{
"type": "bundle",
"id": "bundle--af2cb8e5-5d1c-4964-bfe1-75ebc90f8627",
"spec_version": "2.0",
"objects": [
{
"type": "report",
"id": "report--af2cb8e5-5d1c-4964-bfe1-75ebc90f8627",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2020-04-24T12:47:32.432Z",
"name": "OilRig",
"description": "OilRig is a threat group operating primarily in the Middle East by targeting organizations in this region that are in a variety of different industries; however, this group has occasionally targeted organizations outside of the Middle East as well. It also appears OilRig carries out supply chain attacks, where the threat group leverages the trust relationship between organizations to attack their primary targets.\n\nOilRig is an active and organized threat group, which is evident based on their systematic targeting of specific organizations that appear to be carefully chosen for strategic purposes. Attacks attributed to this group primarily rely on social engineering to exploit the human rather than software vulnerabilities; however, on occasion this group has used recently patched vulnerabilities in the delivery phase of their attacks. The lack of software vulnerability exploitation does not necessarily suggest a lack of sophistication, as OilRig has shown maturity in other aspects of their operations. Such maturities involve:\n\n-Organized evasion testing used the during development of their tools.\n-Use of custom DNS Tunneling protocols for command and control (C2) and data exfiltration.\n-Custom web-shells and backdoors used to persistently access servers.\n\nOilRig relies on stolen account credentials for lateral movement. After OilRig gains access to a system, they use credential dumping tools, such as Mimikatz, to steal credentials to accounts logged into the compromised system. The group uses these credentials to access and to move laterally to other systems on the network. After obtaining credentials from a system, operators in this group prefer to use tools other than their backdoors to access the compromised systems, such as remote desktop and putty. OilRig also uses phishing sites to harvest credentials to individuals at targeted organizations to gain access to internet accessible resources, such as Outlook Web Access.",
"published": "2020-04-24T12:47:32.432Z",
"object_refs": [
"intrusion-set--8e11eaa4-1964-4b73-85c1-fcfa29159f9b",
"report--be414527-0ed6-4b77-b04b-2ffa2cd601eb",
"report--e76e88c8-699a-4eeb-a8e5-3645826d6455",
"report--418eec9b-ca2d-48d6-92cc-7cf47b159e8c",
"report--a7f9f91c-cfa7-48f9-a2a3-9fe2013241ec"
],
"labels": [
"intrusion-set"
]
},
{
"type": "intrusion-set",
"id": "intrusion-set--8e11eaa4-1964-4b73-85c1-fcfa29159f9b",
"created": "2018-08-03T20:30:50.665Z",
"modified": "2018-08-03T20:30:50.665Z",
"name": "OilRig"
},
{
"type": "attack-pattern",
"id": "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2018-08-03T19:54:02.821Z",
"modified": "2020-03-18T19:44:06.270Z",
"name": "T1033: System Owner/User Discovery",
"description": "### Windows\n\nAdversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using [Credential Dumping](https://attack.mitre.org/techniques/T1003). The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\n### Mac\n\nOn Mac, the currently logged in user can be identified with users,w, and who.\n\n### Linux\n\nOn Linux, the currently logged in user can be identified with w and who.",
"kill_chain_phases": [
{
"kill_chain_name": "lockheed",
"phase_name": "act-on-objectives"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "discovery"
}
],
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/577.html",
"external_id": "CAPEC-577"
},
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1033",
"external_id": "T1033"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_detection": [
"System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1086)."
],
"x_mitre_platforms": [
"Linux",
"Windows",
"macOS"
],
"x_mitre_data_sources": [
"File monitoring",
"Process command-line parameters",
"Process monitoring"
],
"x_mitre_permissions_required": [
"Administrator",
"User"
],
"x_mitre_version": "1.1"
},
{
"type": "attack-pattern",
"id": "attack-pattern--0440f60f-9056-4791-a740-8eae96eb61fa",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2018-08-03T19:54:02.821Z",
"modified": "2018-12-17T14:33:40.572Z",
"name": "T1386: Authorized user performs requested cyber action",
"description": "This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.\n\nClicking on links in email, opening attachments, or visiting websites that result in drive by downloads can all result in compromise due to users performing actions of a cyber nature. (Citation: AnonHBGary)",
"kill_chain_phases": [
{
"kill_chain_name": "lockheed",
"phase_name": "exploitation"
},
{
"kill_chain_name": "mitre-pre-attack",
"phase_name": "compromise"
}
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/techniques/T1386",
"external_id": "T1386"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2018-08-03T19:54:02.821Z",
"modified": "2020-03-18T19:44:03.438Z",
"name": "T1003: Credential Dumping",
"description": "Credential dumping is the process of obtaining account login and password information, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform\u00a0Lateral Movement\u00a0and access restricted information.\n\nSeveral of the tools mentioned in this technique may be used by both adversaries and professional security testers. Additional custom tools likely exist as well.\n\n### Windows\n\n#### SAM (Security Accounts Manager)\n\nThe SAM is a database file that contains local accounts for the host, typically those found with the \u2018net user\u2019 command. To enumerate the SAM database, system level access is required.\n\u00a0\nA number of tools can be used to retrieve the SAM file through in-memory techniques:\n\n* pwdumpx.exe \n* [gsecdump](https://attack.mitre.org/software/S0008)\n* [Mimikatz](https://attack.mitre.org/software/S0002)\n* secretsdump.py\n\nAlternatively, the SAM can be extracted from the Registry with [Reg](https://attack.mitre.org/software/S0075):\n\n* reg save HKLM\\sam sam\n* reg save HKLM\\system system\n\nCreddump7 can then be used to process the SAM database locally to retrieve hashes. (Citation: GitHub Creddump7)\n\nNotes:\nRid 500 account is the local, in-built administrator.\nRid 501 is the guest account.\nUser accounts start with a RID of 1,000+.\n\n#### Cached Credentials\n\nThe DCC2 (Domain Cached Credentials version 2) hash, used by Windows Vista and newer caches credentials when the domain controller is unavailable. The number of default cached credentials varies, and this number can be altered per system. This hash does not allow pass-the-hash style attacks.\n\u00a0\nA number of tools can be used to retrieve the SAM file through in-memory techniques.\n\n* pwdumpx.exe \n* [gsecdump](https://attack.mitre.org/software/S0008)\n* [Mimikatz](https://attack.mitre.org/software/S0002)\n\nAlternatively, reg.exe can be used to extract from the Registry and Creddump7 used to gather the credentials.\n\nNotes:\nCached credentials for Windows Vista are derived using PBKDF2.\n\n#### Local Security Authority (LSA) Secrets\n\nWith SYSTEM access to a host, the LSA secrets often allows trivial access from a local account to domain-based account credentials. The Registry is used to store the LSA secrets.\n\u00a0\nWhen services are run under the context of local or domain users, their passwords are stored in the Registry. If auto-logon is enabled, this information will be stored in the Registry as well.\n\u00a0\nA number of tools can be used to retrieve the SAM file through in-memory techniques.\n\n* pwdumpx.exe \n* [gsecdump](https://attack.mitre.org/software/S0008)\n* [Mimikatz](https://attack.mitre.org/software/S0002)\n* secretsdump.py\n\nAlternatively, reg.exe can be used to extract from the Registry and Creddump7 used to gather the credentials.\n\nNotes:\nThe passwords extracted by his mechanism are\u00a0UTF-16\u00a0encoded, which means that they are returned in\u00a0plaintext.\nWindows 10 adds protections for LSA Secrets described in Mitigation.\n\n#### NTDS from Domain Controller\n\nActive Directory stores information about members of the domain including devices and users to verify credentials and define access rights. The Active Directory domain database is stored in the NTDS.dit file. By default the NTDS file will be located in %SystemRoot%\\NTDS\\Ntds.dit of a domain controller. (Citation: Wikipedia Active Directory)\n \nThe following tools and techniques can be used to enumerate the NTDS file and the contents of the entire Active Directory hashes.\n\n* Volume Shadow Copy\n* secretsdump.py\n* Using the in-built Windows tool, ntdsutil.exe\n* Invoke-NinjaCopy\n\n#### Group Policy Preference (GPP) Files\n\nGroup Policy Preferences (GPP) are tools that allowed administrators to create domain policies with embedded credentials. These policies, amongst other things, allow administrators to set local accounts.\n\nThese group policies are stored in SYSVOL on a domain controller, this means that any domain user can view the SYSVOL share and decrypt the password (the AES private key was leaked on-line. (Citation: Microsoft GPP Key) (Citation: SRD GPP)\n\nThe following tools and scripts can be used to gather and decrypt the password file from Group Policy Preference XML files:\n\n* Metasploit\u2019s post exploitation module: \"post/windows/gather/credentials/gpp\"\n* Get-GPPPassword (Citation: Obscuresecurity Get-GPPPassword)\n* gpprefdecrypt.py\n\nNotes:\nOn the SYSVOL share, the following can be used to enumerate potential XML files.\ndir /s * .xml\n\n#### Service Principal Names (SPNs)\n\nSee [Kerberoasting](https://attack.mitre.org/techniques/T1208).\n\n#### Plaintext Credentials\n\nAfter a user logs on to a system, a variety of credentials are generated and stored in the\u00a0Local Security Authority Subsystem Service\u00a0(LSASS) process in memory. These credentials can be harvested by a administrative user or SYSTEM.\n\nSSPI (Security Support Provider Interface) functions as a common interface to several Security Support Providers (SSPs):\u00a0A Security Support Provider is a\u00a0dynamic-link library\u00a0(DLL) that makes one or more security packages available to applications.\n\nThe following SSPs can be used to access credentials:\n\nMsv: Interactive logons, batch logons, and service logons are done through the MSV authentication package.\nWdigest: The Digest Authentication protocol is designed for use with Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) exchanges. (Citation: TechNet Blogs Credential Protection)\nKerberos: Preferred for mutual client-server domain authentication in Windows 2000 and later.\nCredSSP: \u00a0Provides SSO and\u00a0Network Level Authentication\u00a0for\u00a0Remote Desktop Services. (Citation: Microsoft CredSSP)\n\u00a0\nThe following tools can be used to enumerate credentials:\n\n* [Windows Credential Editor](https://attack.mitre.org/software/S0005)\n* [Mimikatz](https://attack.mitre.org/software/S0002)\n\nAs well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system.\n\nFor example, on the target host use procdump:\n\n* procdump -ma lsass.exe lsass_dump\n\nLocally, mimikatz can be run:\n\n* sekurlsa::Minidump\u00a0lsassdump.dmp\n* sekurlsa::logonPasswords\n\n#### DCSync\n\nDCSync is a variation on credential dumping which can be used to acquire sensitive information from a domain controller. Rather than executing recognizable malicious code, the action works by abusing the domain controller's application programming interface (API) (Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) (Citation: Wine API samlib.dll) to simulate the replication process from a remote domain controller. Any members of the Administrators, Domain Admins, Enterprise Admin groups or computer accounts on the domain controller are able to run DCSync to pull password data (Citation: ADSecurity Mimikatz DCSync) from Active Directory, which may include current and historical hashes of potentially useful accounts such as KRBTGT and Administrators. The hashes can then in turn be used to create a Golden Ticket for use in [Pass the Ticket](https://attack.mitre.org/techniques/T1097) (Citation: Harmj0y Mimikatz and DCSync) or change an account's password as noted in [Account Manipulation](https://attack.mitre.org/techniques/T1098). (Citation: InsiderThreat ChangeNTLM July 2017) DCSync functionality has been included in the \"lsadump\" module in Mimikatz. (Citation: GitHub Mimikatz lsadump Module) Lsadump also includes NetSync, which performs DCSync over a legacy replication protocol. (Citation: Microsoft NRPC Dec 2017)\n\n### Linux\n\n#### Proc filesystem\n\nThe /proc filesystem on Linux contains a great deal of information regarding the state of the running operating system. Processes running with root privileges can use this facility to scrape live memory of other running programs. If any of these programs store passwords in clear text or password hashes in memory, these values can then be harvested for either usage or brute force attacks, respectively. This functionality has been implemented in the [MimiPenguin](https://attack.mitre.org/software/S0179), an open source tool inspired by [Mimikatz](https://attack.mitre.org/software/S0002). The tool dumps process memory, then harvests passwords and hashes by looking for text strings and regex patterns for how given applications such as Gnome Keyring, sshd, and Apache use memory to store such authentication artifacts.",
"kill_chain_phases": [
{
"kill_chain_name": "lockheed",
"phase_name": "act-on-objectives"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "credential-access"
}
],
"external_references": [
{
"source_name": "AdSecurity DCSync Sept 2015",
"url": "https://adsecurity.org/?p=1729",
"description": "Metcalf, S. (2015, September 25). Mimikatz DCSync Usage, Exploitation, and Detection. Retrieved December 4, 2017."
},
{
"source_name": "ADSecurity Mimikatz DCSync",
"url": "https://adsecurity.org/?p=1729",
"description": "Metcalf, S. (2015, September 25). Mimikatz DCSync Usage, Exploitation, and Detection. Retrieved August 7, 2017."
},
{
"source_name": "GitHub Creddump7",
"url": "https://github.com/Neohapsis/creddump7",
"description": "Flathers, R. (2018, February 19). creddump7. Retrieved April 11, 2018."
},
{
"source_name": "GitHub Mimikatz lsadump Module",
"url": "https://github.com/gentilkiwi/mimikatz/wiki/module-~-lsadump",
"description": "Deply, B., Le Toux, V. (2016, June 5). module ~ lsadump. Retrieved August 7, 2017."
},
{
"source_name": "Harmj0y DCSync Sept 2015",
"url": "http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/",
"description": "Schroeder, W. (2015, September 22). Mimikatz and DCSync and ExtraSids, Oh My. Retrieved December 4, 2017."
},
{
"source_name": "Harmj0y Mimikatz and DCSync",
"url": "http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/",
"description": "Schroeder, W. (2015, September 22). Mimikatz and DCSync and ExtraSids, Oh My. Retrieved August 7, 2017."
},
{
"source_name": "InsiderThreat ChangeNTLM July 2017",
"url": "https://blog.stealthbits.com/manipulating-user-passwords-with-mimikatz-SetNTLM-ChangeNTLM",
"description": "Warren, J. (2017, July 11). Manipulating User Passwords with Mimikatz. Retrieved December 4, 2017."
},
{
"source_name": "Medium Detecting Attempts to Steal Passwords from Memory",
"url": "https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-memory-558f16dce4ea",
"description": "Frecn, D.. (2018, October 2). Detecting Attempts to Steal Passwords from Memory. Retrieved October 11, 2019."
},
{
"source_name": "Microsoft CredSSP",
"url": "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-vista/cc749211(v=ws.10)",
"description": "Microsoft. (2008, July 25). Credential Security Service Provider and SSO for Terminal Services Logon. Retrieved April 11, 2018."
},
{
"source_name": "Microsoft DRSR Dec 2017",
"url": "https://msdn.microsoft.com/library/cc228086.aspx",
"description": "Microsoft. (2017, December 1). MS-DRSR Directory Replication Service (DRS) Remote Protocol. Retrieved December 4, 2017."
},
{
"source_name": "Microsoft GetNCCChanges",
"url": "https://msdn.microsoft.com/library/dd207691.aspx",
"description": "Microsoft. (n.d.). IDL_DRSGetNCChanges (Opnum 3). Retrieved December 4, 2017."
},
{
"source_name": "Microsoft GPP Key",
"url": "https://msdn.microsoft.com/library/cc422924.aspx",
"description": "Microsoft. (n.d.). 2.2.1.1.4 Password Encryption. Retrieved April 11, 2018."
},
{
"source_name": "Microsoft NRPC Dec 2017",
"url": "https://msdn.microsoft.com/library/cc237008.aspx",
"description": "Microsoft. (2017, December 1). MS-NRPC - Netlogon Remote Protocol. Retrieved December 6, 2017."
},
{
"source_name": "Microsoft SAMR",
"url": "https://msdn.microsoft.com/library/cc245496.aspx",
"description": "Microsoft. (n.d.). MS-SAMR Security Account Manager (SAM) Remote Protocol (Client-to-Server) - Transport. Retrieved December 4, 2017."
},
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1003",
"external_id": "T1003"
},
{
"source_name": "Obscuresecurity Get-GPPPassword",
"url": "https://obscuresecurity.blogspot.co.uk/2012/05/gpp-password-retrieval-with-powershell.html",
"description": "Campbell, C. (2012, May 24). GPP Password Retrieval with PowerShell. Retrieved April 11, 2018."
},
{
"source_name": "Powersploit",
"url": "https://github.com/mattifestation/PowerSploit",
"description": "PowerSploit. (n.d.). Retrieved December 4, 2014."
},
{
"source_name": "Samba DRSUAPI",
"url": "https://wiki.samba.org/index.php/DRSUAPI",
"description": "SambaWiki. (n.d.). DRSUAPI. Retrieved December 4, 2017."
},
{
"source_name": "SRD GPP",
"url": "http://blogs.technet.com/b/srd/archive/2014/05/13/ms14-025-an-update-for-group-policy-preferences.aspx",
"description": "Security Research and Defense. (2014, May 13). MS14-025: An Update for Group Policy Preferences. Retrieved January 28, 2015."
},
{
"source_name": "TechNet Blogs Credential Protection",
"url": "https://blogs.technet.microsoft.com/askpfeplat/2016/04/18/the-importance-of-kb2871997-and-kb2928120-for-credential-protection/",
"description": "Wilson, B. (2016, April 18). The Importance of KB2871997 and KB2928120 for Credential Protection. Retrieved April 11, 2018."
},
{
"source_name": "Wikipedia Active Directory",
"url": "https://en.wikipedia.org/wiki/Active_Directory",
"description": "Wikipedia. (2018, March 10). Active Directory. Retrieved April 11, 2018."
},
{
"source_name": "Wine API samlib.dll",
"url": "https://source.winehq.org/WineAPI/samlib.html",
"description": "Wine API. (n.d.). samlib.dll. Retrieved December 4, 2017."
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_detection": [
"### Windows\nMonitor for unexpected processes interacting with lsass.exe.(Citation: Medium Detecting Attempts to Steal Passwords from Memory) Common credential dumpers such as [Mimikatz](https://attack.mitre.org/software/S0002) access the LSA Subsystem Service (LSASS) process by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details are stored. Credential dumpers may also use methods for reflective [Process Injection](https://attack.mitre.org/techniques/T1055) to reduce potential indicators of malicious activity.\n\nHash dumpers open the Security Accounts Manager (SAM) on the local file system (%SystemRoot%/system32/config/SAM) or create a dump of the Registry SAM key to access stored account password hashes. Some hash dumpers will open the local file system as a device and parse to the SAM table to avoid file access defenses. Others will make an in-memory copy of the SAM table before reading hashes. Detection of compromised [Valid Accounts](https://attack.mitre.org/techniques/T1078) in-use by adversaries may help as well. \n\nOn Windows 8.1 and Windows Server 2012 R2, monitor Windows Logs for LSASS.exe creation to verify that LSASS started as a protected process.\n\nMonitor processes and command-line arguments for program execution that may be indicative of credential dumping. Remote access tools may contain built-in features or incorporate existing tools like [Mimikatz](https://attack.mitre.org/software/S0002). [PowerShell](https://attack.mitre.org/techniques/T1086) scripts also exist that contain credential dumping functionality, such as PowerSploit's Invoke-Mimikatz module, (Citation: Powersploit) which may require additional logging features to be configured in the operating system to collect necessary information for analysis.\n\nMonitor domain controller logs for replication requests and other unscheduled activity possibly associated with DCSync. (Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) Note: Domain controllers may not log replication requests originating from the default domain controller account. (Citation: Harmj0y DCSync Sept 2015). Also monitor for network protocols (Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft NRPC Dec 2017) and other replication requests (Citation: Microsoft SAMR) from IPs not associated with known domain controllers. (Citation: AdSecurity DCSync Sept 2015)\n\n### Linux\nTo obtain the passwords and hashes stored in memory, processes must open a maps file in the /proc filesystem for the process being analyzed. This file is stored under the path /proc//maps, where the net group /domain and net localgroup using the [Net](https://attack.mitre.org/software/S0039) utility.\n\n### Mac\n\nOn Mac, this same thing can be accomplished with the dscacheutil -q group for the domain, or dscl . -list /Groups for local groups.\n\n### Linux\n\nOn Linux, local groups can be enumerated with the groups command and domain groups via the ldapsearch command.\n\n### Office 365 and Azure AD\n\nWith authenticated access there are several tools that can be used to find permissions groups. The Get-MsolRole PowerShell cmdlet can be used to obtain roles and permissions groups for Exchange and Office 365 accounts.(Citation: Microsoft msrole)(Citation: GitHub Raindance)\n\nAzure CLI (AZ CLI) also provides an interface to obtain permissions groups with authenticated access to a domain. The command az ad user get-member-groups will list groups associated to a user account.(Citation: Microsoft AZ CLI)(Citation: Black Hills Red Teaming MS AD Azure, 2018)",
"kill_chain_phases": [
{
"kill_chain_name": "lockheed",
"phase_name": "act-on-objectives"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "discovery"
}
],
"external_references": [
{
"source_name": "Black Hills Red Teaming MS AD Azure, 2018",
"url": "https://www.blackhillsinfosec.com/red-teaming-microsoft-part-1-active-directory-leaks-via-azure/",
"description": "Felch, M.. (2018, August 31). Red Teaming Microsoft Part 1 Active Directory Leaks via Azure. Retrieved October 6, 2019."
},
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/576.html",
"external_id": "CAPEC-576"
},
{
"source_name": "GitHub Raindance",
"url": "https://github.com/True-Demon/raindance",
"description": "Stringer, M.. (2018, November 21). RainDance. Retrieved October 6, 2019."
},
{
"source_name": "Microsoft AZ CLI",
"url": "https://docs.microsoft.com/en-us/cli/azure/ad/user?view=azure-cli-latest",
"description": "Microsoft. (n.d.). az ad user. Retrieved October 6, 2019."
},
{
"source_name": "Microsoft msrole",
"url": "https://docs.microsoft.com/en-us/powershell/module/msonline/get-msolrole?view=azureadps-1.0",
"description": "Microsoft. (n.d.). Get-MsolRole. Retrieved October 6, 2019."
},
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1069",
"external_id": "T1069"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_detection": [
"System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1086)."
],
"x_mitre_platforms": [
"Azure AD",
"Linux",
"Office 365",
"Windows",
"macOS"
],
"x_mitre_data_sources": [
"API monitoring",
"Azure activity logs",
"Office 365 account logs",
"Process command-line parameters",
"Process monitoring"
],
"x_mitre_permissions_required": [
"User"
],
"x_mitre_contributors": [
"Microsoft Threat Intelligence Center (MSTIC)"
],
"x_mitre_version": "2.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--1c338d0f-a65e-4073-a5c1-c06878849f21",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2018-08-03T19:54:02.821Z",
"modified": "2020-03-18T19:43:38.562Z",
"name": "T1093: Process Hollowing",
"description": "Process hollowing occurs when a process is created in a suspended state then its memory is unmapped and replaced with malicious code. Similar to [Process Injection](https://attack.mitre.org/techniques/T1055), execution of the malicious code is masked under a legitimate process and may evade defenses and detection analysis. (Citation: Leitch Hollowing) (Citation: Endgame Process Injection July 2017)",
"kill_chain_phases": [
{
"kill_chain_name": "lockheed",
"phase_name": "installation"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
}
],
"external_references": [
{
"source_name": "Endgame Process Injection July 2017",
"url": "https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
"description": "Hosseini, A. (2017, July 18). Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques. Retrieved December 7, 2017."
},
{
"source_name": "Leitch Hollowing",
"url": "http://www.autosectools.com/process-hollowing.pdf",
"description": "Leitch, J. (n.d.). Process Hollowing. Retrieved November 12, 2014."
},
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1093",
"external_id": "T1093"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_detection": [
"Monitoring API calls may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. API calls that unmap process memory, such as ZwUnmapViewOfSection or NtUnmapViewOfSection, and those that can be used to modify memory within another process, such as WriteProcessMemory, may be used for this technique. (Citation: Endgame Process Injection July 2017)\n\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior."
],
"x_mitre_platforms": [
"Windows"
],
"x_mitre_data_sources": [
"API monitoring",
"Process monitoring"
],
"x_mitre_permissions_required": [
"User"
],
"x_mitre_defense_bypassed": [
"Anti-virus",
"Process whitelisting",
"Signature-based detection",
"Whitelisting by file name or path"
],
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--30208d3e-0d6b-43c8-883e-44462a514619",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2018-08-03T19:54:02.821Z",
"modified": "2020-03-18T19:43:18.104Z",
"name": "T1119: Automated Collection",
"description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of [Scripting](https://attack.mitre.org/techniques/T1064) to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. This functionality could also be built into remote access tools. \n\nThis technique may incorporate use of other techniques such as [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) and [Remote File Copy](https://attack.mitre.org/techniques/T1105) to identify and move files.",
"kill_chain_phases": [
{
"kill_chain_name": "lockheed",
"phase_name": "act-on-objectives"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "collection"
}
],
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1119",
"external_id": "T1119"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_detection": [
"Depending on the method used, actions could include common file system commands and parameters on the command-line interface within batch files or scripts. A sequence of actions like this may be unusual, depending on the system and network environment. Automated collection may occur along with other techniques such as [Data Staged](https://attack.mitre.org/techniques/T1074). As such, file access monitoring that shows an unusual process performing sequential file opens and potentially copy actions to another location on the file system for many files at once may indicate automated collection behavior. Remote access tools with built-in features may interact directly with the Windows API to gather data. Data may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1086)."
],
"x_mitre_platforms": [
"Linux",
"Windows",
"macOS"
],
"x_mitre_data_sources": [
"Data loss prevention",
"File monitoring",
"Process command-line parameters"
],
"x_mitre_permissions_required": [
"User"
],
"x_mitre_system_requirements": [
"Permissions to access directories and files that store information of interest."
],
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2018-08-03T19:54:02.821Z",
"modified": "2020-03-18T19:43:35.494Z",
"name": "T1082: System Information Discovery",
"description": "An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from [System Information Discovery](https://attack.mitre.org/techniques/T1082) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\n### Windows\n\nExample commands and utilities that obtain this information include ver, [Systeminfo](https://attack.mitre.org/software/S0096), and dir within [cmd](https://attack.mitre.org/software/S0106) for identifying information based on present files and directories.\n\n### Mac\n\nOn Mac, the systemsetup command gives a detailed breakdown of the system, but it requires administrative privileges. Additionally, the system_profiler gives a very detailed breakdown of configurations, firewall rules, mounted volumes, hardware, and many other things without needing elevated permissions.\n\n### AWS\n\nIn Amazon Web Services (AWS), the Application Discovery Service may be used by an adversary to identify servers, virtual machines, software, and software dependencies running.(Citation: Amazon System Discovery)\n\n### GCP\n\nOn Google Cloud Platform (GCP) GET /v1beta1/{parent=organizations/*}/assets or POST /v1beta1/{parent=organizations/*}/assets:runDiscovery may be used to list an organizations cloud assets, or perform asset discovery on a cloud environment.(Citation: Google Command Center Dashboard)\n\n### Azure\n\nIn Azure, the API request GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/virtualMachines/{vmName}?api-version=2019-03-01 may be used to retrieve information about the model or instance view of a virtual machine.(Citation: Microsoft Virutal Machine API)",
"kill_chain_phases": [
{
"kill_chain_name": "lockheed",
"phase_name": "act-on-objectives"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "discovery"
}
],
"external_references": [
{
"source_name": "Amazon System Discovery",
"url": "https://docs.aws.amazon.com/en_pv/application-discovery/latest/userguide/what-is-appdiscovery.html",
"description": "Amazon. (n.d.). What Is AWS Application Discovery Service?. Retrieved October 8, 2019."
},
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/312.html",
"external_id": "CAPEC-312"
},
{
"source_name": "Google Command Center Dashboard",
"url": "https://cloud.google.com/security-command-center/docs/quickstart-scc-dashboard",
"description": "Google. (2019, October 3). Quickstart: Using the dashboard. Retrieved October 8, 2019."
},
{
"source_name": "Microsoft Virutal Machine API",
"url": "https://docs.microsoft.com/en-us/rest/api/compute/virtualmachines/get",
"description": "Microsoft. (2019, March 1). Virtual Machines - Get. Retrieved October 8, 2019."
},
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1082",
"external_id": "T1082"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_detection": [
"System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1086).\n\nIn cloud-based systems, native logging can be used to identify access to certain APIs and dashboards that may contain system information. Depending on how the environment is used, that data alone may not be useful due to benign use during normal operations."
],
"x_mitre_platforms": [
"AWS",
"Azure",
"GCP",
"Linux",
"Windows",
"macOS"
],
"x_mitre_data_sources": [
"AWS CloudTrail logs",
"Azure activity logs",
"Process command-line parameters",
"Process monitoring",
"Stackdriver logs"
],
"x_mitre_permissions_required": [
"User"
],
"x_mitre_contributors": [
"Praetorian"
],
"x_mitre_version": "2.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--355be19c-ffc9-46d5-8d50-d6a036c675b6",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2018-08-03T19:54:02.821Z",
"modified": "2020-03-18T19:43:34.371Z",
"name": "T1071: Standard Application Layer Protocol",
"description": "Adversaries may communicate using a common, standardized application layer protocol such as HTTP, HTTPS, SMTP, or DNS to avoid detection by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.\n\nFor connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are RPC, SSH, or RDP.",
"kill_chain_phases": [
{
"kill_chain_name": "lockheed",
"phase_name": "command-and-control"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "command-and-control"
}
],
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1071",
"external_id": "T1071"
},
{
"source_name": "University of Birmingham C2",
"url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf",
"description": "Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016."
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_detection": [
"Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect application layer protocols that do not follow the expected protocol for the port that is being used. (Citation: University of Birmingham C2)"
],
"x_mitre_platforms": [
"Linux",
"Windows",
"macOS"
],
"x_mitre_data_sources": [
"Malware reverse engineering",
"Netflow/Enclave netflow",
"Packet capture",
"Process monitoring",
"Process use of network"
],
"x_mitre_network_requirements": [
"true"
],
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--35dd844a-b219-4e2b-a6bb-efa9a75995a9",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2018-08-03T19:54:02.821Z",
"modified": "2020-03-18T19:43:30.054Z",
"name": "T1053: Scheduled Task",
"description": "Utilities such as [at](https://attack.mitre.org/software/S0110) and [schtasks](https://attack.mitre.org/software/S0111), along with the Windows Task Scheduler, can be used to schedule programs or scripts to be executed at a date and time. A task can also be scheduled on a remote system, provided the proper authentication is met to use RPC and file and printer sharing is turned on. Scheduling a task on a remote system typically required being a member of the Administrators group on the remote system. (Citation: TechNet Task Scheduler Security)\n\nAn adversary may use task scheduling to execute programs at system startup or on a scheduled basis for persistence, to conduct remote Execution as part of Lateral Movement, to gain SYSTEM privileges, or to run a process under the context of a specified account.",
"kill_chain_phases": [
{
"kill_chain_name": "lockheed",
"phase_name": "act-on-objectives"
},
{
"kill_chain_name": "lockheed",
"phase_name": "installation"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
}
],
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/557.html",
"external_id": "CAPEC-557"
},
{
"source_name": "Microsoft Scheduled Task Events Win10",
"url": "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-object-access-events",
"description": "Microsoft. (2017, May 28). Audit Other Object Access Events. Retrieved June 27, 2019."
},
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1053",
"external_id": "T1053"
},
{
"source_name": "TechNet Autoruns",
"url": "https://technet.microsoft.com/en-us/sysinternals/bb963902",
"description": "Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016."
},
{
"source_name": "TechNet Forum Scheduled Task Operational Setting",
"url": "https://social.technet.microsoft.com/Forums/en-US/e5bca729-52e7-4fcb-ba12-3225c564674c/scheduled-tasks-history-retention-settings?forum=winserver8gen",
"description": "Satyajit321. (2015, November 3). Scheduled Tasks History Retention settings. Retrieved December 12, 2017."
},
{
"source_name": "TechNet Scheduled Task Events",
"url": "https://technet.microsoft.com/library/dd315590.aspx",
"description": "Microsoft. (n.d.). General Task Registration. Retrieved December 12, 2017."
},
{
"source_name": "TechNet Task Scheduler Security",
"url": "https://technet.microsoft.com/en-us/library/cc785125.aspx",
"description": "Microsoft. (2005, January 21). Task Scheduler and security. Retrieved June 8, 2016."
},
{
"source_name": "Twitter Leoloobeek Scheduled Task",
"url": "https://twitter.com/leoloobeek/status/939248813465853953",
"description": "Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved December 12, 2017."
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_detection": [
"Monitor scheduled task creation from common utilities using command-line invocation. Legitimate scheduled tasks may be created during installation of new software or through system administration functions. Monitor process execution from the svchost.exe in Windows 10 and the Windows Task Scheduler taskeng.exe for older versions of Windows. (Citation: Twitter Leoloobeek Scheduled Task) If scheduled tasks are not used for persistence, then the adversary is likely to remove the task when the action is complete. Monitor Windows Task Scheduler stores in %systemroot%\\System32\\Tasks for change entries related to scheduled tasks that do not correlate with known software, patch cycles, etc. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.\n\nConfigure event logging for scheduled task creation and changes by enabling the \"Microsoft-Windows-TaskScheduler/Operational\" setting within the event logging service. (Citation: TechNet Forum Scheduled Task Operational Setting) Several events will then be logged on scheduled task activity, including: (Citation: TechNet Scheduled Task Events)(Citation: Microsoft Scheduled Task Events Win10)\n\n* Event ID 106 on Windows 7, Server 2008 R2 - Scheduled task registered\n* Event ID 140 on Windows 7, Server 2008 R2 / 4702 on Windows 10, Server 2016 - Scheduled task updated\n* Event ID 141 on Windows 7, Server 2008 R2 / 4699 on Windows 10, Server 2016 - Scheduled task deleted\n* Event ID 4698 on Windows 10, Server 2016 - Scheduled task created\n* Event ID 4700 on Windows 10, Server 2016 - Scheduled task enabled\n* Event ID 4701 on Windows 10, Server 2016 - Scheduled task disabled\n\nTools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current scheduled tasks. (Citation: TechNet Autoruns) Look for changes to tasks that do not correlate with known software, patch cycles, etc. Suspicious program execution through scheduled tasks may show up as outlier processes that have not been seen before when compared against historical data.\n\nMonitor processes and command-line arguments for actions that could be taken to create tasks. Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. Tasks may also be created through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1086), so additional logging may need to be configured to gather the appropriate data."
],
"x_mitre_platforms": [
"Windows"
],
"x_mitre_data_sources": [
"File monitoring",
"Process command-line parameters",
"Process monitoring",
"Windows event logs"
],
"x_mitre_permissions_required": [
"Administrator",
"SYSTEM",
"User"
],
"x_mitre_effective_permissions": [
"Administrator",
"SYSTEM",
"User"
],
"x_mitre_remote_support": "true",
"x_mitre_contributors": [
"Alain Homewood, Insomnia Security",
"Leo Loobeek, @leoloobeek",
"Prashant Verma, Paladion",
"Travis Smith, Tripwire"
],
"x_mitre_version": "1.1"
},
{
"type": "attack-pattern",
"id": "attack-pattern--38a6d2f5-d948-4235-bb91-bb01604448b4",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2018-08-03T19:54:02.821Z",
"modified": "2018-12-17T14:34:05.267Z",
"name": "T1374: Credential pharming",
"description": "This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.\n\nCredential pharming a form of attack designed to steal users' credential by redirecting users to fraudulent websites. Pharming can be conducted either by changing the hosts file on a victim's computer or by exploitation of a vulnerability in DNS server software. (Citation: DriveByPharming) (Citation: GoogleDrive Phishing)",
"kill_chain_phases": [
{
"kill_chain_name": "lockheed",
"phase_name": "delivery"
},
{
"kill_chain_name": "mitre-pre-attack",
"phase_name": "launch"
}
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/techniques/T1374",
"external_id": "T1374"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2018-08-03T19:54:02.821Z",
"modified": "2020-03-18T19:44:02.876Z",
"name": "T1024: Custom Cryptographic Protocol",
"description": "Adversaries may use a custom cryptographic protocol or algorithm to hide command and control traffic. A simple scheme, such as XOR-ing the plaintext with a fixed key, will produce a very weak ciphertext.\n\nCustom encryption schemes may vary in sophistication. Analysis and reverse engineering of malware samples may be enough to discover the algorithm and encryption key used.\n\nSome adversaries may also attempt to implement their own version of a well-known cryptographic algorithm instead of using a known implementation library, which may lead to unintentional errors. (Citation: F-Secure Cosmicduke)",
"kill_chain_phases": [
{
"kill_chain_name": "lockheed",
"phase_name": "command-and-control"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "command-and-control"
}
],
"external_references": [
{
"source_name": "F-Secure Cosmicduke",
"url": "https://www.f-secure.com/documents/996508/1030745/cosmicduke_whitepaper.pdf",
"description": "F-Secure Labs. (2014, July). COSMICDUKE Cosmu with a twist of MiniDuke. Retrieved July 3, 2014."
},
{
"source_name": "Fidelis DarkComet",
"url": "https://www.fidelissecurity.com/sites/default/files/FTA_1018_looking_at_the_sky_for_a_dark_comet.pdf",
"description": "Fidelis Cybersecurity. (2015, August 4). Looking at the Sky for a DarkComet. Retrieved April 5, 2016."
},
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1024",
"external_id": "T1024"
},
{
"source_name": "University of Birmingham C2",
"url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf",
"description": "Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016."
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_detection": [
"If malware uses custom encryption with symmetric keys, it may be possible to obtain the algorithm and key from samples and use them to decode network traffic to detect malware communications signatures. (Citation: Fidelis DarkComet)\n\nIn general, analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect when communications do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)"
],
"x_mitre_platforms": [
"Linux",
"Windows",
"macOS"
],
"x_mitre_data_sources": [
"Malware reverse engineering",
"Netflow/Enclave netflow",
"Packet capture",
"Process monitoring",
"Process use of network"
],
"x_mitre_network_requirements": [
"true"
],
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--4aeafdb3-eb0b-4e8e-b93f-95cd499088b4",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2018-08-03T19:54:02.821Z",
"modified": "2018-12-17T14:35:00.574Z",
"name": "T1388: Compromise of externally facing system",
"description": "This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.\n\nExternally facing systems allow connections from outside the network as a normal course of operations. Externally facing systems may include, but are not limited to, websites, web portals, email, DNS, FTP, VPN concentrators, and boarder routers and firewalls. These systems could be in a demilitarized zone (DMZ) or may be within other parts of the internal environment. (Citation: CylanceOpCleaver) (Citation: DailyTechAntiSec)",
"kill_chain_phases": [
{
"kill_chain_name": "lockheed",
"phase_name": "exploitation"
},
{
"kill_chain_name": "mitre-pre-attack",
"phase_name": "compromise"
}
],
"external_references": [
{
"source_name": "mitre-pre-attack",
"url": "https://attack.mitre.org/techniques/T1388",
"external_id": "T1388"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--56fca983-1cf1-4fd1-bda0-5e170a37ab59",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2018-08-03T19:54:02.821Z",
"modified": "2020-03-18T19:44:01.145Z",
"name": "T1107: File Deletion",
"description": "Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces behind as to what was done within a network and how. Adversaries may remove these files over the course of an intrusion to keep their footprint low or remove them at the end as part of the post-intrusion cleanup process.\n\nThere are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well. Examples include native [cmd](https://attack.mitre.org/software/S0106) functions such as DEL, secure deletion tools such as Windows Sysinternals SDelete, or other third-party file deletion tools. (Citation: Trend Micro APT Attack Tools)",
"kill_chain_phases": [
{
"kill_chain_name": "lockheed",
"phase_name": "installation"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
}
],
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1107",
"external_id": "T1107"
},
{
"source_name": "Trend Micro APT Attack Tools",
"url": "http://blog.trendmicro.com/trendlabs-security-intelligence/in-depth-look-apt-attack-tools-of-the-trade/",
"description": "Wilhoit, K. (2013, March 4). In-Depth Look: APT Attack Tools of the Trade. Retrieved December 2, 2015."
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_detection": [
"It may be uncommon for events related to benign command-line functions such as DEL or third-party utilities or tools to be found in an environment, depending on the user base and how systems are typically used. Monitoring for command-line deletion functions to correlate with binaries or other files that an adversary may drop and remove may lead to detection of malicious activity. Another good practice is monitoring for known deletion and secure deletion tools that are not already on systems within an enterprise network that an adversary could introduce. Some monitoring tools may collect command-line arguments, but may not capture DEL commands since DEL is a native function within cmd.exe."
],
"x_mitre_platforms": [
"Linux",
"Windows",
"macOS"
],
"x_mitre_data_sources": [
"Binary file metadata",
"File monitoring",
"Process command-line parameters"
],
"x_mitre_permissions_required": [
"User"
],
"x_mitre_defense_bypassed": [
"Host forensic analysis"
],
"x_mitre_contributors": [
"Walker Johnson"
],
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--6aabc5ec-eae6-422c-8311-38d45ee9838a",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2018-08-03T19:54:02.821Z",
"modified": "2020-03-18T19:43:25.575Z",
"name": "T1108: Redundant Access",
"description": "Adversaries may use more than one remote access tool with varying command and control protocols or credentialed access to remote services so they can maintain access if an access mechanism is detected or mitigated. \n\nIf one type of tool is detected and blocked or removed as a response but the organization did not gain a full understanding of the adversary's tools and access, then the adversary will be able to retain access to the network. Adversaries may also attempt to gain access to [Valid Accounts](https://attack.mitre.org/techniques/T1078) to use [External Remote Services](https://attack.mitre.org/techniques/T1133) such as external VPNs as a way to maintain access despite interruptions to remote access tools deployed within a target network.(Citation: Mandiant APT1) Adversaries may also retain access through cloud-based infrastructure and applications.\n\nUse of a [Web Shell](https://attack.mitre.org/techniques/T1100) is one such way to maintain access to a network through an externally accessible Web server.",
"kill_chain_phases": [
{
"kill_chain_name": "lockheed",
"phase_name": "installation"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
}
],
"external_references": [
{
"source_name": "Mandiant APT1",
"url": "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf",
"description": "Mandiant. (n.d.). APT1 Exposing One of China\u2019s Cyber Espionage Units. Retrieved July 18, 2016."
},
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1108",
"external_id": "T1108"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_detection": [
"Existing methods of detecting remote access tools are helpful. Backup remote access tools or other access points may not have established command and control channels open during an intrusion, so the volume of data transferred may not be as high as the primary channel unless access is lost.\n\nDetection of tools based on beacon traffic, Command and Control protocol, or adversary infrastructure require prior threat intelligence on tools, IP addresses, and/or domains the adversary may use, along with the ability to detect use at the network boundary. Prior knowledge of indicators of compromise may also help detect adversary tools at the endpoint if tools are available to scan for those indicators.\n\nIf an intrusion is in progress and sufficient endpoint data or decoded command and control traffic is collected, then defenders will likely be able to detect additional tools dropped as the adversary is conducting the operation.\n\nFor alternative access using externally accessible VPNs or remote services, follow detection recommendations under [Valid Accounts](https://attack.mitre.org/techniques/T1078) and [External Remote Services](https://attack.mitre.org/techniques/T1133) to collect account use information."
],
"x_mitre_platforms": [
"AWS",
"Azure",
"Azure AD",
"GCP",
"Linux",
"Office 365",
"SaaS",
"Windows",
"macOS"
],
"x_mitre_data_sources": [
"AWS CloudTrail logs",
"Authentication logs",
"Azure activity logs",
"Binary file metadata",
"File monitoring",
"Network protocol analysis",
"Office 365 account logs",
"Packet capture",
"Process monitoring",
"Process use of network",
"Stackdriver logs"
],
"x_mitre_permissions_required": [
"Administrator",
"SYSTEM",
"User"
],
"x_mitre_defense_bypassed": [
"Anti-virus",
"Network intrusion detection system"
],
"x_mitre_contributors": [
"Praetorian"
],
"x_mitre_version": "2.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--6aac77c4-eaf2-4366-8c13-ce50ab951f38",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2019-08-26T15:33:33.158Z",
"modified": "2020-03-18T19:43:30.474Z",
"name": "T1193: Spearphishing Attachment",
"description": "Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon [User Execution](https://attack.mitre.org/techniques/T1204) to gain execution.\n\nThere are many options for the attachment such as Microsoft Office documents, executables, PDFs, or archived files. Upon opening the attachment (and potentially clicking past protections), the adversary's payload exploits a vulnerability or directly executes on the user's system. The text of the spearphishing email usually tries to give a plausible reason why the file should be opened, and may explain how to bypass system protections in order to do so. The email may also contain instructions on how to decrypt an attachment, such as a zip file password, in order to evade email boundary defenses. Adversaries frequently manipulate file extensions and icons in order to make attached executables appear to be document files, or files exploiting one application appear to be a file for a different one.",
"kill_chain_phases": [
{
"kill_chain_name": "lockheed",
"phase_name": "delivery"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "initial-access"
}
],
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/163.html",
"external_id": "CAPEC-163"
},
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1193",
"external_id": "T1193"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_detection": [
"Network intrusion detection systems and email gateways can be used to detect spearphishing with malicious attachments in transit. Detonation chambers may also be used to identify malicious attachments. Solutions can be signature and behavior based, but adversaries may construct attachments in a way to avoid these systems.\n\nAnti-virus can potentially detect malicious documents and attachments as they're scanned to be stored on the email server or on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the attachment is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning Powershell.exe) for techniques such as [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203) and [Scripting](https://attack.mitre.org/techniques/T1064)."
],
"x_mitre_platforms": [
"Linux",
"Windows",
"macOS"
],
"x_mitre_data_sources": [
"Detonation chamber",
"Email gateway",
"File monitoring",
"Mail server",
"Network intrusion detection system",
"Packet capture"
],
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2018-08-03T19:54:02.821Z",
"modified": "2020-03-18T19:43:57.925Z",
"name": "T1016: System Network Configuration Discovery",
"description": "Adversaries will likely look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include [Arp](https://attack.mitre.org/software/S0099), [ipconfig](https://attack.mitre.org/software/S0100)/[ifconfig](https://attack.mitre.org/software/S0101), [nbtstat](https://attack.mitre.org/software/S0102), and [route](https://attack.mitre.org/software/S0103).\n\nAdversaries may use the information from [System Network Configuration Discovery](https://attack.mitre.org/techniques/T1016) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.",
"kill_chain_phases": [
{
"kill_chain_name": "lockheed",
"phase_name": "act-on-objectives"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "discovery"
}
],
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/309.html",
"external_id": "CAPEC-309"
},
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1016",
"external_id": "T1016"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_detection": [
"System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1086)."
],
"x_mitre_platforms": [
"Linux",
"Windows",
"macOS"
],
"x_mitre_data_sources": [
"Process command-line parameters",
"Process monitoring"
],
"x_mitre_permissions_required": [
"User"
],
"x_mitre_version": "1.1"
},
{
"type": "attack-pattern",
"id": "attack-pattern--72b74d71-8169-42aa-92e0-e7b04b9f5a08",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2018-08-03T19:54:02.821Z",
"modified": "2020-03-18T19:43:46.107Z",
"name": "T1087: Account Discovery",
"description": "Adversaries may attempt to get a listing of local system or domain accounts. \n\n### Windows\n\nExample commands that can acquire this information are net user, net group , and net localgroup using the [Net](https://attack.mitre.org/software/S0039) utility or through use of [dsquery](https://attack.mitre.org/software/S0105). If adversaries attempt to identify the primary user, currently logged in user, or set of users that commonly uses a system, [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) may apply.\n\n### Mac\n\nOn Mac, groups can be enumerated through the groups and id commands. In mac specifically, dscl . list /Groups and dscacheutil -q group can also be used to enumerate groups and users.\n\n### Linux\n\nOn Linux, local users can be enumerated through the use of the /etc/passwd file which is world readable. In mac, this same file is only used in single-user mode in addition to the /etc/master.passwd file.\n\nAlso, groups can be enumerated through the groups and id commands.\n\n### Office 365 and Azure AD\n\nWith authenticated access there are several tools that can be used to find accounts. The Get-MsolRoleMember PowerShell cmdlet can be used to obtain account names given a role or permissions group.(Citation: Microsoft msolrolemember)(Citation: GitHub Raindance)\n\nAzure CLI (AZ CLI) also provides an interface to obtain user accounts with authenticated access to a domain. The command az ad user list will list all users within a domain.(Citation: Microsoft AZ CLI)(Citation: Black Hills Red Teaming MS AD Azure, 2018) \n\nThe Get-GlobalAddressList PowerShell cmdlet can be used to obtain email addresses and accounts from a domain using an authenticated session.(Citation: Microsoft getglobaladdresslist)(Citation: Black Hills Attacking Exchange MailSniper, 2016)",
"kill_chain_phases": [
{
"kill_chain_name": "lockheed",
"phase_name": "act-on-objectives"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "discovery"
}
],
"external_references": [
{
"source_name": "Black Hills Attacking Exchange MailSniper, 2016",
"url": "https://www.blackhillsinfosec.com/attacking-exchange-with-mailsniper/",
"description": "Bullock, B.. (2016, October 3). Attacking Exchange with MailSniper. Retrieved October 6, 2019."
},
{
"source_name": "Black Hills Red Teaming MS AD Azure, 2018",
"url": "https://www.blackhillsinfosec.com/red-teaming-microsoft-part-1-active-directory-leaks-via-azure/",
"description": "Felch, M.. (2018, August 31). Red Teaming Microsoft Part 1 Active Directory Leaks via Azure. Retrieved October 6, 2019."
},
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/575.html",
"external_id": "CAPEC-575"
},
{
"source_name": "GitHub Raindance",
"url": "https://github.com/True-Demon/raindance",
"description": "Stringer, M.. (2018, November 21). RainDance. Retrieved October 6, 2019."
},
{
"source_name": "Microsoft AZ CLI",
"url": "https://docs.microsoft.com/en-us/cli/azure/ad/user?view=azure-cli-latest",
"description": "Microsoft. (n.d.). az ad user. Retrieved October 6, 2019."
},
{
"source_name": "Microsoft getglobaladdresslist",
"url": "https://docs.microsoft.com/en-us/powershell/module/exchange/email-addresses-and-address-books/get-globaladdresslist",
"description": "Microsoft. (n.d.). Get-GlobalAddressList. Retrieved October 6, 2019."
},
{
"source_name": "Microsoft msolrolemember",
"url": "https://docs.microsoft.com/en-us/powershell/module/msonline/get-msolrolemember?view=azureadps-1.0",
"description": "Microsoft. (n.d.). Get-MsolRoleMember. Retrieved October 6, 2019."
},
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1087",
"external_id": "T1087"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_detection": [
"System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1086)."
],
"x_mitre_platforms": [
"Azure AD",
"Linux",
"Office 365",
"Windows",
"macOS"
],
"x_mitre_data_sources": [
"API monitoring",
"Azure activity logs",
"Office 365 account logs",
"Process command-line parameters",
"Process monitoring"
],
"x_mitre_permissions_required": [
"User"
],
"x_mitre_contributors": [
"Microsoft Threat Intelligence Center (MSTIC)",
"Travis Smith, Tripwire"
],
"x_mitre_version": "2.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--7385dfaf-6886-4229-9ecd-6fd678040830",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2018-08-03T19:54:02.821Z",
"modified": "2020-03-18T19:43:38.387Z",
"name": "T1059: Command-Line Interface",
"description": "Command-line interfaces provide a way of interacting with computer systems and is a common feature across many types of operating system platforms. (Citation: Wikipedia Command-Line Interface) One example command-line interface on Windows systems is [cmd](https://attack.mitre.org/software/S0106), which can be used to perform a number of tasks including execution of other software. Command-line interfaces can be interacted with locally or remotely via a remote desktop application, reverse shell session, etc. Commands that are executed run with the current permission level of the command-line interface process unless the command includes process invocation that changes permissions context for that execution (e.g. [Scheduled Task](https://attack.mitre.org/techniques/T1053)).\n\nAdversaries may use command-line interfaces to interact with systems and execute other software during the course of an operation.",
"kill_chain_phases": [
{
"kill_chain_name": "lockheed",
"phase_name": "installation"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
}
],
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1059",
"external_id": "T1059"
},
{
"source_name": "Wikipedia Command-Line Interface",
"url": "https://en.wikipedia.org/wiki/Command-line_interface",
"description": "Wikipedia. (2016, June 26). Command-line interface. Retrieved June 27, 2016."
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_detection": [
"Command-line interface activities can be captured through proper logging of process execution with command-line arguments. This information can be useful in gaining additional insight to adversaries' actions through how they use native processes or custom tools."
],
"x_mitre_platforms": [
"Linux",
"Windows",
"macOS"
],
"x_mitre_data_sources": [
"Process command-line parameters",
"Process monitoring"
],
"x_mitre_permissions_required": [
"Administrator",
"SYSTEM",
"User"
],
"x_mitre_remote_support": "false",
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--7dd95ff6-712e-4056-9626-312ea4ab4c5e",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2018-08-03T19:54:02.821Z",
"modified": "2020-03-18T19:43:41.463Z",
"name": "T1074: Data Staged",
"description": "Collected data is staged in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Data Compressed](https://attack.mitre.org/techniques/T1002) or [Data Encrypted](https://attack.mitre.org/techniques/T1022).\n\nInteractive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.",
"kill_chain_phases": [
{
"kill_chain_name": "lockheed",
"phase_name": "act-on-objectives"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "collection"
}
],
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1074",
"external_id": "T1074"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_detection": [
"Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.\n\nMonitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1086)."
],
"x_mitre_platforms": [
"AWS",
"Azure",
"GCP",
"Linux",
"Windows",
"macOS"
],
"x_mitre_data_sources": [
"File monitoring",
"Process command-line parameters",
"Process monitoring"
],
"x_mitre_contributors": [
"Praetorian",
"Shane Tully, @securitygypsy"
],
"x_mitre_version": "1.1"
},
{
"type": "attack-pattern",
"id": "attack-pattern--8c32eb4d-805f-4fc5-bf60-c4d476c131b5",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2018-08-03T19:54:02.821Z",
"modified": "2020-03-18T19:43:43.952Z",
"name": "T1204: User Execution",
"description": "An adversary may rely upon specific actions by a user in order to gain execution. This may be direct code execution, such as when a user opens a malicious executable delivered via [Spearphishing Attachment](https://attack.mitre.org/techniques/T1193) with the icon and apparent extension of a document file. It also may lead to other execution techniques, such as when a user clicks on a link delivered via [Spearphishing Link](https://attack.mitre.org/techniques/T1192) that leads to exploitation of a browser or application vulnerability via [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203). Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl. \n\nAs an example, an adversary may weaponize Windows Shortcut Files (.lnk) to bait a user into clicking to execute the malicious payload.(Citation: Proofpoint TA505 June 2018) A malicious .lnk file may contain [PowerShell](https://attack.mitre.org/techniques/T1086) commands. Payloads may be included into the .lnk file itself, or be downloaded from a remote server.(Citation: FireEye APT29 Nov 2018)(Citation: PWC Cloud Hopper Technical Annex April 2017) \n\nWhile User Execution frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it.",
"kill_chain_phases": [
{
"kill_chain_name": "lockheed",
"phase_name": "installation"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
}
],
"external_references": [
{
"source_name": "FireEye APT29 Nov 2018",
"url": "https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html",
"description": "Dunwoody, M., et al. (2018, November 19). Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign. Retrieved November 27, 2018."
},
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1204",
"external_id": "T1204"
},
{
"source_name": "Proofpoint TA505 June 2018",
"url": "https://www.proofpoint.com/us/threat-insight/post/ta505-shifts-times",
"description": "Proofpoint Staff. (2018, June 8). TA505 shifts with the times. Retrieved May 28, 2019."
},
{
"source_name": "PWC Cloud Hopper Technical Annex April 2017",
"url": "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf",
"description": "PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017."
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_detection": [
"Monitor the execution of and command-line arguments for applications that may be used by an adversary to gain Initial Access that require user interaction. This includes compression applications, such as those for zip files, that can be used to [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) in payloads.\n\nAnti-virus can potentially detect malicious documents and files that are downloaded and executed on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the file is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning Powershell.exe) for techniques such as [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203) and [Scripting](https://attack.mitre.org/techniques/T1064)."
],
"x_mitre_platforms": [
"Linux",
"Windows",
"macOS"
],
"x_mitre_data_sources": [
"Anti-virus",
"Process command-line parameters",
"Process monitoring"
],
"x_mitre_permissions_required": [
"User"
],
"x_mitre_contributors": [
"Oleg Skulkin, Group-IB"
],
"x_mitre_version": "1.1"
},
{
"type": "attack-pattern",
"id": "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2018-08-03T19:54:02.821Z",
"modified": "2020-03-18T19:43:48.879Z",
"name": "T1057: Process Discovery",
"description": "Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software running on systems within the network. Adversaries may use the information from [Process Discovery](https://attack.mitre.org/techniques/T1057) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\n### Windows\n\nAn example command that would obtain details on processes is \"tasklist\" using the [Tasklist](https://attack.mitre.org/software/S0057) utility.\n\n### Mac and Linux\n\nIn Mac and Linux, this is accomplished with the ps command.",
"kill_chain_phases": [
{
"kill_chain_name": "lockheed",
"phase_name": "act-on-objectives"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "discovery"
}
],
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/573.html",
"external_id": "CAPEC-573"
},
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1057",
"external_id": "T1057"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_detection": [
"System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nNormal, benign system and network events that look like process discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1086)."
],
"x_mitre_platforms": [
"Linux",
"Windows",
"macOS"
],
"x_mitre_data_sources": [
"Process command-line parameters",
"Process monitoring"
],
"x_mitre_permissions_required": [
"Administrator",
"SYSTEM",
"User"
],
"x_mitre_system_requirements": [
"Administrator, SYSTEM may provide better process ownership details"
],
"x_mitre_version": "1.1"
},
{
"type": "attack-pattern",
"id": "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2018-08-03T19:54:02.821Z",
"modified": "2020-03-18T19:43:40.363Z",
"name": "T1041: Exfiltration Over Command and Control Channel",
"description": "Data exfiltration is performed over the Command and Control channel. Data is encoded into the normal communications channel using the same protocol as command and control communications.",
"kill_chain_phases": [
{
"kill_chain_name": "lockheed",
"phase_name": "act-on-objectives"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "exfiltration"
}
],
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1041",
"external_id": "T1041"
},
{
"source_name": "University of Birmingham C2",
"url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf",
"description": "Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016."
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_detection": [
"Detection for command and control applies. Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)"
],
"x_mitre_platforms": [
"Linux",
"Windows",
"macOS"
],
"x_mitre_data_sources": [
"Process monitoring",
"User interface"
],
"x_mitre_network_requirements": [
"true"
],
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2018-08-03T19:54:02.821Z",
"modified": "2020-03-18T19:43:32.243Z",
"name": "T1078: Valid Accounts",
"description": "Adversaries may steal the credentials of a specific user or service account using Credential Access techniques or capture credentials earlier in their reconnaissance process through social engineering for means of gaining Initial Access. \n\nAccounts that an adversary may use can fall into three categories: default, local, and domain accounts. Default accounts are those that are built-into an OS such as Guest or Administrator account on Windows systems or default factory/provider set accounts on other types of systems, software, or devices. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. (Citation: Microsoft Local Accounts Feb 2019) Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.\n\nCompromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.\n\nDefault accounts are also not limited to Guest and Administrator on client machines, they also include accounts that are preset for equipment such as network devices and computer applications whether they are internal, open source, or COTS. Appliances that come preset with a username and password combination pose a serious threat to organizations that do not change it post installation, as they are easy targets for an adversary. Similarly, adversaries may also utilize publicly disclosed private keys, or stolen private keys, to legitimately connect to remote environments via [Remote Services](https://attack.mitre.org/techniques/T1021) (Citation: Metasploit SSH Module)\n\nThe overlap of account access, credentials, and permissions across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) to bypass access controls set within the enterprise. (Citation: TechNet Credential Theft)",
"kill_chain_phases": [
{
"kill_chain_name": "lockheed",
"phase_name": "act-on-objectives"
},
{
"kill_chain_name": "lockheed",
"phase_name": "delivery"
},
{
"kill_chain_name": "lockheed",
"phase_name": "installation"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "initial-access"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
}
],
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/560.html",
"external_id": "CAPEC-560"
},
{
"source_name": "Metasploit SSH Module",
"url": "https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits/linux/ssh",
"description": "undefined. (n.d.). Retrieved April 12, 2019."
},
{
"source_name": "Microsoft Local Accounts Feb 2019",
"url": "https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/local-accounts",
"description": "Microsoft. (2018, December 9). Local Accounts. Retrieved February 11, 2019."
},
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1078",
"external_id": "T1078"
},
{
"source_name": "TechNet Audit Policy",
"url": "https://technet.microsoft.com/en-us/library/dn487457.aspx",
"description": "Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved June 3, 2016."
},
{
"source_name": "TechNet Credential Theft",
"url": "https://technet.microsoft.com/en-us/library/dn535501.aspx",
"description": "Microsoft. (2016, April 15). Attractive Accounts for Credential Theft. Retrieved June 3, 2016."
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_detection": [
"Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services. (Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).\n\nPerform regular audits of domain and local system accounts to detect accounts that may have been created by an adversary for persistence. Checks on these accounts could also include whether default accounts such as Guest have been activated. These audits should also include checks on any appliances and applications for default credentials or SSH keys, and if any are discovered, they should be updated immediately. "
],
"x_mitre_platforms": [
"AWS",
"Azure",
"GCP",
"Linux",
"Office 365",
"SaaS",
"Windows",
"macOS"
],
"x_mitre_data_sources": [
"AWS CloudTrail logs",
"Authentication logs",
"Process monitoring",
"Stackdriver logs"
],
"x_mitre_permissions_required": [
"Administrator",
"User"
],
"x_mitre_effective_permissions": [
"Administrator",
"User"
],
"x_mitre_defense_bypassed": [
"Anti-virus",
"Firewall",
"Host intrusion prevention systems",
"Network intrusion detection system",
"Process whitelisting",
"System access controls"
],
"x_mitre_contributors": [
"Mark Wee",
"Netskope",
"Praetorian"
],
"x_mitre_version": "2.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--b21c3b2d-02e6-45b1-980b-e69051040839",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2018-08-03T19:54:02.821Z",
"modified": "2020-03-18T19:43:22.214Z",
"name": "T1068: Exploitation for Privilege Escalation",
"description": "Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform Privilege Escalation to include use of software exploitation to circumvent those restrictions.\n\nWhen initially gaining access to a system, an adversary may be operating within a lower privileged process which will prevent them from accessing certain resources on the system. Vulnerabilities may exist, usually in operating system components and software commonly running at higher permissions, that can be exploited to gain higher levels of access on the system. This could enable someone to move from unprivileged or user level permissions to SYSTEM or root permissions depending on the component that is vulnerable. This may be a necessary step for an adversary compromising a endpoint system that has been properly configured and limits other privilege escalation methods.",
"kill_chain_phases": [
{
"kill_chain_name": "lockheed",
"phase_name": "act-on-objectives"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
}
],
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1068",
"external_id": "T1068"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_detection": [
"Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash. Also look for behavior on the endpoint system that might indicate successful compromise, such as abnormal behavior of the processes. This could include suspicious files written to disk, evidence of [Process Injection](https://attack.mitre.org/techniques/T1055) for attempts to hide execution or evidence of Discovery.\n\nHigher privileges are often necessary to perform additional actions such as some methods of [Credential Dumping](https://attack.mitre.org/techniques/T1003). Look for additional activity that may indicate an adversary has gained higher privileges."
],
"x_mitre_platforms": [
"Linux",
"Windows",
"macOS"
],
"x_mitre_data_sources": [
"Application logs",
"Process monitoring",
"Windows Error Reporting"
],
"x_mitre_permissions_required": [
"User"
],
"x_mitre_effective_permissions": [
"User"
],
"x_mitre_system_requirements": [
"In the case of privilege escalation, the adversary likely already has user permissions on the target system."
],
"x_mitre_version": "1.1"
},
{
"type": "attack-pattern",
"id": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2018-08-03T19:54:02.821Z",
"modified": "2020-03-18T19:43:47.779Z",
"name": "T1027: Obfuscated Files or Information",
"description": "Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.\n\nPayloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open and [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) for [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016) Adversaries may also used compressed or archived scripts, such as Javascript.\n\nPortions of files can also be encoded to hide the plain-text strings that would otherwise help defenders with discovery. (Citation: Linux/Cdorked.A We Live Security Analysis) Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled. (Citation: Carbon Black Obfuscation Sept 2016)\n\nAdversaries may also obfuscate commands executed from payloads or directly via a [Command-Line Interface](https://attack.mitre.org/techniques/T1059). Environment variables, aliases, characters, and other platform/language specific semantics can be used to evade signature based detections and whitelisting mechanisms. (Citation: FireEye Obfuscation June 2017) (Citation: FireEye Revoke-Obfuscation July 2017) (Citation: PaloAlto EncodedCommand March 2017)\n\nAnother example of obfuscation is through the use of steganography, a technique of hiding messages or code in images, audio tracks, video clips, or text files. One of the first known and reported adversaries that used steganography activity surrounding [Invoke-PSImage](https://attack.mitre.org/software/S0231). The Duqu malware encrypted the gathered information from a victim's system and hid it into an image followed by exfiltrating the image to a C2 server. (Citation: Wikipedia Duqu) By the end of 2017, an adversary group used [Invoke-PSImage](https://attack.mitre.org/software/S0231) to hide PowerShell commands in an image file (png) and execute the code on a victim's system. In this particular case the PowerShell code downloaded another obfuscated script to gather intelligence from the victim's machine and communicate it back to the adversary. (Citation: McAfee Malicious Doc Targets Pyeongchang Olympics)",
"kill_chain_phases": [
{
"kill_chain_name": "lockheed",
"phase_name": "installation"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
}
],
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/267.html",
"external_id": "CAPEC-267"
},
{
"source_name": "Carbon Black Obfuscation Sept 2016",
"url": "https://www.carbonblack.com/2016/09/23/security-advisory-variants-well-known-adware-families-discovered-include-sophisticated-obfuscation-techniques-previously-associated-nation-state-attacks/",
"description": "Tedesco, B. (2016, September 23). Security Alert Summary. Retrieved February 12, 2018."
},
{
"source_name": "FireEye Obfuscation June 2017",
"url": "https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html",
"description": "Bohannon, D. & Carr N. (2017, June 30). Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques. Retrieved February 12, 2018."
},
{
"source_name": "FireEye Revoke-Obfuscation July 2017",
"url": "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/revoke-obfuscation-report.pdf",
"description": "Bohannon, D. & Holmes, L. (2017, July 27). Revoke-Obfuscation: PowerShell Obfuscation Detection Using Science. Retrieved February 12, 2018."
},
{
"source_name": "GitHub Office-Crackros Aug 2016",
"url": "https://github.com/itsreallynick/office-crackros",
"description": "Carr, N. (2016, August 14). OfficeCrackros. Retrieved February 12, 2018."
},
{
"source_name": "GitHub Revoke-Obfuscation",
"url": "https://github.com/danielbohannon/Revoke-Obfuscation",
"description": "Bohannon, D. (2017, July 27). Revoke-Obfuscation. Retrieved February 12, 2018."
},
{
"source_name": "Linux/Cdorked.A We Live Security Analysis",
"url": "https://www.welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/",
"description": "Pierre-Marc Bureau. (2013, April 26). Linux/Cdorked.A: New Apache backdoor being used in the wild to serve Blackhole. Retrieved September 10, 2017."
},
{
"source_name": "McAfee Malicious Doc Targets Pyeongchang Olympics",
"url": "https://securingtomorrow.mcafee.com/mcafee-labs/malicious-document-targets-pyeongchang-olympics/",
"description": "Saavedra-Morales, J., Sherstobitoff, R. (2018, January 6). Malicious Document Targets Pyeongchang Olympics. Retrieved April 10, 2018."
},
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1027",
"external_id": "T1027"
},
{
"source_name": "PaloAlto EncodedCommand March 2017",
"url": "https://researchcenter.paloaltonetworks.com/2017/03/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/",
"description": "White, J. (2017, March 10). Pulling Back the Curtains on EncodedCommand PowerShell Attacks. Retrieved February 12, 2018."
},
{
"source_name": "Volexity PowerDuke November 2016",
"url": "https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/",
"description": "Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017."
},
{
"source_name": "Wikipedia Duqu",
"url": "https://en.wikipedia.org/wiki/Duqu",
"description": "Wikipedia. (2017, December 29). Duqu. Retrieved April 10, 2018."
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_detection": [
"Detection of file obfuscation is difficult unless artifacts are left behind by the obfuscation process that are uniquely detectable with a signature. If detection of the obfuscation itself is not possible, it may be possible to detect the malicious activity that caused the obfuscated file (for example, the method that was used to write, read, or modify the file on the file system).\n\nFlag and analyze commands containing indicators of obfuscation and known suspicious syntax such as uninterpreted escape characters like '''^''' and '''\"'''. Windows' Sysmon and Event ID 4688 displays command-line arguments for processes. Deobfuscation tools can be used to detect these indicators in files/payloads. (Citation: GitHub Revoke-Obfuscation) (Citation: FireEye Revoke-Obfuscation July 2017) (Citation: GitHub Office-Crackros Aug 2016)\n\nObfuscation used in payloads for Initial Access can be detected at the network. Use network intrusion detection systems and email gateway filtering to identify compressed and encrypted attachments and scripts. Some email attachment detonation systems can open compressed and encrypted attachments. Payloads delivered over an encrypted connection from a website require encrypted network traffic inspection."
],
"x_mitre_platforms": [
"Linux",
"Windows",
"macOS"
],
"x_mitre_data_sources": [
"Binary file metadata",
"Email gateway",
"Environment variable",
"File monitoring",
"Malware reverse engineering",
"Network intrusion detection system",
"Network protocol analysis",
"Process command-line parameters",
"Process monitoring",
"Process use of network",
"SSL/TLS inspection",
"Windows event logs"
],
"x_mitre_defense_bypassed": [
"Application whitelisting",
"Host forensic analysis",
"Host intrusion prevention systems",
"Log analysis",
"Process whitelisting",
"Signature-based detection",
"Whitelisting by file name or path"
],
"x_mitre_contributors": [
"Christiaan Beek, @ChristiaanBeek",
"Red Canary"
],
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--c16e5409-ee53-4d79-afdc-4099dc9292df",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2018-08-03T19:54:02.821Z",
"modified": "2020-03-18T19:43:22.411Z",
"name": "T1100: Web Shell",
"description": "A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to use the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server. In addition to a server-side script, a Web shell may have a client interface program that is used to talk to the Web server (see, for example, China Chopper Web shell client). (Citation: Lee 2013)\n\nWeb shells may serve as [Redundant Access](https://attack.mitre.org/techniques/T1108) or as a persistence mechanism in case an adversary's primary access methods are detected and removed.",
"kill_chain_phases": [
{
"kill_chain_name": "lockheed",
"phase_name": "act-on-objectives"
},
{
"kill_chain_name": "lockheed",
"phase_name": "installation"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
}
],
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/650.html",
"external_id": "CAPEC-650"
},
{
"source_name": "Lee 2013",
"url": "https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html",
"description": "Lee, T., Hanzlik, D., Ahl, I. (2013, August 7). Breaking Down the China Chopper Web Shell - Part I. Retrieved March 27, 2015."
},
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1100",
"external_id": "T1100"
},
{
"source_name": "US-CERT Alert TA15-314A Web Shells",
"url": "https://www.us-cert.gov/ncas/alerts/TA15-314A",
"description": "US-CERT. (2015, November 13). Compromised Web Servers and Web Shells - Threat Awareness and Guidance. Retrieved June 8, 2016."
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_detection": [
"Web shells can be difficult to detect. Unlike other forms of persistent remote access, they do not initiate connections. The portion of the Web shell that is on the server may be small and innocuous looking. The PHP version of the China Chopper Web shell, for example, is the following short payload: (Citation: Lee 2013)\n\n