-9b28-fb019541ddbb", "created": "2019-03-26T15:02:14.907Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0368", "external_id": "S0368"}, {"source_name": "ExPetr", "description": "(Citation: ESET Telebots June 2017)"}, 
{"source_name": "Diskcoder.C", "description": "(Citation: ESET Telebots June 2017)"}, {"source_name": "GoldenEye", "description": "(Citation: Talos Nyetya June 2017)"}, {"source_name": "Nyetya", "description": "(Citation: Talos Nyetya June 2017)"}, {"source_name": "Petrwrap", "description": "(Citation: Talos Nyetya June 2017)(Citation: ESET Telebots June 2017)"}, {"source_name": "ESET Telebots June 2017", "description": "Cherepanov, A.. (2017, June 30). TeleBots are back: Supply chain attacks against Ukraine. Retrieved June 11, 2020.", "url": "https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/"}, {"source_name": "Talos Nyetya June 2017", "description": "Chiu, A. (2016, June 27). New Ransomware Variant \"Nyetya\" Compromises Systems Worldwide. Retrieved March 26, 2019.", "url": "https://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html"}, {"source_name": "US District Court Indictment GRU Unit 74455 October 2020", "description": "Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020.", "url": "https://www.justice.gov/opa/press-release/file/1328521/download"}, {"source_name": "US-CERT NotPetya 2017", "description": "US-CERT. (2017, July 1). Alert (TA17-181A): Petya Ransomware. 
Retrieved March 15, 2019.", "url": "https://www.us-cert.gov/ncas/alerts/TA17-181A"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["ShimRat"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--5763217a-05b6-4edd-9bca-057e47b5e403", "type": "malware", "created": "2020-05-12T21:28:20.934Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "S0444", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0444"}, {"source_name": "FOX-IT May 2016 Mofang", "url": "https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf", "description": "Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020."}], "modified": "2020-05-29T03:39:40.754Z", "name": "ShimRat", "description": "[ShimRat](https://attack.mitre.org/software/S0444) has been used by the suspected China-based adversary [Mofang](https://attack.mitre.org/groups/G0103) in campaigns targeting multiple countries and sectors including government, military, critical infrastructure, automobile, and weapons development. The name \"[ShimRat](https://attack.mitre.org/software/S0444)\" comes from the malware's extensive use of Windows Application Shimming to maintain persistence. 
(Citation: FOX-IT May 2016 Mofang)", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-04-11T02:45:43.666Z", "name": "Chrommme", "description": "[Chrommme](https://attack.mitre.org/software/S0667) is a backdoor tool written using the Microsoft Foundation Class (MFC) framework that was first reported in June 2021; security researchers noted infrastructure overlaps with [Gelsemium](https://attack.mitre.org/software/S0666) malware.(Citation: ESET Gelsemium June 2021)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.1", "x_mitre_aliases": ["Chrommme"], "type": "malware", "id": "malware--579607c2-d046-40df-99ab-beb479c37a2a", "created": "2021-12-01T18:36:54.260Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0667", "external_id": "S0667"}, {"source_name": "ESET Gelsemium June 2021", "description": "Dupuy, T. and Faou, M. (2021, June). Gelsemium. 
Retrieved November 30, 2021.", "url": "https://www.welivesecurity.com/wp-content/uploads/2021/06/eset_gelsemium.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["BADFLICK"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--57d83eac-a2ea-42b0-a7b2-c80c55157790", "type": "malware", "created": "2021-08-26T18:49:41.155Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "S0642", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0642"}, {"source_name": "FireEye Periscope March 2018", "description": "FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.", "url": "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html"}, {"source_name": "Accenture MUDCARP March 2019", "url": "https://www.accenture.com/us-en/blogs/cyber-defense/mudcarps-focus-on-submarine-technologies", "description": "Accenture iDefense Unit. (2019, March 5). Mudcarp's Focus on Submarine Technologies. Retrieved August 24, 2021."}], "modified": "2021-10-15T11:41:06.816Z", "name": "BADFLICK", "description": "[BADFLICK](https://attack.mitre.org/software/S0642) is a backdoor used by [Leviathan](https://attack.mitre.org/groups/G0065) in spearphishing campaigns first reported in 2018 that targeted the U.S. 
engineering and maritime industries.(Citation: FireEye Periscope March 2018)(Citation: Accenture MUDCARP March 2019)", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["ObliqueRAT"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--5864e59f-eb4c-43ad-83b2-b5e4fae056c9", "type": "malware", "created": "2021-09-08T19:53:27.937Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "S0644", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0644"}, {"source_name": "Talos Oblique RAT March 2021", "url": "https://blog.talosintelligence.com/2021/02/obliquerat-new-campaign.html", "description": "Malhotra, A. (2021, March 2). ObliqueRAT returns with new campaign using hijacked websites. Retrieved September 2, 2021."}, {"source_name": "Talos Transparent Tribe May 2021", "url": "https://blog.talosintelligence.com/2021/05/transparent-tribe-infra-and-targeting.html", "description": "Malhotra, A. et al. (2021, May 13). Transparent Tribe APT expands its Windows malware arsenal. 
Retrieved September 2, 2021."}], "modified": "2021-10-15T14:43:12.250Z", "name": "ObliqueRAT", "description": "[ObliqueRAT](https://attack.mitre.org/software/S0644) is a remote access trojan, similar to [Crimson](https://attack.mitre.org/software/S0115), that has been in use by [Transparent Tribe](https://attack.mitre.org/groups/G0134) since at least 2020.(Citation: Talos Oblique RAT March 2021)(Citation: Talos Transparent Tribe May 2021)", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["SHOTPUT", "Backdoor.APT.CookieCutter", "Pirpi"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--58adaaa8-f1e8-4606-9a08-422e568461eb", "type": "malware", "created": "2017-05-31T21:32:42.754Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0063", "external_id": "S0063"}, {"source_name": "Backdoor.APT.CookieCutter", "description": "(Citation: FireEye Clandestine Fox Part 2)"}, {"source_name": "Pirpi", "description": "(Citation: FireEye Clandestine Fox Part 2)"}, {"source_name": "FireEye Clandestine Wolf", "description": "Eng, E., Caselden, D.. (2015, June 23). Operation Clandestine Wolf \u2013 Adobe Flash Zero-Day in APT3 Phishing Campaign. Retrieved January 14, 2016.", "url": "https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html"}, {"source_name": "FireEye Clandestine Fox Part 2", "description": "Scott, M.. (2014, June 10). Clandestine Fox, Part Deux. 
Retrieved January 14, 2016.", "url": "https://www.fireeye.com/blog/threat-research/2014/06/clandestine-fox-part-deux.html"}], "modified": "2020-03-30T18:09:41.437Z", "name": "SHOTPUT", "description": "[SHOTPUT](https://attack.mitre.org/software/S0063) is a custom backdoor used by [APT3](https://attack.mitre.org/groups/G0022). (Citation: FireEye Clandestine Wolf)", "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_contributors": ["Matt Brenton, Zurich Global Information Security"], "x_mitre_aliases": ["Avaddon"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--58c5a3a1-928f-4094-9e98-a5a4e56dd5f3", "type": "malware", "created": "2021-08-23T19:38:33.073Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "S0640", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0640"}, {"source_name": "Awake Security Avaddon", "url": "https://awakesecurity.com/blog/threat-hunting-for-avaddon-ransomware/", "description": "Gahlot, A. (n.d.). Threat Hunting for Avaddon Ransomware. Retrieved August 19, 2021."}, {"source_name": "Arxiv Avaddon Feb 2021", "url": "https://arxiv.org/pdf/2102.04796.pdf", "description": "Yuste, J. Pastrana, S. (2021, February 9). Avaddon ransomware: an in-depth analysis and decryption of infected systems. 
Retrieved August 19, 2021."}], "modified": "2021-10-18T21:41:22.437Z", "name": "Avaddon", "description": "[Avaddon](https://attack.mitre.org/software/S0640) is ransomware written in C++ that has been offered as Ransomware-as-a-Service (RaaS) since at least June 2020.(Citation: Awake Security Avaddon)(Citation: Arxiv Avaddon Feb 2021)", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2023-03-08T22:15:47.458Z", "name": "Conficker", "description": "[Conficker](https://attack.mitre.org/software/S0608) is a computer worm first detected in October 2008 that targeted Microsoft Windows using the MS08-067 Windows vulnerability to spread.(Citation: SANS Conficker) In 2016, a variant of [Conficker](https://attack.mitre.org/software/S0608) made its way onto computers and removable disk drives belonging to a nuclear power plant.(Citation: Conficker Nuclear Power Plant)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack", "ics-attack"], "x_mitre_version": "1.0", "x_mitre_aliases": ["Conficker", "Kido", "Downadup"], "type": "malware", "id": "malware--58eddbaf-7416-419a-ad7b-e65b9d4c3b55", "created": "2021-02-23T20:50:32.845Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0608", "external_id": "S0608"}, {"source_name": "Kido", "description": "(Citation: SANS Conficker) "}, {"source_name": "Downadup", "description": "(Citation: SANS Conficker) "}, {"source_name": "SANS Conficker", "description": "Burton, K. (n.d.). The Conficker Worm. Retrieved February 18, 2021.", "url": "https://web.archive.org/web/20200125132645/https://www.sans.org/security-resources/malwarefaq/conficker-worm"}, {"source_name": "Conficker Nuclear Power Plant", "description": "Cimpanu, C. (2016, April 26). 
Malware Shuts Down German Nuclear Power Plant on Chernobyl's 30th Anniversary. Retrieved February 18, 2021.", "url": "https://news.softpedia.com/news/on-chernobyl-s-30th-anniversary-malware-shuts-down-german-nuclear-power-plant-503429.shtml"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-04-06T00:08:07.956Z", "name": "SocGholish", "description": "[SocGholish](https://attack.mitre.org/software/S1124) is a JavaScript-based loader malware that has been used since at least 2017. It has been observed in use against multiple sectors globally for initial access, primarily through drive-by-downloads masquerading as software updates. SocGholish is operated by [Mustard Tempest](https://attack.mitre.org/groups/G1020) and its access has been sold to groups including [Indrik Spider](https://attack.mitre.org/groups/G0119) for downloading secondary RAT and ransomware payloads.(Citation: SentinelOne SocGholish Infrastructure November 2022)(Citation: SocGholish-update)(Citation: Red Canary SocGholish March 2024)(Citation: Secureworks Gold Prelude Profile) ", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.0", "x_mitre_aliases": ["SocGholish", "FakeUpdates"], "type": "malware", "id": "malware--5911d2ca-64f6-49b3-b94f-29b5d185085c", "created": "2024-03-22T19:21:30.424Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1124", "external_id": "S1124"}, {"source_name": "FakeUpdates", "description": "(Citation: Red Canary SocGholish March 2024)"}, {"source_name": "SocGholish-update", "description": "Andrew Northern. (2022, November 22). 
SocGholish, a very real threat from a very fake update. Retrieved February 13, 2024.", "url": "https://www.proofpoint.com/us/blog/threat-insight/part-1-socgholish-very-real-threat-very-fake-update"}, {"source_name": "SentinelOne SocGholish Infrastructure November 2022", "description": "Milenkoski, A. (2022, November 7). SocGholish Diversifies and Expands Its Malware Staging Infrastructure to Counter Defenders. Retrieved March 22, 2024.", "url": "https://www.sentinelone.com/labs/socgholish-diversifies-and-expands-its-malware-staging-infrastructure-to-counter-defenders/"}, {"source_name": "Red Canary SocGholish March 2024", "description": "Red Canary. (2024, March). Red Canary 2024 Threat Detection Report: SocGholish. Retrieved March 22, 2024.", "url": "https://redcanary.com/threat-detection-report/threats/socgholish/"}, {"source_name": "Secureworks Gold Prelude Profile", "description": "Secureworks. (n.d.). GOLD PRELUDE . Retrieved March 22, 2024.", "url": "https://www.secureworks.com/research/threat-profiles/gold-prelude"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_contributors": ["Hannah Simes, BT Security"], "x_mitre_aliases": ["Flagpro"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--592260fb-dd5c-4a30-8d99-106a0485be0d", "type": "malware", "created": "2022-03-25T14:58:24.832Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "S0696", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0696"}, {"source_name": "Flagpro ", "description": "(Citation: NTT Security Flagpro new December 2021)"}, {"source_name": "NTT Security Flagpro new December 
2021", "url": "https://insight-jp.nttsecurity.com/post/102hf3q/flagpro-the-new-malware-used-by-blacktech", "description": "Hada, H. (2021, December 28). Flagpro The new malware used by BlackTech. Retrieved March 25, 2022."}], "modified": "2022-04-01T14:41:47.579Z", "name": "Flagpro", "description": "[Flagpro](https://attack.mitre.org/software/S0696) is a Windows-based, first-stage downloader that has been used by [BlackTech](https://attack.mitre.org/groups/G0098) since at least October 2020. It has primarily been used against defense, media, and communications companies in Japan.(Citation: NTT Security Flagpro new December 2021) ", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-04-11T02:20:26.551Z", "name": "Hi-Zor", "description": "[Hi-Zor](https://attack.mitre.org/software/S0087) is a remote access tool (RAT) that has characteristics similar to [Sakula](https://attack.mitre.org/software/S0074). It was used in a campaign named INOCNATION. (Citation: Fidelis Hi-Zor)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.2", "x_mitre_aliases": ["Hi-Zor"], "type": "malware", "id": "malware--5967cc93-57c9-404a-8ffd-097edfa7bdfc", "created": "2017-05-31T21:32:56.860Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0087", "external_id": "S0087"}, {"source_name": "Fidelis Hi-Zor", "description": "Fidelis Threat Research Team. (2016, January 27). Introducing Hi-Zor RAT. 
Retrieved March 24, 2016.", "url": "https://www.fidelissecurity.com/threatgeek/archive/introducing-hi-zor-rat/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["SpicyOmelette"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--599cd7b5-37b5-4cdd-8174-2811531ce9d0", "type": "malware", "created": "2021-09-21T14:55:00.996Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "S0646", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0646"}, {"source_name": "Secureworks GOLD KINGSWOOD September 2018", "url": "https://www.secureworks.com/blog/cybercriminals-increasingly-trying-to-ensnare-the-big-financial-fish", "description": "CTU. (2018, September 27). Cybercriminals Increasingly Trying to Ensnare the Big Financial Fish. 
Retrieved September 20, 2021."}], "modified": "2021-10-18T16:42:45.608Z", "name": "SpicyOmelette", "description": "[SpicyOmelette](https://attack.mitre.org/software/S0646) is a JavaScript based remote access tool that has been used by [Cobalt Group](https://attack.mitre.org/groups/G0080) since at least 2018.(Citation: Secureworks GOLD KINGSWOOD September 2018)", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["macOS"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["XAgentOSX", "OSX.Sofacy"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--59a97b15-8189-4d51-9404-e1ce8ea4a069", "type": "malware", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0161", "external_id": "S0161"}, {"source_name": "XAgentOSX", "description": "(Citation: XAgentOSX 2017)"}, {"source_name": "OSX.Sofacy", "description": "(Citation: Symantec APT28 Oct 2018)"}, {"url": "https://researchcenter.paloaltonetworks.com/2017/02/unit42-xagentosx-sofacys-xagent-macos-tool/", "description": "Robert Falcone. (2017, February 14). XAgentOSX: Sofacy's Xagent macOS Tool. Retrieved July 12, 2017.", "source_name": "XAgentOSX 2017"}, {"description": "Symantec Security Response. (2018, October 04). APT28: New Espionage Operations Target Military and Government Organizations. 
Retrieved November 14, 2018.", "url": "https://www.symantec.com/blogs/election-security/apt28-espionage-military-government", "source_name": "Symantec APT28 Oct 2018"}], "modified": "2020-03-30T18:30:21.733Z", "name": "XAgentOSX", "description": "[XAgentOSX](https://attack.mitre.org/software/S0161) is a trojan that has been used by [APT28](https://attack.mitre.org/groups/G0007) on OS X and appears to be a port of their standard [CHOPSTICK](https://attack.mitre.org/software/S0023) or XAgent trojan. (Citation: XAgentOSX 2017)", "x_mitre_version": "1.3", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows", "iOS", "macOS", "Linux"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_contributors": ["Runa Sandvik"], "x_mitre_aliases": ["Green Lambert"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "type": "malware", "id": "malware--59c8a28c-200c-4565-9af1-cbdb24870ba0", "created": "2022-03-21T20:55:40.638Z", "x_mitre_version": "1.0", "external_references": [{"source_name": "mitre-attack", "external_id": "S0690", "url": "https://attack.mitre.org/software/S0690"}, {"source_name": "Green Lambert", "description": "(Citation: Kaspersky Lamberts Toolkit April 2017)"}, {"source_name": "Kaspersky Lamberts Toolkit April 2017", "url": "https://securelist.com/unraveling-the-lamberts-toolkit/77990/", "description": "GREAT. (2017, April 11). Unraveling the Lamberts Toolkit. Retrieved March 21, 2022."}, {"source_name": "Objective See Green Lambert for OSX Oct 2021", "url": "https://objective-see.com/blog/blog_0x68.html", "description": "Sandvik, Runa. (2021, October 1). Made In America: Green Lambert for OS X. 
Retrieved March 21, 2022."}], "x_mitre_deprecated": false, "revoked": false, "description": "[Green Lambert](https://attack.mitre.org/software/S0690) is a modular backdoor that security researchers assess has been used by an advanced threat group referred to as Longhorn and The Lamberts. First reported in 2017, the Windows variant of [Green Lambert](https://attack.mitre.org/software/S0690) may have been used as early as 2008; a macOS version was uploaded to a multiscanner service in September 2014.(Citation: Kaspersky Lamberts Toolkit April 2017)(Citation: Objective See Green Lambert for OSX Oct 2021) ", "modified": "2022-04-20T18:12:24.193Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Green Lambert", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-01-03T21:37:14.516Z", "name": "China Chopper", "description": "[China Chopper](https://attack.mitre.org/software/S0020) is a [Web Shell](https://attack.mitre.org/techniques/T1505/003) hosted on Web servers to provide access back into an enterprise network that does not rely on an infected system calling back to a remote command and control server.(Citation: Lee 2013) It has been used by several threat groups.(Citation: Dell TG-3390)(Citation: FireEye Periscope March 2018)(Citation: CISA AA21-200A APT40 July 2021)(Citation: Rapid7 HAFNIUM Mar 2021)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "2.5", "x_mitre_aliases": ["China Chopper"], "type": "malware", "id": "malware--5a3a31fe-5a8f-48e1-bff0-a753e5b1be70", "created": "2017-05-31T21:32:18.315Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0020", "external_id": "S0020"}, {"source_name": "China Chopper", "description": "(Citation: 
Dell TG-3390) (Citation: FireEye Periscope March 2018)"}, {"source_name": "CISA AA21-200A APT40 July 2021", "description": "CISA. (2021, July 19). (AA21-200A) Joint Cybersecurity Advisory \u2013 Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China\u2019s MSS Hainan State Security Department. Retrieved August 12, 2021.", "url": "https://us-cert.cisa.gov/ncas/alerts/aa21-200a"}, {"source_name": "Dell TG-3390", "description": "Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.", "url": "https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage"}, {"source_name": "Rapid7 HAFNIUM Mar 2021", "description": "Eoin Miller. (2021, March 23). Defending Against the Zero Day: Analyzing Attacker Behavior Post-Exploitation of Microsoft Exchange. Retrieved October 27, 2022.", "url": "https://www.rapid7.com/blog/post/2021/03/23/defending-against-the-zero-day-analyzing-attacker-behavior-post-exploitation-of-microsoft-exchange/"}, {"source_name": "FireEye Periscope March 2018", "description": "FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.", "url": "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html"}, {"source_name": "Lee 2013", "description": "Lee, T., Hanzlik, D., Ahl, I. (2013, August 7). Breaking Down the China Chopper Web Shell - Part I. 
Retrieved March 27, 2015.", "url": "https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["CALENDAR"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--5a84dc36-df0d-4053-9b7c-f0c388a57283", "type": "malware", "created": "2017-05-31T21:32:20.137Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0025", "external_id": "S0025"}, {"source_name": "Mandiant APT1", "description": "Mandiant. (n.d.). APT1 Exposing One of China\u2019s Cyber Espionage Units. Retrieved July 18, 2016.", "url": "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"}], "modified": "2020-03-30T15:12:21.836Z", "name": "CALENDAR", "description": "[CALENDAR](https://attack.mitre.org/software/S0025) is malware used by [APT1](https://attack.mitre.org/groups/G0006) that mimics legitimate Gmail Calendar traffic. 
(Citation: Mandiant APT1)", "x_mitre_version": "1.2", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2023-10-17T20:05:34.648Z", "name": "LockerGoga", "description": "[LockerGoga](https://attack.mitre.org/software/S0372) is ransomware that was first reported in January 2019, and has been tied to various attacks on European companies, including industrial and manufacturing firms.(Citation: Unit42 LockerGoga 2019)(Citation: CarbonBlack LockerGoga 2019)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack", "ics-attack"], "x_mitre_version": "2.0", "x_mitre_contributors": ["Joe Slowik - Dragos"], "x_mitre_aliases": ["LockerGoga"], "type": "malware", "id": "malware--5af7a825-2d9f-400d-931a-e00eb9e27f48", "created": "2019-04-16T19:00:49.435Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0372", "external_id": "S0372"}, {"source_name": "CarbonBlack LockerGoga 2019", "description": "CarbonBlack Threat Analysis Unit. (2019, March 22). TAU Threat Intelligence Notification \u2013 LockerGoga Ransomware. Retrieved April 16, 2019.", "url": "https://www.carbonblack.com/2019/03/22/tau-threat-intelligence-notification-lockergoga-ransomware/"}, {"source_name": "Unit42 LockerGoga 2019", "description": "Harbison, M. (2019, March 26). Born This Way? Origins of LockerGoga. 
Retrieved April 16, 2019.", "url": "https://unit42.paloaltonetworks.com/born-this-way-origins-of-lockergoga/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Linux"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["Chaos"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--5bcd5511-6756-4824-a692-e8bb109364af", "type": "malware", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0220", "external_id": "S0220"}, {"source_name": "Chaos", "description": "(Citation: Chaos Stolen Backdoor)"}, {"source_name": "Chaos Stolen Backdoor", "description": "Sebastian Feldmann. (2018, February 14). Chaos: a Stolen Backdoor Rising Again. Retrieved March 5, 2018.", "url": "http://gosecure.net/2018/02/14/chaos-stolen-backdoor-rising/"}], "modified": "2020-07-01T18:30:55.286Z", "name": "Chaos", "description": "[Chaos](https://attack.mitre.org/software/S0220) is Linux malware that compromises systems by brute force attacks against SSH services. Once installed, it provides a reverse shell to its controllers, triggered by unsolicited packets. 
(Citation: Chaos Stolen Backdoor)", "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_contributors": ["Robert Falcone"], "x_mitre_aliases": ["ISMInjector"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--5be33fef-39c0-4532-84ee-bea31e1b5324", "type": "malware", "created": "2018-01-16T16:13:52.465Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0189", "external_id": "S0189"}, {"source_name": "ISMInjector", "description": "(Citation: OilRig New Delivery Oct 2017)"}, {"source_name": "OilRig New Delivery Oct 2017", "description": "Falcone, R. and Lee, B. (2017, October 9). OilRig Group Steps Up Attacks with New Delivery Documents and New Injector Trojan. Retrieved January 8, 2018.", "url": "https://researchcenter.paloaltonetworks.com/2017/10/unit42-oilrig-group-steps-attacks-new-delivery-documents-new-injector-trojan/"}], "modified": "2020-03-31T12:38:41.115Z", "name": "ISMInjector", "description": "[ISMInjector](https://attack.mitre.org/software/S0189) is a Trojan used to install another [OilRig](https://attack.mitre.org/groups/G0049) backdoor, ISMAgent. (Citation: OilRig New Delivery Oct 2017)", "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2023-09-19T13:31:34.134Z", "name": "PUNCHBUGGY", "description": "[PUNCHBUGGY](https://attack.mitre.org/software/S0196) is a backdoor malware used by [FIN8](https://attack.mitre.org/groups/G0061) that has been observed targeting POS networks in the hospitality industry. 
(Citation: Morphisec ShellTea June 2019)(Citation: FireEye Fin8 May 2016) (Citation: FireEye Know Your Enemy FIN8 Aug 2016)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "2.1", "x_mitre_aliases": ["PUNCHBUGGY", "ShellTea"], "type": "malware", "id": "malware--5c6ed2dc-37f4-40ea-b2e1-4c76140a388c", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0196", "external_id": "S0196"}, {"source_name": "PUNCHBUGGY", "description": "(Citation: FireEye Fin8 May 2016) (Citation: FireEye Know Your Enemy FIN8 Aug 2016)"}, {"source_name": "ShellTea", "description": "(Citation: Morphisec ShellTea June 2019)"}, {"source_name": "FireEye Know Your Enemy FIN8 Aug 2016", "description": "Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.", "url": "https://www2.fireeye.com/WBNR-Know-Your-Enemy-UNC622-Spear-Phishing.html"}, {"source_name": "Morphisec ShellTea June 2019", "description": "Gorelik, M.. (2019, June 10). SECURITY ALERT: FIN8 IS BACK IN BUSINESS, TARGETING THE HOSPITALITY INDUSTRY. Retrieved June 13, 2019.", "url": "http://blog.morphisec.com/security-alert-fin8-is-back"}, {"source_name": "FireEye Fin8 May 2016", "description": "Kizhakkinan, D., et al. (2016, May 11). Threat Actor Leverages Windows Zero-day Exploit in Payment Card Data Attacks. 
Retrieved February 12, 2018.", "url": "https://www.fireeye.com/blog/threat-research/2016/05/windows-zero-day-payment-cards.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-04-11T02:26:45.606Z", "name": "GoldMax", "description": "[GoldMax](https://attack.mitre.org/software/S0588) is a second-stage C2 backdoor written in Go with Windows and Linux variants that are nearly identical in functionality. [GoldMax](https://attack.mitre.org/software/S0588) was discovered in early 2021 during the investigation into the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024), and has likely been used by [APT29](https://attack.mitre.org/groups/G0016) since at least mid-2019. [GoldMax](https://attack.mitre.org/software/S0588) uses multiple defense evasion techniques, including avoiding virtualization execution and masking malicious traffic.(Citation: MSTIC NOBELIUM Mar 2021)(Citation: FireEye SUNSHUTTLE Mar 2021)(Citation: CrowdStrike StellarParticle January 2022)", "x_mitre_platforms": ["Windows", "Linux"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "2.3", "x_mitre_aliases": ["GoldMax", "SUNSHUTTLE"], "type": "malware", "id": "malware--5c747acd-47f0-4c5a-b9e5-213541fc01e0", "created": "2021-03-12T16:10:45.416Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0588", "external_id": "S0588"}, {"source_name": "SUNSHUTTLE", "description": "(Citation: FireEye SUNSHUTTLE Mar 2021)"}, {"source_name": "GoldMax", "description": "(Citation: MSTIC NOBELIUM Mar 2021)"}, {"source_name": "CrowdStrike StellarParticle January 2022", "description": "CrowdStrike. (2022, January 27). 
Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022.", "url": "https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/"}, {"source_name": "MSTIC NOBELIUM Mar 2021", "description": "Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM\u2019s layered persistence. Retrieved March 8, 2021.", "url": "https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/"}, {"source_name": "FireEye SUNSHUTTLE Mar 2021", "description": "Smith, L., Leathery, J., Read, B. (2021, March 4). New SUNSHUTTLE Second-Stage Backdoor Uncovered Targeting U.S.-Based Entity; Possible Connection to UNC2452. Retrieved March 12, 2021.", "url": "https://www.fireeye.com/blog/threat-research/2021/03/sunshuttle-second-stage-backdoor-targeting-us-based-entity.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["HELLOKITTY"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--5d11d418-95dd-4377-b782-23160dfa17b4", "type": "malware", "created": "2021-06-03T20:07:21.788Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "S0617", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0617"}, {"source_name": "FireEye FiveHands April 2021", "url": "https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html", "description": "McLellan, T. and Moore, J. et al. (2021, April 29). UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat. 
Retrieved June 2, 2021."}], "modified": "2021-10-18T18:33:58.599Z", "name": "HELLOKITTY", "description": "[HELLOKITTY](https://attack.mitre.org/software/S0617) is a ransomware written in C++ that shares similar code structure and functionality with [DEATHRANSOM](https://attack.mitre.org/software/S0616) and [FIVEHANDS](https://attack.mitre.org/software/S0618). [HELLOKITTY](https://attack.mitre.org/software/S0617) has been used since at least 2020, targets have included a Polish video game developer and a Brazilian electric power company.(Citation: FireEye FiveHands April 2021)", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2022-10-05T16:34:18.865Z", "name": "CostaBricks", "description": "[CostaBricks](https://attack.mitre.org/software/S0614) is a loader that was used to deploy 32-bit backdoors in the [CostaRicto](https://attack.mitre.org/groups/G0132) campaign.(Citation: BlackBerry CostaRicto November 2020)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.1", "x_mitre_aliases": ["CostaBricks"], "type": "malware", "id": "malware--5d342981-5194-41e7-b33f-8e91998d7d88", "created": "2021-05-24T15:56:18.522Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0614", "external_id": "S0614"}, {"source_name": "BlackBerry CostaRicto November 2020", "description": "The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. 
Retrieved May 24, 2021.", "url": "https://blogs.blackberry.com/en/2020/11/the-costaricto-campaign-cyber-espionage-outsourced"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-04-15T23:22:28.176Z", "name": "Cheerscrypt", "description": "[Cheerscrypt](https://attack.mitre.org/software/S1096) is a ransomware that was developed by [Cinnamon Tempest](https://attack.mitre.org/groups/G1021) and has been used in attacks against ESXi and Windows environments since at least 2022. [Cheerscrypt](https://attack.mitre.org/software/S1096) was derived from the leaked [Babuk](https://attack.mitre.org/software/S0638) source code and has infrastructure overlaps with deployments of Night Sky ransomware, which was also derived from [Babuk](https://attack.mitre.org/software/S0638).(Citation: Sygnia Emperor Dragonfly October 2022)(Citation: Trend Micro Cheerscrypt May 2022)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.0", "x_mitre_aliases": ["Cheerscrypt"], "type": "malware", "id": "malware--5d3fa1db-5041-4560-b87b-8f61cc225c52", "created": "2023-12-18T20:24:33.641Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1096", "external_id": "S1096"}, {"source_name": "Sygnia Emperor Dragonfly October 2022", "description": "Biderman, O. et al. (2022, October 3). REVEALING EMPEROR DRAGONFLY: NIGHT SKY AND CHEERSCRYPT - A SINGLE RANSOMWARE GROUP. Retrieved December 6, 2023.", "url": "https://blog.sygnia.co/revealing-emperor-dragonfly-a-chinese-ransomware-group"}, {"source_name": "Trend Micro Cheerscrypt May 2022", "description": "Dela Cruz, A. et al. (2022, May 25). 
New Linux-Based Ransomware Cheerscrypt Targeting ESXi Devices Linked to Leaked Babuk Source Code. Retrieved December 19, 2023.", "url": "https://www.trendmicro.com/en_se/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-03-28T19:18:39.684Z", "name": "LIGHTWIRE", "description": "[LIGHTWIRE](https://attack.mitre.org/software/S1119) is a web shell written in Perl that was used during [Cutting Edge](https://attack.mitre.org/campaigns/C0029) to maintain access and enable command execution by imbedding into the legitimate compcheckresult.cgi component of Ivanti Secure Connect VPNs.(Citation: Mandiant Cutting Edge Part 2 January 2024)(Citation: Mandiant Cutting Edge January 2024)", "x_mitre_platforms": ["Network"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.0", "x_mitre_aliases": ["LIGHTWIRE"], "type": "malware", "id": "malware--5dc9e8ec-9917-4de7-b8ab-16007899dd80", "created": "2024-03-07T20:52:41.463Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1119", "external_id": "S1119"}, {"source_name": "Mandiant Cutting Edge Part 2 January 2024", "description": "Lin, M. et al. (2024, January 31). Cutting Edge, Part 2: Investigating Ivanti Connect Secure VPN Zero-Day Exploitation. Retrieved February 27, 2024.", "url": "https://www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation"}, {"source_name": "Mandiant Cutting Edge January 2024", "description": "McLellan, T. et al. (2024, January 12). Cutting Edge: Suspected APT Targets Ivanti Connect Secure VPN in New Zero-Day Exploitation. 
Retrieved February 27, 2024.", "url": "https://www.mandiant.com/resources/blog/suspected-apt-targets-ivanti-zero-day"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-04-18T18:25:18.520Z", "name": "KeyBoy", "description": "[KeyBoy](https://attack.mitre.org/software/S0387) is malware that has been used in targeted campaigns against members of the Tibetan Parliament in 2016.(Citation: CitizenLab KeyBoy Nov 2016)(Citation: PWC KeyBoys Feb 2017)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.3", "x_mitre_aliases": ["KeyBoy"], "type": "malware", "id": "malware--5dd649c0-bca4-488b-bd85-b180474ec62e", "created": "2019-06-14T16:45:33.729Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0387", "external_id": "S0387"}, {"source_name": "KeyBoy", "description": "(Citation: PWC KeyBoys Feb 2017)(Citation: CitizenLab KeyBoy Nov 2016)(Citation: Rapid7 KeyBoy Jun 2013)"}, {"source_name": "Rapid7 KeyBoy Jun 2013", "description": "Guarnieri, C., Schloesser M. (2013, June 7). KeyBoy, Targeted Attacks against Vietnam and India. Retrieved June 14, 2019.", "url": "https://blog.rapid7.com/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india/"}, {"source_name": "CitizenLab KeyBoy Nov 2016", "description": "Hulcoop, A., et al. (2016, November 17). It\u2019s Parliamentary KeyBoy and the targeting of the Tibetan Community. Retrieved June 13, 2019.", "url": "https://citizenlab.ca/2016/11/parliament-keyboy/"}, {"source_name": "PWC KeyBoys Feb 2017", "description": "Parys, B. (2017, February 11). The KeyBoys are back in town. 
Retrieved June 13, 2019.", "url": "https://web.archive.org/web/20211129064701/https://www.pwc.co.uk/issues/cyber-security-services/research/the-keyboys-are-back-in-town.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["POSHSPY"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--5e595477-2e78-4ce7-ae42-e0b059b17808", "type": "malware", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0150", "external_id": "S0150"}, {"source_name": "POSHSPY", "description": "(Citation: FireEye POSHSPY April 2017)"}, {"source_name": "FireEye POSHSPY April 2017", "description": "Dunwoody, M.. (2017, April 3). Dissecting One of APT29\u2019s Fileless WMI and PowerShell Backdoors (POSHSPY). Retrieved April 5, 2017.", "url": "https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html"}], "modified": "2020-03-30T17:16:53.396Z", "name": "POSHSPY", "description": "[POSHSPY](https://attack.mitre.org/software/S0150) is a backdoor that has been used by [APT29](https://attack.mitre.org/groups/G0016) since at least 2015. It appears to be used as a secondary backdoor used if the actors lost access to their primary backdoors. 
(Citation: FireEye POSHSPY April 2017)", "x_mitre_version": "1.2", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["MiniDuke"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--5e7ef1dc-7fb6-4913-ac75-e06113b59e0c", "type": "malware", "created": "2017-05-31T21:32:36.919Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0051", "external_id": "S0051"}, {"source_name": "F-Secure The Dukes", "description": "F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.", "url": "https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf"}], "modified": "2021-10-14T21:21:51.872Z", "name": "MiniDuke", "description": "[MiniDuke](https://attack.mitre.org/software/S0051) is malware that was used by [APT29](https://attack.mitre.org/groups/G0016) from 2010 to 2015. The [MiniDuke](https://attack.mitre.org/software/S0051) toolset consists of multiple downloader and backdoor components. The loader has been used with other [MiniDuke](https://attack.mitre.org/software/S0051) components as well as in conjunction with [CosmicDuke](https://attack.mitre.org/software/S0050) and [PinchDuke](https://attack.mitre.org/software/S0048). 
(Citation: F-Secure The Dukes)", "x_mitre_version": "1.3", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-04-11T02:16:42.727Z", "name": "HyperBro", "description": "[HyperBro](https://attack.mitre.org/software/S0398) is a custom in-memory backdoor used by [Threat Group-3390](https://attack.mitre.org/groups/G0027).(Citation: Unit42 Emissary Panda May 2019)(Citation: Securelist LuckyMouse June 2018)(Citation: Hacker News LuckyMouse June 2018)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.3", "x_mitre_aliases": ["HyperBro"], "type": "malware", "id": "malware--5e814485-012d-423d-b769-026bfed0f451", "created": "2019-07-09T17:42:44.777Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0398", "external_id": "S0398"}, {"source_name": "HyperBro", "description": "(Citation: Unit42 Emissary Panda May 2019)"}, {"source_name": "Unit42 Emissary Panda May 2019", "description": "Falcone, R. and Lancaster, T. (2019, May 28). Emissary Panda Attacks Middle East Government Sharepoint Servers. Retrieved July 9, 2019.", "url": "https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/"}, {"source_name": "Hacker News LuckyMouse June 2018", "description": "Khandelwal, S. (2018, June 14). Chinese Hackers Carried Out Country-Level Watering Hole Attack. Retrieved August 18, 2018.", "url": "https://thehackernews.com/2018/06/chinese-watering-hole-attack.html"}, {"source_name": "Securelist LuckyMouse June 2018", "description": "Legezo, D. (2018, June 13). LuckyMouse hits national data center to organize country-level waterholing campaign. 
Retrieved August 18, 2018.", "url": "https://securelist.com/luckymouse-hits-national-data-center/86083/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2023-12-04T20:02:47.052Z", "name": "Anchor", "description": "[Anchor](https://attack.mitre.org/software/S0504) is one of a family of backdoor malware that has been used in conjunction with [TrickBot](https://attack.mitre.org/software/S0266) on selected high profile targets since at least 2018.(Citation: Cyberreason Anchor December 2019)(Citation: Medium Anchor DNS July 2020)", "x_mitre_platforms": ["Linux", "Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.1", "x_mitre_contributors": ["Cybereason Nocturnus, @nocturnus"], "x_mitre_aliases": ["Anchor", "Anchor_DNS"], "type": "malware", "id": "malware--5f1d4579-4e8f-48e7-860e-2da773ae432e", "created": "2020-09-10T15:54:21.805Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0504", "external_id": "S0504"}, {"source_name": "Anchor_DNS", "description": "(Citation: Cyberreason Anchor December 2019)(Citation: Medium Anchor DNS July 2020)"}, {"source_name": "Cyberreason Anchor December 2019", "description": "Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020.", "url": "https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware"}, {"source_name": "Medium Anchor DNS July 2020", "description": "Grange, W. (2020, July 13). Anchor_dns malware goes cross platform. 
Retrieved September 10, 2020.", "url": "https://medium.com/stage-2-security/anchor-dns-malware-family-goes-cross-platform-d807ba13ca30"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["Pteranodon", "Pterodo"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "type": "malware", "id": "malware--5f9f7648-04ba-4a9f-bb4c-2a13e74572bd", "created": "2017-05-31T21:33:26.084Z", "x_mitre_version": "2.1", "external_references": [{"source_name": "mitre-attack", "external_id": "S0147", "url": "https://attack.mitre.org/software/S0147"}, {"source_name": "Pterodo", "description": "(Citation: Symantec Shuckworm January 2022)(Citation: Secureworks IRON TILDEN Profile)"}, {"source_name": "Palo Alto Gamaredon Feb 2017", "url": "https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/", "description": "Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017."}, {"source_name": "Secureworks IRON TILDEN Profile", "url": "https://www.secureworks.com/research/threat-profiles/iron-tilden", "description": "Secureworks CTU. (n.d.). IRON TILDEN. Retrieved February 24, 2022."}, {"source_name": "Symantec Shuckworm January 2022", "url": "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine", "description": "Symantec. (2022, January 31). Shuckworm Continues Cyber-Espionage Attacks Against Ukraine. 
Retrieved February 17, 2022."}], "x_mitre_deprecated": false, "revoked": false, "description": "[Pteranodon](https://attack.mitre.org/software/S0147) is a custom backdoor used by [Gamaredon Group](https://attack.mitre.org/groups/G0047). (Citation: Palo Alto Gamaredon Feb 2017)", "modified": "2022-08-23T15:25:11.145Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Pteranodon", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2023-03-06T21:19:39.591Z", "name": "DarkTortilla", "description": "[DarkTortilla](https://attack.mitre.org/software/S1066) is a highly configurable .NET-based crypter that has been possibly active since at least August 2015. [DarkTortilla](https://attack.mitre.org/software/S1066) has been used to deliver popular information stealers, RATs, and payloads such as [Agent Tesla](https://attack.mitre.org/software/S0331), AsyncRat, [NanoCore](https://attack.mitre.org/software/S0336), RedLine, [Cobalt Strike](https://attack.mitre.org/software/S0154), and Metasploit.(Citation: Secureworks DarkTortilla Aug 2022)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.0", "x_mitre_contributors": ["Mindaugas Gudzis, BT Security"], "x_mitre_aliases": ["DarkTortilla"], "type": "malware", "id": "malware--5faaf81a-aa5b-4a4b-bae5-522439e068f8", "created": "2023-02-16T13:57:53.205Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1066", "external_id": "S1066"}, {"source_name": "Secureworks DarkTortilla Aug 2022", "description": "Secureworks Counter Threat Unit Research Team. (2022, August 17). DarkTortilla Malware Analysis. 
Retrieved November 3, 2022.", "url": "https://www.secureworks.com/research/darktortilla-malware-analysis"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["ROKRAT"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--60a9c2f0-b7a5-4e8e-959c-e1a3ff314a5f", "type": "malware", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0240", "external_id": "S0240"}, {"source_name": "ROKRAT", "description": "(Citation: Talos ROKRAT 2) (Citation: Talos Group123)"}, {"url": "https://blog.talosintelligence.com/2017/04/introducing-rokrat.html", "description": "Mercer, W., Rascagneres, P. (2017, April 03). Introducing ROKRAT. Retrieved May 21, 2018.", "source_name": "Talos ROKRAT"}, {"url": "https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html", "description": "Mercer, W., Rascagneres, P. (2018, January 16). Korea In The Crosshairs. Retrieved May 21, 2018.", "source_name": "Talos Group123"}, {"source_name": "Volexity InkySquid RokRAT August 2021", "url": "https://www.volexity.com/blog/2021/08/24/north-korean-bluelight-special-inkysquid-deploys-rokrat/", "description": "Cash, D., Grunzweig, J., Adair, S., Lancaster, T. (2021, August 25). North Korean BLUELIGHT Special: InkySquid Deploys RokRAT. Retrieved October 1, 2021."}, {"url": "https://blog.talosintelligence.com/2017/11/ROKRAT-Reloaded.html", "description": "Mercer, W., Rascagneres, P. (2017, November 28). ROKRAT Reloaded. 
Retrieved May 21, 2018.", "source_name": "Talos ROKRAT 2"}], "modified": "2022-03-30T20:40:21.212Z", "name": "ROKRAT", "description": "[ROKRAT](https://attack.mitre.org/software/S0240) is a cloud-based remote access tool (RAT) used by [APT37](https://attack.mitre.org/groups/G0067) to target victims in South Korea. [APT37](https://attack.mitre.org/groups/G0067) has used ROKRAT during several campaigns from 2016 through 2021.(Citation: Talos ROKRAT)(Citation: Talos Group123)(Citation: Volexity InkySquid RokRAT August 2021)", "x_mitre_version": "2.3", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2023-03-26T17:51:20.402Z", "name": "CORESHELL", "description": "[CORESHELL](https://attack.mitre.org/software/S0137) is a downloader used by [APT28](https://attack.mitre.org/groups/G0007). The older versions of this malware are known as SOURFACE and newer versions as CORESHELL.(Citation: FireEye APT28) (Citation: FireEye APT28 January 2017)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "2.1", "x_mitre_aliases": ["CORESHELL", "Sofacy", "SOURFACE"], "type": "malware", "id": "malware--60c18d06-7b91-4742-bae3-647845cd9d81", "created": "2017-05-31T21:33:18.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0137", "external_id": "S0137"}, {"source_name": "CORESHELL", "description": "(Citation: FireEye APT28) (Citation: FireEye APT28 January 2017)"}, {"source_name": "SOURFACE", "description": "(Citation: FireEye APT28) (Citation: FireEye APT28 January 2017)(Citation: Securelist Sofacy Feb 2018)"}, {"source_name": "FireEye APT28 January 2017", "description": "FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. 
Retrieved January 11, 2017.", "url": "https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf"}, {"source_name": "FireEye APT28", "description": "FireEye. (2015). APT28: A WINDOW INTO RUSSIA\u2019S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.", "url": "https://web.archive.org/web/20151022204649/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf"}, {"source_name": "Securelist Sofacy Feb 2018", "description": "Kaspersky Lab's Global Research & Analysis Team. (2018, February 20). A Slice of 2017 Sofacy Activity. Retrieved November 27, 2018.", "url": "https://securelist.com/a-slice-of-2017-sofacy-activity/83930/"}, {"source_name": "Sofacy", "description": "This designation has been used in reporting both to refer to the threat group ([APT28](https://attack.mitre.org/groups/G0007)) and its associated malware.(Citation: FireEye APT28) (Citation: FireEye APT28 January 2017)(Citation: Securelist Sofacy Feb 2018)"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["RunningRAT"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--60d50676-459a-47dd-92e9-a827a9fe9c58", "type": "malware", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0253", "external_id": "S0253"}, {"source_name": "RunningRAT", "description": "(Citation: McAfee Gold Dragon)"}, {"url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/", 
"description": "Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims\u2019 Systems. Retrieved June 6, 2018.", "source_name": "McAfee Gold Dragon"}], "modified": "2020-04-21T23:09:31.043Z", "name": "RunningRAT", "description": "[RunningRAT](https://attack.mitre.org/software/S0253) is a remote access tool that appeared in operations surrounding the 2018 Pyeongchang Winter Olympics along with [Gold Dragon](https://attack.mitre.org/software/S0249) and [Brave Prince](https://attack.mitre.org/software/S0252). (Citation: McAfee Gold Dragon)", "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows", "Linux"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_contributors": ["Hiroki Nagahama, NEC Corporation", "Pooja Natarajan, NEC Corporation India", "Manikantan Srinivasan, NEC Corporation India", "Daniyal Naeem, BT Security"], "x_mitre_aliases": ["Babuk", "Babyk", "Vasa Locker"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--61c7a91a-0b83-461d-ad32-75d96eed4a09", "type": "malware", "created": "2021-08-11T17:36:46.197Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "S0638", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0638"}, {"source_name": "Babyk", "description": "(Citation: Sogeti CERT ESEC Babuk March 2021)(Citation: McAfee Babuk February 2021)(Citation: Trend Micro Ransomware February 2021)"}, {"source_name": "Vasa Locker", "description": "(Citation: Sogeti CERT ESEC Babuk March 2021)(Citation: McAfee Babuk February 2021)"}, {"source_name": "Sogeti CERT ESEC Babuk March 2021", "url": "https://www.sogeti.com/globalassets/reports/cybersecchronicles_-_babuk.pdf", "description": "Sogeti. 
(2021, March). Babuk Ransomware. Retrieved August 11, 2021."}, {"source_name": "McAfee Babuk February 2021", "url": "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-babuk-ransomware.pdf", "description": "Mundo, A. et al. (2021, February). Technical Analysis of Babuk Ransomware. Retrieved August 11, 2021."}, {"source_name": "CyberScoop Babuk February 2021", "url": "https://www.cyberscoop.com/babuk-ransomware-serco-attack/", "description": "Lyngaas, S. (2021, February 4). Meet Babuk, a ransomware attacker blamed for the Serco breach. Retrieved August 11, 2021."}, {"source_name": "Trend Micro Ransomware February 2021", "url": "https://www.trendmicro.com/en_us/research/21/b/new-in-ransomware.html", "description": "Centero, R. et al. (2021, February 5). New in Ransomware: Seth-Locker, Babuk Locker, Maoloa, TeslaCrypt, and CobraLocker. Retrieved August 11, 2021."}], "modified": "2021-10-13T14:29:38.795Z", "name": "Babuk", "description": "[Babuk](https://attack.mitre.org/software/S0638) is a Ransomware-as-a-service (RaaS) malware that has been used since at least 2021. 
The operators of [Babuk](https://attack.mitre.org/software/S0638) employ a \"Big Game Hunting\" approach to targeting major enterprises and operate a leak site to post stolen data as part of their extortion scheme.(Citation: Sogeti CERT ESEC Babuk March 2021)(Citation: McAfee Babuk February 2021)(Citation: CyberScoop Babuk February 2021)", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-04-11T02:40:18.361Z", "name": "DarkWatchman", "description": "[DarkWatchman](https://attack.mitre.org/software/S0673) is a lightweight JavaScript-based remote access tool (RAT) that avoids file operations; it was first observed in November 2021.(Citation: Prevailion DarkWatchman 2021)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.2", "x_mitre_aliases": ["DarkWatchman"], "type": "malware", "id": "malware--63686509-069b-4143-99ea-4e59cad6cb2a", "created": "2022-01-10T19:43:47.281Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0673", "external_id": "S0673"}, {"source_name": "Prevailion DarkWatchman 2021", "description": "Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. 
Retrieved January 10, 2022.", "url": "https://www.prevailion.com/darkwatchman-new-fileless-techniques/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_contributors": ["Josh Campbell, Cyborg Security, @cyb0rgsecur1ty"], "x_mitre_aliases": ["Dyre", "Dyzap", "Dyreza"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--63c2a130-8a5b-452f-ad96-07cf0af12ffe", "type": "malware", "created": "2017-05-31T21:32:19.746Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0024", "external_id": "S0024"}, {"source_name": "Dyre", "description": "(Citation: Symantec Dyre June 2015)"}, {"source_name": "Dyzap", "description": "(Citation: Sophos Dyreza April 2015)"}, {"source_name": "Dyreza", "description": "(Citation: Sophos Dyreza April 2015)"}, {"source_name": "Symantec Dyre June 2015", "description": "Symantec Security Response. (2015, June 23). Dyre: Emerging threat on financial fraud landscape. Retrieved August 23, 2018.", "url": "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/dyre-emerging-threat.pdf"}, {"source_name": "Malwarebytes Dyreza November 2015", "url": "https://blog.malwarebytes.com/threat-analysis/2015/11/a-technical-look-at-dyreza/", "description": "hasherezade. (2015, November 4). A Technical Look At Dyreza. Retrieved June 15, 2020."}, {"source_name": "Sophos Dyreza April 2015", "url": "https://nakedsecurity.sophos.com/2015/04/20/notes-from-sophoslabs-dyreza-the-malware-that-discriminates-against-old-computers/", "description": "Ducklin, P. (2015, April 20). 
Notes from SophosLabs: Dyreza, the malware that discriminates against old computers. Retrieved June 16, 2020."}], "modified": "2020-06-22T17:59:13.241Z", "name": "Dyre", "description": "[Dyre](https://attack.mitre.org/software/S0024) is a banking Trojan that has been used for financial gain. \n (Citation: Symantec Dyre June 2015)(Citation: Malwarebytes Dyreza November 2015)", "x_mitre_version": "1.2", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["BlackMould"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--63c4511b-2d6e-4bb2-b582-e2e99a8a467d", "type": "malware", "created": "2021-01-14T19:58:17.917Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "S0564", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0564"}, {"source_name": "Microsoft GALLIUM December 2019", "url": "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/", "description": "MSTIC. (2019, December 12). GALLIUM: Targeting global telecom. Retrieved January 13, 2021."}], "modified": "2021-03-23T22:18:00.145Z", "name": "BlackMould", "description": "[BlackMould](https://attack.mitre.org/software/S0564) is a web shell based on [China Chopper](https://attack.mitre.org/software/S0020) for servers running Microsoft IIS. 
First reported in December 2019, it has been used in malicious campaigns by [GALLIUM](https://attack.mitre.org/groups/G0093) against telecommunication providers.(Citation: Microsoft GALLIUM December 2019)", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["Javali"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--64122557-5940-4271-9123-25bfc0c693db", "type": "malware", "created": "2020-11-09T18:32:18.369Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "S0528", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0528"}, {"source_name": "Securelist Brazilian Banking Malware July 2020", "url": "https://securelist.com/the-tetrade-brazilian-banking-malware/97779/", "description": "GReAT. (2020, July 14). The Tetrade: Brazilian banking malware goes global. 
Retrieved November 9, 2020."}], "modified": "2020-12-22T21:07:41.508Z", "name": "Javali", "description": "[Javali](https://attack.mitre.org/software/S0528) is a banking trojan that has targeted Portuguese and Spanish-speaking countries since 2017, primarily focusing on customers of financial institutions in Brazil and Mexico.(Citation: Securelist Brazilian Banking Malware July 2020)", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-04-10T21:08:49.143Z", "name": "PACEMAKER", "description": "[PACEMAKER](https://attack.mitre.org/software/S1109) is a credential stealer that was used by [APT5](https://attack.mitre.org/groups/G1023) as early as 2020 including activity against US Defense Industrial Base (DIB) companies.(Citation: Mandiant Pulse Secure Zero-Day April 2021)", "x_mitre_platforms": ["Network", "Linux"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.0", "x_mitre_aliases": ["PACEMAKER"], "type": "malware", "id": "malware--647215dd-29a6-4528-b354-ca8b5e08fca1", "created": "2024-02-08T19:38:27.401Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1109", "external_id": "S1109"}, {"source_name": "Mandiant Pulse Secure Zero-Day April 2021", "description": "Perez, D. et al. (2021, April 20). Check Your Pulse: Suspected APT Actors Leverage Authentication Bypass Techniques and Pulse Secure Zero-Day. 
Retrieved February 5, 2024.", "url": "https://www.mandiant.com/resources/blog/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["BBSRAT"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--64d76fa5-cf8f-469c-b78c-1a4f7c5bad80", "type": "malware", "created": "2017-05-31T21:33:13.664Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0127", "external_id": "S0127"}, {"source_name": "Palo Alto Networks BBSRAT", "description": "Lee, B. Grunzweig, J. (2015, December 22). BBSRAT Attacks Targeting Russian Organizations Linked to Roaming Tiger. Retrieved August 19, 2016.", "url": "http://researchcenter.paloaltonetworks.com/2015/12/bbsrat-attacks-targeting-russian-organizations-linked-to-roaming-tiger/"}], "modified": "2020-03-30T14:55:06.553Z", "name": "BBSRAT", "description": "[BBSRAT](https://attack.mitre.org/software/S0127) is malware with remote access tool functionality that has been used in targeted compromises. 
(Citation: Palo Alto Networks BBSRAT)", "x_mitre_version": "1.2", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2023-04-10T17:14:55.086Z", "name": "PlugX", "description": "[PlugX](https://attack.mitre.org/software/S0013) is a remote access tool (RAT) with modular plugins that has been used by multiple threat groups.(Citation: Lastline PlugX Analysis)(Citation: FireEye Clandestine Fox Part 2)(Citation: New DragonOK)(Citation: Dell TG-3390)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "3.1", "x_mitre_aliases": ["PlugX", "Thoper", "TVT", "DestroyRAT", "Sogu", "Kaba", "Korplug"], "type": "malware", "id": "malware--64fa0de0-6240-41f4-8638-f4ca7ed528fd", "created": "2017-05-31T21:32:15.638Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0013", "external_id": "S0013"}, {"source_name": "DestroyRAT", "description": "(Citation: CIRCL PlugX March 2013)"}, {"source_name": "Kaba", "description": "(Citation: FireEye Clandestine Fox Part 2)"}, {"source_name": "PlugX", "description": "(Citation: Lastline PlugX Analysis) (Citation: FireEye Clandestine Fox Part 2)(Citation: CIRCL PlugX March 2013)"}, {"source_name": "Korplug", "description": "(Citation: Lastline PlugX Analysis)(Citation: CIRCL PlugX March 2013)"}, {"source_name": "Sogu", "description": "(Citation: Lastline PlugX Analysis)(Citation: FireEye Clandestine Fox Part 2)(Citation: CIRCL PlugX March 2013)"}, {"source_name": "Thoper", "description": "(Citation: Novetta-Axiom)"}, {"source_name": "TVT", "description": "(Citation: Novetta-Axiom)"}, {"source_name": "CIRCL PlugX March 2013", "description": "Computer Incident Response Center Luxembourg. (2013, March 29). Analysis of a PlugX variant. 
Retrieved November 5, 2018.", "url": "http://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf"}, {"source_name": "Dell TG-3390", "description": "Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.", "url": "https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage"}, {"source_name": "New DragonOK", "description": "Miller-Osborn, J., Grunzweig, J.. (2015, April). Unit 42 Identifies New DragonOK Backdoor Malware Deployed Against Japanese Targets. Retrieved November 4, 2015.", "url": "http://researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/"}, {"source_name": "Novetta-Axiom", "description": "Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014.", "url": "https://web.archive.org/web/20230115144216/http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf"}, {"source_name": "FireEye Clandestine Fox Part 2", "description": "Scott, M.. (2014, June 10). Clandestine Fox, Part Deux. Retrieved January 14, 2016.", "url": "https://www.fireeye.com/blog/threat-research/2014/06/clandestine-fox-part-deux.html"}, {"source_name": "Lastline PlugX Analysis", "description": "Vasilenko, R. (2013, December 17). An Analysis of PlugX Malware. Retrieved November 24, 2015.", "url": "http://labs.lastline.com/an-analysis-of-plugx"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-04-11T00:21:09.543Z", "name": "Reaver", "description": "[Reaver](https://attack.mitre.org/software/S0172) is a malware family that has been in the wild since at least late 2016. 
Reporting indicates victims have primarily been associated with the \"Five Poisons,\" which are movements the Chinese government considers dangerous. The type of malware is rare due to its final payload being in the form of [Control Panel](https://attack.mitre.org/techniques/T1218/002) items.(Citation: Palo Alto Reaver Nov 2017)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.2", "x_mitre_aliases": ["Reaver"], "type": "malware", "id": "malware--65341f30-bec6-4b1d-8abf-1a5620446c29", "created": "2018-01-16T16:13:52.465Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0172", "external_id": "S0172"}, {"source_name": "Reaver", "description": "(Citation: Palo Alto Reaver Nov 2017)"}, {"source_name": "Palo Alto Reaver Nov 2017", "description": "Grunzweig, J. and Miller-Osborn, J. (2017, November 10). New Malware with Ties to SunOrcal Discovered. 
Retrieved November 16, 2017.", "url": "https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-04-11T02:53:35.918Z", "name": "Bisonal", "description": "[Bisonal](https://attack.mitre.org/software/S0268) is a remote access tool (RAT) that has been used by [Tonto Team](https://attack.mitre.org/groups/G0131) against public and private sector organizations in Russia, South Korea, and Japan since at least December 2010.(Citation: Unit 42 Bisonal July 2018)(Citation: Talos Bisonal Mar 2020)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "2.1", "x_mitre_aliases": ["Bisonal"], "type": "malware", "id": "malware--65ffc206-d7c1-45b3-b543-f6b726e7840d", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0268", "external_id": "S0268"}, {"source_name": "Bisonal", "description": "(Citation: Unit 42 Bisonal July 2018)(Citation: Talos Bisonal Mar 2020)"}, {"source_name": "Unit 42 Bisonal July 2018", "description": "Hayashi, K., Ray, V. (2018, July 31). Bisonal Malware Used in Attacks Against Russia and South Korea. Retrieved August 7, 2018.", "url": "https://researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/"}, {"source_name": "Talos Bisonal Mar 2020", "description": "Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. 
Retrieved January 26, 2022.", "url": "https://blog.talosintelligence.com/2020/03/bisonal-10-years-of-play.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2023-03-10T16:02:05.568Z", "name": "S-Type", "description": "[S-Type](https://attack.mitre.org/software/S0085) is a backdoor that was used in [Operation Dust Storm](https://attack.mitre.org/campaigns/C0016) since at least 2013.(Citation: Cylance Dust Storm)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.3", "x_mitre_aliases": ["S-Type"], "type": "malware", "id": "malware--66b1dcde-17a0-4c7b-95fa-b08d430c2131", "created": "2017-05-31T21:32:55.925Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0085", "external_id": "S0085"}, {"source_name": "Cylance Dust Storm", "description": "Gross, J. (2016, February 23). Operation Dust Storm. 
Retrieved December 22, 2021.", "url": "https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["SeaDuke", "SeaDaddy", "SeaDesk"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--67e6d66b-1b82-4699-b47a-e2efb6268d14", "type": "malware", "created": "2017-05-31T21:32:37.767Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0053", "external_id": "S0053"}, {"source_name": "F-Secure The Dukes", "description": "F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.", "url": "https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf"}], "modified": "2021-04-26T17:40:17.009Z", "name": "SeaDuke", "description": "[SeaDuke](https://attack.mitre.org/software/S0053) is malware that was used by [APT29](https://attack.mitre.org/groups/G0016) from 2014 to 2015. It was used primarily as a secondary backdoor for victims that were already compromised with [CozyCar](https://attack.mitre.org/software/S0046). 
(Citation: F-Secure The Dukes)", "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["BS2005"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--67fc172a-36fa-4a35-88eb-4ba730ed52a6", "type": "malware", "created": "2017-05-31T21:32:15.994Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0014", "external_id": "S0014"}, {"source_name": "Mandiant Operation Ke3chang November 2014", "description": "Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION \u201cKE3CHANG\u201d: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014.", "url": "https://www.mandiant.com/resources/operation-ke3chang-targeted-attacks-against-ministries-of-foreign-affairs"}], "modified": "2021-11-01T21:12:14.638Z", "name": "BS2005", "description": "[BS2005](https://attack.mitre.org/software/S0014) is malware that was used by [Ke3chang](https://attack.mitre.org/groups/G0004) in spearphishing campaigns since at least 2011. 
(Citation: Mandiant Operation Ke3chang November 2014)", "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["DustySky", "NeD Worm"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--687c23e4-4e25-4ee7-a870-c5e002511f54", "type": "malware", "created": "2017-05-31T21:32:41.750Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "S0062", "url": "https://attack.mitre.org/software/S0062", "source_name": "mitre-attack"}, {"source_name": "DustySky", "description": "ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016.", "url": "https://www.clearskysec.com/wp-content/uploads/2016/01/Operation%20DustySky_TLP_WHITE.pdf"}, {"url": "http://www.clearskysec.com/wp-content/uploads/2016/06/Operation-DustySky2_-6.2016_TLP_White.pdf", "description": "ClearSky Cybersecurity. (2016, June 9). Operation DustySky - Part 2. Retrieved August 3, 2016.", "source_name": "DustySky2"}, {"source_name": "Kaspersky MoleRATs April 2019", "url": "https://securelist.com/gaza-cybergang-group1-operation-sneakypastes/90068/", "description": "GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020."}], "modified": "2021-04-27T19:53:40.705Z", "name": "DustySky", "description": "[DustySky](https://attack.mitre.org/software/S0062) is multi-stage malware written in .NET that has been used by [Molerats](https://attack.mitre.org/groups/G0021) since May 2015. 
(Citation: DustySky) (Citation: DustySky2)(Citation: Kaspersky MoleRATs April 2019)", "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2023-03-08T22:17:50.971Z", "name": "Duqu", "description": "[Duqu](https://attack.mitre.org/software/S0038) is a malware platform that uses a modular approach to extend functionality after deployment within a target network. (Citation: Symantec W32.Duqu)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack", "ics-attack"], "x_mitre_version": "1.2", "x_mitre_aliases": ["Duqu"], "type": "malware", "id": "malware--68dca94f-c11d-421e-9287-7c501108e18c", "created": "2017-05-31T21:32:31.188Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0038", "external_id": "S0038"}, {"source_name": "Symantec W32.Duqu", "description": "Symantec Security Response. (2011, November). W32.Duqu: The precursor to the next Stuxnet. 
Retrieved September 17, 2015.", "url": "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["Truvasys"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--691c60e2-273d-4d56-9ce6-b67e0f8719ad", "type": "malware", "created": "2018-01-16T16:13:52.465Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0178", "external_id": "S0178"}, {"source_name": "Truvasys", "description": "(Citation: Microsoft Win Defender Truvasys Sep 2017) (Citation: Microsoft NEODYMIUM Dec 2016) (Citation: Microsoft SIR Vol 21)"}, {"url": "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:Win32/Truvasys.A!dha", "description": "Microsoft. (2017, September 15). Backdoor:Win32/Truvasys.A!dha. Retrieved November 30, 2017.", "source_name": "Microsoft Win Defender Truvasys Sep 2017"}, {"url": "https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/", "description": "Microsoft. (2016, December 14). Twin zero-day attacks: PROMETHIUM and NEODYMIUM target individuals in Europe. Retrieved November 27, 2017.", "source_name": "Microsoft NEODYMIUM Dec 2016"}, {"url": "http://download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf", "description": "Anthe, C. et al. (2016, December 14). 
Microsoft Security Intelligence Report Volume 21. Retrieved November 27, 2017.", "source_name": "Microsoft SIR Vol 21"}], "modified": "2020-03-18T16:10:02.987Z", "name": "Truvasys", "description": "[Truvasys](https://attack.mitre.org/software/S0178) is first-stage malware that has been used by [PROMETHIUM](https://attack.mitre.org/groups/G0056). It is a collection of modules written in the Delphi programming language. (Citation: Microsoft Win Defender Truvasys Sep 2017) (Citation: Microsoft NEODYMIUM Dec 2016) (Citation: Microsoft SIR Vol 21)", "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-04-11T00:16:18.864Z", "name": "Remsec", "description": "[Remsec](https://attack.mitre.org/software/S0125) is a modular backdoor that has been used by [Strider](https://attack.mitre.org/groups/G0041) and appears to have been designed primarily for espionage purposes. Many of its modules are written in Lua. (Citation: Symantec Strider Blog)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.3", "x_mitre_aliases": ["Remsec", "Backdoor.Remsec", "ProjectSauron"], "type": "malware", "id": "malware--69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", "created": "2017-05-31T21:33:12.858Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0125", "external_id": "S0125"}, {"source_name": "Kaspersky ProjectSauron Blog", "description": "Kaspersky Lab's Global Research & Analysis Team. (2016, August 8). ProjectSauron: top level cyber-espionage platform covertly extracts encrypted government comms. 
Retrieved August 17, 2016.", "url": "https://securelist.com/faq-the-projectsauron-apt/75533/"}, {"source_name": "ProjectSauron", "description": "ProjectSauron is used to refer both to the threat group also known as G0041 as well as the malware platform also known as S0125. (Citation: Kaspersky ProjectSauron Blog)"}, {"source_name": "Symantec Strider Blog", "description": "Symantec Security Response. (2016, August 7). Strider: Cyberespionage group turns eye of Sauron on targets. Retrieved August 17, 2016.", "url": "http://www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2023-04-06T22:00:22.774Z", "name": "Industroyer2", "description": "[Industroyer2](https://attack.mitre.org/software/S1072) is a compiled and static piece of malware that has the ability to communicate over the IEC-104 protocol. It is similar to the IEC-104 module found in [Industroyer](https://attack.mitre.org/software/S0604). Security researchers assess that [Industroyer2](https://attack.mitre.org/software/S1072) was designed to cause impact to high-voltage electrical substations. 
The initial [Industroyer2](https://attack.mitre.org/software/S1072) sample was compiled on March 23, 2022 and was scheduled to execute on April 8, 2022; however, it was discovered before deployment, resulting in no impact.(Citation: Industroyer2 Blackhat ESET)", "x_mitre_platforms": ["Field Controller/RTU/PLC/IED", "Engineering Workstation"], "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack", "enterprise-attack"], "x_mitre_version": "1.0", "x_mitre_aliases": ["Industroyer2"], "type": "malware", "id": "malware--6a0d0ea9-b2c4-43fe-a552-ac41a3009dc5", "created": "2023-03-30T19:20:45.556Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1072", "external_id": "S1072"}, {"source_name": "Industroyer2 Blackhat ESET", "description": "Anton Cherepanov, Robert Lipovsky. (2022, August). Industroyer2: Sandworm's Cyberwarfare Targets Ukraine's Power Grid. Retrieved April 6, 2023.", "url": "https://www.youtube.com/watch?v=xC9iM5wVedQ"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["Sykipot"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--6a0ef5d4-fc7c-4dda-85d7-592e4dbdc5d9", "type": "malware", "created": "2017-05-31T21:32:17.568Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0018", "external_id": "S0018"}, {"source_name": "Alienvault Sykipot DOD Smart Cards", "description": "Blasco, J. (2012, January 12). Sykipot variant hijacks DOD and Windows smart cards. 
Retrieved January 10, 2016.", "url": "https://www.alienvault.com/open-threat-exchange/blog/sykipot-variant-hijacks-dod-and-windows-smart-cards"}, {"url": "http://www.alienvault.com/open-threat-exchange/blog/new-sykipot-developments", "description": "Blasco, J. (2013, March 21). New Sykipot developments [Blog]. Retrieved November 12, 2014.", "source_name": "Blasco 2013"}], "modified": "2020-05-13T22:58:34.210Z", "name": "Sykipot", "description": "[Sykipot](https://attack.mitre.org/software/S0018) is malware that has been used in spearphishing campaigns since approximately 2007 against victims primarily in the US. One variant of [Sykipot](https://attack.mitre.org/software/S0018) hijacks smart cards on victims. (Citation: Alienvault Sykipot DOD Smart Cards) The group using this malware has also been referred to as Sykipot. (Citation: Blasco 2013)", "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["Explosive"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--6a21e3a4-5ffe-4581-af9a-6a54c7536f44", "type": "malware", "created": "2021-02-08T21:41:25.501Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "S0569", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0569"}, {"source_name": "Explosive", "description": "(Citation: CheckPoint Volatile Cedar March 2015)(Citation: ClearSky Lebanese Cedar Jan 2021) "}, {"source_name": "CheckPoint Volatile Cedar March 2015", "url": "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2015/03/20082004/volatile-cedar-technical-report.pdf", "description": "Threat Intelligence and Research. (2015, March 30). VOLATILE CEDAR. 
Retrieved February 8, 2021."}, {"source_name": "ClearSky Lebanese Cedar Jan 2021", "url": "https://www.clearskysec.com/wp-content/uploads/2021/01/Lebanese-Cedar-APT.pdf", "description": "ClearSky Cyber Security. (2021, January). \u201cLebanese Cedar\u201d APT Global Lebanese Espionage Campaign Leveraging Web Servers. Retrieved February 10, 2021."}], "modified": "2021-04-27T01:56:35.649Z", "name": "Explosive", "description": "[Explosive](https://attack.mitre.org/software/S0569) is a custom-made remote access tool used by the group [Volatile Cedar](https://attack.mitre.org/groups/G0123). It was first identified in the wild in 2015.(Citation: CheckPoint Volatile Cedar March 2015)(Citation: ClearSky Lebanese Cedar Jan 2021) ", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows", "Linux"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["Xbash"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--6a92d80f-cc65-45f6-aa66-3cdea6786b3c", "type": "malware", "created": "2019-01-30T13:28:47.452Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "S0341", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0341"}, {"source_name": "Xbash", "description": "(Citation: Unit42 Xbash Sept 2018)"}, {"description": "Xiao, C. (2018, September 17). Xbash Combines Botnet, Ransomware, Coinmining in Worm that Targets Linux and Windows. 
Retrieved November 14, 2018.", "url": "https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/", "source_name": "Unit42 Xbash Sept 2018"}], "modified": "2020-06-23T20:41:28.496Z", "name": "Xbash", "description": "[Xbash](https://attack.mitre.org/software/S0341) is a malware family that has targeted Linux and Microsoft Windows servers. The malware has been tied to the Iron Group, a threat actor group known for previous ransomware attacks. [Xbash](https://attack.mitre.org/software/S0341) was developed in Python and then converted into a self-contained Linux ELF executable by using PyInstaller.(Citation: Unit42 Xbash Sept 2018)", "x_mitre_version": "1.2", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["Rover"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--6b616fc1-1505-48e3-8b2c-0d19337bff38", "type": "malware", "created": "2017-05-31T21:32:58.226Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0090", "external_id": "S0090"}, {"source_name": "Palo Alto Rover", "description": "Ray, V., Hayashi, K. (2016, February 29). New Malware \u2018Rover\u2019 Targets Indian Ambassador to Afghanistan. Retrieved February 29, 2016.", "url": "http://researchcenter.paloaltonetworks.com/2016/02/new-malware-rover-targets-indian-ambassador-to-afghanistan/"}], "modified": "2020-03-17T14:52:20.206Z", "name": "Rover", "description": "[Rover](https://attack.mitre.org/software/S0090) is malware suspected of being used for espionage purposes. It was used in 2015 in a targeted email sent to an Indian Ambassador to Afghanistan. 
(Citation: Palo Alto Rover)", "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_contributors": ["Martin Smol\u00e1r, ESET"], "x_mitre_aliases": ["Epic", "Tavdig", "Wipbot", "WorldCupSec", "TadjMakhal"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--6b62e336-176f-417b-856a-8552dd8c44e1", "type": "malware", "created": "2017-05-31T21:32:58.738Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0091", "external_id": "S0091"}, {"source_name": "Epic", "description": "(Citation: Kaspersky Turla)"}, {"source_name": "Tavdig", "description": "(Citation: Kaspersky Turla)"}, {"source_name": "Wipbot", "description": "(Citation: Kaspersky Turla)"}, {"source_name": "WorldCupSec", "description": "(Citation: Kaspersky Turla)"}, {"source_name": "TadjMakhal", "description": "(Citation: Kaspersky Turla)"}, {"url": "https://securelist.com/the-epic-turla-operation/65545/", "description": "Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014.", "source_name": "Kaspersky Turla"}], "modified": "2020-10-26T14:33:46.159Z", "name": "Epic", "description": "[Epic](https://attack.mitre.org/software/S0091) is a backdoor that has been used by [Turla](https://attack.mitre.org/groups/G0010). 
(Citation: Kaspersky Turla)", "x_mitre_version": "1.3", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-04-11T01:37:19.602Z", "name": "LightNeuron", "description": "[LightNeuron](https://attack.mitre.org/software/S0395) is a sophisticated backdoor that has targeted Microsoft Exchange servers since at least 2014. [LightNeuron](https://attack.mitre.org/software/S0395) has been used by [Turla](https://attack.mitre.org/groups/G0010) to target diplomatic and foreign affairs-related organizations. The presence of certain strings in the malware suggests a Linux variant of [LightNeuron](https://attack.mitre.org/software/S0395) exists.(Citation: ESET LightNeuron May 2019)", "x_mitre_platforms": ["Windows", "Linux"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.2", "x_mitre_aliases": ["LightNeuron"], "type": "malware", "id": "malware--6ba1d7ae-d60b-43e6-9f08-a8b787e9d9cb", "created": "2019-06-28T13:09:26.710Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0395", "external_id": "S0395"}, {"source_name": "ESET LightNeuron May 2019", "description": "Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. 
Retrieved June 24, 2019.", "url": "https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["Peppy"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--6c2550d5-a01a-4bbb-a004-6ead348ba623", "type": "malware", "created": "2021-09-07T15:11:17.444Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "S0643", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0643"}, {"url": "https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf", "description": "Huss, D. (2016, March 1). Operation Transparent Tribe. 
Retrieved June 8, 2016.", "source_name": "Proofpoint Operation Transparent Tribe March 2016"}], "modified": "2021-10-15T15:09:54.978Z", "name": "Peppy", "description": "[Peppy](https://attack.mitre.org/software/S0643) is a Python-based remote access Trojan, active since at least 2012, with similarities to [Crimson](https://attack.mitre.org/software/S0115).(Citation: Proofpoint Operation Transparent Tribe March 2016)", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-04-11T01:46:20.169Z", "name": "KEYPLUG", "description": "[KEYPLUG](https://attack.mitre.org/software/S1051) is a modular backdoor written in C++, with Windows and Linux variants, that has been used by [APT41](https://attack.mitre.org/groups/G0096) since at least June 2021.(Citation: Mandiant APT41)", "x_mitre_platforms": ["Linux", "Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.1", "x_mitre_aliases": ["KEYPLUG", "KEYPLUG.LINUX"], "type": "malware", "id": "malware--6c575670-d14c-4c7f-9b9d-fd1b363e255d", "created": "2022-12-12T15:47:08.197Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1051", "external_id": "S1051"}, {"source_name": "KEYPLUG.LINUX", "description": "(Citation: Mandiant APT41)"}, {"source_name": "Mandiant APT41", "description": "Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. 
Retrieved July 8, 2022.", "url": "https://www.mandiant.com/resources/apt41-us-state-governments"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_contributors": ["Daniyal Naeem, BT Security"], "x_mitre_aliases": ["Cuba"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--6cd07296-14aa-403d-9229-6343d03d4752", "type": "malware", "created": "2021-06-18T22:05:58.411Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "S0625", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0625"}, {"source_name": "Cuba", "description": "(Citation: McAfee Cuba April 2021)"}, {"source_name": "McAfee Cuba April 2021", "url": "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-cuba-ransomware.pdf", "description": "Roccio, T., et al. (2021, April). Technical Analysis of Cuba Ransomware. 
Retrieved June 18, 2021."}], "modified": "2021-10-12T21:13:50.228Z", "name": "Cuba", "description": "[Cuba](https://attack.mitre.org/software/S0625) is a Windows-based ransomware family that has been used against financial institutions, technology, and logistics organizations in North and South America as well as Europe since at least December 2019.(Citation: McAfee Cuba April 2021)", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["DEATHRANSOM"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--6de9cad1-eed2-4e27-b0b5-39fa29349ea0", "type": "malware", "created": "2021-06-02T15:48:55.838Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "S0616", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0616"}, {"source_name": "FireEye FiveHands April 2021", "url": "https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html", "description": "McLellan, T. and Moore, J. et al. (2021, April 29). UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat. 
Retrieved June 2, 2021."}], "modified": "2021-10-18T18:28:24.079Z", "name": "DEATHRANSOM", "description": "[DEATHRANSOM](https://attack.mitre.org/software/S0616) is ransomware written in C that has been used since at least 2020, and has potential overlap with [FIVEHANDS](https://attack.mitre.org/software/S0618) and [HELLOKITTY](https://attack.mitre.org/software/S0617).(Citation: FireEye FiveHands April 2021)", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["Clambling"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--6e95feb1-78ee-48d3-b421-4d76663b5c49", "type": "malware", "created": "2021-11-12T20:54:55.974Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "S0660", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0660"}, {"source_name": "Trend Micro DRBControl February 2020", "url": "https://documents.trendmicro.com/assets/white_papers/wp-uncovering-DRBcontrol.pdf", "description": "Lunghi, D. et al. (2020, February). Uncovering DRBControl. 
Retrieved November 12, 2021."}], "modified": "2021-11-23T15:26:58.356Z", "name": "Clambling", "description": "[Clambling](https://attack.mitre.org/software/S0660) is a modular backdoor written in C++ that has been used by [Threat Group-3390](https://attack.mitre.org/groups/G0027) since at least 2017.(Citation: Trend Micro DRBControl February 2020)", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-04-08T17:17:49.947Z", "name": "Akira", "description": "[Akira](https://attack.mitre.org/software/S1129) ransomware, written in C++, is most prominently (but not exclusively) associated with the ransomware-as-a-service entity [Akira](https://attack.mitre.org/groups/G1024).(Citation: Kersten Akira 2023)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.0", "x_mitre_aliases": ["Akira"], "type": "malware", "id": "malware--6f6b2353-4b39-40ce-9d6d-d00b7a61e656", "created": "2024-04-04T17:59:46.698Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1129", "external_id": "S1129"}, {"source_name": "Kersten Akira 2023", "description": "Max Kersten & Alexandre Mundo. (2023, November 29). Akira Ransomware. 
Retrieved April 4, 2024.", "url": "https://www.trellix.com/blogs/research/akira-ransomware/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-04-01T21:19:06.580Z", "name": "DarkGate", "description": "[DarkGate](https://attack.mitre.org/software/S1111) first emerged in 2018 and has evolved into an initial access and data gathering tool associated with various criminal cyber operations. Written in Delphi and named \"DarkGate\" by its author, [DarkGate](https://attack.mitre.org/software/S1111) is associated with credential theft, cryptomining, cryptotheft, and pre-ransomware actions.(Citation: Ensilo Darkgate 2018) DarkGate use increased significantly starting in 2022 and is under active development by its author, who provides it as a Malware-as-a-Service offering.(Citation: Trellix Darkgate 2023)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.0", "x_mitre_contributors": ["Serhii Melnyk, Trustwave SpiderLabs"], "x_mitre_aliases": ["DarkGate"], "type": "malware", "id": "malware--6f6f67c9-556d-4459-95c2-78d272190e52", "created": "2024-02-09T19:52:30.428Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1111", "external_id": "S1111"}, {"source_name": "Ensilo Darkgate 2018", "description": "Adi Zeligson & Rotem Kerner. (2018, November 13). Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign. 
Retrieved February 9, 2024.", "url": "https://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign"}, {"source_name": "Trellix Darkgate 2023", "description": "Ernesto Fern\u00e1ndez Provecho, Pham Duy Phuc, Ciana Driscoll & Vinoo Thomas. (2023, November 21). The Continued Evolution of the DarkGate Malware-as-a-Service. Retrieved February 9, 2024.", "url": "https://www.trellix.com/blogs/research/the-continued-evolution-of-the-darkgate-malware-as-a-service/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2022-10-24T18:53:41.304Z", "name": "Mongall", "description": "[Mongall](https://attack.mitre.org/software/S1026) is a backdoor that has been used since at least 2013, including by [Aoqin Dragon](https://attack.mitre.org/groups/G1007).(Citation: SentinelOne Aoqin Dragon June 2022)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.0", "x_mitre_contributors": ["Hiroki Nagahama, NEC Corporation", "Pooja Natarajan, NEC Corporation India", "Manikantan Srinivasan, NEC Corporation India"], "x_mitre_aliases": ["Mongall"], "type": "malware", "id": "malware--6fb36c6f-bb3d-4ed6-9471-cb9933e5c154", "created": "2022-07-25T17:00:15.045Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1026", "external_id": "S1026"}, {"source_name": "SentinelOne Aoqin Dragon June 2022", "description": "Chen, Joey. (2022, June 9). Aoqin Dragon | Newly-Discovered Chinese-linked APT Has Been Quietly Spying On Organizations For 10 Years. 
Retrieved July 14, 2022.", "url": "https://www.sentinelone.com/labs/aoqin-dragon-newly-discovered-chinese-linked-apt-has-been-quietly-spying-on-organizations-for-10-years/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.0.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-04-11T00:37:11.186Z", "name": "NanHaiShu", "description": "[NanHaiShu](https://attack.mitre.org/software/S0228) is a remote access tool and JScript backdoor used by [Leviathan](https://attack.mitre.org/groups/G0065). [NanHaiShu](https://attack.mitre.org/software/S0228) has been used to target government and private-sector organizations that have relations to the South China Sea dispute. (Citation: Proofpoint Leviathan Oct 2017) (Citation: fsecure NanHaiShu July 2016)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.2", "x_mitre_aliases": ["NanHaiShu"], "type": "malware", "id": "malware--705f0783-5f7d-4491-b6b7-9628e6e006d2", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0228", "external_id": "S0228"}, {"source_name": "NanHaiShu", "description": "(Citation: Proofpoint Leviathan Oct 2017)"}, {"source_name": "Proofpoint Leviathan Oct 2017", "description": "Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.", "url": "https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets"}, {"source_name": "fsecure NanHaiShu July 2016", "description": "F-Secure Labs. (2016, July). NANHAISHU RATing the South China Sea. 
Retrieved July 6, 2018.", "url": "https://www.f-secure.com/documents/996508/1030745/nanhaishu_whitepaper.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2023-04-18T12:41:37.940Z", "name": "SVCReady", "description": "[SVCReady](https://attack.mitre.org/software/S1064) is a loader that has been used since at least April 2022 in malicious spam campaigns. Security researchers have noted overlaps between [TA551](https://attack.mitre.org/groups/G0127) activity and [SVCReady](https://attack.mitre.org/software/S1064) distribution, including similarities in file names, lure images, and identical grammatical errors.(Citation: HP SVCReady Jun 2022)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.0", "x_mitre_contributors": ["Manikantan Srinivasan, NEC Corporation India", "Akiko To, NEC Corporation", "Pooja Natarajan, NEC Corporation India"], "x_mitre_aliases": ["SVCReady"], "type": "malware", "id": "malware--7230ded7-3b1a-4d6e-9735-d0ffd47af9f6", "created": "2023-02-10T18:05:56.465Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1064", "external_id": "S1064"}, {"source_name": "HP SVCReady Jun 2022", "description": "Schlapfer, Patrick. (2022, June 6). A New Loader Gets Ready. 
Retrieved December 13, 2022.", "url": "https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["macOS"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["ThiefQuest", "MacRansom.K", "EvilQuest"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "type": "malware", "id": "malware--727afb95-3d0f-4451-b297-362a43909923", "created": "2021-03-19T16:26:04.260Z", "x_mitre_version": "1.2", "external_references": [{"source_name": "mitre-attack", "external_id": "S0595", "url": "https://attack.mitre.org/software/S0595"}, {"source_name": "ThiefQuest", "description": "(Citation: Reed thiefquest fake ransom)"}, {"source_name": "EvilQuest", "description": "(Citation: Reed thiefquest fake ransom)"}, {"source_name": "MacRansom.K", "description": "(Citation: SentinelOne EvilQuest Ransomware Spyware 2020)"}, {"source_name": "wardle evilquest partii", "url": "https://objective-see.com/blog/blog_0x60.html", "description": "Patrick Wardle. (2020, July 3). OSX.EvilQuest Uncovered part ii: insidious capabilities. Retrieved March 21, 2021."}, {"source_name": "SentinelOne EvilQuest Ransomware Spyware 2020", "url": "https://www.sentinelone.com/blog/evilquest-a-new-macos-malware-rolls-ransomware-spyware-and-data-theft-into-one/", "description": "Phil Stokes. (2020, July 8). \u201cEvilQuest\u201d Rolls Ransomware, Spyware & Data Theft Into One. Retrieved April 1, 2021."}, {"source_name": "Reed thiefquest fake ransom", "url": "https://blog.malwarebytes.com/detections/osx-thiefquest/", "description": "Thomas Reed. (2020, July 7). Mac ThiefQuest malware may not be ransomware after all. 
Retrieved March 18, 2021."}, {"source_name": "reed thiefquest ransomware analysis", "url": "https://blog.malwarebytes.com/mac/2020/07/mac-thiefquest-malware-may-not-be-ransomware-after-all/", "description": "Thomas Reed. (2020, July 7). Mac ThiefQuest malware may not be ransomware after all. Retrieved March 22, 2021."}], "x_mitre_deprecated": false, "revoked": false, "description": "[ThiefQuest](https://attack.mitre.org/software/S0595) is a virus, data stealer, and wiper that presents itself as ransomware targeting macOS systems. [ThiefQuest](https://attack.mitre.org/software/S0595) was first seen in 2020 distributed via trojanized pirated versions of popular macOS software on Russian forums sharing torrent links.(Citation: Reed thiefquest fake ransom) Even though [ThiefQuest](https://attack.mitre.org/software/S0595) presents itself as ransomware, since the dynamically generated encryption key is never sent to the attacker it may be more appropriately thought of as a form of wiper malware.(Citation: wardle evilquest partii)(Citation: reed thiefquest ransomware analysis)", "modified": "2022-04-16T15:01:37.957Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "ThiefQuest", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-04-11T02:32:04.884Z", "name": "FoggyWeb", "description": "[FoggyWeb](https://attack.mitre.org/software/S0661) is a passive and highly-targeted backdoor capable of remotely exfiltrating sensitive information from a compromised Active Directory Federated Services (AD FS) server. 
It has been used by [APT29](https://attack.mitre.org/groups/G0016) since at least early April 2021.(Citation: MSTIC FoggyWeb September 2021)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.1", "x_mitre_contributors": ["Craig Smith, BT Security"], "x_mitre_aliases": ["FoggyWeb"], "type": "malware", "id": "malware--72911fe3-f085-40f7-b4f2-f25a4221fe44", "created": "2021-11-16T14:33:46.321Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0661", "external_id": "S0661"}, {"source_name": "MSTIC FoggyWeb September 2021", "description": "Ramin Nafisi. (2021, September 27). FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor. Retrieved October 4, 2021.", "url": "https://www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-04-19T13:24:36.873Z", "name": "NGLite", "description": "[NGLite](https://attack.mitre.org/software/S1106) is a backdoor Trojan that is only capable of running commands received through its C2 channel. 
While the capabilities are standard for a backdoor, NGLite uses a novel C2 channel that leverages a decentralized network based on the legitimate NKN to communicate between the backdoor and the actors.(Citation: NGLite Trojan)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.0", "x_mitre_aliases": ["NGLite"], "type": "malware", "id": "malware--72b5f07f-5448-4e00-9ff2-08bc193a7b77", "created": "2024-02-08T15:23:05.910Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1106", "external_id": "S1106"}, {"source_name": "NGLite Trojan", "description": "Robert Falcone, Jeff White, and Peter Renals. (2021, November 7). Targeted Attack Campaign Against ManageEngine ADSelfService Plus Delivers Godzilla Webshells, NGLite Trojan and KdcSponge Stealer. Retrieved February 8, 2024.", "url": "https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2023-08-17T19:51:14.195Z", "name": "Carbanak", "description": "[Carbanak](https://attack.mitre.org/software/S0030) is a full-featured, remote backdoor used by a group of the same name ([Carbanak](https://attack.mitre.org/groups/G0008)). It is intended for espionage, data exfiltration, and providing remote access to infected machines. 
(Citation: Kaspersky Carbanak) (Citation: FireEye CARBANAK June 2017)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.1", "x_mitre_aliases": ["Carbanak", "Anunak"], "type": "malware", "id": "malware--72f54d66-675d-4587-9bd3-4ed09f9522e4", "created": "2017-05-31T21:32:22.213Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0030", "external_id": "S0030"}, {"source_name": "Carbanak", "description": "(Citation: FireEye CARBANAK June 2017)"}, {"source_name": "Anunak", "description": "(Citation: Fox-It Anunak Feb 2015) (Citation: FireEye CARBANAK June 2017)"}, {"source_name": "FireEye CARBANAK June 2017", "description": "Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018.", "url": "https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html"}, {"source_name": "Kaspersky Carbanak", "description": "Kaspersky Lab's Global Research and Analysis Team. (2015, February). CARBANAK APT THE GREAT BANK ROBBERY. Retrieved August 23, 2018.", "url": "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064518/Carbanak_APT_eng.pdf"}, {"source_name": "Fox-It Anunak Feb 2015", "description": "Prins, R. (2015, February 16). Anunak (aka Carbanak) Update. 
Retrieved January 20, 2017.", "url": "https://www.fox-it.com/en/news/blog/anunak-aka-carbanak-update/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["XTunnel", "Trojan.Shunnael", "X-Tunnel", "XAPS"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--7343e208-7cab-45f2-a47b-41ba5e2f0fab", "type": "malware", "created": "2017-05-31T21:33:09.453Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0117", "external_id": "S0117"}, {"source_name": "XTunnel", "description": "(Citation: ESET Sednit Part 2)"}, {"source_name": "Trojan.Shunnael", "description": "(Citation: Symantec APT28 Oct 2018)"}, {"source_name": "X-Tunnel", "description": "(Citation: Crowdstrike DNC June 2016)(Citation: Symantec APT28 Oct 2018)"}, {"source_name": "XAPS", "description": "(Citation: ESET Sednit Part 2)"}, {"source_name": "Crowdstrike DNC June 2016", "description": "Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.", "url": "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/"}, {"source_name": "Invincea XTunnel", "description": "Belcher, P.. (2016, July 28). Tunnel of Gov: DNC Hack and the Russian XTunnel. Retrieved August 3, 2016.", "url": "https://www.invincea.com/2016/07/tunnel-of-gov-dnc-hack-and-the-russian-xtunnel/"}, {"url": "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf", "description": "ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. 
Retrieved November 21, 2016.", "source_name": "ESET Sednit Part 2"}, {"source_name": "Symantec APT28 Oct 2018", "url": "https://www.symantec.com/blogs/election-security/apt28-espionage-military-government", "description": "Symantec Security Response. (2018, October 04). APT28: New Espionage Operations Target Military and Government Organizations. Retrieved November 14, 2018."}], "modified": "2020-03-21T00:40:57.275Z", "name": "XTunnel", "description": "[XTunnel](https://attack.mitre.org/software/S0117) a VPN-like network proxy tool that can relay traffic between a C2 server and a victim. It was first seen in May 2013 and reportedly used by [APT28](https://attack.mitre.org/groups/G0007) during the compromise of the Democratic National Committee. (Citation: Crowdstrike DNC June 2016) (Citation: Invincea XTunnel) (Citation: ESET Sednit Part 2)", "x_mitre_version": "2.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2023-03-20T22:03:44.662Z", "name": "Hydraq", "description": "[Hydraq](https://attack.mitre.org/software/S0203) is a data-theft trojan first used by [Elderwood](https://attack.mitre.org/groups/G0066) in the 2009 Google intrusion known as Operation Aurora, though variations of this trojan have been used in more recent campaigns by other Chinese actors, possibly including [APT17](https://attack.mitre.org/groups/G0025).(Citation: MicroFocus 9002 Aug 2016)(Citation: Symantec Elderwood Sept 2012)(Citation: Symantec Trojan.Hydraq Jan 2010)(Citation: ASERT Seven Pointed Dagger Aug 2015)(Citation: FireEye DeputyDog 9002 November 2013)(Citation: ProofPoint GoT 9002 Aug 2017)(Citation: FireEye Sunshop Campaign May 2013)(Citation: PaloAlto 3102 Sept 2015)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "2.0", "x_mitre_aliases": ["Hydraq", "Roarur", "MdmBot", "HomeUnix", "Homux", "HidraQ", "HydraQ", "McRat", 
"Aurora", "9002 RAT"], "type": "malware", "id": "malware--73a4793a-ce55-4159-b2a6-208ef29b326f", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0203", "external_id": "S0203"}, {"source_name": "9002 RAT", "description": "(Citation: MicroFocus 9002 Aug 2016)"}, {"source_name": "Roarur", "description": "(Citation: Novetta-Axiom)"}, {"source_name": "MdmBot", "description": "(Citation: Novetta-Axiom)"}, {"source_name": "HomeUnix", "description": "(Citation: Novetta-Axiom)"}, {"source_name": "Homux", "description": "(Citation: Novetta-Axiom)"}, {"source_name": "HidraQ", "description": "(Citation: Novetta-Axiom)"}, {"source_name": "HydraQ", "description": "(Citation: Novetta-Axiom)"}, {"source_name": "McRat", "description": "(Citation: Novetta-Axiom)"}, {"source_name": "Hydraq", "description": "(Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Trojan.Hydraq Jan 2010)"}, {"source_name": "Aurora", "description": "(Citation: Symantec Elderwood Sept 2012)(Citation: Symantec Trojan.Hydraq Jan 2010)"}, {"source_name": "ASERT Seven Pointed Dagger Aug 2015", "description": "ASERT. (2015, August). ASERT Threat Intelligence Report \u2013 Uncovering the Seven Pointed Dagger. Retrieved March 19, 2018.", "url": "https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-2015-08-Uncovering-the-Seven-Point-Dagger.pdf"}, {"source_name": "PaloAlto 3102 Sept 2015", "description": "Falcone, R. & Miller-Osborn, J. (2015, September 23). Chinese Actors Use \u20183102\u2019 Malware in Attacks on US Government and EU Media. Retrieved March 19, 2018.", "url": "https://researchcenter.paloaltonetworks.com/2015/09/chinese-actors-use-3102-malware-in-attacks-on-us-government-and-eu-media/"}, {"source_name": "ProofPoint GoT 9002 Aug 2017", "description": "Huss, D. & Mesa, M. 
(2017, August 25). Operation RAT Cook: Chinese APT actors use fake Game of Thrones leaks as lures. Retrieved March 19, 2018.", "url": "https://www.proofpoint.com/us/threat-insight/post/operation-rat-cook-chinese-apt-actors-use-fake-game-thrones-leaks-lures"}, {"source_name": "FireEye Sunshop Campaign May 2013", "description": "Moran, N. (2013, May 20). Ready for Summer: The Sunshop Campaign. Retrieved March 19, 2018.", "url": "https://www.fireeye.com/blog/threat-research/2013/05/ready-for-summer-the-sunshop-campaign.html"}, {"source_name": "FireEye DeputyDog 9002 November 2013", "description": "Moran, N. et al.. (2013, November 10). Operation Ephemeral Hydra: IE Zero-Day Linked to DeputyDog Uses Diskless Method. Retrieved March 19, 2018.", "url": "https://www.fireeye.com/blog/threat-research/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html"}, {"source_name": "Novetta-Axiom", "description": "Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014.", "url": "https://web.archive.org/web/20230115144216/http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf"}, {"source_name": "Symantec Elderwood Sept 2012", "description": "O'Gorman, G., and McDonald, G.. (2012, September 6). The Elderwood Project. Retrieved February 15, 2018.", "url": "https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf"}, {"source_name": "MicroFocus 9002 Aug 2016", "description": "Petrovsky, O. (2016, August 30). \u201c9002 RAT\u201d -- a second building on the left. Retrieved February 20, 2018.", "url": "https://community.softwaregrp.com/t5/Security-Research/9002-RAT-a-second-building-on-the-left/ba-p/228686#.WosBVKjwZPZ"}, {"source_name": "Symantec Trojan.Hydraq Jan 2010", "description": "Symantec Security Response. (2010, January 18). The Trojan.Hydraq Incident. 
Retrieved February 20, 2018.", "url": "https://www.symantec.com/connect/blogs/trojanhydraq-incident"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2023-03-22T05:29:42.303Z", "name": "SHARPSTATS", "description": "[SHARPSTATS](https://attack.mitre.org/software/S0450) is a .NET backdoor used by [MuddyWater](https://attack.mitre.org/groups/G0069) since at least 2019.(Citation: TrendMicro POWERSTATS V3 June 2019)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.1", "x_mitre_aliases": ["SHARPSTATS"], "type": "malware", "id": "malware--73c4711b-407a-449d-b269-e3b1531fe7a9", "created": "2020-05-18T19:51:37.488Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0450", "external_id": "S0450"}, {"source_name": "TrendMicro POWERSTATS V3 June 2019", "description": "Lunghi, D. and Horejsi, J.. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. 
Retrieved May 14, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/muddywater-resurfaces-uses-multi-stage-backdoor-powerstats-v3-and-new-post-exploitation-tools/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["Ferocious"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--73d08401-005f-4e1f-90b9-8f45d120879f", "type": "malware", "created": "2022-02-01T19:19:26.408Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "S0679", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0679"}, {"source_name": "Kaspersky WIRTE November 2021", "url": "https://securelist.com/wirtes-campaign-in-the-middle-east-living-off-the-land-since-at-least-2019/105044", "description": "Yamout, M. (2021, November 29). WIRTE\u2019s campaign in the Middle East \u2018living off the land\u2019 since at least 2019. 
Retrieved February 1, 2022."}], "modified": "2022-02-01T21:21:35.768Z", "name": "Ferocious", "description": "[Ferocious](https://attack.mitre.org/software/S0679) is a first stage implant composed of VBS and PowerShell scripts that has been used by [WIRTE](https://attack.mitre.org/groups/G0090) since at least 2021.(Citation: Kaspersky WIRTE November 2021)", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-04-11T02:18:12.743Z", "name": "HOMEFRY", "description": "[HOMEFRY](https://attack.mitre.org/software/S0232) is a 64-bit Windows password dumper/cracker that has previously been used in conjunction with other [Leviathan](https://attack.mitre.org/groups/G0065) backdoors. (Citation: FireEye Periscope March 2018)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.2", "x_mitre_aliases": ["HOMEFRY"], "type": "malware", "id": "malware--7451bcf9-e6e6-4a70-bc3d-1599173d0035", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0232", "external_id": "S0232"}, {"source_name": "HOMEFRY", "description": "(Citation: FireEye Periscope March 2018)"}, {"source_name": "FireEye Periscope March 2018", "description": "FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. 
Retrieved April 11, 2018.", "url": "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows", "Office 365"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["CreepyDrive"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "type": "malware", "id": "malware--750eb92a-7fdf-451e-9592-1d42357018f1", "created": "2022-07-07T14:30:25.403Z", "x_mitre_version": "1.0", "external_references": [{"source_name": "mitre-attack", "external_id": "S1023", "url": "https://attack.mitre.org/software/S1023"}, {"source_name": "Microsoft POLONIUM June 2022", "url": "https://www.microsoft.com/security/blog/2022/06/02/exposing-polonium-activity-and-infrastructure-targeting-israeli-organizations/", "description": "Microsoft. (2022, June 2). Exposing POLONIUM activity and infrastructure targeting Israeli organizations. 
Retrieved July 1, 2022."}], "x_mitre_deprecated": false, "revoked": false, "description": "[CreepyDrive](https://attack.mitre.org/software/S1023) is a custom implant has been used by [POLONIUM](https://attack.mitre.org/groups/G1005) since at least early 2022 for C2 with and exfiltration to actor-controlled OneDrive accounts.(Citation: Microsoft POLONIUM June 2022)\n\n[POLONIUM](https://attack.mitre.org/groups/G1005) has used a similar implant called CreepyBox that relies on actor-controlled DropBox accounts.(Citation: Microsoft POLONIUM June 2022)", "modified": "2022-08-10T13:07:11.790Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "CreepyDrive", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["Caterpillar WebShell"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--751b77e6-af1f-483b-93fe-eddf17f92a64", "type": "malware", "created": "2021-02-10T18:20:51.309Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "S0572", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0572"}, {"source_name": "Caterpillar WebShell", "description": "(Citation: ClearSky Lebanese Cedar Jan 2021)(Citation: CheckPoint Volatile Cedar March 2015)"}, {"source_name": "ClearSky Lebanese Cedar Jan 2021", "url": "https://www.clearskysec.com/wp-content/uploads/2021/01/Lebanese-Cedar-APT.pdf", "description": "ClearSky Cyber Security. (2021, January). \u201cLebanese Cedar\u201d APT Global Lebanese Espionage Campaign Leveraging Web Servers. 
Retrieved February 10, 2021."}, {"source_name": "CheckPoint Volatile Cedar March 2015", "url": "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2015/03/20082004/volatile-cedar-technical-report.pdf", "description": "Threat Intelligence and Research. (2015, March 30). VOLATILE CEDAR. Retrieved February 8, 2021."}], "modified": "2021-04-27T01:47:15.413Z", "name": "Caterpillar WebShell", "description": "[Caterpillar WebShell](https://attack.mitre.org/software/S0572) is a self-developed Web Shell tool created by the group [Volatile Cedar](https://attack.mitre.org/groups/G0123).(Citation: ClearSky Lebanese Cedar Jan 2021) ", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2023-03-22T05:03:29.436Z", "name": "Netwalker", "description": "[Netwalker](https://attack.mitre.org/software/S0457) is fileless ransomware written in PowerShell and executed directly in memory.(Citation: TrendMicro Netwalker May 2020)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.1", "x_mitre_aliases": ["Netwalker"], "type": "malware", "id": "malware--754effde-613c-4244-a83e-fb659b2a4d06", "created": "2020-05-26T21:02:38.186Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0457", "external_id": "S0457"}, {"source_name": "TrendMicro Netwalker May 2020", "description": "Victor, K.. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading . 
Retrieved May 26, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/netwalker-fileless-ransomware-injected-via-reflective-loading/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-04-11T02:35:48.740Z", "name": "Elise", "description": "[Elise](https://attack.mitre.org/software/S0081) is a custom backdoor Trojan that appears to be used exclusively by [Lotus Blossom](https://attack.mitre.org/groups/G0030). It is part of a larger group of\ntools referred to as LStudio, ST Group, and APT0LSTU. (Citation: Lotus Blossom Jun 2015)(Citation: Accenture Dragonfish Jan 2018)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.3", "x_mitre_aliases": ["Elise", "BKDR_ESILE", "Page"], "type": "malware", "id": "malware--7551188b-8f91-4d34-8350-0d0c57b2b913", "created": "2017-05-31T21:32:54.416Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0081", "external_id": "S0081"}, {"source_name": "Elise", "description": "(Citation: Accenture Dragonfish Jan 2018)"}, {"source_name": "BKDR_ESILE", "description": "(Citation: Lotus Blossom Jun 2015)"}, {"source_name": "Page", "description": "(Citation: Lotus Blossom Jun 2015)"}, {"source_name": "Accenture Dragonfish Jan 2018", "description": "Accenture Security. (2018, January 27). DRAGONFISH DELIVERS NEW FORM OF ELISE MALWARE TARGETING ASEAN DEFENCE MINISTERS\u2019 MEETING AND ASSOCIATES. 
Retrieved November 14, 2018.", "url": "https://www.accenture.com/t20180127T003755Z_w_/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf"}, {"source_name": "Lotus Blossom Jun 2015", "description": "Falcone, R., et al.. (2015, June 16). Operation Lotus Blossom. Retrieved February 15, 2016.", "url": "https://www.paloaltonetworks.com/resources/research/unit42-operation-lotus-blossom.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["USBferry"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--75bba379-4ba1-467e-8c60-ec2b269ee984", "type": "malware", "created": "2020-05-20T19:54:06.476Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "S0452", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0452"}, {"source_name": "TrendMicro Tropic Trooper May 2020", "url": "https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf", "description": "Chen, J.. (2020, May 12). Tropic Trooper\u2019s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020."}], "modified": "2020-06-16T15:52:25.167Z", "name": "USBferry", "description": "[USBferry](https://attack.mitre.org/software/S0452) is an information stealing malware and has been used by [Tropic Trooper](https://attack.mitre.org/groups/G0081) in targeted attacks against Taiwanese and Philippine air-gapped military environments. 
[USBferry](https://attack.mitre.org/software/S0452) shares an overlapping codebase with [YAHOYAH](https://attack.mitre.org/software/S0388), though it has several features which makes it a distinct piece of malware.(Citation: TrendMicro Tropic Trooper May 2020)", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2023-03-08T22:20:20.868Z", "name": "WannaCry", "description": "[WannaCry](https://attack.mitre.org/software/S0366) is ransomware that was first seen in a global attack during May 2017, which affected more than 150 countries. It contains worm-like features to spread itself across a computer network using the SMBv1 exploit EternalBlue.(Citation: LogRhythm WannaCry)(Citation: US-CERT WannaCry 2017)(Citation: Washington Post WannaCry 2017)(Citation: FireEye WannaCry 2017)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack", "ics-attack"], "x_mitre_version": "1.1", "x_mitre_contributors": ["Jan Miller, CrowdStrike"], "x_mitre_aliases": ["WannaCry", "WanaCry", "WanaCrypt", "WanaCrypt0r", "WCry"], "type": "malware", "id": "malware--75ecdbf1-c2bb-4afc-a3f9-c8da4de8c661", "created": "2019-03-25T17:30:17.004Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0366", "external_id": "S0366"}, {"source_name": "WanaCrypt0r", "description": "(Citation: LogRhythm WannaCry)"}, {"source_name": "WCry", "description": "(Citation: LogRhythm WannaCry)(Citation: SecureWorks WannaCry Analysis)"}, {"source_name": "WanaCry", "description": "(Citation: SecureWorks WannaCry Analysis)"}, {"source_name": "WanaCrypt", "description": "(Citation: SecureWorks WannaCry Analysis)"}, {"source_name": "FireEye WannaCry 2017", "description": "Berry, A., Homan, J., and Eitzman, R. (2017, May 23). 
WannaCry Malware Profile. Retrieved March 15, 2019.", "url": "https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html"}, {"source_name": "SecureWorks WannaCry Analysis", "description": "Counter Threat Unit Research Team. (2017, May 18). WCry Ransomware Analysis. Retrieved March 26, 2019.", "url": "https://www.secureworks.com/research/wcry-ransomware-analysis"}, {"source_name": "Washington Post WannaCry 2017", "description": "Dwoskin, E. and Adam, K. (2017, May 14). More than 150 countries affected by massive cyberattack, Europol says. Retrieved March 25, 2019.", "url": "https://www.washingtonpost.com/business/economy/more-than-150-countries-affected-by-massive-cyberattack-europol-says/2017/05/14/5091465e-3899-11e7-9e48-c4f199710b69_story.html?utm_term=.7fa16b41cad4"}, {"source_name": "LogRhythm WannaCry", "description": "Noerenberg, E., Costis, A., and Quist, N. (2017, May 16). A Technical Analysis of WannaCry Ransomware. Retrieved March 25, 2019.", "url": "https://logrhythm.com/blog/a-technical-analysis-of-wannacry-ransomware/"}, {"source_name": "US-CERT WannaCry 2017", "description": "US-CERT. (2017, May 12). Alert (TA17-132A): Indicators Associated With WannaCry Ransomware. Retrieved March 25, 2019.", "url": "https://www.us-cert.gov/ncas/alerts/TA17-132A"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-04-11T02:28:51.206Z", "name": "Gazer", "description": "[Gazer](https://attack.mitre.org/software/S0168) is a backdoor used by [Turla](https://attack.mitre.org/groups/G0010) since at least 2016. 
(Citation: ESET Gazer Aug 2017)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.3", "x_mitre_contributors": ["Bartosz Jerzman"], "x_mitre_aliases": ["Gazer", "WhiteBear"], "type": "malware", "id": "malware--76abb3ef-dafd-4762-97cb-a35379429db4", "created": "2018-01-16T16:13:52.465Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0168", "external_id": "S0168"}, {"source_name": "Gazer", "description": "(Citation: ESET Gazer Aug 2017)"}, {"source_name": "ESET Gazer Aug 2017", "description": "ESET. (2017, August). Gazing at Gazer: Turla\u2019s new second stage backdoor. Retrieved September 14, 2017.", "url": "https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf"}, {"source_name": "ESET Crutch December 2020", "description": "Faou, M. (2020, December 2). Turla Crutch: Keeping the \u201cback door\u201d open. Retrieved December 4, 2020.", "url": "https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/"}, {"source_name": "Securelist WhiteBear Aug 2017", "description": "Kaspersky Lab's Global Research & Analysis Team. (2017, August 30). Introducing WhiteBear. Retrieved September 21, 2017.", "url": "https://securelist.com/introducing-whitebear/81638/"}, {"source_name": "WhiteBear", "description": "The term WhiteBear is used both for the activity group (a subset of G0010) as well as the malware observed. Based on similarities in behavior and C2, WhiteBear is assessed to be the same as S0168. 
(Citation: Securelist WhiteBear Aug 2017)(Citation: ESET Crutch December 2020)"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_contributors": ["Tatsuya Daitoku, Cyber Defense Institute, Inc."], "x_mitre_aliases": ["TSCookie"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "type": "malware", "id": "malware--76ac7989-c5cc-42e2-93e3-d6c476f01ace", "created": "2020-05-06T15:43:49.556Z", "x_mitre_version": "1.0", "external_references": [{"source_name": "mitre-attack", "external_id": "S0436", "url": "https://attack.mitre.org/software/S0436"}, {"source_name": "JPCert PLEAD Downloader June 2018", "url": "https://blogs.jpcert.or.jp/en/2018/03/malware-tscooki-7aa0.html", "description": "Tomonaga, S. (2018, June 8). PLEAD Downloader Used by BlackTech. Retrieved May 6, 2020."}, {"source_name": "JPCert TSCookie March 2018", "url": "https://blogs.jpcert.or.jp/en/2018/03/malware-tscooki-7aa0.html", "description": "Tomonaga, S. (2018, March 6). Malware \u201cTSCookie\u201d. Retrieved May 6, 2020."}, {"source_name": "JPCert BlackTech Malware September 2019", "url": "https://blogs.jpcert.or.jp/en/2019/09/tscookie-loader.html", "description": "Tomonaga, S.. (2019, September 18). Malware Used by BlackTech after Network Intrusion. Retrieved May 6, 2020."}], "x_mitre_deprecated": false, "revoked": false, "description": "[TSCookie](https://attack.mitre.org/software/S0436) is a remote access tool (RAT) that has been used by [BlackTech](https://attack.mitre.org/groups/G0098) in campaigns against Japanese targets.(Citation: JPCert TSCookie March 2018)(Citation: JPCert BlackTech Malware September 2019). 
[TSCookie](https://attack.mitre.org/software/S0436) has been referred to as [PLEAD](https://attack.mitre.org/software/S0435) though more recent reporting indicates a separation between the two.(Citation: JPCert PLEAD Downloader June 2018)(Citation: JPCert BlackTech Malware September 2019)", "modified": "2022-04-15T11:32:25.171Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "TSCookie", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "type": "malware", "id": "malware--7724581b-06ff-4d2b-b77c-80dc8d53070b", "created": "2022-06-09T18:50:58.722Z", "x_mitre_version": "1.0", "external_references": [{"source_name": "mitre-attack", "external_id": "S1018", "url": "https://attack.mitre.org/software/S1018"}, {"source_name": "Malwarebytes Saint Bot April 2021", "url": "https://blog.malwarebytes.com/threat-intelligence/2021/04/a-deep-dive-into-saint-bot-downloader/", "description": "Hasherezade. (2021, April 6). A deep dive into Saint Bot, a new downloader. Retrieved June 9, 2022."}, {"source_name": "Palo Alto Unit 42 OutSteel SaintBot February 2022 ", "url": "https://unit42.paloaltonetworks.com/ukraine-targeted-outsteel-saintbot/", "description": "Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. 
Retrieved June 9, 2022."}], "x_mitre_deprecated": false, "revoked": false, "description": "[Saint Bot](https://attack.mitre.org/software/S1018) is a .NET downloader that has been used by [Ember Bear](https://attack.mitre.org/groups/G1003) since at least March 2021.(Citation: Malwarebytes Saint Bot April 2021)(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )", "modified": "2022-06-09T19:56:56.809Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Saint Bot", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["Pay2Key"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--77ca1aa3-280c-4b67-abaa-e8fb891a8f83", "type": "malware", "created": "2021-01-04T15:12:14.805Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "S0556", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0556"}, {"source_name": "ClearkSky Fox Kitten February 2020", "url": "https://www.clearskysec.com/fox-kitten/", "description": "ClearSky. (2020, February 16). Fox Kitten \u2013 Widespread Iranian Espionage-Offensive Campaign. Retrieved December 21, 2020."}, {"source_name": "Check Point Pay2Key November 2020", "url": "https://research.checkpoint.com/2020/ransomware-alert-pay2key/", "description": "Check Point. (2020, November 6). Ransomware Alert: Pay2Key. Retrieved January 4, 2021."}], "modified": "2021-04-22T02:48:54.019Z", "name": "Pay2Key", "description": "[Pay2Key](https://attack.mitre.org/software/S0556) is a ransomware written in C++ that has been used by [Fox Kitten](https://attack.mitre.org/groups/G0117) since at least July 2020 including campaigns against Israeli companies. 
[Pay2Key](https://attack.mitre.org/software/S0556) has been incorporated with a leak site to display stolen sensitive information to further pressure victims into payment.(Citation: ClearkSky Fox Kitten February 2020)(Citation: Check Point Pay2Key November 2020)", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2023-03-24T21:17:54.342Z", "name": "Chaes", "description": "[Chaes](https://attack.mitre.org/software/S0631) is a multistage information stealer written in several programming languages that collects login credentials, credit card numbers, and other financial information. [Chaes](https://attack.mitre.org/software/S0631) was first observed in 2020, and appears to primarily target victims in Brazil as well as other e-commerce customers in Latin America.(Citation: Cybereason Chaes Nov 2020)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.1", "x_mitre_contributors": ["Daniyal Naeem, BT Security"], "x_mitre_aliases": ["Chaes"], "type": "malware", "id": "malware--77e0ecf7-ca91-4c06-8012-8e728986a87a", "created": "2021-06-30T16:13:40.232Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0631", "external_id": "S0631"}, {"source_name": "Chaes", "description": "(Citation: Cybereason Chaes Nov 2020)"}, {"source_name": "Cybereason Chaes Nov 2020", "description": "Salem, E. (2020, November 17). CHAES: Novel Malware Targeting Latin American E-Commerce. 
Retrieved June 30, 2021.", "url": "https://www.cybereason.com/hubfs/dam/collateral/reports/11-2020-Chaes-e-commerce-malware-research.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["Briba"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--79499993-a8d6-45eb-b343-bf58dea5bdde", "type": "malware", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0204", "external_id": "S0204"}, {"source_name": "Briba", "description": "(Citation: Symantec Briba May 2012)"}, {"url": "https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf", "description": "O'Gorman, G., and McDonald, G.. (2012, September 6). The Elderwood Project. Retrieved February 15, 2018.", "source_name": "Symantec Elderwood Sept 2012"}, {"source_name": "Symantec Briba May 2012", "description": "Ladley, F. (2012, May 15). Backdoor.Briba. Retrieved February 21, 2018.", "url": "https://www.symantec.com/security_response/writeup.jsp?docid=2012-051515-2843-99"}], "modified": "2021-02-09T14:56:14.671Z", "name": "Briba", "description": "[Briba](https://attack.mitre.org/software/S0204) is a trojan used by [Elderwood](https://attack.mitre.org/groups/G0066) to open a backdoor and download files on to compromised hosts. 
(Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Briba May 2012)", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["CharmPower"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--7acb15b6-fe2c-4319-b136-6ab36ff0b2d4", "type": "malware", "created": "2022-01-24T16:56:36.108Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "S0674", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0674"}, {"source_name": "Check Point APT35 CharmPower January 2022", "url": "https://research.checkpoint.com/2022/apt35-exploits-log4j-vulnerability-to-distribute-new-modular-powershell-toolkit/", "description": "Check Point. (2022, January 11). APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit. Retrieved January 24, 2022."}], "modified": "2022-01-25T15:43:34.231Z", "name": "CharmPower", "description": "[CharmPower](https://attack.mitre.org/software/S0674) is a PowerShell-based, modular backdoor that has been used by [Magic Hound](https://attack.mitre.org/groups/G0059) since at least 2022.(Citation: Check Point APT35 CharmPower January 2022)", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-04-10T22:26:03.638Z", "name": "TYPEFRAME", "description": "[TYPEFRAME](https://attack.mitre.org/software/S0263) is a remote access tool that has been used by [Lazarus Group](https://attack.mitre.org/groups/G0032). 
(Citation: US-CERT TYPEFRAME June 2018)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.3", "x_mitre_aliases": ["TYPEFRAME"], "type": "malware", "id": "malware--7ba0fc46-197d-466d-8b9f-f1c64d5d81e5", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0263", "external_id": "S0263"}, {"source_name": "TYPEFRAME", "description": "(Citation: US-CERT TYPEFRAME June 2018)"}, {"source_name": "US-CERT TYPEFRAME June 2018", "description": "US-CERT. (2018, June 14). MAR-10135536-12 \u2013 North Korean Trojan: TYPEFRAME. Retrieved July 13, 2018.", "url": "https://www.us-cert.gov/ncas/analysis-reports/AR18-165A"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["3PARA RAT"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--7bec698a-7e20-4fd3-bb6a-12787770fb1a", "type": "malware", "created": "2017-05-31T21:32:44.131Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0066", "external_id": "S0066"}, {"source_name": "CrowdStrike Putter Panda", "description": "Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. 
Retrieved January 22, 2016.", "url": "http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf"}], "modified": "2020-03-30T18:34:04.031Z", "name": "3PARA RAT", "description": "[3PARA RAT](https://attack.mitre.org/software/S0066) is a remote access tool (RAT) programmed in C++ that has been used by [Putter Panda](https://attack.mitre.org/groups/G0024). (Citation: CrowdStrike Putter Panda)", "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["macOS"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["Bundlore", "OSX.Bundlore"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--7bef1b56-4870-4e74-b32a-7dd88c390c44", "type": "malware", "created": "2020-07-01T19:34:28.366Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "S0482", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0482"}, {"source_name": "OSX.Bundlore", "description": "(Citation: MacKeeper Bundlore Apr 2019)"}, {"source_name": "MacKeeper Bundlore Apr 2019", "url": "https://mackeeper.com/blog/post/610-macos-bundlore-adware-analysis/", "description": "Sushko, O. (2019, April 17). macOS Bundlore: Mac Virus Bypassing macOS Security Features. Retrieved June 30, 2020."}], "modified": "2022-02-10T15:37:37.795Z", "name": "Bundlore", "description": "[Bundlore](https://attack.mitre.org/software/S0482) is adware written for macOS that has been in use since at least 2015. 
Though categorized as adware, [Bundlore](https://attack.mitre.org/software/S0482) has many features associated with more traditional backdoors.(Citation: MacKeeper Bundlore Apr 2019)", "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["P8RAT", "HEAVYPOT", "GreetCake"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--7c58fff0-d206-4db1-96b1-e3a9e0e320b9", "type": "malware", "created": "2021-06-21T15:02:47.928Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "S0626", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0626"}, {"source_name": "HEAVYPOT", "description": "(Citation: Securelist APT10 March 2021)"}, {"source_name": "GreetCake", "description": "(Citation: Securelist APT10 March 2021)"}, {"source_name": "Securelist APT10 March 2021", "url": "https://securelist.com/apt10-sophisticated-multi-layered-loader-ecipekac-discovered-in-a41apt-campaign/101519/", "description": "GREAT. (2021, March 30). APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign. 
Retrieved June 17, 2021."}], "modified": "2021-10-14T23:25:08.267Z", "name": "P8RAT", "description": "[P8RAT](https://attack.mitre.org/software/S0626) is a fileless malware used by [menuPass](https://attack.mitre.org/groups/G0045) to download and execute payloads since at least 2020.(Citation: Securelist APT10 March 2021)", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["EVILNUM"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--7cdfccda-2950-4167-981a-60872ff5d0db", "type": "malware", "created": "2021-01-28T17:24:48.322Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "S0568", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0568"}, {"source_name": "EVILNUM", "description": "(Citation: Prevailion EvilNum May 2020)(Citation: ESET EvilNum July 2020)"}, {"source_name": "ESET EvilNum July 2020", "url": "https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/", "description": "Porolli, M. (2020, July 9). More evil: A deep look at Evilnum and its toolset. Retrieved January 22, 2021."}, {"source_name": "Prevailion EvilNum May 2020", "url": "https://www.prevailion.com/phantom-in-the-command-shell-2/", "description": "Adamitis, D. (2020, May 6). Phantom in the Command Shell. Retrieved December 22, 2021."}], "modified": "2022-01-19T18:23:52.922Z", "name": "EVILNUM", "description": "[EVILNUM](https://attack.mitre.org/software/S0568) is a fully capable backdoor that was first identified in 2018. 
[EVILNUM](https://attack.mitre.org/software/S0568) is used by the APT group [Evilnum](https://attack.mitre.org/groups/G0120) which has the same name.(Citation: ESET EvilNum July 2020)(Citation: Prevailion EvilNum May 2020)", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["KOMPROGO"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--7dbb67c7-270a-40ad-836e-c45f8948aa5a", "type": "malware", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0156", "external_id": "S0156"}, {"source_name": "KOMPROGO", "description": "(Citation: FireEye APT32 May 2017)"}, {"source_name": "FireEye APT32 May 2017", "description": "Carr, N.. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.", "url": "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html"}], "modified": "2020-03-30T16:53:45.307Z", "name": "KOMPROGO", "description": "[KOMPROGO](https://attack.mitre.org/software/S0156) is a signature backdoor used by [APT32](https://attack.mitre.org/groups/G0050) that is capable of process, file, and registry management. 
(Citation: FireEye APT32 May 2017)", "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2023-04-14T23:43:40.206Z", "name": "SMOKEDHAM", "description": "[SMOKEDHAM](https://attack.mitre.org/software/S0649) is a Powershell-based .NET backdoor that was first reported in May 2021; it has been used by at least one ransomware-as-a-service affiliate.(Citation: FireEye Shining A Light on DARKSIDE May 2021)(Citation: FireEye SMOKEDHAM June 2021)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.2", "x_mitre_aliases": ["SMOKEDHAM"], "type": "malware", "id": "malware--7e0f8b0f-716e-494d-827e-310bd6ed709e", "created": "2021-09-22T20:11:08.678Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0649", "external_id": "S0649"}, {"source_name": "SMOKEDHAM", "description": "(Citation: FireEye Shining A Light on DARKSIDE May 2021)(Citation: FireEye SMOKEDHAM June 2021)"}, {"source_name": "FireEye SMOKEDHAM June 2021", "description": "FireEye. (2021, June 16). Smoking Out a DARKSIDE Affiliate\u2019s Supply Chain Software Compromise. Retrieved September 22, 2021.", "url": "https://www.fireeye.com/blog/threat-research/2021/06/darkside-affiliate-supply-chain-software-compromise.html"}, {"source_name": "FireEye Shining A Light on DARKSIDE May 2021", "description": "FireEye. (2021, May 11). Shining a Light on DARKSIDE Ransomware Operations. 
Retrieved September 22, 2021.", "url": "https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2022-10-17T14:42:30.109Z", "name": "Mori", "description": "[Mori](https://attack.mitre.org/software/S1047) is a backdoor that has been used by [MuddyWater](https://attack.mitre.org/groups/G0069) since at least January 2022.(Citation: DHS CISA AA22-055A MuddyWater February 2022)(Citation: CYBERCOM Iranian Intel Cyber January 2022)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.0", "x_mitre_contributors": ["Ozer Sarilar, @ozersarilar, STM"], "x_mitre_aliases": ["Mori"], "type": "malware", "id": "malware--7e100ca4-e639-48d9-9a9d-8ad84aa7b448", "created": "2022-09-30T15:21:05.086Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1047", "external_id": "S1047"}, {"source_name": "CYBERCOM Iranian Intel Cyber January 2022", "description": "Cyber National Mission Force. (2022, January 12). Iranian intel cyber suite of malware uses open source tools. Retrieved September 30, 2022.", "url": "https://www.cybercom.mil/Media/News/Article/2897570/iranian-intel-cyber-suite-of-malware-uses-open-source-tools/"}, {"source_name": "DHS CISA AA22-055A MuddyWater February 2022", "description": "FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. 
Retrieved September 27, 2022.", "url": "https://www.cisa.gov/uscert/ncas/alerts/aa22-055a"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2023-03-22T05:20:12.492Z", "name": "QUADAGENT", "description": "[QUADAGENT](https://attack.mitre.org/software/S0269) is a PowerShell backdoor used by [OilRig](https://attack.mitre.org/groups/G0049). (Citation: Unit 42 QUADAGENT July 2018)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.2", "x_mitre_aliases": ["QUADAGENT"], "type": "malware", "id": "malware--7e6c2a9d-9dc1-4eb0-b27c-91e8076a9d77", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0269", "external_id": "S0269"}, {"source_name": "QUADAGENT", "description": "(Citation: Unit 42 QUADAGENT July 2018)"}, {"source_name": "Unit 42 QUADAGENT July 2018", "description": "Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. 
Retrieved August 9, 2018.", "url": "https://researchcenter.paloaltonetworks.com/2018/07/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_contributors": ["Daniyal Naeem, BT Security"], "x_mitre_aliases": ["TAINTEDSCRIBE"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--7f4bbe05-1674-4087-8a16-8f1ad61b6152", "type": "malware", "created": "2021-03-05T15:56:44.479Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "S0586", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0586"}, {"source_name": "CISA MAR-10288834-2.v1 TAINTEDSCRIBE MAY 2020", "url": "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-133b", "description": "USG. (2020, May 12). MAR-10288834-2.v1 \u2013 North Korean Trojan: TAINTEDSCRIBE. Retrieved March 5, 2021."}], "modified": "2021-04-26T15:52:00.433Z", "name": "TAINTEDSCRIBE", "description": "[TAINTEDSCRIBE](https://attack.mitre.org/software/S0586) is a fully-featured beaconing implant integrated with command modules used by [Lazarus Group](https://attack.mitre.org/groups/G0032). 
It was first reported in May 2020.(Citation: CISA MAR-10288834-2.v1 TAINTEDSCRIBE MAY 2020)", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["Sys10"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--7f8730af-f683-423f-9ee1-5f6875a80481", "type": "malware", "created": "2017-05-31T21:32:40.391Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "S0060", "url": "https://attack.mitre.org/software/S0060", "source_name": "mitre-attack"}, {"source_name": "Baumgartner Naikon 2015", "description": "Baumgartner, K., Golovkin, M.. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019.", "url": "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf"}], "modified": "2020-03-18T23:13:31.404Z", "name": "Sys10", "description": "[Sys10](https://attack.mitre.org/software/S0060) is a backdoor that was used throughout 2013 by [Naikon](https://attack.mitre.org/groups/G0019). 
(Citation: Baumgartner Naikon 2015)", "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["pngdowner"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--800bdfba-6d66-480f-9f45-15845c05cb5d", "type": "malware", "created": "2017-05-31T21:32:44.700Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0067", "external_id": "S0067"}, {"source_name": "CrowdStrike Putter Panda", "description": "Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016.", "url": "http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf"}], "modified": "2020-03-30T18:39:05.662Z", "name": "pngdowner", "description": "[pngdowner](https://attack.mitre.org/software/S0067) is malware used by [Putter Panda](https://attack.mitre.org/groups/G0024). It is a simple tool with limited functionality and no persistence mechanism, suggesting it is used only as a simple \"download-and-execute\" utility. (Citation: CrowdStrike Putter Panda)", "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2023-04-17T13:11:47.488Z", "name": "Royal", "description": "[Royal](https://attack.mitre.org/software/S1073) is ransomware that first appeared in early 2022; a version that also targets ESXi servers was later observed in February 2023. [Royal](https://attack.mitre.org/software/S1073) employs partial encryption and multiple threads to evade detection and speed encryption. 
[Royal](https://attack.mitre.org/software/S1073) has been used in attacks against multiple industries worldwide, including critical infrastructure. Security researchers have identified similarities in the encryption routines and TTPs used in [Royal](https://attack.mitre.org/software/S1073) and [Conti](https://attack.mitre.org/software/S0575) attacks and noted a possible connection between their operators.(Citation: Microsoft Royal ransomware November 2022)(Citation: Cybereason Royal December 2022)(Citation: Kroll Royal Deep Dive February 2023)(Citation: Trend Micro Royal Linux ESXi February 2023)(Citation: CISA Royal AA23-061A March 2023)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.0", "x_mitre_contributors": ["Wataru Takahashi, NEC Corporation", "Pooja Natarajan, NEC Corporation India", "Manikantan Srinivasan, NEC Corporation India"], "x_mitre_aliases": ["Royal"], "type": "malware", "id": "malware--802a874d-7463-4f2a-99e3-6a1f5a919a21", "created": "2023-03-30T20:25:37.761Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1073", "external_id": "S1073"}, {"source_name": "CISA Royal AA23-061A March 2023", "description": "CISA. (2023, March 2). #StopRansomware: Royal Ransomware. Retrieved March 31, 2023.", "url": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-061a"}, {"source_name": "Cybereason Royal December 2022", "description": "Cybereason Global SOC and Cybereason Security Research Teams. (2022, December 14). Royal Rumble: Analysis of Royal Ransomware. Retrieved March 30, 2023.", "url": "https://www.cybereason.com/blog/royal-ransomware-analysis"}, {"source_name": "Kroll Royal Deep Dive February 2023", "description": "Iacono, L. and Green, S. (2023, February 13). Royal Ransomware Deep Dive. 
Retrieved March 30, 2023.", "url": "https://www.kroll.com/en/insights/publications/cyber/royal-ransomware-deep-dive"}, {"source_name": "Trend Micro Royal Linux ESXi February 2023", "description": "Morales, N. et al. (2023, February 20). Royal Ransomware Expands Attacks by Targeting Linux ESXi Servers. Retrieved March 30, 2023.", "url": "https://www.trendmicro.com/en_us/research/23/b/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers.html"}, {"source_name": "Microsoft Royal ransomware November 2022", "description": "MSTIC. (2022, November 17). DEV-0569 finds new ways to deliver Royal ransomware, various payloads. Retrieved March 30, 2023.", "url": "https://www.microsoft.com/en-us/security/blog/2022/11/17/dev-0569-finds-new-ways-to-deliver-royal-ransomware-various-payloads/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-04-11T02:54:10.246Z", "name": "BendyBear", "description": "[BendyBear](https://attack.mitre.org/software/S0574) is an x64 shellcode for a stage-zero implant designed to download malware from a C2 server. 
First discovered in August 2020, [BendyBear](https://attack.mitre.org/software/S0574) shares a variety of features with [Waterbear](https://attack.mitre.org/software/S0579), malware previously attributed to the Chinese cyber espionage group [BlackTech](https://attack.mitre.org/groups/G0098).(Citation: Unit42 BendyBear Feb 2021)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.1", "x_mitre_aliases": ["BendyBear"], "type": "malware", "id": "malware--805480f1-6caa-4a67-8ca9-b2b39650d986", "created": "2021-02-16T16:50:29.990Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0574", "external_id": "S0574"}, {"source_name": "BendyBear", "description": "(Citation: Unit42 BendyBear Feb 2021)"}, {"source_name": "Unit42 BendyBear Feb 2021", "description": "Harbison, M. (2021, February 9). BendyBear: Novel Chinese Shellcode Linked With Cyber Espionage Group BlackTech. Retrieved February 16, 2021.", "url": "https://unit42.paloaltonetworks.com/bendybear-shellcode-blacktech/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-04-10T22:18:48.304Z", "name": "Uroburos", "description": "[Uroburos](https://attack.mitre.org/software/S0022) is a sophisticated cyber espionage tool written in C that has been used by units within Russia's Federal Security Service (FSB) associated with the [Turla](https://attack.mitre.org/groups/G0010) toolset to collect intelligence on sensitive targets worldwide. 
[Uroburos](https://attack.mitre.org/software/S0022) has several variants and has undergone nearly constant upgrade since its initial development in 2003 to keep it viable after public disclosures. [Uroburos](https://attack.mitre.org/software/S0022) is typically deployed to external-facing nodes on a targeted network and has the ability to leverage additional tools and TTPs to further exploit an internal network. [Uroburos](https://attack.mitre.org/software/S0022) has interoperable implants for Windows, Linux, and macOS, employs a high level of stealth in communications and architecture, and can easily incorporate new or replacement components.(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)(Citation: Kaspersky Turla)", "x_mitre_platforms": ["Linux", "Windows", "macOS"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "2.1", "x_mitre_aliases": ["Uroburos", "Snake"], "type": "malware", "id": "malware--80a014ba-3fef-4768-990b-37d8bd10d7f4", "created": "2017-05-31T21:32:19.029Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0022", "external_id": "S0022"}, {"source_name": "Snake", "description": "(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)"}, {"source_name": "Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023", "description": "FBI et al. (2023, May 9). Hunting Russian Intelligence \u201cSnake\u201d Malware. Retrieved June 8, 2023.", "url": "https://www.cisa.gov/sites/default/files/2023-05/aa23-129a_snake_malware_2.pdf"}, {"source_name": "Kaspersky Turla", "description": "Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. 
Retrieved December 11, 2014.", "url": "https://securelist.com/the-epic-turla-operation/65545/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-04-11T00:44:30.028Z", "name": "Metamorfo", "description": "[Metamorfo](https://attack.mitre.org/software/S0455) is a Latin-American banking trojan operated by a Brazilian cybercrime group that has been active since at least April 2018. The group focuses on targeting banks and cryptocurrency services in Brazil and Mexico.(Citation: Medium Metamorfo Apr 2020)(Citation: ESET Casbaneiro Oct 2019) ", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "2.1", "x_mitre_contributors": ["Jose Luis S\u00e1nchez Martinez", "Chen Erlich, @chen_erlich, enSilo"], "x_mitre_aliases": ["Metamorfo", "Casbaneiro"], "type": "malware", "id": "malware--81c57a96-fc8c-4f91-af8e-63e24c2927c2", "created": "2020-05-26T17:34:19.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0455", "external_id": "S0455"}, {"source_name": "Casbaneiro", "description": "(Citation: ESET Casbaneiro Oct 2019)"}, {"source_name": "Metamorfo", "description": "(Citation: Medium Metamorfo Apr 2020)(Citation: ESET Casbaneiro Oct 2019) "}, {"source_name": "Medium Metamorfo Apr 2020", "description": "Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020.", "url": "https://medium.com/@chenerlich/the-avast-abuser-metamorfo-banking-malware-hides-by-abusing-avast-executable-ac9b8b392767"}, {"source_name": "ESET Casbaneiro Oct 2019", "description": "ESET Research. (2019, October 3). 
Casbaneiro: peculiarities of this banking Trojan that affects Brazil and Mexico. Retrieved September 23, 2021.", "url": "https://www.welivesecurity.com/2019/10/03/casbaneiro-trojan-dangerous-cooking/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["Trojan.Karagany", "xFrost", "Karagany"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "type": "malware", "id": "malware--82cb34ba-02b5-432b-b2d2-07f55cbf674d", "created": "2017-05-31T21:33:00.176Z", "x_mitre_version": "3.0", "external_references": [{"source_name": "mitre-attack", "external_id": "S0094", "url": "https://attack.mitre.org/software/S0094"}, {"source_name": "xFrost", "description": "(Citation: Secureworks Karagany July 2019)"}, {"source_name": "Karagany", "description": "(Citation: Secureworks Karagany July 2019)"}, {"source_name": "Dragos DYMALLOY ", "url": "https://www.dragos.com/threat/dymalloy/", "description": "Dragos. (n.d.). DYMALLOY. Retrieved August 20, 2020."}, {"source_name": "Secureworks Karagany July 2019", "url": "https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector", "description": "Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020."}, {"source_name": "Symantec Dragonfly", "url": "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7382dce7-0260-4782-84cc-890971ed3f17&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments", "description": "Symantec Security Response. (2014, June 30). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. 
Retrieved April 8, 2016."}], "x_mitre_deprecated": false, "revoked": false, "description": "[Trojan.Karagany](https://attack.mitre.org/software/S0094) is a modular remote access tool used for recon and linked to [Dragonfly](https://attack.mitre.org/groups/G0035). The source code for [Trojan.Karagany](https://attack.mitre.org/software/S0094) originated from Dream Loader malware which was leaked in 2010 and sold on underground forums. (Citation: Symantec Dragonfly)(Citation: Secureworks Karagany July 2019)(Citation: Dragos DYMALLOY )", "modified": "2022-04-19T14:57:44.862Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Trojan.Karagany", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["Bandook"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--835a79f1-842d-472d-b8f4-d54b545c341b", "type": "malware", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0234", "external_id": "S0234"}, {"url": "https://www.eff.org/files/2016/08/03/i-got-a-letter-from-the-government.pdf", "description": "Galperin, E., Et al.. (2016, August). I Got a Letter From the Government the Other Day.... Retrieved April 25, 2018.", "source_name": "EFF Manul Aug 2016"}, {"url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. 
Retrieved April 11, 2018.", "source_name": "Lookout Dark Caracal Jan 2018"}, {"source_name": "CheckPoint Bandook Nov 2020", "url": "https://research.checkpoint.com/2020/bandook-signed-delivered/", "description": "Check Point. (2020, November 26). Bandook: Signed & Delivered. Retrieved May 31, 2021."}], "modified": "2021-10-11T19:42:14.066Z", "name": "Bandook", "description": "[Bandook](https://attack.mitre.org/software/S0234) is a commercially available RAT, written in Delphi and C++, that has been available since at least 2007. It has been used against government, financial, energy, healthcare, education, IT, and legal organizations in the US, South America, Europe, and Southeast Asia. [Bandook](https://attack.mitre.org/software/S0234) has been used by [Dark Caracal](https://attack.mitre.org/groups/G0070), as well as in a separate campaign referred to as \"Operation Manul\".(Citation: EFF Manul Aug 2016)(Citation: Lookout Dark Caracal Jan 2018)(Citation: CheckPoint Bandook Nov 2020)", "x_mitre_version": "2.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-04-11T00:26:37.214Z", "name": "PipeMon", "description": "[PipeMon](https://attack.mitre.org/software/S0501) is a multi-stage modular backdoor used by [Winnti Group](https://attack.mitre.org/groups/G0044).(Citation: ESET PipeMon May 2020)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.2", "x_mitre_contributors": ["Mathieu Tartare, ESET", "Martin Smol\u00e1r, ESET"], "x_mitre_aliases": ["PipeMon"], "type": "malware", "id": "malware--8393dac0-0583-456a-9372-fd81691bca20", "created": "2020-08-24T13:15:51.706Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0501", "external_id": "S0501"}, {"source_name": "ESET 
PipeMon May 2020", "description": "Tartare, M. et al. (2020, May 21). No \u201cGame over\u201d for the Winnti Group. Retrieved August 24, 2020.", "url": "https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Network"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["SYNful Knock"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--84c1ecc6-e5a2-4e8a-bf4b-651a618e0053", "type": "malware", "created": "2020-10-19T16:38:11.279Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "S0519", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0519"}, {"source_name": "Mandiant - Synful Knock", "url": "https://www.mandiant.com/resources/synful-knock-acis", "description": "Bill Hau, Tony Lee, Josh Homan. (2015, September 15). SYNful Knock - A Cisco router implant - Part I. Retrieved October 19, 2020."}, {"source_name": "Cisco Synful Knock Evolution", "url": "https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices", "description": "Graham Holmes. (2015, October 8). Evolution of attacks on Cisco IOS devices. 
Retrieved October 19, 2020."}], "modified": "2021-12-14T23:14:26.027Z", "name": "SYNful Knock", "description": "[SYNful Knock](https://attack.mitre.org/software/S0519) is a stealthy modification of the operating system of network devices that can be used to maintain persistence within a victim's network and provide new capabilities to the adversary.(Citation: Mandiant - Synful Knock)(Citation: Cisco Synful Knock Evolution)", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-04-10T22:32:05.321Z", "name": "TINYTYPHON", "description": "[TINYTYPHON](https://attack.mitre.org/software/S0131) is a backdoor that has been used by the actors responsible for the MONSOON campaign. The majority of its code was reportedly taken from the MyDoom worm. (Citation: Forcepoint Monsoon)", "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.1", "x_mitre_aliases": ["TINYTYPHON"], "type": "malware", "id": "malware--85b39628-204a-48d2-b377-ec368cbcb7ca", "created": "2017-05-31T21:33:15.467Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0131", "external_id": "S0131"}, {"source_name": "Forcepoint Monsoon", "description": "Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. 
Retrieved September 22, 2016.", "url": "https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-04-11T01:44:46.026Z", "name": "KONNI", "description": "[KONNI](https://attack.mitre.org/software/S0356) is a remote access tool that security researchers assess has been used by North Korean cyber actors since at least 2014. [KONNI](https://attack.mitre.org/software/S0356) has significant code overlap with the [NOKKI](https://attack.mitre.org/software/S0353) malware family, and has been linked to several suspected North Korean campaigns targeting political organizations in Russia, East Asia, Europe and the Middle East; there is some evidence potentially linking [KONNI](https://attack.mitre.org/software/S0356) to [APT37](https://attack.mitre.org/groups/G0067).(Citation: Talos Konni May 2017)(Citation: Unit 42 NOKKI Sept 2018)(Citation: Unit 42 Nokki Oct 2018)(Citation: Medium KONNI Jan 2020)(Citation: Malwarebytes Konni Aug 2021)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "2.1", "x_mitre_contributors": ["Doron Karmi, @DoronKarmi"], "x_mitre_aliases": ["KONNI"], "type": "malware", "id": "malware--86b92f6c-9c05-4c51-b361-4c7bb13e21a1", "created": "2019-01-31T00:36:39.771Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0356", "external_id": "S0356"}, {"source_name": "KONNI", "description": "(Citation: Talos Konni May 2017)(Citation: Malwarebytes Konni Aug 2021)"}, {"source_name": "Unit 42 Nokki Oct 2018", "description": "Grunzweig, J. 
(2018, October 01). NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT. Retrieved November 5, 2018.", "url": "https://researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/"}, {"source_name": "Unit 42 NOKKI Sept 2018", "description": "Grunzweig, J., Lee, B. (2018, September 27). New KONNI Malware attacking Eurasia and Southeast Asia. Retrieved November 5, 2018.", "url": "https://researchcenter.paloaltonetworks.com/2018/09/unit42-new-konni-malware-attacking-eurasia-southeast-asia/"}, {"source_name": "Medium KONNI Jan 2020", "description": "Karmi, D. (2020, January 4). A Look Into Konni 2019 Campaign. Retrieved April 28, 2020.", "url": "https://medium.com/d-hunter/a-look-into-konni-2019-campaign-b45a0f321e9b"}, {"source_name": "Talos Konni May 2017", "description": "Rascagneres, P. (2017, May 03). KONNI: A Malware Under The Radar For Years. Retrieved November 5, 2018.", "url": "https://blog.talosintelligence.com/2017/05/konni-malware-under-radar-for-years.html"}, {"source_name": "Malwarebytes Konni Aug 2021", "description": "Threat Intelligence Team. (2021, August 23). New variant of Konni malware used in campaign targetting Russia. 
Retrieved January 5, 2022.", "url": "https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["T9000"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--876f6a77-fbc5-4e13-ab1a-5611986730a3", "type": "malware", "created": "2017-05-31T21:33:01.951Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0098", "external_id": "S0098"}, {"source_name": "FireEye admin@338 March 2014", "description": "Moran, N. and Lanstein, A.. (2014, March 25). Spear Phishing the News Cycle: APT Actors Leverage Interest in the Disappearance of Malaysian Flight MH 370. Retrieved April 15, 2016.", "url": "https://www.fireeye.com/blog/threat-research/2014/03/spear-phishing-the-news-cycle-apt-actors-leverage-interest-in-the-disappearance-of-malaysian-flight-mh-370.html"}, {"source_name": "Palo Alto T9000 Feb 2016", "description": "Grunzweig, J. and Miller-Osborn, J.. (2016, February 4). T9000: Advanced Modular Backdoor Uses Complex Anti-Analysis Techniques. Retrieved April 15, 2016.", "url": "http://researchcenter.paloaltonetworks.com/2016/02/t9000-advanced-modular-backdoor-uses-complex-anti-analysis-techniques/"}], "modified": "2020-03-31T12:40:49.213Z", "name": "T9000", "description": "[T9000](https://attack.mitre.org/software/S0098) is a backdoor that is a newer variant of the T5000 malware family, also known as Plat1. Its primary function is to gather information about the victim. 
It has been used in multiple targeted attacks against U.S.-based organizations. (Citation: FireEye admin@338 March 2014) (Citation: Palo Alto T9000 Feb 2016)", "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-04-10T20:36:12.150Z", "name": "Winnti for Linux", "description": "[Winnti for Linux](https://attack.mitre.org/software/S0430) is a trojan, seen since at least 2015, designed specifically for targeting Linux systems. Reporting indicates the winnti malware family is shared across a number of actors including [Winnti Group](https://attack.mitre.org/groups/G0044). The Windows variant is tracked separately under [Winnti for Windows](https://attack.mitre.org/software/S0141).(Citation: Chronicle Winnti for Linux May 2019)", "x_mitre_platforms": ["Linux"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.1", "x_mitre_aliases": ["Winnti for Linux"], "type": "malware", "id": "malware--8787e86d-8475-4f13-acea-d33eb83b6105", "created": "2020-04-29T15:06:59.171Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0430", "external_id": "S0430"}, {"source_name": "Chronicle Winnti for Linux May 2019", "description": "Chronicle Blog. (2019, May 15). Winnti: More than just Windows and Gates. 
Retrieved April 29, 2020.", "url": "https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-04-05T18:28:57.216Z", "name": "RAPIDPULSE", "description": "[RAPIDPULSE](https://attack.mitre.org/software/S1113) is a web shell implemented as a modification of a legitimate Pulse Secure file; it has been used by [APT5](https://attack.mitre.org/groups/G1023) since at least 2021.(Citation: Mandiant Pulse Secure Update May 2021)", "x_mitre_platforms": ["Network", "Linux"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.0", "x_mitre_aliases": ["RAPIDPULSE"], "type": "malware", "id": "malware--880f7b3e-ad27-4158-8b03-d44c9357950b", "created": "2024-02-13T17:50:25.350Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1113", "external_id": "S1113"}, {"source_name": "Mandiant Pulse Secure Update May 2021", "description": "Perez, D. et al. (2021, May 27). Re-Checking Your Pulse: Updates on Chinese APT Actors Compromising Pulse Secure VPN Devices. Retrieved February 5, 2024.", "url": "https://www.mandiant.com/resources/blog/updates-on-chinese-apt-compromising-pulse-secure-vpn-devices"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-02-06T19:00:45.557Z", "name": "gh0st RAT", "description": "[gh0st RAT](https://attack.mitre.org/software/S0032) is a remote access tool (RAT). 
The source code is public and it has been used by multiple groups.(Citation: FireEye Hacking Team)(Citation: Arbor Musical Chairs Feb 2018)(Citation: Nccgroup Gh0st April 2018)", "x_mitre_platforms": ["Windows", "macOS"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "3.2", "x_mitre_aliases": ["gh0st RAT", "Mydoor", "Moudoor"], "type": "malware", "id": "malware--88c621a7-aef9-4ae0-94e3-1fc87123eb24", "created": "2017-05-31T21:32:24.937Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0032", "external_id": "S0032"}, {"source_name": "gh0st RAT", "description": "(Citation: FireEye Hacking Team)(Citation: Nccgroup Gh0st April 2018)"}, {"source_name": "Mydoor", "description": "(Citation: Novetta-Axiom)"}, {"source_name": "Moudoor", "description": "(Citation: Novetta-Axiom)"}, {"source_name": "FireEye Hacking Team", "description": "FireEye Threat Intelligence. (2015, July 13). Demonstrating Hustle, Chinese APT Groups Quickly Use Zero-Day Vulnerability (CVE-2015-5119) Following Hacking Team Leak. Retrieved January 25, 2016.", "url": "https://www.fireeye.com/blog/threat-research/2015/07/demonstrating_hustle.html"}, {"source_name": "Novetta-Axiom", "description": "Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014.", "url": "https://web.archive.org/web/20230115144216/http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf"}, {"source_name": "Nccgroup Gh0st April 2018", "description": "Pantazopoulos, N. (2018, April 17). Decoding network data from a Gh0st RAT variant. Retrieved November 2, 2018.", "url": "https://research.nccgroup.com/2018/04/17/decoding-network-data-from-a-gh0st-rat-variant/"}, {"source_name": "Arbor Musical Chairs Feb 2018", "description": "Sabo, S. (2018, February 15). Musical Chairs Playing Tetris. 
Retrieved February 19, 2018.", "url": "https://www.arbornetworks.com/blog/asert/musical-chairs-playing-tetris/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-02-08T20:53:17.332Z", "name": "Shamoon", "description": "[Shamoon](https://attack.mitre.org/software/S0140) is wiper malware that was first used by an Iranian group known as the \"Cutting Sword of Justice\" in 2012. Other versions known as Shamoon 2 and Shamoon 3 were observed in 2016 and 2018. [Shamoon](https://attack.mitre.org/software/S0140) has also been seen leveraging [RawDisk](https://attack.mitre.org/software/S0364) and Filerase to carry out data wiping tasks. Analysis has linked [Shamoon](https://attack.mitre.org/software/S0140) with [Kwampirs](https://attack.mitre.org/software/S0236) based on multiple shared artifacts and coding patterns.(Citation: Cylera Kwampirs 2022) The term Shamoon is sometimes used to refer to the group using the malware as well as the malware itself.(Citation: Palo Alto Shamoon Nov 2016)(Citation: Unit 42 Shamoon3 2018)(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "2.2", "x_mitre_aliases": ["Shamoon", "Disttrack"], "type": "malware", "id": "malware--8901ac23-6b50-410c-b0dd-d8174a86f9b3", "created": "2017-05-31T21:33:20.223Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0140", "external_id": "S0140"}, {"source_name": "Disttrack", "description": "(Citation: Palo Alto Shamoon Nov 2016)"}, {"source_name": "Unit 42 Shamoon3 2018", "description": "Falcone, R. (2018, December 13). 
Shamoon 3 Targets Oil and Gas Organization. Retrieved March 14, 2019.", "url": "https://unit42.paloaltonetworks.com/shamoon-3-targets-oil-gas-organization/"}, {"source_name": "Palo Alto Shamoon Nov 2016", "description": "Falcone, R.. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017.", "url": "http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/"}, {"source_name": "FireEye Shamoon Nov 2016", "description": "FireEye. (2016, November 30). FireEye Responds to Wave of Destructive Cyber Attacks in Gulf Region. Retrieved January 11, 2017.", "url": "https://www.fireeye.com/blog/threat-research/2016/11/fireeye_respondsto.html"}, {"source_name": "Cylera Kwampirs 2022", "description": "Pablo Rinc\u00f3n Crespo. (2022, January). The link between Kwampirs (Orangeworm) and Shamoon APTs. Retrieved February 8, 2024.", "url": "https://resources.cylera.com/hubfs/Cylera%20Labs/Cylera%20Labs%20Kwampirs%20Shamoon%20Technical%20Report.pdf"}, {"source_name": "Symantec Shamoon 2012", "description": "Symantec. (2012, August 16). The Shamoon Attacks. Retrieved March 14, 2019.", "url": "https://www.symantec.com/connect/blogs/shamoon-attacks"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-02-06T19:02:00.781Z", "name": "Skeleton Key", "description": "[Skeleton Key](https://attack.mitre.org/software/S0007) is malware used to inject false credentials into domain controllers with the intent of creating a backdoor password. 
(Citation: Dell Skeleton) Functionality similar to [Skeleton Key](https://attack.mitre.org/software/S0007) is included as a module in [Mimikatz](https://attack.mitre.org/software/S0002).", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.2", "x_mitre_aliases": ["Skeleton Key"], "type": "malware", "id": "malware--89f63ae4-f229-4a5c-95ad-6f22ed2b5c49", "created": "2017-05-31T21:32:13.407Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0007", "external_id": "S0007"}, {"source_name": "Dell Skeleton", "description": "Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis. Retrieved April 8, 2019.", "url": "https://www.secureworks.com/research/skeleton-key-malware-analysis"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["DnsSystem"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "type": "malware", "id": "malware--8a2867f9-e8fc-4bf1-a860-ef6e46311900", "created": "2022-06-24T14:02:05.144Z", "x_mitre_version": "1.0", "external_references": [{"source_name": "mitre-attack", "external_id": "S1021", "url": "https://attack.mitre.org/software/S1021"}, {"source_name": "Zscaler Lyceum DnsSystem June 2022", "url": "https://www.zscaler.com/blogs/security-research/lyceum-net-dns-backdoor", "description": "Shivtarkar, N. and Kumar, A. (2022, June 9). Lyceum .NET DNS Backdoor. 
Retrieved June 23, 2022."}], "x_mitre_deprecated": false, "revoked": false, "description": "[DnsSystem](https://attack.mitre.org/software/S1021) is a .NET based DNS backdoor, which is a customized version of the open source tool DIG.net, that has been used by [HEXANE](https://attack.mitre.org/groups/G1001) since at least June 2022.(Citation: Zscaler Lyceum DnsSystem June 2022)", "modified": "2022-09-01T15:52:24.575Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "DnsSystem", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["MoleNet"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--8a59f456-79a0-4151-9f56-9b1a67332af2", "type": "malware", "created": "2020-12-28T22:09:15.461Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "S0553", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0553"}, {"source_name": "MoleNet", "description": "(Citation: Cybereason Molerats Dec 2020)"}, {"source_name": "Cybereason Molerats Dec 2020", "url": "https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf", "description": "Cybereason Nocturnus Team. (2020, December 9). MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign. 
Retrieved December 22, 2020."}], "modified": "2021-04-27T02:20:58.446Z", "name": "MoleNet", "description": "[MoleNet](https://attack.mitre.org/software/S0553) is a downloader tool with backdoor capabilities that has been observed in use since at least 2019.(Citation: Cybereason Molerats Dec 2020)", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["CORALDECK"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--8ab98e25-1672-4b5f-a2fb-e60f08a5ea9e", "type": "malware", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0212", "external_id": "S0212"}, {"source_name": "CORALDECK", "description": "(Citation: FireEye APT37 Feb 2018)"}, {"source_name": "FireEye APT37 Feb 2018", "description": "FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018.", "url": "https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf"}], "modified": "2020-03-30T15:13:24.829Z", "name": "CORALDECK", "description": "[CORALDECK](https://attack.mitre.org/software/S0212) is an exfiltration tool used by [APT37](https://attack.mitre.org/groups/G0067). (Citation: FireEye APT37 Feb 2018)", "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-04-11T01:49:50.568Z", "name": "JHUHUGIT", "description": "[JHUHUGIT](https://attack.mitre.org/software/S0044) is malware used by [APT28](https://attack.mitre.org/groups/G0007). It is based on Carberp source code and serves as reconnaissance malware. 
(Citation: Kaspersky Sofacy) (Citation: F-Secure Sofacy 2015) (Citation: ESET Sednit Part 1) (Citation: FireEye APT28 January 2017)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "2.2", "x_mitre_aliases": ["JHUHUGIT", "Trojan.Sofacy", "Seduploader", "JKEYSKW", "Sednit", "GAMEFISH", "SofacyCarberp"], "type": "malware", "id": "malware--8ae43c46-57ef-47d5-a77a-eebb35628db2", "created": "2017-05-31T21:32:34.199Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0044", "external_id": "S0044"}, {"source_name": "JHUHUGIT", "description": "(Citation: FireEye APT28 January 2017)"}, {"source_name": "JKEYSKW", "description": "(Citation: FireEye APT28 January 2017)"}, {"source_name": "GAMEFISH", "description": "(Citation: FireEye APT28 January 2017)"}, {"source_name": "Seduploader", "description": "(Citation: FireEye APT28 January 2017)(Citation: Talos Seduploader Oct 2017)"}, {"source_name": "SofacyCarberp", "description": "(Citation: Unit 42 Sofacy Feb 2018)"}, {"source_name": "ESET Sednit Part 1", "description": "ESET. (2016, October). En Route with Sednit - Part 1: Approaching the Target. Retrieved November 8, 2016.", "url": "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf"}, {"source_name": "F-Secure Sofacy 2015", "description": "F-Secure. (2015, September 8). Sofacy Recycles Carberp and Metasploit Code. Retrieved August 3, 2016.", "url": "https://labsblog.f-secure.com/2015/09/08/sofacy-recycles-carberp-and-metasploit-code/"}, {"source_name": "FireEye APT28 January 2017", "description": "FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. 
Retrieved January 11, 2017.", "url": "https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf"}, {"source_name": "Kaspersky Sofacy", "description": "Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.", "url": "https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/"}, {"source_name": "Unit 42 Sofacy Feb 2018", "description": "Lee, B, et al. (2018, February 28). Sofacy Attacks Multiple Government Entities. Retrieved March 15, 2018.", "url": "https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/"}, {"source_name": "Talos Seduploader Oct 2017", "description": "Mercer, W., et al. (2017, October 22). \"Cyber Conflict\" Decoy Document Used in Real Cyber Conflict. Retrieved November 2, 2018.", "url": "https://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html"}, {"source_name": "Symantec APT28 Oct 2018", "description": "Symantec Security Response. (2018, October 04). APT28: New Espionage Operations Target Military and Government Organizations. 
Retrieved November 14, 2018.", "url": "https://www.symantec.com/blogs/election-security/apt28-espionage-military-government"}, {"source_name": "Sednit", "description": "This designation has been used in reporting both to refer to the threat group ([APT28](https://attack.mitre.org/groups/G0007)) and its associated malware.(Citation: FireEye APT28 January 2017)"}, {"source_name": "Trojan.Sofacy", "description": "This designation has been used in reporting both to refer to the threat group ([APT28](https://attack.mitre.org/groups/G0007)) and its associated malware.(Citation: Symantec APT28 Oct 2018)"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["SPACESHIP"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--8b880b41-5139-4807-baa9-309690218719", "type": "malware", "created": "2017-05-31T21:32:28.257Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0035", "external_id": "S0035"}, {"url": "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf", "description": "FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015.", "source_name": "FireEye APT30"}], "modified": "2020-03-30T03:05:20.517Z", "name": "SPACESHIP", "description": "[SPACESHIP](https://attack.mitre.org/software/S0035) is malware developed by [APT30](https://attack.mitre.org/groups/G0013) that allows propagation and exfiltration of data over removable devices. [APT30](https://attack.mitre.org/groups/G0013) may use this capability to exfiltrate data across air-gaps. 
(Citation: FireEye APT30)", "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-04-11T02:49:24.851Z", "name": "BLUELIGHT", "description": "[BLUELIGHT](https://attack.mitre.org/software/S0657) is a remote access Trojan used by [APT37](https://attack.mitre.org/groups/G0067) that was first observed in early 2021.(Citation: Volexity InkySquid BLUELIGHT August 2021)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.1", "x_mitre_aliases": ["BLUELIGHT"], "type": "malware", "id": "malware--8bd47506-29ae-44ea-a5c1-c57e8a1ab6b0", "created": "2021-10-01T20:26:49.502Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0657", "external_id": "S0657"}, {"source_name": "BLUELIGHT", "description": "(Citation: Volexity InkySquid BLUELIGHT August 2021)"}, {"source_name": "Volexity InkySquid BLUELIGHT August 2021", "description": "Cash, D., Grunzweig, J., Meltzer, M., Adair, S., Lancaster, T. (2021, August 17). North Korean APT InkySquid Infects Victims Using Browser Exploits. Retrieved September 30, 2021.", "url": "https://www.volexity.com/blog/2021/08/17/north-korean-apt-inkysquid-infects-victims-using-browser-exploits/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-04-11T01:45:40.875Z", "name": "KGH_SPY", "description": "[KGH_SPY](https://attack.mitre.org/software/S0526) is a modular suite of tools used by [Kimsuky](https://attack.mitre.org/groups/G0094) for reconnaissance, information stealing, and backdoor capabilities. 
[KGH_SPY](https://attack.mitre.org/software/S0526) derived its name from PDB paths and internal names found in samples containing \"KGH\".(Citation: Cybereason Kimsuky November 2020)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.1", "x_mitre_aliases": ["KGH_SPY"], "type": "malware", "id": "malware--8bdfe255-e658-4ddd-a11c-b854762e451d", "created": "2020-11-06T18:58:35.456Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0526", "external_id": "S0526"}, {"source_name": "Cybereason Kimsuky November 2020", "description": "Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020.", "url": "https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["down_new"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--8be7c69e-d8e3-4970-9668-61de08e508cc", "type": "malware", "created": "2020-06-10T19:37:49.361Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "S0472", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0472"}, {"source_name": "Trend Micro Tick November 2019", "url": "https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf", "description": "Chen, J. et al. (2019, November). 
Operation ENDTRADE: TICK\u2019s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020."}], "modified": "2020-06-24T01:27:32.659Z", "name": "down_new", "description": " [down_new](https://attack.mitre.org/software/S0472) is a downloader that has been used by [BRONZE BUTLER](https://attack.mitre.org/groups/G0060) since at least 2019.(Citation: Trend Micro Tick November 2019)", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["Ixeshe"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--8beac7c2-48d2-4cd9-9b15-6c452f38ac06", "type": "malware", "created": "2017-05-31T21:32:16.360Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0015", "external_id": "S0015"}, {"url": "https://www.fireeye.com/blog/threat-research/2013/08/survival-of-the-fittest-new-york-times-attackers-evolve-quickly.html", "description": "Moran, N., & Villeneuve, N. (2013, August 12). Survival of the Fittest: New York Times Attackers Evolve Quickly [Blog]. Retrieved November 12, 2014.", "source_name": "Moran 2013"}], "modified": "2020-03-20T22:45:06.494Z", "name": "Ixeshe", "description": "[Ixeshe](https://attack.mitre.org/software/S0015) is a malware family that has been used since at least 2009 against targets in East Asia. 
(Citation: Moran 2013)", "x_mitre_version": "1.2", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-04-11T00:43:46.245Z", "name": "Micropsia", "description": "[Micropsia](https://attack.mitre.org/software/S0339) is a remote access tool written in Delphi.(Citation: Talos Micropsia June 2017)(Citation: Radware Micropsia July 2018)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.2", "x_mitre_aliases": ["Micropsia"], "type": "malware", "id": "malware--8c050cea-86e1-4b63-bf21-7af4fa483349", "created": "2019-01-29T21:47:53.070Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0339", "external_id": "S0339"}, {"source_name": "Micropsia", "description": "(Citation: Talos Micropsia June 2017)(Citation: Radware Micropsia July 2018)"}, {"source_name": "Talos Micropsia June 2017", "description": "Rascagneres, P., Mercer, W. (2017, June 19). Delphi Used To Score Against Palestine. Retrieved November 13, 2018.", "url": "https://blog.talosintelligence.com/2017/06/palestine-delphi.html"}, {"source_name": "Radware Micropsia July 2018", "description": "Tsarfaty, Y. (2018, July 25). Micropsia Malware. 
Retrieved November 13, 2018.", "url": "https://blog.radware.com/security/2018/07/micropsia-malware/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["Kerrdown"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--8c1d01ff-fdc0-4586-99bd-c248e0761af5", "type": "malware", "created": "2021-03-02T13:38:32.673Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "S0585", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0585"}, {"source_name": "Amnesty Intl. Ocean Lotus February 2021", "url": "https://www.amnestyusa.org/wp-content/uploads/2021/02/Click-and-Bait_Vietnamese-Human-Rights-Defenders-Targeted-with-Spyware-Attacks.pdf", "description": "Amnesty International. (2021, February 24). Vietnamese activists targeted by notorious hacking group. Retrieved March 1, 2021."}, {"source_name": "Unit 42 KerrDown February 2019", "url": "https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/", "description": "Ray, V. and Hayashi, K. (2019, February 1). Tracking OceanLotus\u2019 new Downloader, KerrDown. Retrieved October 1, 2021."}], "modified": "2021-10-15T21:53:54.011Z", "name": "Kerrdown", "description": "[Kerrdown](https://attack.mitre.org/software/S0585) is a custom downloader that has been used by [APT32](https://attack.mitre.org/groups/G0050) since at least 2018 to install spyware from a server on the victim's network.(Citation: Amnesty Intl. 
Ocean Lotus February 2021)(Citation: Unit 42 KerrDown February 2019)", "x_mitre_version": "2.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["RARSTONE"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--8c553311-0baa-4146-997a-f79acef3d831", "type": "malware", "created": "2017-05-31T21:32:38.480Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0055", "external_id": "S0055"}, {"url": "http://blog.trendmicro.com/trendlabs-security-intelligence/rarstone-found-in-targeted-attacks/", "description": "Aquino, M. (2013, June 13). RARSTONE Found In Targeted Attacks. Retrieved December 17, 2015.", "source_name": "Aquino RARSTONE"}], "modified": "2020-03-30T17:24:58.616Z", "name": "RARSTONE", "description": "[RARSTONE](https://attack.mitre.org/software/S0055) is malware used by the [Naikon](https://attack.mitre.org/groups/G0019) group that has some characteristics similar to [PlugX](https://attack.mitre.org/software/S0013). 
(Citation: Aquino RARSTONE)", "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["VBShower"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--8caa18af-4758-4fd3-9600-e8af579e89ed", "type": "malware", "created": "2020-05-08T20:43:25.743Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"external_id": "S0442", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0442"}, {"source_name": "Kaspersky Cloud Atlas August 2019", "url": "https://securelist.com/recent-cloud-atlas-activity/92016/", "description": "GReAT. (2019, August 12). Recent Cloud Atlas activity. Retrieved May 8, 2020."}], "modified": "2020-05-12T20:56:07.174Z", "name": "VBShower", "description": "[VBShower](https://attack.mitre.org/software/S0442) is a backdoor that has been used by [Inception](https://attack.mitre.org/groups/G0100) since at least 2019. [VBShower](https://attack.mitre.org/software/S0442) has been used as a downloader for second stage payloads, including [PowerShower](https://attack.mitre.org/software/S0441).(Citation: Kaspersky Cloud Atlas August 2019)", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2023-05-01T17:05:56.388Z", "name": "Black Basta", "description": "[Black Basta](https://attack.mitre.org/software/S1070) is ransomware written in C++ that has been offered within the ransomware-as-a-service (RaaS) model since at least April 2022; there are variants that target Windows and VMWare ESXi servers. 
[Black Basta](https://attack.mitre.org/software/S1070) operations have included the double extortion technique where in addition to demanding ransom for decrypting the files of targeted organizations the cyber actors also threaten to post sensitive information to a leak site if the ransom is not paid. [Black Basta](https://attack.mitre.org/software/S1070) affiliates have targeted multiple high-value organizations, with the largest number of victims based in the U.S. Based on similarities in TTPs, leak sites, payment sites, and negotiation tactics, security researchers assess the [Black Basta](https://attack.mitre.org/software/S1070) RaaS operators could include current or former members of the [Conti](https://attack.mitre.org/software/S0575) group.(Citation: Palo Alto Networks Black Basta August 2022)(Citation: Deep Instinct Black Basta August 2022)(Citation: Minerva Labs Black Basta May 2022)(Citation: Avertium Black Basta June 2022)(Citation: NCC Group Black Basta June 2022)(Citation: Cyble Black Basta May 2022)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.0", "x_mitre_contributors": ["Daniyal Naeem, BT Security", "Mathieu Hinse", "Inna Danilevich, U.S. Bank"], "x_mitre_aliases": ["Black Basta"], "type": "malware", "id": "malware--8d242fb4-9033-4f13-8a88-4b9b4bcd9a53", "created": "2023-03-08T19:14:27.348Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1070", "external_id": "S1070"}, {"source_name": "Avertium Black Basta June 2022", "description": "Avertium. (2022, June 1). AN IN-DEPTH LOOK AT BLACK BASTA RANSOMWARE. Retrieved March 7, 2023.", "url": "https://www.avertium.com/resources/threat-reports/in-depth-look-at-black-basta-ransomware"}, {"source_name": "Cyble Black Basta May 2022", "description": "Cyble. (2022, May 6). 
New ransomware variant targeting high-value organizations. Retrieved March 7, 2023.", "url": "https://blog.cyble.com/2022/05/06/black-basta-ransomware/"}, {"source_name": "Palo Alto Networks Black Basta August 2022", "description": "Elsad, A. (2022, August 25). Threat Assessment: Black Basta Ransomware. Retrieved March 8, 2023.", "url": "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware"}, {"source_name": "NCC Group Black Basta June 2022", "description": "Inman, R. and Gurney, P. (2022, June 6). Shining the Light on Black Basta. Retrieved March 8, 2023.", "url": "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/"}, {"source_name": "Deep Instinct Black Basta August 2022", "description": "Vilkomir-Preisman, S. (2022, August 18). Beating Black Basta Ransomware. Retrieved March 8, 2023.", "url": "https://www.deepinstinct.com/blog/black-basta-ransomware-threat-emergence"}, {"source_name": "Minerva Labs Black Basta May 2022", "description": "Zargarov, N. (2022, May 2). New Black Basta Ransomware Hijacks Windows Fax Service. 
Retrieved March 7, 2023.", "url": "https://minerva-labs.com/blog/new-black-basta-ransomware-hijacks-windows-fax-service/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["Catchamas"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--8d9e758b-735f-4cbc-ba7c-32cd15138b2a", "type": "malware", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0261", "external_id": "S0261"}, {"source_name": "Catchamas", "description": "(Citation: Symantec Catchamas April 2018)"}, {"url": "https://www-west.symantec.com/content/symantec/english/en/security-center/writeup.html/2018-040209-1742-99", "description": "Balanza, M. (2018, April 02). Infostealer.Catchamas. Retrieved July 10, 2018.", "source_name": "Symantec Catchamas April 2018"}], "modified": "2021-02-09T14:51:14.620Z", "name": "Catchamas", "description": "[Catchamas](https://attack.mitre.org/software/S0261) is a Windows Trojan that steals information from compromised systems. 
(Citation: Symantec Catchamas April 2018)", "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-04-11T00:00:54.356Z", "name": "StoneDrill", "description": "[StoneDrill](https://attack.mitre.org/software/S0380) is wiper malware discovered in destructive campaigns against both Middle Eastern and European targets in association with [APT33](https://attack.mitre.org/groups/G0064).(Citation: FireEye APT33 Sept 2017)(Citation: Kaspersky StoneDrill 2017)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.2", "x_mitre_aliases": ["StoneDrill", "DROPSHOT"], "type": "malware", "id": "malware--8dbadf80-468c-4a62-b817-4e4d8b606887", "created": "2019-05-14T15:05:06.630Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0380", "external_id": "S0380"}, {"source_name": "DROPSHOT", "description": "(Citation: FireEye APT33 Sept 2017)"}, {"source_name": "StoneDrill", "description": "(Citation: Kaspersky StoneDrill 2017)"}, {"source_name": "Kaspersky StoneDrill 2017", "description": "Kaspersky Lab. (2017, March 7). From Shamoon to StoneDrill: Wipers attacking Saudi organizations and beyond. Retrieved March 14, 2019.", "url": "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180722/Report_Shamoon_StoneDrill_final.pdf"}, {"source_name": "FireEye APT33 Sept 2017", "description": "O'Leary, J., et al. (2017, September 20). Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware. 
Retrieved February 15, 2018.", "url": "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["OopsIE"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "id": "malware--8e101fdd-9f7f-4916-bb04-6bd9e94c129c", "type": "malware", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0264", "external_id": "S0264"}, {"source_name": "OopsIE", "description": "(Citation: Unit 42 OopsIE! Feb 2018) (Citation: Unit 42 OilRig Sept 2018)"}, {"source_name": "Unit 42 OopsIE! Feb 2018", "description": "Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018.", "url": "https://researchcenter.paloaltonetworks.com/2018/02/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan/"}, {"source_name": "Unit 42 OilRig Sept 2018", "description": "Falcone, R., et al. (2018, September 04). OilRig Targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE. Retrieved September 24, 2018.", "url": "https://researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-targets-middle-eastern-government-adds-evasion-techniques-oopsie/"}], "modified": "2020-03-30T02:36:44.945Z", "name": "OopsIE", "description": "[OopsIE](https://attack.mitre.org/software/S0264) is a Trojan used by [OilRig](https://attack.mitre.org/groups/G0049) to remotely execute commands as well as upload/download files to/from victims. (Citation: Unit 42 OopsIE! 
Feb 2018)", "x_mitre_version": "1.2", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"labels": ["malware"], "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack"], "x_mitre_aliases": ["4H RAT"], "obj