From 106d191d86c4c0d8c173b215f6ce5400bc866ea0 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 20 Mar 2024 16:59:34 +0000
Subject: [PATCH 1/3] Bump black from 22.3.0 to 24.3.0

Bumps [black](https://github.com/psf/black) from 22.3.0 to 24.3.0.
- [Release notes](https://github.com/psf/black/releases)
- [Changelog](https://github.com/psf/black/blob/main/CHANGES.md)
- [Commits](https://github.com/psf/black/compare/22.3.0...24.3.0)

---
updated-dependencies:
- dependency-name: black
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot]
---
 requirements.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/requirements.txt b/requirements.txt
index b2a6478b62b..95df85b5859 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -16,7 +16,7 @@ towncrier==22.12.0
 webassets==2.0
 # dev dependencies
-black==22.3.0
+black==24.3.0
 isort==5.12.0
 pylint==2.17.2
 ruff>=0.0.277

From bcaf40524e070a018783a8ae21d124141c252842 Mon Sep 17 00:00:00 2001
From: Charissa Miller <48832936+clemiller@users.noreply.github.com>
Date: Mon, 29 Apr 2024 15:00:50 -0400
Subject: [PATCH 2/3] Update gh-pages.yml

---
 .github/workflows/gh-pages.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml
index ac96d571eb0..0939a02e9c5 100644
--- a/.github/workflows/gh-pages.yml
+++ b/.github/workflows/gh-pages.yml
@@ -69,6 +69,6 @@ jobs:
 uses: peaceiris/actions-gh-pages@v3
 if: ${{ github.ref == 'refs/heads/master' }}
 with:
-github_token: ${{ secrets.GITHUB_TOKEN }}
+deploy_key: ${{ secrets.DEPLOY_KEY }}
 publish_dir: ./output
 cname: attack.mitre.org

From d339f6dc6d98e457a0cc8c1fdd746721e6895f1c Mon Sep 17 00:00:00 2001
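Review bot: The new `deploy_key: ${{ secrets.DEPLOY_KEY }}` line hands a long-lived SSH private key to a third-party action that the unchanged context line still references by the mutable tag `peaceiris/actions-gh-pages@v3`, whereas the replaced `GITHUB_TOKEN` was job-scoped and expired when the run ended; with a persistent credential in play the action should be pinned to a full commit SHA, e.g. `uses: peaceiris/actions-gh-pages@<40-char sha> # v3`, so a moved tag cannot be used to exfiltrate the key. The commit message ("Update gh-pages.yml") does not record why the token no longer suffices (presumably a publish target the token cannot write to, but no `external_repository` is visible in the hunk), so a comment above the new line such as `# DEPLOY_KEY: write-enabled deploy key for the pages target; rotate immediately if the secret or a workflow run is exposed` would help the next maintainer. Confirm that the matching public key is registered as a deploy key with write access only on the repository this step publishes to, and consider attaching the secret to a GitHub environment rather than the whole repository so forks and unrelated jobs cannot read it. The step's `- name:` and the job's trigger/permissions block lie before the hunk.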
From: Jared Ondricek
Date: Thu, 2 May 2024 10:18:24 -0500
Subject: [PATCH 3/3] Update website for v15.1

---
 CHANGELOG.md | 7 +
 data/versions.json | 4 +-
 .../v15.0-v15.1/changelog-detailed.html | 215 +++
 .../changelogs/v15.0-v15.1/changelog.json | 1230 +++++++++++++++++
 .../v15.0-v15.1/layer-enterprise.json | 160 +++
 .../changelogs/v15.0-v15.1/layer-ics.json | 54 +
 .../changelogs/v15.0-v15.1/layer-mobile.json | 54 +
 .../static_pages/updates-april-2024.md | 2 +-
 pyproject.toml | 2 +-
 requirements.txt | 2 +-
 10 files changed, 1725 insertions(+), 5 deletions(-)
 create mode 100644 modules/resources/docs/changelogs/v15.0-v15.1/changelog-detailed.html
 create mode 100644 modules/resources/docs/changelogs/v15.0-v15.1/changelog.json
 create mode 100644 modules/resources/docs/changelogs/v15.0-v15.1/layer-enterprise.json
 create mode 100644 modules/resources/docs/changelogs/v15.0-v15.1/layer-ics.json
 create mode 100644 modules/resources/docs/changelogs/v15.0-v15.1/layer-mobile.json

diff --git a/CHANGELOG.md b/CHANGELOG.md
index eacf05c21d9..3fd27eb55fd 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,10 @@
+# v4.1.3 (2024-05-02)
+---------------------
+
+* Release ATT&CK content version 15.1.
+ See detailed changes [here](https://github.com/mitre/cti/releases/tag/ATT%26CK-v15.1).
+
+
 # v4.1.2 (2024-04-23)
 ---------------------
diff --git a/data/versions.json b/data/versions.json
index f66672ac019..b08fa0cdd02 100644
--- a/data/versions.json
+++ b/data/versions.json
@@ -1,9 +1,9 @@
 {
 "current": {
-"name": "v15.0",
+"name": "v15.1",
 "date_start": "April 23, 2024",
 "changelog": "updates-april-2024",
-"cti_url": "https://github.com/mitre/cti/releases/tag/ATT%26CK-v15.0"
+"cti_url": "https://github.com/mitre/cti/releases/tag/ATT%26CK-v15.1"
 },
 "previous": [
 {
diff --git a/modules/resources/docs/changelogs/v15.0-v15.1/changelog-detailed.html b/modules/resources/docs/changelogs/v15.0-v15.1/changelog-detailed.html
new file mode 100644
index 00000000000..ec8ac77360d
--- /dev/null +++ b/modules/resources/docs/changelogs/v15.0-v15.1/changelog-detailed.html @@ -0,0 +1,215 @@ + + + + ATT&CK Changes + + + + +

ATT&CK Changes Between v15.0 and v15.1

Key

+ + + + +
+ + + + + +
Colors for description field
Added
Changed
Deleted
+
+

Additional formats

+

These ATT&CK Navigator layer files can be uploaded to ATT&CK Navigator manually.

+ +

This JSON file contains the machine readble output used to create this page: changelog.json

+

Techniques

enterprise-attack

Patches

[T1574.014] Hijack Execution Flow: AppDomainManager

Current version: 1.0

Details
values_changed
STIX FieldOld valueNew Value
modified2024-04-18 15:03:32.158000+00:002024-04-28 15:44:25.342000+00:00
x_mitre_contributors[1]Ivy BostockIvy Drexel

[T1550.001] Use Alternate Authentication Material: Application Access Token

Current version: 1.6

Details
values_changed
STIX FieldOld valueNew Value
modified2024-04-12 21:18:28.848000+00:002024-04-28 15:43:18.080000+00:00
iterable_item_added
STIX FieldOld valueNew Value
x_mitre_contributorsPawel Partyka, Microsoft Threat Intelligence

[T1059.010] Command and Scripting Interpreter: AutoHotKey & AutoIT

Current version: 1.0

+ + + + + + + + + + + + + + + + + + + + + + +

Old Description
New Description
t1Adversaries may execute commands and perform malicious taskst1Adversaries may execute commands and perform malicious tasks
> using AutoIT and AutoHotKey automation scripts. AutoIT and > using AutoIT and AutoHotKey automation scripts. AutoIT and 
>AutoHotkey (AHK) are scripting languages that enable users t>AutoHotkey (AHK) are scripting languages that enable users t
>o automate Windows tasks. These automation scripts can be us>o automate Windows tasks. These automation scripts can be us
>ed to perform a wide variety of actions, such as clicking on>ed to perform a wide variety of actions, such as clicking on
> buttons, entering text, and opening and closing programs.(C> buttons, entering text, and opening and closing programs.(C
>itation: AutoIT)(Citation: AutoHotKey)  Adversaries may use >itation: AutoIT)(Citation: AutoHotKey)  Adversaries may use 
>AHK (`.ahk`) and AutoIT (`.au3`) scripts to execute maliciou>AHK (`.ahk`) and AutoIT (`.au3`) scripts to execute maliciou
>s code on a victim's system. For example, adversaries have u>s code on a victim's system. For example, adversaries have u
>sed for AHK to execute payloads and other modular malware su>sed for AHK to execute payloads and other modular malware su
>ch as keyloggers. Adversaries have also used custom AHK file>ch as keyloggers. Adversaries have also used custom AHK file
>s containing embedded malware as [Phishing](https://attack.m>s containing embedded malware as [Phishing](https://attack.m
>itre.org/techniques/T1566) payloads.(Citation: Splunk DarkGa>itre.org/techniques/T1566) payloads.(Citation: Splunk DarkGa
>te)  These scripts may also be compiled into self-contained >te)  These scripts may also be compiled into self-contained 
>exectuable payloads (`.exe`).(Citation: AutoIT)(Citation: Au>executable payloads (`.exe`).(Citation: AutoIT)(Citation: Au
>toHotKey)>toHotKey)
Details
values_changed
STIX FieldOld valueNew Value
modified2024-04-10 16:05:22.456000+00:002024-04-28 15:58:48.119000+00:00
descriptionAdversaries may execute commands and perform malicious tasks using AutoIT and AutoHotKey automation scripts. AutoIT and AutoHotkey (AHK) are scripting languages that enable users to automate Windows tasks. These automation scripts can be used to perform a wide variety of actions, such as clicking on buttons, entering text, and opening and closing programs.(Citation: AutoIT)(Citation: AutoHotKey) + +Adversaries may use AHK (`.ahk`) and AutoIT (`.au3`) scripts to execute malicious code on a victim's system. For example, adversaries have used for AHK to execute payloads and other modular malware such as keyloggers. Adversaries have also used custom AHK files containing embedded malware as [Phishing](https://attack.mitre.org/techniques/T1566) payloads.(Citation: Splunk DarkGate) + +These scripts may also be compiled into self-contained exectuable payloads (`.exe`).(Citation: AutoIT)(Citation: AutoHotKey)Adversaries may execute commands and perform malicious tasks using AutoIT and AutoHotKey automation scripts. AutoIT and AutoHotkey (AHK) are scripting languages that enable users to automate Windows tasks. These automation scripts can be used to perform a wide variety of actions, such as clicking on buttons, entering text, and opening and closing programs.(Citation: AutoIT)(Citation: AutoHotKey) + +Adversaries may use AHK (`.ahk`) and AutoIT (`.au3`) scripts to execute malicious code on a victim's system. For example, adversaries have used for AHK to execute payloads and other modular malware such as keyloggers. Adversaries have also used custom AHK files containing embedded malware as [Phishing](https://attack.mitre.org/techniques/T1566) payloads.(Citation: Splunk DarkGate) + +These scripts may also be compiled into self-contained executable payloads (`.exe`).(Citation: AutoIT)(Citation: AutoHotKey)
x_mitre_contributors[4]Monty@_montysecurity

[T1574.001] Hijack Execution Flow: DLL Search Order Hijacking

Current version: 1.2

Details
values_changed
STIX FieldOld valueNew Value
modified2024-04-18 22:54:54.668000+00:002024-04-28 15:51:58.945000+00:00
x_mitre_contributors[3]Will AlexanderAmi Holeston, CrowdStrike
x_mitre_contributors[4]Ami HolestonWill Alexander, CrowdStrike

[T1583.001] Acquire Infrastructure: Domains

Current version: 1.3

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Old Description
New Description
t1Adversaries may acquire domains that can be used during targt1Adversaries may acquire domains that can be used during targ
>eting. Domain names are the human readable names used to rep>eting. Domain names are the human readable names used to rep
>resent one or more IP addresses. They can be purchased or, i>resent one or more IP addresses. They can be purchased or, i
>n some cases, acquired for free.  Adversaries may use acquir>n some cases, acquired for free.  Adversaries may use acquir
>ed domains for a variety of purposes, including for [Phishin>ed domains for a variety of purposes, including for [Phishin
>g](https://attack.mitre.org/techniques/T1566), [Drive-by Com>g](https://attack.mitre.org/techniques/T1566), [Drive-by Com
>promise](https://attack.mitre.org/techniques/T1189), and Com>promise](https://attack.mitre.org/techniques/T1189), and Com
>mand and Control.(Citation: CISA MSS Sep 2020) Adversaries m>mand and Control.(Citation: CISA MSS Sep 2020) Adversaries m
>ay choose domains that are similar to legitimate domains, in>ay choose domains that are similar to legitimate domains, in
>cluding through use of homoglyphs or use of a different top->cluding through use of homoglyphs or use of a different top-
>level domain (TLD).(Citation: FireEye APT28)(Citation: Paypa>level domain (TLD).(Citation: FireEye APT28)(Citation: Paypa
>lScam) Typosquatting may be used to aid in delivery of paylo>lScam) Typosquatting may be used to aid in delivery of paylo
>ads via [Drive-by Compromise](https://attack.mitre.org/techn>ads via [Drive-by Compromise](https://attack.mitre.org/techn
>iques/T1189). Adversaries may also use internationalized dom>iques/T1189). Adversaries may also use internationalized dom
>ain names (IDNs) and different character sets (e.g. Cyrillic>ain names (IDNs) and different character sets (e.g. Cyrillic
>, Greek, etc.) to execute "IDN homograph attacks," creating >, Greek, etc.) to execute "IDN homograph attacks," creating 
>visually similar lookalike domains used to deliver malware t>visually similar lookalike domains used to deliver malware t
>o victim machines.(Citation: CISA IDN ST05-016)(Citation: tt>o victim machines.(Citation: CISA IDN ST05-016)(Citation: tt
>_httrack_fake_domains)(Citation: tt_obliqueRAT)(Citation: ht>_httrack_fake_domains)(Citation: tt_obliqueRAT)(Citation: ht
>track_unhcr)(Citation: lazgroup_idn_phishing) Different URIs>track_unhcr)(Citation: lazgroup_idn_phishing)  Different URI
>/URLs may also be dynamically generated to uniquely serve ma>s/URLs may also be dynamically generated to uniquely serve m
>licious content to victims.(Citation: iOS URL Scheme)(Citati>alicious content to victims (including one-time, single use 
>on: URI)(Citation: URI Use)(Citation: URI Unique)  Adversari>domain names).(Citation: iOS URL Scheme)(Citation: URI)(Cita
>es may also acquire and repurpose expired domains, which may>tion: URI Use)(Citation: URI Unique)  Adversaries may also a
> be potentially already allowlisted/trusted by defenders bas>cquire and repurpose expired domains, which may be potential
>ed on an existing reputation/history.(Citation: Categorisati>ly already allowlisted/trusted by defenders based on an exis
>on_not_boundary)(Citation: Domain_Steal_CC)(Citation: Redire>ting reputation/history.(Citation: Categorisation_not_bounda
>ctors_Domain_Fronting)(Citation: bypass_webproxy_filtering) >ry)(Citation: Domain_Steal_CC)(Citation: Redirectors_Domain_
> Domain registrars each maintain a publicly viewable databas>Fronting)(Citation: bypass_webproxy_filtering)  Domain regis
>e that displays contact information for every registered dom>trars each maintain a publicly viewable database that displa
>ain. Private WHOIS services display alternative information,>ys contact information for every registered domain. Private 
> such as their own company data, rather than the owner of th>WHOIS services display alternative information, such as thei
>e domain. Adversaries may use such private WHOIS services to>r own company data, rather than the owner of the domain. Adv
> obscure information about who owns a purchased domain. Adve>ersaries may use such private WHOIS services to obscure info
>rsaries may further interrupt efforts to track their infrast>rmation about who owns a purchased domain. Adversaries may f
>ructure by using varied registration information and purchas>urther interrupt efforts to track their infrastructure by us
>ing domains with different domain registrars.(Citation: Mand>ing varied registration information and purchasing domains w
>iant APT1)>ith different domain registrars.(Citation: Mandiant APT1)
Details
values_changed
STIX FieldOld valueNew Value
modified2024-04-13 14:03:04.511000+00:002024-04-28 15:55:55.068000+00:00
descriptionAdversaries may acquire domains that can be used during targeting. Domain names are the human readable names used to represent one or more IP addresses. They can be purchased or, in some cases, acquired for free. + +Adversaries may use acquired domains for a variety of purposes, including for [Phishing](https://attack.mitre.org/techniques/T1566), [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), and Command and Control.(Citation: CISA MSS Sep 2020) Adversaries may choose domains that are similar to legitimate domains, including through use of homoglyphs or use of a different top-level domain (TLD).(Citation: FireEye APT28)(Citation: PaypalScam) Typosquatting may be used to aid in delivery of payloads via [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). Adversaries may also use internationalized domain names (IDNs) and different character sets (e.g. Cyrillic, Greek, etc.) to execute "IDN homograph attacks," creating visually similar lookalike domains used to deliver malware to victim machines.(Citation: CISA IDN ST05-016)(Citation: tt_httrack_fake_domains)(Citation: tt_obliqueRAT)(Citation: httrack_unhcr)(Citation: lazgroup_idn_phishing) Different URIs/URLs may also be dynamically generated to uniquely serve malicious content to victims.(Citation: iOS URL Scheme)(Citation: URI)(Citation: URI Use)(Citation: URI Unique) + +Adversaries may also acquire and repurpose expired domains, which may be potentially already allowlisted/trusted by defenders based on an existing reputation/history.(Citation: Categorisation_not_boundary)(Citation: Domain_Steal_CC)(Citation: Redirectors_Domain_Fronting)(Citation: bypass_webproxy_filtering) + +Domain registrars each maintain a publicly viewable database that displays contact information for every registered domain. Private WHOIS services display alternative information, such as their own company data, rather than the owner of the domain. 
Adversaries may use such private WHOIS services to obscure information about who owns a purchased domain. Adversaries may further interrupt efforts to track their infrastructure by using varied registration information and purchasing domains with different domain registrars.(Citation: Mandiant APT1)Adversaries may acquire domains that can be used during targeting. Domain names are the human readable names used to represent one or more IP addresses. They can be purchased or, in some cases, acquired for free. + +Adversaries may use acquired domains for a variety of purposes, including for [Phishing](https://attack.mitre.org/techniques/T1566), [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), and Command and Control.(Citation: CISA MSS Sep 2020) Adversaries may choose domains that are similar to legitimate domains, including through use of homoglyphs or use of a different top-level domain (TLD).(Citation: FireEye APT28)(Citation: PaypalScam) Typosquatting may be used to aid in delivery of payloads via [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). Adversaries may also use internationalized domain names (IDNs) and different character sets (e.g. Cyrillic, Greek, etc.) 
to execute "IDN homograph attacks," creating visually similar lookalike domains used to deliver malware to victim machines.(Citation: CISA IDN ST05-016)(Citation: tt_httrack_fake_domains)(Citation: tt_obliqueRAT)(Citation: httrack_unhcr)(Citation: lazgroup_idn_phishing) + +Different URIs/URLs may also be dynamically generated to uniquely serve malicious content to victims (including one-time, single use domain names).(Citation: iOS URL Scheme)(Citation: URI)(Citation: URI Use)(Citation: URI Unique) + +Adversaries may also acquire and repurpose expired domains, which may be potentially already allowlisted/trusted by defenders based on an existing reputation/history.(Citation: Categorisation_not_boundary)(Citation: Domain_Steal_CC)(Citation: Redirectors_Domain_Fronting)(Citation: bypass_webproxy_filtering) + +Domain registrars each maintain a publicly viewable database that displays contact information for every registered domain. Private WHOIS services display alternative information, such as their own company data, rather than the owner of the domain. Adversaries may use such private WHOIS services to obscure information about who owns a purchased domain. Adversaries may further interrupt efforts to track their infrastructure by using varied registration information and purchasing domains with different domain registrars.(Citation: Mandiant APT1)

[T1546.016] Event Triggered Execution: Installer Packages

Current version: 1.1

Details
values_changed
STIX FieldOld valueNew Value
modified2024-04-12 02:23:44.583000+00:002024-04-28 15:52:44.332000+00:00
x_mitre_contributors[1]Alexander RodchenkoRodchenko Aleksandr

[T1608.005] Stage Capabilities: Link Target

Current version: 1.4

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Old Description
New Description
t1Adversaries may put in place resources that are referenced bt1Adversaries may put in place resources that are referenced b
>y a link that can be used during targeting. An adversary may>y a link that can be used during targeting. An adversary may
> rely upon a user clicking a malicious link in order to divu> rely upon a user clicking a malicious link in order to divu
>lge information (including credentials) or to gain execution>lge information (including credentials) or to gain execution
>, as in [Malicious Link](https://attack.mitre.org/techniques>, as in [Malicious Link](https://attack.mitre.org/techniques
>/T1204/001). Links can be used for spearphishing, such as se>/T1204/001). Links can be used for spearphishing, such as se
>nding an email accompanied by social engineering text to coa>nding an email accompanied by social engineering text to coa
>x the user to actively click or copy and paste a URL into a >x the user to actively click or copy and paste a URL into a 
>browser. Prior to a phish for information (as in [Spearphish>browser. Prior to a phish for information (as in [Spearphish
>ing Link](https://attack.mitre.org/techniques/T1598/003)) or>ing Link](https://attack.mitre.org/techniques/T1598/003)) or
> a phish to gain initial access to a system (as in [Spearphi> a phish to gain initial access to a system (as in [Spearphi
>shing Link](https://attack.mitre.org/techniques/T1566/002)),>shing Link](https://attack.mitre.org/techniques/T1566/002)),
> an adversary must set up the resources for a link target fo> an adversary must set up the resources for a link target fo
>r the spearphishing link.   Typically, the resources for a l>r the spearphishing link.   Typically, the resources for a l
>ink target will be an HTML page that may include some client>ink target will be an HTML page that may include some client
>-side script such as [JavaScript](https://attack.mitre.org/t>-side script such as [JavaScript](https://attack.mitre.org/t
>echniques/T1059/007) to decide what content to serve to the >echniques/T1059/007) to decide what content to serve to the 
>user. Adversaries may clone legitimate sites to serve as the>user. Adversaries may clone legitimate sites to serve as the
> link target, this can include cloning of login pages of leg> link target, this can include cloning of login pages of leg
>itimate web services or organization login pages in an effor>itimate web services or organization login pages in an effor
>t to harvest credentials during [Spearphishing Link](https:/>t to harvest credentials during [Spearphishing Link](https:/
>/attack.mitre.org/techniques/T1598/003).(Citation: Malwareby>/attack.mitre.org/techniques/T1598/003).(Citation: Malwareby
>tes Silent Librarian October 2020)(Citation: Proofpoint TA40>tes Silent Librarian October 2020)(Citation: Proofpoint TA40
>7 September 2019) Adversaries may also [Upload Malware](http>7 September 2019) Adversaries may also [Upload Malware](http
>s://attack.mitre.org/techniques/T1608/001) and have the link>s://attack.mitre.org/techniques/T1608/001) and have the link
> target point to malware for download/execution by the user.> target point to malware for download/execution by the user.
>  Adversaries may purchase domains similar to legitimate dom>  Adversaries may purchase domains similar to legitimate dom
>ains (ex: homoglyphs, typosquatting, different top-level dom>ains (ex: homoglyphs, typosquatting, different top-level dom
>ain, etc.) during acquisition of infrastructure ([Domains](h>ain, etc.) during acquisition of infrastructure ([Domains](h
>ttps://attack.mitre.org/techniques/T1583/001)) to help facil>ttps://attack.mitre.org/techniques/T1583/001)) to help facil
>itate [Malicious Link](https://attack.mitre.org/techniques/T>itate [Malicious Link](https://attack.mitre.org/techniques/T
>1204/001).  Links can be written by adversaries to mask the >1204/001).  Links can be written by adversaries to mask the 
>true destination in order to deceive victims by abusing the >true destination in order to deceive victims by abusing the 
>URL schema and increasing the effectiveness of phishing.(Cit>URL schema and increasing the effectiveness of phishing.(Cit
>ation: Kaspersky-masking)(Citation: mandiant-masking)  Adver>ation: Kaspersky-masking)(Citation: mandiant-masking)  Adver
>saries may also use free or paid accounts on link shortening>saries may also use free or paid accounts on link shortening
> services and Platform-as-a-Service providers to host link t> services and Platform-as-a-Service providers to host link t
>argets while taking advantage of the widely trusted domains >argets while taking advantage of the widely trusted domains 
>of those providers to avoid being blocked while redirecting >of those providers to avoid being blocked while redirecting 
>victims to malicious pages.(Citation: Netskope GCP Redirecti>victims to malicious pages.(Citation: Netskope GCP Redirecti
>on)(Citation: Netskope Cloud Phishing)(Citation: Intezer App>on)(Citation: Netskope Cloud Phishing)(Citation: Intezer App
> Service Phishing)(Citation: Cofense-redirect) In addition, > Service Phishing)(Citation: Cofense-redirect) In addition, 
>adversaries may serve a variety of malicious links through u>adversaries may serve a variety of malicious links through u
>niquely generated URIs/URLs.(Citation: iOS URL Scheme)(Citat>niquely generated URIs/URLs (including one-time, single use 
>ion: URI)(Citation: URI Use)(Citation: URI Unique) Finally, >links).(Citation: iOS URL Scheme)(Citation: URI)(Citation: U
>adversaries may take advantage of the decentralized nature o>RI Use)(Citation: URI Unique) Finally, adversaries may take 
>f the InterPlanetary File System (IPFS) to host link targets>advantage of the decentralized nature of the InterPlanetary 
> that are difficult to remove.(Citation: Talos IPFS 2022)>File System (IPFS) to host link targets that are difficult t
 >o remove.(Citation: Talos IPFS 2022)
Details
values_changed
STIX FieldOld valueNew Value
modified2024-04-13 14:03:24.673000+00:002024-04-28 15:57:26.842000+00:00
descriptionAdversaries may put in place resources that are referenced by a link that can be used during targeting. An adversary may rely upon a user clicking a malicious link in order to divulge information (including credentials) or to gain execution, as in [Malicious Link](https://attack.mitre.org/techniques/T1204/001). Links can be used for spearphishing, such as sending an email accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser. Prior to a phish for information (as in [Spearphishing Link](https://attack.mitre.org/techniques/T1598/003)) or a phish to gain initial access to a system (as in [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002)), an adversary must set up the resources for a link target for the spearphishing link. + +Typically, the resources for a link target will be an HTML page that may include some client-side script such as [JavaScript](https://attack.mitre.org/techniques/T1059/007) to decide what content to serve to the user. Adversaries may clone legitimate sites to serve as the link target, this can include cloning of login pages of legitimate web services or organization login pages in an effort to harvest credentials during [Spearphishing Link](https://attack.mitre.org/techniques/T1598/003).(Citation: Malwarebytes Silent Librarian October 2020)(Citation: Proofpoint TA407 September 2019) Adversaries may also [Upload Malware](https://attack.mitre.org/techniques/T1608/001) and have the link target point to malware for download/execution by the user. + +Adversaries may purchase domains similar to legitimate domains (ex: homoglyphs, typosquatting, different top-level domain, etc.) during acquisition of infrastructure ([Domains](https://attack.mitre.org/techniques/T1583/001)) to help facilitate [Malicious Link](https://attack.mitre.org/techniques/T1204/001). 
+ +Links can be written by adversaries to mask the true destination in order to deceive victims by abusing the URL schema and increasing the effectiveness of phishing.(Citation: Kaspersky-masking)(Citation: mandiant-masking) + +Adversaries may also use free or paid accounts on link shortening services and Platform-as-a-Service providers to host link targets while taking advantage of the widely trusted domains of those providers to avoid being blocked while redirecting victims to malicious pages.(Citation: Netskope GCP Redirection)(Citation: Netskope Cloud Phishing)(Citation: Intezer App Service Phishing)(Citation: Cofense-redirect) In addition, adversaries may serve a variety of malicious links through uniquely generated URIs/URLs.(Citation: iOS URL Scheme)(Citation: URI)(Citation: URI Use)(Citation: URI Unique) Finally, adversaries may take advantage of the decentralized nature of the InterPlanetary File System (IPFS) to host link targets that are difficult to remove.(Citation: Talos IPFS 2022)Adversaries may put in place resources that are referenced by a link that can be used during targeting. An adversary may rely upon a user clicking a malicious link in order to divulge information (including credentials) or to gain execution, as in [Malicious Link](https://attack.mitre.org/techniques/T1204/001). Links can be used for spearphishing, such as sending an email accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser. Prior to a phish for information (as in [Spearphishing Link](https://attack.mitre.org/techniques/T1598/003)) or a phish to gain initial access to a system (as in [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002)), an adversary must set up the resources for a link target for the spearphishing link. 
+ +Typically, the resources for a link target will be an HTML page that may include some client-side script such as [JavaScript](https://attack.mitre.org/techniques/T1059/007) to decide what content to serve to the user. Adversaries may clone legitimate sites to serve as the link target, this can include cloning of login pages of legitimate web services or organization login pages in an effort to harvest credentials during [Spearphishing Link](https://attack.mitre.org/techniques/T1598/003).(Citation: Malwarebytes Silent Librarian October 2020)(Citation: Proofpoint TA407 September 2019) Adversaries may also [Upload Malware](https://attack.mitre.org/techniques/T1608/001) and have the link target point to malware for download/execution by the user. + +Adversaries may purchase domains similar to legitimate domains (ex: homoglyphs, typosquatting, different top-level domain, etc.) during acquisition of infrastructure ([Domains](https://attack.mitre.org/techniques/T1583/001)) to help facilitate [Malicious Link](https://attack.mitre.org/techniques/T1204/001). 
+ +Links can be written by adversaries to mask the true destination in order to deceive victims by abusing the URL schema and increasing the effectiveness of phishing.(Citation: Kaspersky-masking)(Citation: mandiant-masking) + +Adversaries may also use free or paid accounts on link shortening services and Platform-as-a-Service providers to host link targets while taking advantage of the widely trusted domains of those providers to avoid being blocked while redirecting victims to malicious pages.(Citation: Netskope GCP Redirection)(Citation: Netskope Cloud Phishing)(Citation: Intezer App Service Phishing)(Citation: Cofense-redirect) In addition, adversaries may serve a variety of malicious links through uniquely generated URIs/URLs (including one-time, single use links).(Citation: iOS URL Scheme)(Citation: URI)(Citation: URI Use)(Citation: URI Unique) Finally, adversaries may take advantage of the decentralized nature of the InterPlanetary File System (IPFS) to host link targets that are difficult to remove.(Citation: Talos IPFS 2022)

[T1550] Use Alternate Authentication Material

Current version: 1.3

Details
values_changed
STIX FieldOld valueNew Value
modified2024-04-12 21:18:23.798000+00:002024-04-28 15:43:30.271000+00:00
iterable_item_added
STIX FieldOld valueNew Value
x_mitre_contributorsPawel Partyka, Microsoft Threat Intelligence

Software

enterprise-attack

Patches

[S0016] P2P ZeuS

Current version: 1.1

Details
dictionary_item_added
STIX FieldOld valueNew Value
x_mitre_deprecatedFalse
values_changed
STIX FieldOld valueNew Value
modified2020-03-30 17:14:31.945000+00:002024-04-24 19:08:50.637000+00:00
external_references[1]['description']SecureWorks. (2013). The Lifecycle of Peer-to-Peer (Gameover) ZeuS. Retrieved August 19, 2015.SecureWorks. (2012). The Lifecycle of Peer-to-Peer (Gameover) ZeuS. Retrieved August 19, 2015.
external_references[1]['url']http://www.secureworks.com/cyber-threat-intelligence/threats/The_Lifecycle_of_Peer_to_Peer_Gameover_ZeuS/https://www.secureworks.com/research/The-Lifecycle-of-Peer-to-Peer-Gameover-ZeuS
x_mitre_attack_spec_version2.1.03.2.0
+ + + \ No newline at end of file diff --git a/modules/resources/docs/changelogs/v15.0-v15.1/changelog.json b/modules/resources/docs/changelogs/v15.0-v15.1/changelog.json new file mode 100644 index 00000000000..707387b794a --- /dev/null +++ b/modules/resources/docs/changelogs/v15.0-v15.1/changelog.json 
@@ -0,0 +1,1230 @@ +{ + "enterprise-attack": { + "techniques": { + "additions": [], + "major_version_changes": [], + "minor_version_changes": [], + "other_version_changes": [], + "patches": [ + { + "type": "attack-pattern", + "id": "attack-pattern--40f5caa0-4cb7-4117-89fc-d421bb493df3", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-30 17:09:31.878000+00:00", + "modified": "2024-04-28 15:55:55.068000+00:00", + "name": "Domains", + "description": "Adversaries may acquire domains that can be used during targeting. Domain names are the human readable names used to represent one or more IP addresses. They can be purchased or, in some cases, acquired for free.\n\nAdversaries may use acquired domains for a variety of purposes, including for [Phishing](https://attack.mitre.org/techniques/T1566), [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), and Command and Control.(Citation: CISA MSS Sep 2020) Adversaries may choose domains that are similar to legitimate domains, including through use of homoglyphs or use of a different top-level domain (TLD).(Citation: FireEye APT28)(Citation: PaypalScam) Typosquatting may be used to aid in delivery of payloads via [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). Adversaries may also use internationalized domain names (IDNs) and different character sets (e.g. Cyrillic, Greek, etc.) 
to execute \"IDN homograph attacks,\" creating visually similar lookalike domains used to deliver malware to victim machines.(Citation: CISA IDN ST05-016)(Citation: tt_httrack_fake_domains)(Citation: tt_obliqueRAT)(Citation: httrack_unhcr)(Citation: lazgroup_idn_phishing)\n\nDifferent URIs/URLs may also be dynamically generated to uniquely serve malicious content to victims (including one-time, single use domain names).(Citation: iOS URL Scheme)(Citation: URI)(Citation: URI Use)(Citation: URI Unique)\n\nAdversaries may also acquire and repurpose expired domains, which may be potentially already allowlisted/trusted by defenders based on an existing reputation/history.(Citation: Categorisation_not_boundary)(Citation: Domain_Steal_CC)(Citation: Redirectors_Domain_Fronting)(Citation: bypass_webproxy_filtering)\n\nDomain registrars each maintain a publicly viewable database that displays contact information for every registered domain. Private WHOIS services display alternative information, such as their own company data, rather than the owner of the domain. Adversaries may use such private WHOIS services to obscure information about who owns a purchased domain. Adversaries may further interrupt efforts to track their infrastructure by using varied registration information and purchasing domains with different domain registrars.(Citation: Mandiant APT1)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "resource-development" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1583/001", + "external_id": "T1583.001" + }, + { + "source_name": "URI Unique", + "description": "Australian Cyber Security Centre. National Security Agency. (2020, April 21). Detect and Prevent Web Shell Malware. 
Retrieved February 9, 2024.", + "url": "https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF" + }, + { + "source_name": "PaypalScam", + "description": "Bob Sullivan. (2000, July 24). PayPal alert! Beware the 'PaypaI' scam. Retrieved March 2, 2017.", + "url": "https://www.zdnet.com/article/paypal-alert-beware-the-paypai-scam-5000109103/" + }, + { + "source_name": "CISA IDN ST05-016", + "description": "CISA. (2019, September 27). Security Tip (ST05-016): Understanding Internationalized Domain Names. Retrieved October 20, 2020.", + "url": "https://us-cert.cisa.gov/ncas/tips/ST05-016" + }, + { + "source_name": "CISA MSS Sep 2020", + "description": "CISA. (2020, September 14). Alert (AA20-258A): Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity. Retrieved October 1, 2020.", + "url": "https://us-cert.cisa.gov/ncas/alerts/aa20-258a" + }, + { + "source_name": "bypass_webproxy_filtering", + "description": "Fehrman, B. (2017, April 13). How to Bypass Web-Proxy Filtering. Retrieved September 20, 2019.", + "url": "https://www.blackhillsinfosec.com/bypass-web-proxy-filtering/" + }, + { + "source_name": "FireEye APT28", + "description": "FireEye. (2015). APT28: A WINDOW INTO RUSSIA\u2019S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.", + "url": "https://web.archive.org/web/20151022204649/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf" + }, + { + "source_name": "Domain_Steal_CC", + "description": "Krebs, B. (2018, November 13). That Domain You Forgot to Renew? Yeah, it\u2019s Now Stealing Credit Cards. Retrieved September 20, 2019.", + "url": "https://krebsonsecurity.com/2018/11/that-domain-you-forgot-to-renew-yeah-its-now-stealing-credit-cards/" + }, + { + "source_name": "tt_obliqueRAT", + "description": "Malhotra, A., McKay, K. et al. (2021, May 13). Transparent Tribe APT expands its Windows malware arsenal . 
Retrieved July 29, 2022.", + "url": "https://blog.talosintelligence.com/2021/05/transparent-tribe-infra-and-targeting.html" + }, + { + "source_name": "tt_httrack_fake_domains", + "description": "Malhotra, A., Thattil, J. et al. (2022, March 29). Transparent Tribe campaign uses new bespoke malware to target Indian government officials . Retrieved September 6, 2022.", + "url": "https://blog.talosintelligence.com/2022/03/transparent-tribe-new-campaign.html" + }, + { + "source_name": "Mandiant APT1", + "description": "Mandiant. (n.d.). APT1 Exposing One of China\u2019s Cyber Espionage Units. Retrieved July 18, 2016.", + "url": "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf" + }, + { + "source_name": "Categorisation_not_boundary", + "description": "MDSec Research. (2017, July). Categorisation is not a Security Boundary. Retrieved September 20, 2019.", + "url": "https://www.mdsec.co.uk/2017/07/categorisation-is-not-a-security-boundary/" + }, + { + "source_name": "URI", + "description": "Michael Cobb. (2007, October 11). Preparing for uniform resource identifier (URI) exploits. Retrieved February 9, 2024.", + "url": "https://www.techtarget.com/searchsecurity/tip/Preparing-for-uniform-resource-identifier-URI-exploits" + }, + { + "source_name": "Redirectors_Domain_Fronting", + "description": "Mudge, R. (2017, February 6). High-reputation Redirectors and Domain Fronting. Retrieved July 11, 2022.", + "url": "https://www.cobaltstrike.com/blog/high-reputation-redirectors-and-domain-fronting/" + }, + { + "source_name": "URI Use", + "description": "Nathan McFeters. Billy Kim Rios. Rob Carter.. (2008). URI Use and Abuse. Retrieved February 9, 2024.", + "url": "https://www.blackhat.com/presentations/bh-dc-08/McFeters-Rios-Carter/Presentation/bh-dc-08-mcfeters-rios-carter.pdf" + }, + { + "source_name": "iOS URL Scheme", + "description": "Ostorlab. (n.d.). iOS URL Scheme Hijacking. 
Retrieved February 9, 2024.", + "url": "https://docs.ostorlab.co/kb/IPA_URL_SCHEME_HIJACKING/index.html" + }, + { + "source_name": "lazgroup_idn_phishing", + "description": "RISKIQ. (2017, December 20). Mining Insights: Infrastructure Analysis of Lazarus Group Cyber Attacks on the Cryptocurrency Industry. Retrieved July 29, 2022.", + "url": "https://web.archive.org/web/20171223000420/https://www.riskiq.com/blog/labs/lazarus-group-cryptocurrency/" + }, + { + "source_name": "httrack_unhcr", + "description": "RISKIQ. (2022, March 15). RiskIQ Threat Intelligence Roundup: Campaigns Targeting Ukraine and Global Malware Infrastructure. Retrieved July 29, 2022.", + "url": "https://web.archive.org/web/20220527112908/https://www.riskiq.com/blog/labs/ukraine-malware-infrastructure/" + }, + { + "source_name": "ThreatConnect Infrastructure Dec 2020", + "description": "ThreatConnect. (2020, December 15). Infrastructure Research and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.", + "url": "https://threatconnect.com/blog/infrastructure-research-hunting/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Wes Hurd", + "Vinayak Wadhwa, Lucideus", + "Deloitte Threat Library Team", + "Oleg Kolesnikov, Securonix", + "Menachem Goldstein", + "Nikola Kovac" + ], + "x_mitre_data_sources": [ + "Domain Name: Passive DNS", + "Domain Name: Domain Registration", + "Domain Name: Active DNS" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Domain registration information is, by design, captured in public registration logs. Consider use of services that may aid in tracking of newly acquired domains, such as WHOIS databases and/or passive DNS. In some cases it may be possible to pivot on known pieces of domain registration information to uncover other infrastructure purchased by the adversary. 
Consider monitoring for domains created with a similar structure to your own, including under a different TLD. Though various tools and services exist to track, query, and monitor domain name registration information, tracking across multiple DNS infrastructures can require multiple tools/services or more advanced analytics.(Citation: ThreatConnect Infrastructure Dec 2020)\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access and Command and Control.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "PRE" + ], + "x_mitre_version": "1.3", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2024-04-28 15:55:55.068000+00:00\", \"old_value\": \"2024-04-13 14:03:04.511000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may acquire domains that can be used during targeting. Domain names are the human readable names used to represent one or more IP addresses. They can be purchased or, in some cases, acquired for free.\\n\\nAdversaries may use acquired domains for a variety of purposes, including for [Phishing](https://attack.mitre.org/techniques/T1566), [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), and Command and Control.(Citation: CISA MSS Sep 2020) Adversaries may choose domains that are similar to legitimate domains, including through use of homoglyphs or use of a different top-level domain (TLD).(Citation: FireEye APT28)(Citation: PaypalScam) Typosquatting may be used to aid in delivery of payloads via [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). Adversaries may also use internationalized domain names (IDNs) and different character sets (e.g. Cyrillic, Greek, etc.) 
to execute \\\"IDN homograph attacks,\\\" creating visually similar lookalike domains used to deliver malware to victim machines.(Citation: CISA IDN ST05-016)(Citation: tt_httrack_fake_domains)(Citation: tt_obliqueRAT)(Citation: httrack_unhcr)(Citation: lazgroup_idn_phishing)\\n\\nDifferent URIs/URLs may also be dynamically generated to uniquely serve malicious content to victims (including one-time, single use domain names).(Citation: iOS URL Scheme)(Citation: URI)(Citation: URI Use)(Citation: URI Unique)\\n\\nAdversaries may also acquire and repurpose expired domains, which may be potentially already allowlisted/trusted by defenders based on an existing reputation/history.(Citation: Categorisation_not_boundary)(Citation: Domain_Steal_CC)(Citation: Redirectors_Domain_Fronting)(Citation: bypass_webproxy_filtering)\\n\\nDomain registrars each maintain a publicly viewable database that displays contact information for every registered domain. Private WHOIS services display alternative information, such as their own company data, rather than the owner of the domain. Adversaries may use such private WHOIS services to obscure information about who owns a purchased domain. Adversaries may further interrupt efforts to track their infrastructure by using varied registration information and purchasing domains with different domain registrars.(Citation: Mandiant APT1)\", \"old_value\": \"Adversaries may acquire domains that can be used during targeting. Domain names are the human readable names used to represent one or more IP addresses. 
They can be purchased or, in some cases, acquired for free.\\n\\nAdversaries may use acquired domains for a variety of purposes, including for [Phishing](https://attack.mitre.org/techniques/T1566), [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), and Command and Control.(Citation: CISA MSS Sep 2020) Adversaries may choose domains that are similar to legitimate domains, including through use of homoglyphs or use of a different top-level domain (TLD).(Citation: FireEye APT28)(Citation: PaypalScam) Typosquatting may be used to aid in delivery of payloads via [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). Adversaries may also use internationalized domain names (IDNs) and different character sets (e.g. Cyrillic, Greek, etc.) to execute \\\"IDN homograph attacks,\\\" creating visually similar lookalike domains used to deliver malware to victim machines.(Citation: CISA IDN ST05-016)(Citation: tt_httrack_fake_domains)(Citation: tt_obliqueRAT)(Citation: httrack_unhcr)(Citation: lazgroup_idn_phishing) Different URIs/URLs may also be dynamically generated to uniquely serve malicious content to victims.(Citation: iOS URL Scheme)(Citation: URI)(Citation: URI Use)(Citation: URI Unique)\\n\\nAdversaries may also acquire and repurpose expired domains, which may be potentially already allowlisted/trusted by defenders based on an existing reputation/history.(Citation: Categorisation_not_boundary)(Citation: Domain_Steal_CC)(Citation: Redirectors_Domain_Fronting)(Citation: bypass_webproxy_filtering)\\n\\nDomain registrars each maintain a publicly viewable database that displays contact information for every registered domain. Private WHOIS services display alternative information, such as their own company data, rather than the owner of the domain. Adversaries may use such private WHOIS services to obscure information about who owns a purchased domain. 
Adversaries may further interrupt efforts to track their infrastructure by using varied registration information and purchasing domains with different domain registrars.(Citation: Mandiant APT1)\", \"diff\": \"--- \\n+++ \\n@@ -1,6 +1,8 @@\\n Adversaries may acquire domains that can be used during targeting. Domain names are the human readable names used to represent one or more IP addresses. They can be purchased or, in some cases, acquired for free.\\n \\n-Adversaries may use acquired domains for a variety of purposes, including for [Phishing](https://attack.mitre.org/techniques/T1566), [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), and Command and Control.(Citation: CISA MSS Sep 2020) Adversaries may choose domains that are similar to legitimate domains, including through use of homoglyphs or use of a different top-level domain (TLD).(Citation: FireEye APT28)(Citation: PaypalScam) Typosquatting may be used to aid in delivery of payloads via [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). Adversaries may also use internationalized domain names (IDNs) and different character sets (e.g. Cyrillic, Greek, etc.) 
to execute \\\"IDN homograph attacks,\\\" creating visually similar lookalike domains used to deliver malware to victim machines.(Citation: CISA IDN ST05-016)(Citation: tt_httrack_fake_domains)(Citation: tt_obliqueRAT)(Citation: httrack_unhcr)(Citation: lazgroup_idn_phishing) Different URIs/URLs may also be dynamically generated to uniquely serve malicious content to victims.(Citation: iOS URL Scheme)(Citation: URI)(Citation: URI Use)(Citation: URI Unique)\\n+Adversaries may use acquired domains for a variety of purposes, including for [Phishing](https://attack.mitre.org/techniques/T1566), [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), and Command and Control.(Citation: CISA MSS Sep 2020) Adversaries may choose domains that are similar to legitimate domains, including through use of homoglyphs or use of a different top-level domain (TLD).(Citation: FireEye APT28)(Citation: PaypalScam) Typosquatting may be used to aid in delivery of payloads via [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). Adversaries may also use internationalized domain names (IDNs) and different character sets (e.g. Cyrillic, Greek, etc.) 
to execute \\\"IDN homograph attacks,\\\" creating visually similar lookalike domains used to deliver malware to victim machines.(Citation: CISA IDN ST05-016)(Citation: tt_httrack_fake_domains)(Citation: tt_obliqueRAT)(Citation: httrack_unhcr)(Citation: lazgroup_idn_phishing)\\n+\\n+Different URIs/URLs may also be dynamically generated to uniquely serve malicious content to victims (including one-time, single use domain names).(Citation: iOS URL Scheme)(Citation: URI)(Citation: URI Use)(Citation: URI Unique)\\n \\n Adversaries may also acquire and repurpose expired domains, which may be potentially already allowlisted/trusted by defenders based on an existing reputation/history.(Citation: Categorisation_not_boundary)(Citation: Domain_Steal_CC)(Citation: Redirectors_Domain_Fronting)(Citation: bypass_webproxy_filtering)\\n \"}}}", + "previous_version": "1.3", + "description_change_table": "\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n

Old Description
New Description
t1Adversaries may acquire domains that can be used during targt1Adversaries may acquire domains that can be used during targ
>eting. Domain names are the human readable names used to rep>eting. Domain names are the human readable names used to rep
>resent one or more IP addresses. They can be purchased or, i>resent one or more IP addresses. They can be purchased or, i
>n some cases, acquired for free.  Adversaries may use acquir>n some cases, acquired for free.  Adversaries may use acquir
>ed domains for a variety of purposes, including for [Phishin>ed domains for a variety of purposes, including for [Phishin
>g](https://attack.mitre.org/techniques/T1566), [Drive-by Com>g](https://attack.mitre.org/techniques/T1566), [Drive-by Com
>promise](https://attack.mitre.org/techniques/T1189), and Com>promise](https://attack.mitre.org/techniques/T1189), and Com
>mand and Control.(Citation: CISA MSS Sep 2020) Adversaries m>mand and Control.(Citation: CISA MSS Sep 2020) Adversaries m
>ay choose domains that are similar to legitimate domains, in>ay choose domains that are similar to legitimate domains, in
>cluding through use of homoglyphs or use of a different top->cluding through use of homoglyphs or use of a different top-
>level domain (TLD).(Citation: FireEye APT28)(Citation: Paypa>level domain (TLD).(Citation: FireEye APT28)(Citation: Paypa
>lScam) Typosquatting may be used to aid in delivery of paylo>lScam) Typosquatting may be used to aid in delivery of paylo
>ads via [Drive-by Compromise](https://attack.mitre.org/techn>ads via [Drive-by Compromise](https://attack.mitre.org/techn
>iques/T1189). Adversaries may also use internationalized dom>iques/T1189). Adversaries may also use internationalized dom
>ain names (IDNs) and different character sets (e.g. Cyrillic>ain names (IDNs) and different character sets (e.g. Cyrillic
>, Greek, etc.) to execute \"IDN homograph attacks,\" creating >, Greek, etc.) to execute \"IDN homograph attacks,\" creating 
>visually similar lookalike domains used to deliver malware t>visually similar lookalike domains used to deliver malware t
>o victim machines.(Citation: CISA IDN ST05-016)(Citation: tt>o victim machines.(Citation: CISA IDN ST05-016)(Citation: tt
>_httrack_fake_domains)(Citation: tt_obliqueRAT)(Citation: ht>_httrack_fake_domains)(Citation: tt_obliqueRAT)(Citation: ht
>track_unhcr)(Citation: lazgroup_idn_phishing) Different URIs>track_unhcr)(Citation: lazgroup_idn_phishing)  Different URI
>/URLs may also be dynamically generated to uniquely serve ma>s/URLs may also be dynamically generated to uniquely serve m
>licious content to victims.(Citation: iOS URL Scheme)(Citati>alicious content to victims (including one-time, single use 
>on: URI)(Citation: URI Use)(Citation: URI Unique)  Adversari>domain names).(Citation: iOS URL Scheme)(Citation: URI)(Cita
>es may also acquire and repurpose expired domains, which may>tion: URI Use)(Citation: URI Unique)  Adversaries may also a
> be potentially already allowlisted/trusted by defenders bas>cquire and repurpose expired domains, which may be potential
>ed on an existing reputation/history.(Citation: Categorisati>ly already allowlisted/trusted by defenders based on an exis
>on_not_boundary)(Citation: Domain_Steal_CC)(Citation: Redire>ting reputation/history.(Citation: Categorisation_not_bounda
>ctors_Domain_Fronting)(Citation: bypass_webproxy_filtering) >ry)(Citation: Domain_Steal_CC)(Citation: Redirectors_Domain_
> Domain registrars each maintain a publicly viewable databas>Fronting)(Citation: bypass_webproxy_filtering)  Domain regis
>e that displays contact information for every registered dom>trars each maintain a publicly viewable database that displa
>ain. Private WHOIS services display alternative information,>ys contact information for every registered domain. Private 
> such as their own company data, rather than the owner of th>WHOIS services display alternative information, such as thei
>e domain. Adversaries may use such private WHOIS services to>r own company data, rather than the owner of the domain. Adv
> obscure information about who owns a purchased domain. Adve>ersaries may use such private WHOIS services to obscure info
>rsaries may further interrupt efforts to track their infrast>rmation about who owns a purchased domain. Adversaries may f
>ructure by using varied registration information and purchas>urther interrupt efforts to track their infrastructure by us
>ing domains with different domain registrars.(Citation: Mand>ing varied registration information and purchasing domains w
>iant APT1)>ith different domain registrars.(Citation: Mandiant APT1)
", + "changelog_mitigations": { + "shared": [ + "M1056: Pre-compromise" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0038: Domain Name (Active DNS)", + "DS0038: Domain Name (Domain Registration)", + "DS0038: Domain Name (Passive DNS)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--3a32740a-11b0-4bcf-b0a9-3abd0f6d3cd5", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2024-03-29 18:07:04.743000+00:00", + "modified": "2024-04-28 15:58:48.119000+00:00", + "name": "AutoHotKey & AutoIT", + "description": "Adversaries may execute commands and perform malicious tasks using AutoIT and AutoHotKey automation scripts. AutoIT and AutoHotkey (AHK) are scripting languages that enable users to automate Windows tasks. These automation scripts can be used to perform a wide variety of actions, such as clicking on buttons, entering text, and opening and closing programs.(Citation: AutoIT)(Citation: AutoHotKey)\n\nAdversaries may use AHK (`.ahk`) and AutoIT (`.au3`) scripts to execute malicious code on a victim's system. For example, adversaries have used for AHK to execute payloads and other modular malware such as keyloggers. Adversaries have also used custom AHK files containing embedded malware as [Phishing](https://attack.mitre.org/techniques/T1566) payloads.(Citation: Splunk DarkGate)\n\nThese scripts may also be compiled into self-contained executable payloads (`.exe`).(Citation: AutoIT)(Citation: AutoHotKey)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "execution" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1059/010", + "external_id": "T1059.010" + }, + { + "source_name": "AutoHotKey", + "description": "AutoHotkey Foundation LLC. (n.d.). Using the Program. 
Retrieved March 29, 2024.", + "url": "https://www.autohotkey.com/docs/v1/Program.htm" + }, + { + "source_name": "AutoIT", + "description": "AutoIT. (n.d.). Running Scripts. Retrieved March 29, 2024.", + "url": "https://www.autoitscript.com/autoit3/docs/intro/running.htm" + }, + { + "source_name": "Splunk DarkGate", + "description": "Splunk Threat Research Team. (2024, January 17). Enter The Gates: An Analysis of the DarkGate AutoIt Loader. Retrieved March 29, 2024.", + "url": "https://www.splunk.com/en_us/blog/security/enter-the-gates-an-analysis-of-the-darkgate-autoit-loader.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "TruKno", + "Liran Ravich, CardinalOps", + "Serhii Melnyk, Trustwave SpiderLabs", + "Rahmat Nurfauzi, @infosecn1nja, PT Xynexis International", + "@_montysecurity" + ], + "x_mitre_data_sources": [ + "Process: Process Creation", + "Command: Command Execution" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_remote_support": false, + "x_mitre_version": "1.0", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2024-04-28 15:58:48.119000+00:00\", \"old_value\": \"2024-04-10 16:05:22.456000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may execute commands and perform malicious tasks using AutoIT and AutoHotKey automation scripts. AutoIT and AutoHotkey (AHK) are scripting languages that enable users to automate Windows tasks. 
These automation scripts can be used to perform a wide variety of actions, such as clicking on buttons, entering text, and opening and closing programs.(Citation: AutoIT)(Citation: AutoHotKey)\\n\\nAdversaries may use AHK (`.ahk`) and AutoIT (`.au3`) scripts to execute malicious code on a victim's system. For example, adversaries have used for AHK to execute payloads and other modular malware such as keyloggers. Adversaries have also used custom AHK files containing embedded malware as [Phishing](https://attack.mitre.org/techniques/T1566) payloads.(Citation: Splunk DarkGate)\\n\\nThese scripts may also be compiled into self-contained executable payloads (`.exe`).(Citation: AutoIT)(Citation: AutoHotKey)\", \"old_value\": \"Adversaries may execute commands and perform malicious tasks using AutoIT and AutoHotKey automation scripts. AutoIT and AutoHotkey (AHK) are scripting languages that enable users to automate Windows tasks. These automation scripts can be used to perform a wide variety of actions, such as clicking on buttons, entering text, and opening and closing programs.(Citation: AutoIT)(Citation: AutoHotKey)\\n\\nAdversaries may use AHK (`.ahk`) and AutoIT (`.au3`) scripts to execute malicious code on a victim's system. For example, adversaries have used for AHK to execute payloads and other modular malware such as keyloggers. Adversaries have also used custom AHK files containing embedded malware as [Phishing](https://attack.mitre.org/techniques/T1566) payloads.(Citation: Splunk DarkGate)\\n\\nThese scripts may also be compiled into self-contained exectuable payloads (`.exe`).(Citation: AutoIT)(Citation: AutoHotKey)\", \"diff\": \"--- \\n+++ \\n@@ -2,4 +2,4 @@\\n \\n Adversaries may use AHK (`.ahk`) and AutoIT (`.au3`) scripts to execute malicious code on a victim's system. For example, adversaries have used for AHK to execute payloads and other modular malware such as keyloggers. 
Adversaries have also used custom AHK files containing embedded malware as [Phishing](https://attack.mitre.org/techniques/T1566) payloads.(Citation: Splunk DarkGate)\\n \\n-These scripts may also be compiled into self-contained exectuable payloads (`.exe`).(Citation: AutoIT)(Citation: AutoHotKey)\\n+These scripts may also be compiled into self-contained executable payloads (`.exe`).(Citation: AutoIT)(Citation: AutoHotKey)\"}, \"root['x_mitre_contributors'][4]\": {\"new_value\": \"@_montysecurity\", \"old_value\": \"Monty\"}}}", + "previous_version": "1.0", + "description_change_table": "\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n

Old Description
New Description
t1Adversaries may execute commands and perform malicious taskst1Adversaries may execute commands and perform malicious tasks
> using AutoIT and AutoHotKey automation scripts. AutoIT and > using AutoIT and AutoHotKey automation scripts. AutoIT and 
>AutoHotkey (AHK) are scripting languages that enable users t>AutoHotkey (AHK) are scripting languages that enable users t
>o automate Windows tasks. These automation scripts can be us>o automate Windows tasks. These automation scripts can be us
>ed to perform a wide variety of actions, such as clicking on>ed to perform a wide variety of actions, such as clicking on
> buttons, entering text, and opening and closing programs.(C> buttons, entering text, and opening and closing programs.(C
>itation: AutoIT)(Citation: AutoHotKey)  Adversaries may use >itation: AutoIT)(Citation: AutoHotKey)  Adversaries may use 
>AHK (`.ahk`) and AutoIT (`.au3`) scripts to execute maliciou>AHK (`.ahk`) and AutoIT (`.au3`) scripts to execute maliciou
>s code on a victim's system. For example, adversaries have u>s code on a victim's system. For example, adversaries have u
>sed for AHK to execute payloads and other modular malware su>sed for AHK to execute payloads and other modular malware su
>ch as keyloggers. Adversaries have also used custom AHK file>ch as keyloggers. Adversaries have also used custom AHK file
>s containing embedded malware as [Phishing](https://attack.m>s containing embedded malware as [Phishing](https://attack.m
>itre.org/techniques/T1566) payloads.(Citation: Splunk DarkGa>itre.org/techniques/T1566) payloads.(Citation: Splunk DarkGa
>te)  These scripts may also be compiled into self-contained >te)  These scripts may also be compiled into self-contained 
>exectuable payloads (`.exe`).(Citation: AutoIT)(Citation: Au>executable payloads (`.exe`).(Citation: AutoIT)(Citation: Au
>toHotKey)>toHotKey)
", + "changelog_mitigations": { + "shared": [ + "M1038: Execution Prevention" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (Process Creation)", + "DS0017: Command (Command Execution)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--da051493-ae9c-4b1b-9760-c009c46c9b56", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2022-09-27 18:02:16.026000+00:00", + "modified": "2024-04-28 15:52:44.332000+00:00", + "name": "Installer Packages", + "description": "Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Installer packages are OS specific and contain the resources an operating system needs to install applications on a system. Installer packages can include scripts that run prior to installation as well as after installation is complete. Installer scripts may inherit elevated permissions when executed. Developers often use these scripts to prepare the environment for installation, check requirements, download dependencies, and remove files after installation.(Citation: Installer Package Scripting Rich Trouton)\n\nUsing legitimate applications, adversaries have distributed applications with modified installer scripts to execute malicious content. When a user installs the application, they may be required to grant administrative permissions to allow the installation. At the end of the installation process of the legitimate application, content such as macOS `postinstall` scripts can be executed with the inherited elevated permissions. 
Adversaries can use these scripts to execute a malicious executable or install other malicious components (such as a [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)) with the elevated permissions.(Citation: Application Bundle Manipulation Brandon Dalton)(Citation: wardle evilquest parti)(Citation: Windows AppleJeus GReAT)(Citation: Debian Manual Maintainer Scripts)\n\nDepending on the distribution, Linux versions of package installer scripts are sometimes called maintainer scripts or post installation scripts. These scripts can include `preinst`, `postinst`, `prerm`, `postrm` scripts and run as root when executed.\n\nFor Windows, the Microsoft Installer services uses `.msi` files to manage the installing, updating, and uninstalling of applications. These installation routines may also include instructions to perform additional actions that may be abused by adversaries.(Citation: Microsoft Installation Procedures)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "privilege-escalation" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "persistence" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1546/016", + "external_id": "T1546.016" + }, + { + "source_name": "Application Bundle Manipulation Brandon Dalton", + "description": "Brandon Dalton. (2022, August 9). A bundle of nerves: Tweaking macOS security controls to thwart application bundle manipulation. Retrieved September 27, 2022.", + "url": "https://redcanary.com/blog/mac-application-bundles/" + }, + { + "source_name": "Debian Manual Maintainer Scripts", + "description": "Debian Policy Manual v4.6.1.1. (2022, August 14). Package maintainer scripts and installation procedure. 
Retrieved September 27, 2022.", + "url": "https://www.debian.org/doc/debian-policy/ch-maintainerscripts.html#s-mscriptsinstact" + }, + { + "source_name": "Windows AppleJeus GReAT", + "description": "Global Research & Analysis Team, Kaspersky Lab (GReAT). (2018, August 23). Operation AppleJeus: Lazarus hits cryptocurrency exchange with fake installer and macOS malware. Retrieved September 27, 2022.", + "url": "https://securelist.com/operation-applejeus/87553/" + }, + { + "source_name": "Microsoft Installation Procedures", + "description": "Microsoft. (2021, January 7). Installation Procedure Tables Group. Retrieved December 27, 2023.", + "url": "https://learn.microsoft.com/windows/win32/msi/installation-procedure-tables-group" + }, + { + "source_name": "wardle evilquest parti", + "description": "Patrick Wardle. (2020, June 29). OSX.EvilQuest Uncovered part i: infection, persistence, and more!. Retrieved March 18, 2021.", + "url": "https://objective-see.com/blog/blog_0x59.html" + }, + { + "source_name": "Installer Package Scripting Rich Trouton", + "description": "Rich Trouton. (2019, August 9). Installer Package Scripting: Making your deployments easier, one ! at a time. 
Retrieved September 27, 2022.", + "url": "https://cpb-us-e1.wpmucdn.com/sites.psu.edu/dist/4/24696/files/2019/07/psumac2019-345-Installer-Package-Scripting-Making-your-deployments-easier-one-at-a-time.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Brandon Dalton @PartyD0lphin", + "Rodchenko Aleksandr" + ], + "x_mitre_data_sources": [ + "Process: Process Creation", + "Command: Command Execution", + "File: File Creation" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_effective_permissions": [ + "root" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_permissions_required": [ + "User" + ], + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2024-04-28 15:52:44.332000+00:00\", \"old_value\": \"2024-04-12 02:23:44.583000+00:00\"}, \"root['x_mitre_contributors'][1]\": {\"new_value\": \"Rodchenko Aleksandr\", \"old_value\": \"Alexander Rodchenko\"}}}", + "previous_version": "1.1", + "changelog_mitigations": { + "shared": [], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (Process Creation)", + "DS0017: Command (Command Execution)", + "DS0022: File (File Creation)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--356662f7-e315-4759-86c9-6214e2a50ff8", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2024-03-28 15:36:34.141000+00:00", + "modified": "2024-04-28 15:44:25.342000+00:00", + "name": "AppDomainManager", + "description": "Adversaries may execute their own malicious payloads by hijacking how the .NET `AppDomainManager` loads 
assemblies. The .NET framework uses the `AppDomainManager` class to create and manage one or more isolated runtime environments (called application domains) inside a process to host the execution of .NET applications. Assemblies (`.exe` or `.dll` binaries compiled to run as .NET code) may be loaded into an application domain as executable code.(Citation: Microsoft App Domains) \n\nKnown as \"AppDomainManager injection,\" adversaries may execute arbitrary code by hijacking how .NET applications load assemblies. For example, malware may create a custom application domain inside a target process to load and execute an arbitrary assembly. Alternatively, configuration files (`.config`) or process environment variables that define .NET runtime settings may be tampered with to instruct otherwise benign .NET applications to load a malicious assembly (identified by name) into the target process.(Citation: PenTestLabs AppDomainManagerInject)(Citation: PwC Yellow Liderc)(Citation: Rapid7 AppDomain Manager Injection)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "persistence" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "privilege-escalation" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1574/014", + "external_id": "T1574.014" + }, + { + "source_name": "PenTestLabs AppDomainManagerInject", + "description": "Administrator. (2020, May 26). APPDOMAINMANAGER INJECTION AND DETECTION. Retrieved March 28, 2024.", + "url": "https://pentestlaboratories.com/2020/05/26/appdomainmanager-injection-and-detection/" + }, + { + "source_name": "Microsoft App Domains", + "description": "Microsoft. (2021, September 15). Application domains. 
Retrieved March 28, 2024.", + "url": "https://learn.microsoft.com/dotnet/framework/app-domains/application-domains" + }, + { + "source_name": "PwC Yellow Liderc", + "description": "PwC Threat Intelligence. (2023, October 25). Yellow Liderc ships its scripts and delivers IMAPLoader malware. Retrieved March 29, 2024.", + "url": "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html" + }, + { + "source_name": "Rapid7 AppDomain Manager Injection", + "description": "Spagnola, N. (2023, May 5). AppDomain Manager Injection: New Techniques For Red Teams. Retrieved March 29, 2024.", + "url": "https://www.rapid7.com/blog/post/2023/05/05/appdomain-manager-injection-new-techniques-for-red-teams/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Thomas B", + "Ivy Drexel" + ], + "x_mitre_data_sources": [ + "Module: Module Load", + "File: File Creation", + "Process: Process Creation" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.0", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2024-04-28 15:44:25.342000+00:00\", \"old_value\": \"2024-04-18 15:03:32.158000+00:00\"}, \"root['x_mitre_contributors'][1]\": {\"new_value\": \"Ivy Drexel\", \"old_value\": \"Ivy Bostock\"}}}", + "previous_version": "1.0", + "changelog_mitigations": { + "shared": [ + "M1022: Restrict File and Directory Permissions" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0009: Process (Process Creation)", + "DS0011: Module (Module Load)", + "DS0022: File (File Creation)" + ], + "new": [], + 
"dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--2fee9321-3e71-4cf4-af24-d4d40d355b34", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-03-13 18:11:08.357000+00:00", + "modified": "2024-04-28 15:51:58.945000+00:00", + "name": "DLL Search Order Hijacking", + "description": "Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft Dynamic Link Library Search Order)(Citation: FireEye Hijacking July 2010) Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution.\n\nThere are many ways an adversary can hijack DLL loads. Adversaries may plant trojan dynamic-link library files (DLLs) in a directory that will be searched before the location of a legitimate library that will be requested by a program, causing Windows to load their malicious library when it is called for by the victim program. Adversaries may also perform DLL preloading, also called binary planting attacks, (Citation: OWASP Binary Planting) by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program.(Citation: FireEye fxsst June 2011) Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. 
(Citation: Microsoft Security Advisory 2269637)\n\nPhantom DLL hijacking is a specific type of DLL search order hijacking where adversaries target references to non-existent DLL files.(Citation: Adversaries Hijack DLLs) They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.\n\nAdversaries may also directly modify the search order via DLL redirection, which after being enabled (in the Registry and creation of a redirection file) may cause a program to load a different DLL.(Citation: Microsoft Dynamic-Link Library Redirection)(Citation: Microsoft Manifests)(Citation: FireEye DLL Search Order Hijacking)\n\nIf a search order-vulnerable program is configured to run at a higher privilege level, then the adversary-controlled DLL that is loaded will also be executed at the higher level. In this case, the technique could be used for privilege escalation from user to administrator or SYSTEM or from administrator to SYSTEM, depending on the program. Programs that fall victim to path hijacking may appear to behave normally because malicious DLLs may be configured to also load the legitimate DLLs they were meant to replace.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "persistence" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "privilege-escalation" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1574/001", + "external_id": "T1574.001" + }, + { + "source_name": "Adversaries Hijack DLLs", + "description": "CrowdStrike, Falcon OverWatch Team. (2022, December 30). Retrieved October 19, 2023.", + "url": "https://www.crowdstrike.com/blog/4-ways-adversaries-hijack-dlls/" + }, + { + "source_name": "FireEye Hijacking July 2010", + "description": "Harbour, N. (2010, July 15). 
Malware Persistence without the Windows Registry. Retrieved November 17, 2020.", + "url": "https://www.fireeye.com/blog/threat-research/2010/07/malware-persistence-windows-registry.html" + }, + { + "source_name": "FireEye fxsst June 2011", + "description": "Harbour, N. (2011, June 3). What the fxsst?. Retrieved November 17, 2020.", + "url": "https://www.fireeye.com/blog/threat-research/2011/06/fxsst.html" + }, + { + "source_name": "Microsoft Security Advisory 2269637", + "description": "Microsoft. (, May 23). Microsoft Security Advisory 2269637. Retrieved March 13, 2020.", + "url": "https://docs.microsoft.com/en-us/security-updates/securityadvisories/2010/2269637" + }, + { + "source_name": "Microsoft Dynamic-Link Library Redirection", + "description": "Microsoft. (2018, May 31). Dynamic-Link Library Redirection. Retrieved March 13, 2020.", + "url": "https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-redirection?redirectedfrom=MSDN" + }, + { + "source_name": "Microsoft Dynamic Link Library Search Order", + "description": "Microsoft. (2018, May 31). Dynamic-Link Library Search Order. Retrieved November 30, 2014.", + "url": "https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-search-order?redirectedfrom=MSDN" + }, + { + "source_name": "Microsoft Manifests", + "description": "Microsoft. (n.d.). Manifests. Retrieved December 5, 2014.", + "url": "https://msdn.microsoft.com/en-US/library/aa375365" + }, + { + "source_name": "FireEye DLL Search Order Hijacking", + "description": "Nick Harbour. (2010, September 1). DLL Search Order Hijacking Revisited. Retrieved March 13, 2020.", + "url": "https://www.fireeye.com/blog/threat-research/2010/08/dll-search-order-hijacking-revisited.html" + }, + { + "source_name": "OWASP Binary Planting", + "description": "OWASP. (2013, January 30). Binary planting. 
Retrieved June 7, 2016.", + "url": "https://www.owasp.org/index.php/Binary_planting" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Travis Smith, Tripwire", + "Stefan Kanthak", + "Marina Liang", + "Ami Holeston, CrowdStrike", + "Will Alexander, CrowdStrike" + ], + "x_mitre_data_sources": [ + "File: File Modification", + "Module: Module Load", + "File: File Creation" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Monitor file systems for moving, renaming, replacing, or modifying DLLs. Changes in the set of DLLs that are loaded by a process (compared with past behavior) that do not correlate with known software, patches, etc., are suspicious. Monitor DLLs loaded into a process and detect DLLs that have the same file name but abnormal paths. Modifications to or creation of `.manifest` and `.local` redirection files that do not correlate with software updates are suspicious.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.2", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2024-04-28 15:51:58.945000+00:00\", \"old_value\": \"2024-04-18 22:54:54.668000+00:00\"}, \"root['x_mitre_contributors'][3]\": {\"new_value\": \"Ami Holeston, CrowdStrike\", \"old_value\": \"Will Alexander\"}, \"root['x_mitre_contributors'][4]\": {\"new_value\": \"Will Alexander, CrowdStrike\", \"old_value\": \"Ami Holeston\"}}}", + "previous_version": "1.2", + "changelog_mitigations": { + "shared": [ + "M1038: Execution Prevention", + "M1044: Restrict Library Loading", + "M1047: Audit" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0011: Module (Module Load)", + "DS0022: File (File Creation)", + "DS0022: File 
(File Modification)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--84ae8255-b4f4-4237-b5c5-e717405a9701", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-03-17 20:35:08.429000+00:00", + "modified": "2024-04-28 15:57:26.842000+00:00", + "name": "Link Target", + "description": "Adversaries may put in place resources that are referenced by a link that can be used during targeting. An adversary may rely upon a user clicking a malicious link in order to divulge information (including credentials) or to gain execution, as in [Malicious Link](https://attack.mitre.org/techniques/T1204/001). Links can be used for spearphishing, such as sending an email accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser. Prior to a phish for information (as in [Spearphishing Link](https://attack.mitre.org/techniques/T1598/003)) or a phish to gain initial access to a system (as in [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002)), an adversary must set up the resources for a link target for the spearphishing link. \n\nTypically, the resources for a link target will be an HTML page that may include some client-side script such as [JavaScript](https://attack.mitre.org/techniques/T1059/007) to decide what content to serve to the user. 
Adversaries may clone legitimate sites to serve as the link target, this can include cloning of login pages of legitimate web services or organization login pages in an effort to harvest credentials during [Spearphishing Link](https://attack.mitre.org/techniques/T1598/003).(Citation: Malwarebytes Silent Librarian October 2020)(Citation: Proofpoint TA407 September 2019) Adversaries may also [Upload Malware](https://attack.mitre.org/techniques/T1608/001) and have the link target point to malware for download/execution by the user.\n\nAdversaries may purchase domains similar to legitimate domains (ex: homoglyphs, typosquatting, different top-level domain, etc.) during acquisition of infrastructure ([Domains](https://attack.mitre.org/techniques/T1583/001)) to help facilitate [Malicious Link](https://attack.mitre.org/techniques/T1204/001).\n\nLinks can be written by adversaries to mask the true destination in order to deceive victims by abusing the URL schema and increasing the effectiveness of phishing.(Citation: Kaspersky-masking)(Citation: mandiant-masking)\n\nAdversaries may also use free or paid accounts on link shortening services and Platform-as-a-Service providers to host link targets while taking advantage of the widely trusted domains of those providers to avoid being blocked while redirecting victims to malicious pages.(Citation: Netskope GCP Redirection)(Citation: Netskope Cloud Phishing)(Citation: Intezer App Service Phishing)(Citation: Cofense-redirect) In addition, adversaries may serve a variety of malicious links through uniquely generated URIs/URLs (including one-time, single use links).(Citation: iOS URL Scheme)(Citation: URI)(Citation: URI Use)(Citation: URI Unique) Finally, adversaries may take advantage of the decentralized nature of the InterPlanetary File System (IPFS) to host link targets that are difficult to remove.(Citation: Talos IPFS 2022)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": 
"resource-development" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1608/005", + "external_id": "T1608.005" + }, + { + "source_name": "Netskope GCP Redirection", + "description": "Ashwin Vamshi. (2019, January 24). Targeted Attacks Abusing Google Cloud Platform Open Redirection. Retrieved August 18, 2022.", + "url": "https://www.netskope.com/blog/targeted-attacks-abusing-google-cloud-platform-open-redirection" + }, + { + "source_name": "Netskope Cloud Phishing", + "description": "Ashwin Vamshi. (2020, August 12). A Big Catch: Cloud Phishing from Google App Engine and Azure App Service. Retrieved August 18, 2022.", + "url": "https://www.netskope.com/blog/a-big-catch-cloud-phishing-from-google-app-engine-and-azure-app-service" + }, + { + "source_name": "URI Unique", + "description": "Australian Cyber Security Centre. National Security Agency. (2020, April 21). Detect and Prevent Web Shell Malware. Retrieved February 9, 2024.", + "url": "https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF" + }, + { + "source_name": "Kaspersky-masking", + "description": "Dedenok, Roman. (2023, December 12). How cybercriminals disguise URLs. Retrieved January 17, 2024.", + "url": "https://www.kaspersky.com/blog/malicious-redirect-methods/50045/" + }, + { + "source_name": "Talos IPFS 2022", + "description": "Edmund Brumaghin. (2022, November 9). Threat Spotlight: Cyber Criminal Adoption of IPFS for Phishing, Malware Campaigns. Retrieved March 8, 2023.", + "url": "https://blog.talosintelligence.com/ipfs-abuse/" + }, + { + "source_name": "Malwarebytes Silent Librarian October 2020", + "description": "Malwarebytes Threat Intelligence Team. (2020, October 14). Silent Librarian APT right on schedule for 20/21 academic year. 
Retrieved February 3, 2021.", + "url": "https://blog.malwarebytes.com/malwarebytes-news/2020/10/silent-librarian-apt-phishing-attack/" + }, + { + "source_name": "URI", + "description": "Michael Cobb. (2007, October 11). Preparing for uniform resource identifier (URI) exploits. Retrieved February 9, 2024.", + "url": "https://www.techtarget.com/searchsecurity/tip/Preparing-for-uniform-resource-identifier-URI-exploits" + }, + { + "source_name": "URI Use", + "description": "Nathan McFeters. Billy Kim Rios. Rob Carter.. (2008). URI Use and Abuse. Retrieved February 9, 2024.", + "url": "https://www.blackhat.com/presentations/bh-dc-08/McFeters-Rios-Carter/Presentation/bh-dc-08-mcfeters-rios-carter.pdf" + }, + { + "source_name": "iOS URL Scheme", + "description": "Ostorlab. (n.d.). iOS URL Scheme Hijacking. Retrieved February 9, 2024.", + "url": "https://docs.ostorlab.co/kb/IPA_URL_SCHEME_HIJACKING/index.html" + }, + { + "source_name": "Intezer App Service Phishing", + "description": "Paul Litvak. (2020, October 8). Kud I Enter Your Server? New Vulnerabilities in Microsoft Azure. Retrieved August 18, 2022.", + "url": "https://www.intezer.com/blog/malware-analysis/kud-i-enter-your-server-new-vulnerabilities-in-microsoft-azure/" + }, + { + "source_name": "Proofpoint TA407 September 2019", + "description": "Proofpoint Threat Insight Team. (2019, September 5). Threat Actor Profile: TA407, the Silent Librarian. Retrieved February 3, 2021.", + "url": "https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta407-silent-librarian" + }, + { + "source_name": "Cofense-redirect", + "description": "Raymond, Nathaniel. (2023, August 16). Major Energy Company Targeted in Large QR Code Phishing Campaign. Retrieved January 17, 2024.", + "url": "https://cofense.com/blog/major-energy-company-targeted-in-large-qr-code-campaign/" + }, + { + "source_name": "mandiant-masking", + "description": "Simonian, Nick. (2023, May 22). Don't @ Me: URL Obfuscation Through Schema Abuse. 
Retrieved January 17, 2024.", + "url": "https://www.mandiant.com/resources/blog/url-obfuscation-schema-abuse" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Goldstein Menachem", + "Hen Porcilan", + "Diyar Saadi Ali", + "Nikola Kovac" + ], + "x_mitre_data_sources": [ + "Internet Scan: Response Content" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "If infrastructure or patterns in malicious web content have been previously identified, internet scanning may uncover when an adversary has staged web content to make it accessible for targeting.\n\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on other phases of the adversary lifecycle, such as during [Spearphishing Link](https://attack.mitre.org/techniques/T1598/003), [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002), or [Malicious Link](https://attack.mitre.org/techniques/T1204/001).", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "PRE" + ], + "x_mitre_version": "1.4", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2024-04-28 15:57:26.842000+00:00\", \"old_value\": \"2024-04-13 14:03:24.673000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may put in place resources that are referenced by a link that can be used during targeting. An adversary may rely upon a user clicking a malicious link in order to divulge information (including credentials) or to gain execution, as in [Malicious Link](https://attack.mitre.org/techniques/T1204/001). 
Links can be used for spearphishing, such as sending an email accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser. Prior to a phish for information (as in [Spearphishing Link](https://attack.mitre.org/techniques/T1598/003)) or a phish to gain initial access to a system (as in [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002)), an adversary must set up the resources for a link target for the spearphishing link. \\n\\nTypically, the resources for a link target will be an HTML page that may include some client-side script such as [JavaScript](https://attack.mitre.org/techniques/T1059/007) to decide what content to serve to the user. Adversaries may clone legitimate sites to serve as the link target, this can include cloning of login pages of legitimate web services or organization login pages in an effort to harvest credentials during [Spearphishing Link](https://attack.mitre.org/techniques/T1598/003).(Citation: Malwarebytes Silent Librarian October 2020)(Citation: Proofpoint TA407 September 2019) Adversaries may also [Upload Malware](https://attack.mitre.org/techniques/T1608/001) and have the link target point to malware for download/execution by the user.\\n\\nAdversaries may purchase domains similar to legitimate domains (ex: homoglyphs, typosquatting, different top-level domain, etc.) 
during acquisition of infrastructure ([Domains](https://attack.mitre.org/techniques/T1583/001)) to help facilitate [Malicious Link](https://attack.mitre.org/techniques/T1204/001).\\n\\nLinks can be written by adversaries to mask the true destination in order to deceive victims by abusing the URL schema and increasing the effectiveness of phishing.(Citation: Kaspersky-masking)(Citation: mandiant-masking)\\n\\nAdversaries may also use free or paid accounts on link shortening services and Platform-as-a-Service providers to host link targets while taking advantage of the widely trusted domains of those providers to avoid being blocked while redirecting victims to malicious pages.(Citation: Netskope GCP Redirection)(Citation: Netskope Cloud Phishing)(Citation: Intezer App Service Phishing)(Citation: Cofense-redirect) In addition, adversaries may serve a variety of malicious links through uniquely generated URIs/URLs (including one-time, single use links).(Citation: iOS URL Scheme)(Citation: URI)(Citation: URI Use)(Citation: URI Unique) Finally, adversaries may take advantage of the decentralized nature of the InterPlanetary File System (IPFS) to host link targets that are difficult to remove.(Citation: Talos IPFS 2022)\", \"old_value\": \"Adversaries may put in place resources that are referenced by a link that can be used during targeting. An adversary may rely upon a user clicking a malicious link in order to divulge information (including credentials) or to gain execution, as in [Malicious Link](https://attack.mitre.org/techniques/T1204/001). Links can be used for spearphishing, such as sending an email accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser. 
Prior to a phish for information (as in [Spearphishing Link](https://attack.mitre.org/techniques/T1598/003)) or a phish to gain initial access to a system (as in [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002)), an adversary must set up the resources for a link target for the spearphishing link. \\n\\nTypically, the resources for a link target will be an HTML page that may include some client-side script such as [JavaScript](https://attack.mitre.org/techniques/T1059/007) to decide what content to serve to the user. Adversaries may clone legitimate sites to serve as the link target, this can include cloning of login pages of legitimate web services or organization login pages in an effort to harvest credentials during [Spearphishing Link](https://attack.mitre.org/techniques/T1598/003).(Citation: Malwarebytes Silent Librarian October 2020)(Citation: Proofpoint TA407 September 2019) Adversaries may also [Upload Malware](https://attack.mitre.org/techniques/T1608/001) and have the link target point to malware for download/execution by the user.\\n\\nAdversaries may purchase domains similar to legitimate domains (ex: homoglyphs, typosquatting, different top-level domain, etc.) 
during acquisition of infrastructure ([Domains](https://attack.mitre.org/techniques/T1583/001)) to help facilitate [Malicious Link](https://attack.mitre.org/techniques/T1204/001).\\n\\nLinks can be written by adversaries to mask the true destination in order to deceive victims by abusing the URL schema and increasing the effectiveness of phishing.(Citation: Kaspersky-masking)(Citation: mandiant-masking)\\n\\nAdversaries may also use free or paid accounts on link shortening services and Platform-as-a-Service providers to host link targets while taking advantage of the widely trusted domains of those providers to avoid being blocked while redirecting victims to malicious pages.(Citation: Netskope GCP Redirection)(Citation: Netskope Cloud Phishing)(Citation: Intezer App Service Phishing)(Citation: Cofense-redirect) In addition, adversaries may serve a variety of malicious links through uniquely generated URIs/URLs.(Citation: iOS URL Scheme)(Citation: URI)(Citation: URI Use)(Citation: URI Unique) Finally, adversaries may take advantage of the decentralized nature of the InterPlanetary File System (IPFS) to host link targets that are difficult to remove.(Citation: Talos IPFS 2022)\", \"diff\": \"--- \\n+++ \\n@@ -6,4 +6,4 @@\\n \\n Links can be written by adversaries to mask the true destination in order to deceive victims by abusing the URL schema and increasing the effectiveness of phishing.(Citation: Kaspersky-masking)(Citation: mandiant-masking)\\n \\n-Adversaries may also use free or paid accounts on link shortening services and Platform-as-a-Service providers to host link targets while taking advantage of the widely trusted domains of those providers to avoid being blocked while redirecting victims to malicious pages.(Citation: Netskope GCP Redirection)(Citation: Netskope Cloud Phishing)(Citation: Intezer App Service Phishing)(Citation: Cofense-redirect) In addition, adversaries may serve a variety of malicious links through uniquely generated URIs/URLs.(Citation: 
iOS URL Scheme)(Citation: URI)(Citation: URI Use)(Citation: URI Unique) Finally, adversaries may take advantage of the decentralized nature of the InterPlanetary File System (IPFS) to host link targets that are difficult to remove.(Citation: Talos IPFS 2022)\\n+Adversaries may also use free or paid accounts on link shortening services and Platform-as-a-Service providers to host link targets while taking advantage of the widely trusted domains of those providers to avoid being blocked while redirecting victims to malicious pages.(Citation: Netskope GCP Redirection)(Citation: Netskope Cloud Phishing)(Citation: Intezer App Service Phishing)(Citation: Cofense-redirect) In addition, adversaries may serve a variety of malicious links through uniquely generated URIs/URLs (including one-time, single use links).(Citation: iOS URL Scheme)(Citation: URI)(Citation: URI Use)(Citation: URI Unique) Finally, adversaries may take advantage of the decentralized nature of the InterPlanetary File System (IPFS) to host link targets that are difficult to remove.(Citation: Talos IPFS 2022)\"}}}", + "previous_version": "1.4", + "description_change_table": "\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n

Old Description
New Description
t1Adversaries may put in place resources that are referenced bt1Adversaries may put in place resources that are referenced b
>y a link that can be used during targeting. An adversary may>y a link that can be used during targeting. An adversary may
> rely upon a user clicking a malicious link in order to divu> rely upon a user clicking a malicious link in order to divu
>lge information (including credentials) or to gain execution>lge information (including credentials) or to gain execution
>, as in [Malicious Link](https://attack.mitre.org/techniques>, as in [Malicious Link](https://attack.mitre.org/techniques
>/T1204/001). Links can be used for spearphishing, such as se>/T1204/001). Links can be used for spearphishing, such as se
>nding an email accompanied by social engineering text to coa>nding an email accompanied by social engineering text to coa
>x the user to actively click or copy and paste a URL into a >x the user to actively click or copy and paste a URL into a 
>browser. Prior to a phish for information (as in [Spearphish>browser. Prior to a phish for information (as in [Spearphish
>ing Link](https://attack.mitre.org/techniques/T1598/003)) or>ing Link](https://attack.mitre.org/techniques/T1598/003)) or
> a phish to gain initial access to a system (as in [Spearphi> a phish to gain initial access to a system (as in [Spearphi
>shing Link](https://attack.mitre.org/techniques/T1566/002)),>shing Link](https://attack.mitre.org/techniques/T1566/002)),
> an adversary must set up the resources for a link target fo> an adversary must set up the resources for a link target fo
>r the spearphishing link.   Typically, the resources for a l>r the spearphishing link.   Typically, the resources for a l
>ink target will be an HTML page that may include some client>ink target will be an HTML page that may include some client
>-side script such as [JavaScript](https://attack.mitre.org/t>-side script such as [JavaScript](https://attack.mitre.org/t
>echniques/T1059/007) to decide what content to serve to the >echniques/T1059/007) to decide what content to serve to the 
>user. Adversaries may clone legitimate sites to serve as the>user. Adversaries may clone legitimate sites to serve as the
> link target, this can include cloning of login pages of leg> link target, this can include cloning of login pages of leg
>itimate web services or organization login pages in an effor>itimate web services or organization login pages in an effor
>t to harvest credentials during [Spearphishing Link](https:/>t to harvest credentials during [Spearphishing Link](https:/
>/attack.mitre.org/techniques/T1598/003).(Citation: Malwareby>/attack.mitre.org/techniques/T1598/003).(Citation: Malwareby
>tes Silent Librarian October 2020)(Citation: Proofpoint TA40>tes Silent Librarian October 2020)(Citation: Proofpoint TA40
>7 September 2019) Adversaries may also [Upload Malware](http>7 September 2019) Adversaries may also [Upload Malware](http
>s://attack.mitre.org/techniques/T1608/001) and have the link>s://attack.mitre.org/techniques/T1608/001) and have the link
> target point to malware for download/execution by the user.> target point to malware for download/execution by the user.
>  Adversaries may purchase domains similar to legitimate dom>  Adversaries may purchase domains similar to legitimate dom
>ains (ex: homoglyphs, typosquatting, different top-level dom>ains (ex: homoglyphs, typosquatting, different top-level dom
>ain, etc.) during acquisition of infrastructure ([Domains](h>ain, etc.) during acquisition of infrastructure ([Domains](h
>ttps://attack.mitre.org/techniques/T1583/001)) to help facil>ttps://attack.mitre.org/techniques/T1583/001)) to help facil
>itate [Malicious Link](https://attack.mitre.org/techniques/T>itate [Malicious Link](https://attack.mitre.org/techniques/T
>1204/001).  Links can be written by adversaries to mask the >1204/001).  Links can be written by adversaries to mask the 
>true destination in order to deceive victims by abusing the >true destination in order to deceive victims by abusing the 
>URL schema and increasing the effectiveness of phishing.(Cit>URL schema and increasing the effectiveness of phishing.(Cit
>ation: Kaspersky-masking)(Citation: mandiant-masking)  Adver>ation: Kaspersky-masking)(Citation: mandiant-masking)  Adver
>saries may also use free or paid accounts on link shortening>saries may also use free or paid accounts on link shortening
> services and Platform-as-a-Service providers to host link t> services and Platform-as-a-Service providers to host link t
>argets while taking advantage of the widely trusted domains >argets while taking advantage of the widely trusted domains 
>of those providers to avoid being blocked while redirecting >of those providers to avoid being blocked while redirecting 
>victims to malicious pages.(Citation: Netskope GCP Redirecti>victims to malicious pages.(Citation: Netskope GCP Redirecti
>on)(Citation: Netskope Cloud Phishing)(Citation: Intezer App>on)(Citation: Netskope Cloud Phishing)(Citation: Intezer App
> Service Phishing)(Citation: Cofense-redirect) In addition, > Service Phishing)(Citation: Cofense-redirect) In addition, 
>adversaries may serve a variety of malicious links through u>adversaries may serve a variety of malicious links through u
>niquely generated URIs/URLs.(Citation: iOS URL Scheme)(Citat>niquely generated URIs/URLs (including one-time, single use 
>ion: URI)(Citation: URI Use)(Citation: URI Unique) Finally, >links).(Citation: iOS URL Scheme)(Citation: URI)(Citation: U
>adversaries may take advantage of the decentralized nature o>RI Use)(Citation: URI Unique) Finally, adversaries may take 
>f the InterPlanetary File System (IPFS) to host link targets>advantage of the decentralized nature of the InterPlanetary 
> that are difficult to remove.(Citation: Talos IPFS 2022)>File System (IPFS) to host link targets that are difficult t
 >o remove.(Citation: Talos IPFS 2022)
", + "changelog_mitigations": { + "shared": [ + "M1056: Pre-compromise" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0035: Internet Scan (Response Content)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--51a14c76-dd3b-440b-9c20-2bf91d25a814", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-01-30 16:18:36.873000+00:00", + "modified": "2024-04-28 15:43:30.271000+00:00", + "name": "Use Alternate Authentication Material", + "description": "Adversaries may use alternate authentication material, such as password hashes, Kerberos tickets, and application access tokens, in order to move laterally within an environment and bypass normal system access controls. \n\nAuthentication processes generally require a valid identity (e.g., username) along with one or more authentication factors (e.g., password, pin, physical smart card, token generator, etc.). Alternate authentication material is legitimately generated by systems after a user or application successfully authenticates by providing a valid identity and the required authentication factor(s). Alternate authentication material may also be generated during the identity creation process.(Citation: NIST Authentication)(Citation: NIST MFA)\n\nCaching alternate authentication material allows the system to verify an identity has successfully authenticated without asking the user to reenter authentication factor(s). Because the alternate authentication must be maintained by the system\u2014either in memory or on disk\u2014it may be at risk of being stolen through [Credential Access](https://attack.mitre.org/tactics/TA0006) techniques. 
By stealing alternate authentication material, adversaries are able to bypass system access controls and authenticate to systems without knowing the plaintext password or any additional authentication factors.\n", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "lateral-movement" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1550", + "external_id": "T1550" + }, + { + "source_name": "TechNet Audit Policy", + "description": "Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved June 3, 2016.", + "url": "https://technet.microsoft.com/en-us/library/dn487457.aspx" + }, + { + "source_name": "NIST Authentication", + "description": "NIST. (n.d.). Authentication. Retrieved January 30, 2020.", + "url": "https://csrc.nist.gov/glossary/term/authentication" + }, + { + "source_name": "NIST MFA", + "description": "NIST. (n.d.). Multi-Factor Authentication (MFA). 
Retrieved January 30, 2020.", + "url": "https://csrc.nist.gov/glossary/term/Multi_Factor-Authentication" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Blake Strom, Microsoft Threat Intelligence", + "Pawel Partyka, Microsoft Threat Intelligence" + ], + "x_mitre_data_sources": [ + "Application Log: Application Log Content", + "Logon Session: Logon Session Creation", + "Active Directory: Active Directory Credential Request", + "Web Credential: Web Credential Usage", + "User Account: User Account Authentication" + ], + "x_mitre_defense_bypassed": [ + "System Access Controls" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.(Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. 
Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows", + "Office 365", + "SaaS", + "Google Workspace", + "IaaS", + "Containers" + ], + "x_mitre_version": "1.3", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2024-04-28 15:43:30.271000+00:00\", \"old_value\": \"2024-04-12 21:18:23.798000+00:00\"}}, \"iterable_item_added\": {\"root['x_mitre_contributors'][1]\": \"Pawel Partyka, Microsoft Threat Intelligence\"}}", + "previous_version": "1.3", + "changelog_mitigations": { + "shared": [ + "M1013: Application Developer Guidance", + "M1015: Active Directory Configuration", + "M1018: User Account Management", + "M1026: Privileged Account Management", + "M1027: Password Policies", + "M1047: Audit" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0002: User Account (User Account Authentication)", + "DS0006: Web Credential (Web Credential Usage)", + "DS0015: Application Log (Application Log Content)", + "DS0026: Active Directory (Active Directory Credential Request)", + "DS0028: Logon Session (Logon Session Creation)" + ], + "new": [], + "dropped": [] + } + }, + { + "type": "attack-pattern", + "id": "attack-pattern--f005e783-57d4-4837-88ad-dbe7faee1c51", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-01-30 17:37:22.261000+00:00", + "modified": "2024-04-28 15:43:18.080000+00:00", + "name": "Application Access Token", + "description": "Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems. 
These tokens are typically stolen from users or services and used in lieu of login credentials.\n\nApplication access tokens are used to make authorized API requests on behalf of a user or service and are commonly used to access resources in cloud, container-based applications, and software-as-a-service (SaaS).(Citation: Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019) \n\nOAuth is one commonly implemented framework that issues tokens to users for access to systems. These frameworks are used collaboratively to verify the user and determine what actions the user is allowed to perform. Once identity is established, the token allows actions to be authorized, without passing the actual credentials of the user. Therefore, compromise of the token can grant the adversary access to resources of other sites through a malicious application.(Citation: okta)\n\nFor example, with a cloud-based email service, once an OAuth access token is granted to a malicious application, it can potentially gain long-term access to features of the user account if a \"refresh\" token enabling background access is awarded.(Citation: Microsoft Identity Platform Access 2019) With an OAuth access token an adversary can use the user-granted REST API to perform functions such as email searching and contact enumeration.(Citation: Staaldraad Phishing with OAuth 2017)\n\nCompromised access tokens may be used as an initial step in compromising other services. For example, if a token grants access to a victim\u2019s primary email, the adversary may be able to extend access to all other services which the target subscribes by triggering forgotten password routines. 
In AWS and GCP environments, adversaries can trigger a request for a short-lived access token with the privileges of another user account.(Citation: Google Cloud Service Account Credentials)(Citation: AWS Temporary Security Credentials) The adversary can then use this token to request data or perform actions the original account could not. If permissions for this feature are misconfigured \u2013 for example, by allowing all users to request a token for a particular account - an adversary may be able to gain initial access to a Cloud Account or escalate their privileges.(Citation: Rhino Security Labs Enumerating AWS Roles)\n\nDirect API access through a token negates the effectiveness of a second authentication factor and may be immune to intuitive countermeasures like changing passwords. For example, in AWS environments, an adversary who compromises a user\u2019s AWS API credentials may be able to use the `sts:GetFederationToken` API call to create a federated user session, which will have the same permissions as the original user but may persist even if the original user credentials are deactivated.(Citation: Crowdstrike AWS User Federation Persistence) Additionally, access abuse over an API channel can be difficult to detect even from the service provider end, as the access can still align well with a legitimate workflow.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "lateral-movement" + } + ], + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1550/001", + "external_id": "T1550.001" + }, + { + "source_name": "Crowdstrike AWS User Federation Persistence", + "description": " Vaishnav Murthy and Joel Eng. (2023, January 30). How Adversaries Can Persist with AWS User Federation. 
Retrieved March 10, 2023.", + "url": "https://www.crowdstrike.com/blog/how-adversaries-persist-with-aws-user-federation/" + }, + { + "source_name": "Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019", + "description": "Auth0. (n.d.). Why You Should Always Use Access Tokens to Secure APIs. Retrieved September 12, 2019.", + "url": "https://auth0.com/blog/why-should-use-accesstokens-to-secure-an-api/" + }, + { + "source_name": "AWS Logging IAM Calls", + "description": "AWS. (n.d.). Logging IAM and AWS STS API calls with AWS CloudTrail. Retrieved April 1, 2022.", + "url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html" + }, + { + "source_name": "AWS Temporary Security Credentials", + "description": "AWS. (n.d.). Requesting temporary security credentials. Retrieved April 1, 2022.", + "url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html" + }, + { + "source_name": "Microsoft Identity Platform Access 2019", + "description": "Cai, S., Flores, J., de Guzman, C., et. al.. (2019, August 27). Microsoft identity platform access tokens. Retrieved October 4, 2019.", + "url": "https://docs.microsoft.com/en-us/azure/active-directory/develop/access-tokens" + }, + { + "source_name": "Google Cloud Service Account Credentials", + "description": "Google Cloud. (2022, March 31). Creating short-lived service account credentials. Retrieved April 1, 2022.", + "url": "https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials" + }, + { + "source_name": "GCP Monitoring Service Account Usage", + "description": "Google Cloud. (2022, March 31). Monitor usage patterns for service accounts and keys . Retrieved April 1, 2022.", + "url": "https://cloud.google.com/iam/docs/service-account-monitoring" + }, + { + "source_name": "okta", + "description": "okta. (n.d.). What Happens If Your JWT Is Stolen?. 
Retrieved September 12, 2019.", + "url": "https://developer.okta.com/blog/2018/06/20/what-happens-if-your-jwt-is-stolen" + }, + { + "source_name": "Rhino Security Labs Enumerating AWS Roles", + "description": "Spencer Gietzen. (2018, August 8). Assume the Worst: Enumerating AWS Roles through \u2018AssumeRole\u2019. Retrieved April 1, 2022.", + "url": "https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration" + }, + { + "source_name": "Staaldraad Phishing with OAuth 2017", + "description": "Stalmans, E.. (2017, August 2). Phishing with OAuth and o365/Azure. Retrieved October 4, 2019.", + "url": "https://staaldraad.github.io/2017/08/02/o356-phishing-with-oauth/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Shailesh Tiwary (Indian Army)", + "Saisha Agrawal, Microsoft Threat Intelligent Center (MSTIC)", + "Jeff Sakowicz, Microsoft Identity Developer Platform Services (IDPM Services)", + "Mark Wee", + "Ian Davila, Tidal Cyber", + "Dylan Silva, AWS Security", + "Jack Burns, HubSpot", + "Blake Strom, Microsoft Threat Intelligence", + "Pawel Partyka, Microsoft Threat Intelligence" + ], + "x_mitre_data_sources": [ + "Web Credential: Web Credential Usage" + ], + "x_mitre_defense_bypassed": [ + "System Access Controls" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Monitor access token activity for abnormal use and permissions granted to unusual or suspicious applications and APIs. 
Additionally, administrators should review logs for calls to the AWS Security Token Service (STS) and usage of GCP service accounts in order to identify anomalous actions.(Citation: AWS Logging IAM Calls)(Citation: GCP Monitoring Service Account Usage)", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Office 365", + "SaaS", + "Google Workspace", + "Containers", + "IaaS", + "Azure AD" + ], + "x_mitre_version": "1.6", + "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2024-04-28 15:43:18.080000+00:00\", \"old_value\": \"2024-04-12 21:18:28.848000+00:00\"}}, \"iterable_item_added\": {\"root['x_mitre_contributors'][8]\": \"Pawel Partyka, Microsoft Threat Intelligence\"}}", + "previous_version": "1.6", + "changelog_mitigations": { + "shared": [ + "M1013: Application Developer Guidance", + "M1021: Restrict Web-Based Content", + "M1041: Encrypt Sensitive Information", + "M1047: Audit" + ], + "new": [], + "dropped": [] + }, + "changelog_detections": { + "shared": [ + "DS0006: Web Credential (Web Credential Usage)" + ], + "new": [], + "dropped": [] + } + } + ], + "revocations": [], + "deprecations": [], + "deletions": [] + }, + "software": { + "additions": [], + "major_version_changes": [], + "minor_version_changes": [], + "other_version_changes": [], + "patches": [ + { + "type": "malware", + "id": "malware--b2c5d3ca-b43a-4888-ad8d-e2d43497bf85", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31 21:32:16.715000+00:00", + "modified": "2024-04-24 19:08:50.637000+00:00", + "name": "P2P ZeuS", + "description": "[P2P ZeuS](https://attack.mitre.org/software/S0016) is a closed-source fork of the leaked version of the ZeuS botnet. It presents improvements over the leaked version, including a peer-to-peer architecture. 
(Citation: Dell P2P ZeuS)", + "revoked": false, + "labels": [ + "malware" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0016", + "external_id": "S0016" + }, + { + "source_name": "Dell P2P ZeuS", + "description": "SecureWorks. (2012). The Lifecycle of Peer-to-Peer (Gameover) ZeuS. Retrieved August 19, 2015.", + "url": "https://www.secureworks.com/research/The-Lifecycle-of-Peer-to-Peer-Gameover-ZeuS" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_aliases": [ + "P2P ZeuS", + "Peer-to-Peer ZeuS", + "Gameover ZeuS" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2024-04-24 19:08:50.637000+00:00\", \"old_value\": \"2020-03-30 17:14:31.945000+00:00\"}, \"root['external_references'][1]['description']\": {\"new_value\": \"SecureWorks. (2012). The Lifecycle of Peer-to-Peer (Gameover) ZeuS. Retrieved August 19, 2015.\", \"old_value\": \"SecureWorks. (2013). The Lifecycle of Peer-to-Peer (Gameover) ZeuS. 
Retrieved August 19, 2015.\"}, \"root['external_references'][1]['url']\": {\"new_value\": \"https://www.secureworks.com/research/The-Lifecycle-of-Peer-to-Peer-Gameover-ZeuS\", \"old_value\": \"http://www.secureworks.com/cyber-threat-intelligence/threats/The_Lifecycle_of_Peer_to_Peer_Gameover_ZeuS/\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"2.1.0\"}}}", + "previous_version": "1.1" + } + ], + "revocations": [], + "deprecations": [], + "deletions": [] + }, + "groups": { + "additions": [], + "major_version_changes": [], + "minor_version_changes": [], + "other_version_changes": [], + "patches": [], + "revocations": [], + "deprecations": [], + "deletions": [] + }, + "campaigns": { + "additions": [], + "major_version_changes": [], + "minor_version_changes": [], + "other_version_changes": [], + "patches": [], + "revocations": [], + "deprecations": [], + "deletions": [] + }, + "assets": { + "additions": [], + "major_version_changes": [], + "minor_version_changes": [], + "other_version_changes": [], + "patches": [], + "revocations": [], + "deprecations": [], + "deletions": [] + }, + "mitigations": { + "additions": [], + "major_version_changes": [], + "minor_version_changes": [], + "other_version_changes": [], + "patches": [], + "revocations": [], + "deprecations": [], + "deletions": [] + }, + "datasources": { + "additions": [], + "major_version_changes": [], + "minor_version_changes": [], + "other_version_changes": [], + "patches": [], + "revocations": [], + "deprecations": [], + "deletions": [] + }, + "datacomponents": { + "additions": [], + "major_version_changes": [], + "minor_version_changes": [], + "other_version_changes": [], + "patches": [], + "revocations": [], + "deprecations": [], + "deletions": [] + } + }, + "mobile-attack": { + "techniques": { + "additions": [], + "major_version_changes": [], + "minor_version_changes": [], + "other_version_changes": [], + "patches": [], + "revocations": [], + "deprecations": [], + 
"deletions": [] + }, + "software": { + "additions": [], + "major_version_changes": [], + "minor_version_changes": [], + "other_version_changes": [], + "patches": [], + "revocations": [], + "deprecations": [], + "deletions": [] + }, + "groups": { + "additions": [], + "major_version_changes": [], + "minor_version_changes": [], + "other_version_changes": [], + "patches": [], + "revocations": [], + "deprecations": [], + "deletions": [] + }, + "campaigns": { + "additions": [], + "major_version_changes": [], + "minor_version_changes": [], + "other_version_changes": [], + "patches": [], + "revocations": [], + "deprecations": [], + "deletions": [] + }, + "assets": { + "additions": [], + "major_version_changes": [], + "minor_version_changes": [], + "other_version_changes": [], + "patches": [], + "revocations": [], + "deprecations": [], + "deletions": [] + }, + "mitigations": { + "additions": [], + "major_version_changes": [], + "minor_version_changes": [], + "other_version_changes": [], + "patches": [], + "revocations": [], + "deprecations": [], + "deletions": [] + }, + "datasources": { + "additions": [], + "major_version_changes": [], + "minor_version_changes": [], + "other_version_changes": [], + "patches": [], + "revocations": [], + "deprecations": [], + "deletions": [] + }, + "datacomponents": { + "additions": [], + "major_version_changes": [], + "minor_version_changes": [], + "other_version_changes": [], + "patches": [], + "revocations": [], + "deprecations": [], + "deletions": [] + } + }, + "ics-attack": { + "techniques": { + "additions": [], + "major_version_changes": [], + "minor_version_changes": [], + "other_version_changes": [], + "patches": [], + "revocations": [], + "deprecations": [], + "deletions": [] + }, + "software": { + "additions": [], + "major_version_changes": [], + "minor_version_changes": [], + "other_version_changes": [], + "patches": [], + "revocations": [], + "deprecations": [], + "deletions": [] + }, + "groups": { + "additions": [], + 
"major_version_changes": [], + "minor_version_changes": [], + "other_version_changes": [], + "patches": [], + "revocations": [], + "deprecations": [], + "deletions": [] + }, + "campaigns": { + "additions": [], + "major_version_changes": [], + "minor_version_changes": [], + "other_version_changes": [], + "patches": [], + "revocations": [], + "deprecations": [], + "deletions": [] + }, + "assets": { + "additions": [], + "major_version_changes": [], + "minor_version_changes": [], + "other_version_changes": [], + "patches": [], + "revocations": [], + "deprecations": [], + "deletions": [] + }, + "mitigations": { + "additions": [], + "major_version_changes": [], + "minor_version_changes": [], + "other_version_changes": [], + "patches": [], + "revocations": [], + "deprecations": [], + "deletions": [] + }, + "datasources": { + "additions": [], + "major_version_changes": [], + "minor_version_changes": [], + "other_version_changes": [], + "patches": [], + "revocations": [], + "deprecations": [], + "deletions": [] + }, + "datacomponents": { + "additions": [], + "major_version_changes": [], + "minor_version_changes": [], + "other_version_changes": [], + "patches": [], + "revocations": [], + "deprecations": [], + "deletions": [] + } + }, + "new-contributors": [ + "@_montysecurity", + "Ami Holeston, CrowdStrike", + "Ivy Drexel", + "Pawel Partyka, Microsoft Threat Intelligence", + "Rodchenko Aleksandr", + "Will Alexander, CrowdStrike" + ] +} \ No newline at end of file diff --git a/modules/resources/docs/changelogs/v15.0-v15.1/layer-enterprise.json b/modules/resources/docs/changelogs/v15.0-v15.1/layer-enterprise.json new file mode 100644 index 00000000000..dbd168bb6df --- /dev/null +++ b/modules/resources/docs/changelogs/v15.0-v15.1/layer-enterprise.json 
@@ -0,0 +1,160 @@ +{ + "versions": { + "layer": "4.5", + "navigator": "5.0.0", + "attack": "15.1" + }, + "name": "May 2024 Enterprise Updates", + "description": "Enterprise updates for the May 2024 release of ATT&CK", + "domain": "enterprise-attack", + "techniques": [ + { + "techniqueID": "T1574.014", + "tactic": "persistence", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1574.014", + "tactic": "privilege-escalation", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1574.014", + "tactic": "defense-evasion", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1550.001", + "tactic": "defense-evasion", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1550.001", + "tactic": "lateral-movement", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1059.010", + "tactic": "execution", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1574.001", + "tactic": "persistence", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1574.001", + "tactic": "privilege-escalation", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1574.001", + "tactic": "defense-evasion", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1583.001", + "tactic": "resource-development", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1546.016", + "tactic": "privilege-escalation", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1546.016", + "tactic": "persistence", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1608.005", + "tactic": "resource-development", + "enabled": true, + "color": "#B99095", + "comment": 
"patche" + }, + { + "techniqueID": "T1550", + "tactic": "defense-evasion", + "enabled": true, + "color": "#B99095", + "comment": "patche" + }, + { + "techniqueID": "T1550", + "tactic": "lateral-movement", + "enabled": true, + "color": "#B99095", + "comment": "patche" + } + ], + "sorting": 0, + "hideDisabled": false, + "legendItems": [ + { + "color": "#a1d99b", + "label": "additions: ATT&CK objects which are only present in the new release." + }, + { + "color": "#fcf3a2", + "label": "major_version_changes: ATT&CK objects that have a major version change. (e.g. 1.0 \u2192 2.0)" + }, + { + "color": "#c7c4e0", + "label": "minor_version_changes: ATT&CK objects that have a minor version change. (e.g. 1.0 \u2192 1.1)" + }, + { + "color": "#B5E5CF", + "label": "other_version_changes: ATT&CK objects that have a version change of any other kind. (e.g. 1.0 \u2192 1.2)" + }, + { + "color": "#B99095", + "label": "patches: ATT&CK objects that have been patched while keeping the version the same. (e.g., 1.0 \u2192 1.0 but something like a typo, a URL, or some metadata was fixed)" + }, + { + "color": "#ff9000", + "label": "revocations: ATT&CK objects which are revoked by a different object." + }, + { + "color": "#ff6363", + "label": "deprecations: ATT&CK objects which are deprecated and no longer in use, and not replaced." + }, + { + "color": "#ff00e1", + "label": "deletions: ATT&CK objects which are no longer found in the STIX data." + }, + { + "color": "#ffffff", + "label": "unchanged: ATT&CK objects which did not change between the two versions." + } + ], + "showTacticRowBackground": true, + "tacticRowBackground": "#205b8f", + "selectTechniquesAcrossTactics": true +} \ No newline at end of file diff --git a/modules/resources/docs/changelogs/v15.0-v15.1/layer-ics.json b/modules/resources/docs/changelogs/v15.0-v15.1/layer-ics.json new file mode 100644 index 00000000000..56ded21da7a --- /dev/null +++ b/modules/resources/docs/changelogs/v15.0-v15.1/layer-ics.json 
@@ -0,0 +1,54 @@ +{ + "versions": { + "layer": "4.5", + "navigator": "5.0.0", + "attack": "15.1" + }, + "name": "May 2024 ICS Updates", + "description": "ICS updates for the May 2024 release of ATT&CK", + "domain": "ics-attack", + "techniques": [], + "sorting": 0, + "hideDisabled": false, + "legendItems": [ + { + "color": "#a1d99b", + "label": "additions: ATT&CK objects which are only present in the new release." + }, + { + "color": "#fcf3a2", + "label": "major_version_changes: ATT&CK objects that have a major version change. (e.g. 1.0 \u2192 2.0)" + }, + { + "color": "#c7c4e0", + "label": "minor_version_changes: ATT&CK objects that have a minor version change. (e.g. 1.0 \u2192 1.1)" + }, + { + "color": "#B5E5CF", + "label": "other_version_changes: ATT&CK objects that have a version change of any other kind. (e.g. 1.0 \u2192 1.2)" + }, + { + "color": "#B99095", + "label": "patches: ATT&CK objects that have been patched while keeping the version the same. (e.g., 1.0 \u2192 1.0 but something like a typo, a URL, or some metadata was fixed)" + }, + { + "color": "#ff9000", + "label": "revocations: ATT&CK objects which are revoked by a different object." + }, + { + "color": "#ff6363", + "label": "deprecations: ATT&CK objects which are deprecated and no longer in use, and not replaced." + }, + { + "color": "#ff00e1", + "label": "deletions: ATT&CK objects which are no longer found in the STIX data." + }, + { + "color": "#ffffff", + "label": "unchanged: ATT&CK objects which did not change between the two versions." + } + ], + "showTacticRowBackground": true, + "tacticRowBackground": "#205b8f", + "selectTechniquesAcrossTactics": true +} \ No newline at end of file diff --git a/modules/resources/docs/changelogs/v15.0-v15.1/layer-mobile.json b/modules/resources/docs/changelogs/v15.0-v15.1/layer-mobile.json new file mode 100644 index 00000000000..48e505ad01f --- /dev/null +++ b/modules/resources/docs/changelogs/v15.0-v15.1/layer-mobile.json 
@@ -0,0 +1,54 @@ +{ + "versions": { + "layer": "4.5", + "navigator": "5.0.0", + "attack": "15.1" + }, + "name": "May 2024 Mobile Updates", + "description": "Mobile updates for the May 2024 release of ATT&CK", + "domain": "mobile-attack", + "techniques": [], + "sorting": 0, + "hideDisabled": false, + "legendItems": [ + { + "color": "#a1d99b", + "label": "additions: ATT&CK objects which are only present in the new release." + }, + { + "color": "#fcf3a2", + "label": "major_version_changes: ATT&CK objects that have a major version change. (e.g. 1.0 \u2192 2.0)" + }, + { + "color": "#c7c4e0", + "label": "minor_version_changes: ATT&CK objects that have a minor version change. (e.g. 1.0 \u2192 1.1)" + }, + { + "color": "#B5E5CF", + "label": "other_version_changes: ATT&CK objects that have a version change of any other kind. (e.g. 1.0 \u2192 1.2)" + }, + { + "color": "#B99095", + "label": "patches: ATT&CK objects that have been patched while keeping the version the same. (e.g., 1.0 \u2192 1.0 but something like a typo, a URL, or some metadata was fixed)" + }, + { + "color": "#ff9000", + "label": "revocations: ATT&CK objects which are revoked by a different object." + }, + { + "color": "#ff6363", + "label": "deprecations: ATT&CK objects which are deprecated and no longer in use, and not replaced." + }, + { + "color": "#ff00e1", + "label": "deletions: ATT&CK objects which are no longer found in the STIX data." + }, + { + "color": "#ffffff", + "label": "unchanged: ATT&CK objects which did not change between the two versions." + } + ], + "showTacticRowBackground": true, + "tacticRowBackground": "#205b8f", + "selectTechniquesAcrossTactics": true +} \ No newline at end of file diff --git a/modules/resources/static_pages/updates-april-2024.md b/modules/resources/static_pages/updates-april-2024.md index 24222731501..29a3f722027 100644 --- a/modules/resources/static_pages/updates-april-2024.md +++ b/modules/resources/static_pages/updates-april-2024.md 
@@ -8,7 +8,7 @@ save_as: resources/updates/updates-april-2024/index.html | Version | Start Date | End Date | Data | Changelogs | |:--------|:-----------|:---------|:-----|:-----------| -| [ATT&CK v15](/versions/v15) | April 23, 2024 | Current version of ATT&CK | [v15.0 on MITRE/CTI](https://github.com/mitre/cti/releases/tag/ATT%26CK-v15.0) | v14.1 - v15.0 [Details](/docs/changelogs/v14.1-v15.0/changelog-detailed.html) ([JSON](/docs/changelogs/v14.1-v15.0/changelog.json)) | +| [ATT&CK v15](/versions/v15) | April 23, 2024 | Current version of ATT&CK | [v15.0 on MITRE/CTI](https://github.com/mitre/cti/releases/tag/ATT%26CK-v15.0)
[v15.1 on MITRE/CTI](https://github.com/mitre/cti/releases/tag/ATT%26CK-v15.1) | v14.1 - v15.0 [Details](/docs/changelogs/v14.1-v15.0/changelog-detailed.html) ([JSON](/docs/changelogs/v14.1-v15.0/changelog.json))
v15.0 - v15.1 [Details](/docs/changelogs/v15.0-v15.1/changelog-detailed.html) ([JSON](/docs/changelogs/v15.0-v15.1/changelog.json)) | The April 2024 (v15) ATT&CK release updates Techniques, Groups, Campaigns and Software for Enterprise, Mobile, and ICS. diff --git a/pyproject.toml b/pyproject.toml index bd6f48b2f82..4c32bdcc4d5 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -6,7 +6,7 @@ profile = "black" [tool.towncrier] name = "ATT&CK website" - version = "4.1.2" + version = "4.1.3" filename = "CHANGELOG.md" issue_format = "[#{issue}](https://github.com/mitre-attack/attack-website/issues/{issue})" template = ".towncrier.template.md" diff --git a/requirements.txt b/requirements.txt index 532d427e01e..555f27c8564 100644 --- a/requirements.txt +++ b/requirements.txt @@ -4,7 +4,7 @@ bleach==6.0.0 colorama==0.4.6 future==0.18.3 loguru==0.6.0 -mitreattack-python==3.0.4 +mitreattack-python==3.0.6 pelican==4.8.0 pyScss==1.4.0 python-dotenv==1.0.0