From 2e8c2f40d6f8b01eea383268f7e62ed8049cc5ba Mon Sep 17 00:00:00 2001
From: Baptistin Boilot
Date: Wed, 26 Jan 2022 00:11:01 +0100
Subject: [PATCH] linter: update linter-data.json with mitre att&ck references only

---
 scripts/linter-data.json | 729 ---------------------------------------
 1 file changed, 729 deletions(-)

diff --git a/scripts/linter-data.json b/scripts/linter-data.json
index 5a06e519..b2b6e797 100644
--- a/scripts/linter-data.json
+++ b/scripts/linter-data.json
@@ -759,734 +759,5 @@ "T1529": "System Shutdown/Reboot", "T1565.002": "Data Manipulation::Transmitted Data Manipulation" } - }, - "mbc": { - "Anti-Behavioral Analysis": { - "B0007.009": "Sandbox Detection::Timing/Uptime Check", - "B0001.001": "Debugger Detection::API Hook Detection", - "B0007.005": "Sandbox Detection::Product Key/ID Testing", - "B0002.005": "Debugger Evasion::Code Integrity Check", - "B0001.035": "Debugger Detection::Process Environment Block BeingDebugged", - "B0007.004": "Sandbox Detection::Injected DLL Testing", - "B0005.003": "Emulator Evasion::Unusual/Undocumented API Calls", - "B0001.024": "Debugger Detection::SetHandleInformation", - "B0009.016": "Virtual Machine Detection::Modern Specs Check - USB drive", - "B0009.028": "Virtual Machine Detection::Unique Hardware/Firmware Check - MAC Address", - "F0003.003": "Hooking::Hook procedures", - "B0009.014": "Virtual Machine Detection::Modern Specs Check - Total physical memory", - "B0002.010": "Debugger Evasion::Import Obfuscation", - "F0001.010": "Software Packing::VMProtect", - "E1480.m07": "Execution Guardrails::Runs as Service", - "B0001.003": "Debugger Detection::CloseHandle", - "B0009.025": "Virtual Machine Detection::Unique Hardware/Firmware Check - I/O Communication Port", - "B0004": "Emulator Detection", - "B0009.006": "Virtual Machine Detection::Check Running Services", - "B0002.013": "Debugger Evasion::Malloc Use", - "B0009.015": "Virtual Machine Detection::Modern Specs Check - Drive size", - "B0001.017": "Debugger Detection::Page Exception Breakpoint Detection", - "B0009.004": "Virtual Machine Detection::Check Processes", - "B0001.012": "Debugger Detection::NtQueryInformationProcess", - "B0002.029": "Debugger Evasion::Thread Timeout", - "B0036.001": "Capture Evasion::Memory-only Payload", - "B0036": "Capture Evasion", - "B0005.004": "Emulator Evasion::Extra Loops/Time Locks", - "B0009.009": "Virtual Machine Detection::Check Windows", - "B0007": "Sandbox Detection", - "B0009.037": 
"Virtual Machine Detection::Instruction Testing - VMCPUID", - "B0006.009": "Memory Dump Evasion::Flow Opcode Obstruction", - "B0002.001": "Debugger Evasion::Block Interrupts", - "B0006.002": "Memory Dump Evasion::Erase the PE header", - "B0009.034": "Virtual Machine Detection::Instruction Testing - CPUID", - "B0003": "Dynamic Analysis Evasion", - "E1480.m06": "Execution Guardrails::Token Check", - "B0007.001": "Sandbox Detection::Check Clipboard Data", - "B0001.037": "Debugger Detection::Process Environment Block IsDebugged", - "B0006.001": "Memory Dump Evasion::Code Encryption in Memory", - "E1480.m05": "Execution Guardrails::Secure Triggers", - "F0001.011": "Software Packing::Themida", - "B0001.019": "Debugger Detection::Process Environment Block", - "B0002.025": "Debugger Evasion::Self-Unmapping", - "B0002.018": "Debugger Evasion::Pipeline Misdirection", - "B0002.030": "Debugger Evasion::Use Interrupts", - "B0002.023": "Debugger Evasion::Section Misalignment", - "F0001.002": "Software Packing::Standard Compression", - "B0005.001": "Emulator Evasion::Different Opcode Sets", - "B0009.003": "Virtual Machine Detection::Check Named System Objects", - "B0009.002": "Virtual Machine Detection::Check Memory Artifacts", - "B0003.003": "Dynamic Analysis Evasion::Delayed Execution", - "B0003.010": "Dynamic Analysis Evasion::Restart", - "B0002.002": "Debugger Evasion::Break Point Clearing", - "B0008": "Executable Code Virtualization", - "B0001.027": "Debugger Detection::TIB Aware", - "F0001.007": "Software Packing::Custom Compression of Data", - "B0001.004": "Debugger Detection::Debugger Artifacts", - "B0009.031": "Virtual Machine Detection::Instruction Testing - SGDT/SLDT (no pill)", - "B0036.002": "Capture Evasion::Encrypted Payloads", - "E1480.m03": "Execution Guardrails::GetVolumeInformation", - "B0001.028": "Debugger Detection::Timing/Delay Check", - "F0001.004": "Software Packing::Standard Compression of Data", - "B0001.005": "Debugger Detection::Hardware Breakpoints", 
- "F0001.003": "Software Packing::Standard Compression of Code", - "B0002.007": "Debugger Evasion::Get Base Indirectly", - "B0009": "Virtual Machine Detection", - "B0005": "Emulator Evasion", - "B0003.002": "Dynamic Analysis Evasion::Data Flood", - "B0001.023": "Debugger Detection::SeDebugPrivilege", - "B0002.016": "Debugger Evasion::Obfuscate Library Use", - "B0007.006": "Sandbox Detection::Screen Resolution Testing", - "F0003.005": "Hooking::Inline Hooking", - "B0009.036": "Virtual Machine Detection::Instruction Testing - RDTSC", - "B0006.004": "Memory Dump Evasion::SizeOfImage", - "B0003.005": "Dynamic Analysis Evasion::Drop Code", - "B0006.008": "Memory Dump Evasion::Feed Misinformation", - "B0009.010": "Virtual Machine Detection::Guest Process Testing", - "B0002.020": "Debugger Evasion::Relocate API Code", - "B0006": "Memory Dump Evasion", - "B0001.016": "Debugger Detection::OutputDebugString", - "B0002.011": "Debugger Evasion::Inlining", - "B0009.012": "Virtual Machine Detection::Human User Check", - "B0002.012": "Debugger Evasion::Loop Escapes", - "F0001.013": "Software Packing::ASPack", - "B0009.013": "Virtual Machine Detection::Modern Specs Check", - "F0001.008": "Software Packing::UPX", - "B0001.029": "Debugger Detection::TLS Callbacks", - "F0001.012": "Software Packing::Armadillo", - "F0003.001": "Hooking::Patch MmGetPhysicalMemoryRanges", - "B0001.014": "Debugger Detection::NtSetInformationThread", - "B0001.025": "Debugger Detection::Software Breakpoints", - "B0003.009": "Dynamic Analysis Evasion::Illusion", - "B0008.001": "Executable Code Virtualization::Multiple VMs", - "B0001.011": "Debugger Detection::Monitoring Thread", - "B0002.022": "Debugger Evasion::RtlAdjustPrivilege", - "B0001.013": "Debugger Detection::NtQueryObject", - "B0009.018": "Virtual Machine Detection::Modern Specs Check - Processor count", - "E1480": "Execution Guardrails", - "B0001": "Debugger Detection", - "B0002.015": "Debugger Evasion::Nanomites", - "B0002.024": "Debugger 
Evasion::Self-Debugging", - "B0004.002": "Emulator Detection::Check for WINE Version", - "B0001.015": "Debugger Detection::NtYieldExecution/SwitchToThread", - "B0009.005": "Virtual Machine Detection::Check Registry Keys", - "B0001.006": "Debugger Detection::Interrupt 0x2d", - "B0009.011": "Virtual Machine Detection::HTML5 Performance Object Check", - "B0001.018": "Debugger Detection::Parent Process", - "B0009.008": "Virtual Machine Detection::Check Virtual Devices", - "B0009.022": "Virtual Machine Detection::Check Windows - Title bars", - "B0009.023": "Virtual Machine Detection::Unique Hardware/Firmware Check", - "B0004.001": "Emulator Detection::Check for Emulator-related Files", - "B0001.036": "Debugger Detection::Process Environment Block NtGlobalFlag", - "B0009.026": "Virtual Machine Detection::Unique Hardware/Firmware Check - CPU Name", - "B0007.002": "Sandbox Detection::Check Files", - "F0001.006": "Software Packing::Custom Compression of Code", - "B0003.007": "Dynamic Analysis Evasion::Hook File System", - "B0009.032": "Virtual Machine Detection::Instruction Testing - SMSW", - "F0003.002": "Hooking::Hook memory mapping APIs", - "B0009.007": "Virtual Machine Detection::Check Software", - "B0001.026": "Debugger Detection::Stack Canary", - "B0009.020": "Virtual Machine Detection::Check Windows - Window size", - "E1480.m04": "Execution Guardrails::Host Fingerprint Check", - "B0006.005": "Memory Dump Evasion::Tampering", - "B0001.034": "Debugger Detection::Anti-debugging Instructions", - "B0007.008": "Sandbox Detection::Timing/Date Check", - "B0001.030": "Debugger Detection::UnhandledExceptionFilter", - "B0002.026": "Debugger Evasion::Static Linking", - "B0001.002": "Debugger Detection::CheckRemoteDebuggerPresent", - "B0002.004": "Debugger Evasion::Change SizeOfImage", - "B0009.017": "Virtual Machine Detection::Modern Specs Check - Printer", - "B0002.006": "Debugger Evasion::Exception Misdirection", - "B0009.021": "Virtual Machine Detection::Check Windows - 
Unique windows", - "B0003.008": "Dynamic Analysis Evasion::Hook Interrupt", - "F0001.001": "Software Packing::Nested Packing", - "B0001.007": "Debugger Detection::Interrupt 1", - "B0001.032": "Debugger Detection::Timing/Delay Check GetTickCount", - "B0001.031": "Debugger Detection::WudfIsAnyDebuggerPresent", - "B0009.038": "Virtual Machine Detection::Instruction Testing - VPCEXT", - "B0002": "Debugger Evasion", - "B0009.024": "Virtual Machine Detection::Unique Hardware/Firmware Check - BIOS", - "B0003.006": "Dynamic Analysis Evasion::Encode File", - "B0006.007": "Memory Dump Evasion::On-the-Fly APIs", - "B0009.019": "Virtual Machine Detection::Modern Specs Check - Keyboard layout", - "B0009.033": "Virtual Machine Detection::Instruction Testing - STR", - "E1480.m01": "Execution Guardrails::Deposited Keys", - "F0003": "Hooking", - "E1480.m02": "Execution Guardrails::Environmental Keys", - "B0009.001": "Virtual Machine Detection::Check File and Directory Artifacts", - "F0003.004": "Hooking::Import Address Hooking (IAT) Hooking", - "B0002.014": "Debugger Evasion::Modify PE Header", - "B0003.001": "Dynamic Analysis Evasion::Alternative ntdll.dll", - "B0002.003": "Debugger Evasion::Byte Stealing", - "B0009.035": "Virtual Machine Detection::Instruction Testing - IN", - "B0009.030": "Virtual Machine Detection::Instruction Testing - SIDT (red pill)", - "B0001.021": "Debugger Detection::ProcessHeap", - "B0007.007": "Sandbox Detection::Self Check", - "B0002.027": "Debugger Evasion::Stolen API Code", - "B0004.003": "Emulator Detection::Check Emulator-related Registry Keys", - "B0009.029": "Virtual Machine Detection::Instruction Testing", - "B0002.017": "Debugger Evasion::Parallel Threads", - "B0005.002": "Emulator Evasion::Undocumented Opcodes", - "F0001.005": "Software Packing::Custom Compression", - "B0002.021": "Debugger Evasion::Return Obfuscation", - "B0009.027": "Virtual Machine Detection::Unique Hardware/Firmware Check - CPU Location", - "B0006.003": "Memory Dump 
Evasion::Hide virtual memory", - "B0001.009": "Debugger Detection::Memory Breakpoints", - "B0001.010": "Debugger Detection::Memory Write Watching", - "B0036.003": "Capture Evasion::Multiple Stages of Loaders", - "B0003.004": "Dynamic Analysis Evasion::Demo Mode", - "B0004.004": "Emulator Detection::Failed Network Connections", - "B0001.008": "Debugger Detection::IsDebuggerPresent", - "B0001.033": "Debugger Detection::Timing/Delay Check QueryPerformanceCounter", - "F0001.009": "Software Packing::Confuser", - "B0002.019": "Debugger Evasion::Pre-Debug", - "F0001": "Software Packing", - "B0001.020": "Debugger Detection::Process Jobs" - }, - "Anti-Static Analysis": { - "B0032.004": "Executable Code Obfuscation::Fake Code Insertion", - "B0032.009": "Executable Code Obfuscation::Entry Point Obfuscation", - "B0032.014": "Executable Code Obfuscation::Interleaving Code", - "F0001.010": "Software Packing::VMProtect", - "B0032.001": "Executable Code Obfuscation::API Hashing", - "B0032.017": "Executable Code Obfuscation::Stack Strings", - "B0032.006": "Executable Code Obfuscation::Thunk Code Insertion", - "B0032.002": "Executable Code Obfuscation::Code Insertion", - "B0034.002": "Executable Code Optimization::Minification", - "F0001.011": "Software Packing::Themida", - "B0032.010": "Executable Code Obfuscation::Guard Pages", - "B0032.013": "Executable Code Obfuscation::Instruction Overlap", - "B0032.015": "Executable Code Obfuscation::Merged Code Sections", - "F0001.002": "Software Packing::Standard Compression", - "B0032.003": "Executable Code Obfuscation::Dead Code Insertion", - "B0008": "Executable Code Virtualization", - "F0001.007": "Software Packing::Custom Compression of Data", - "B0012": "Disassembler Evasion", - "B0010.002": "Call Graph Generation Evasion::Invoke NTDLL System Calls via Encoded Table", - "B0012.002": "Disassembler Evasion::Conditional Misdirection", - "F0001.004": "Software Packing::Standard Compression of Data", - "F0001.003": "Software 
Packing::Standard Compression of Code", - "B0032.007": "Executable Code Obfuscation::Junk Code Insertion", - "B0032.008": "Executable Code Obfuscation::Data Value Obfuscation", - "B0012.003": "Disassembler Evasion::Value Dependent Jumps", - "B0012.005": "Disassembler Evasion::VBA Stomping", - "B0012.001": "Disassembler Evasion::Argument Obfuscation", - "E1027.m08": "Obfuscated Files or Information::Encryption-Custom Algorithm", - "F0001.013": "Software Packing::ASPack", - "F0001.008": "Software Packing::UPX", - "F0001.012": "Software Packing::Armadillo", - "B0008.001": "Executable Code Virtualization::Multiple VMs", - "B0032": "Executable Code Obfuscation", - "E1027.m03": "Obfuscated Files or Information::Encoding-Custom Algorithm", - "B0032.012": "Executable Code Obfuscation::Import Compression", - "F0001.006": "Software Packing::Custom Compression of Code", - "E1027": "Obfuscated Files or Information", - "B0032.016": "Executable Code Obfuscation::Structured Exception Handling (SEH)", - "B0032.005": "Executable Code Obfuscation::Jump Insertion", - "E1027.m05": "Obfuscated Files or Information::Encryption-Standard Algorithm", - "B0010.001": "Call Graph Generation Evasion::Two-layer Function Return", - "F0001.001": "Software Packing::Nested Packing", - "B0034": "Executable Code Optimization", - "B0010": "Call Graph Generation Evasion", - "B0032.011": "Executable Code Obfuscation::Import Address Table Obfuscation", - "B0034.001": "Executable Code Optimization::Jump/Call Absolute Address", - "B0012.004": "Disassembler Evasion::Variable Recomposition", - "E1027.m06": "Obfuscated Files or Information::Encryption of Code", - "F0001.005": "Software Packing::Custom Compression", - "B0032.018": "Executable Code Obfuscation::Symbol Obfuscation", - "E1027.m02": "Obfuscated Files or Information::Encoding-Standard Algorithm", - "E1027.m07": "Obfuscated Files or Information::Encryption of Data", - "F0001.009": "Software Packing::Confuser", - "F0001": "Software Packing" - }, - 
"Collection": { - "F0003.003": "Hooking::Hook procedures", - "E1056": "Input Capture", - "F0002.001": "Keylogging::Application Hook", - "E1056.m01": "Input Capture::Mouse Events", - "B0028.002": "Cryptocurrency::Ethereum", - "F0003.005": "Hooking::Inline Hooking", - "F0002": "Keylogging", - "F0003.001": "Hooking::Patch MmGetPhysicalMemoryRanges", - "B0028": "Cryptocurrency", - "F0002.002": "Keylogging::Polling", - "F0003.002": "Hooking::Hook memory mapping APIs", - "F0003": "Hooking", - "F0003.004": "Hooking::Import Address Hooking (IAT) Hooking", - "E1113.m01": "Screen Capture::WinAPI", - "E1113": "Screen Capture", - "B0028.001": "Cryptocurrency::Bitcoin", - "B0028.003": "Cryptocurrency::Zcash" - }, - "Command and Control": { - "B0030.001": "C2 Communication::Send Data", - "B0030.010": "C2 Communication::Request Email Address List", - "B0030": "C2 Communication", - "B0030.005": "C2 Communication::Check for Payload", - "B0030.008": "C2 Communication::Request Command", - "B0031": "Domain Name Generation", - "B0030.002": "C2 Communication::Receive Data", - "B0030.007": "C2 Communication::Send Heartbeat", - "E1105": "Remote File Copy", - "B0030.009": "C2 Communication::Request Email Template", - "B0030.004": "C2 Communication::Client to Server File Transfer", - "B0030.003": "C2 Communication::Server to Client File Transfer", - "B0030.006": "C2 Communication::Send System Information" - }, - "Credential Access": { - "F0003.003": "Hooking::Hook procedures", - "E1056": "Input Capture", - "F0002.001": "Keylogging::Application Hook", - "E1056.m01": "Input Capture::Mouse Events", - "B0028.002": "Cryptocurrency::Ethereum", - "F0003.005": "Hooking::Inline Hooking", - "F0002": "Keylogging", - "F0003.001": "Hooking::Patch MmGetPhysicalMemoryRanges", - "B0028": "Cryptocurrency", - "F0002.002": "Keylogging::Polling", - "F0003.002": "Hooking::Hook memory mapping APIs", - "F0003": "Hooking", - "F0003.004": "Hooking::Import Address Hooking (IAT) Hooking", - "E1113.m01": "Screen 
Capture::WinAPI", - "E1113": "Screen Capture", - "B0028.001": "Cryptocurrency::Bitcoin", - "B0028.003": "Cryptocurrency::Zcash" - }, - "Defense Evasion": { - "F0009.001": "Component Firmware::Router Firmware", - "E1014.m05": "Rootkit::Hide Userspace Libraries", - "F0003.003": "Hooking::Hook procedures", - "F0004.007": "Disable or Evade Security Tools::Bypass Windows File Protection", - "F0001.010": "Software Packing::VMProtect", - "E1480.m07": "Execution Guardrails::Runs as Service", - "F0005.002": "Hidden Files and Directories::Location", - "E1014.m04": "Rootkit::Hide Threads", - "E1014.m06": "Rootkit::Prevent API Unhooking", - "F0004.008": "Disable or Evade Security Tools::Heavens Gate", - "B0040.001": "Covert Location::Hide Data in Registry", - "F0005": "Hidden Files and Directories", - "E1055": "Process Injection", - "E1480.m06": "Execution Guardrails::Token Check", - "B0029.001": "Polymorphic Code::Packer Stub", - "E1480.m05": "Execution Guardrails::Secure Triggers", - "F0001.011": "Software Packing::Themida", - "F0007.001": "Self Deletion::COMSPEC Environment Variable", - "F0001.002": "Software Packing::Standard Compression", - "E1014.m11": "Rootkit::Prevent Memory Access", - "F0013": "Bootkit", - "F0004.004": "Disable or Evade Security Tools::AMSI Bypass", - "F0001.007": "Software Packing::Custom Compression of Data", - "B0029.002": "Polymorphic Code::Call Indirections", - "E1480.m03": "Execution Guardrails::GetVolumeInformation", - "F0001.004": "Software Packing::Standard Compression of Data", - "F0001.003": "Software Packing::Standard Compression of Code", - "E1478": "Install Insecure or Malicious Configuration", - "E1014.m09": "Rootkit::Prevent File Access", - "B0040.002": "Covert Location::Steganography", - "F0009": "Component Firmware", - "B0027.002": "Alternative Installation Location::Registry Install", - "F0003.005": "Hooking::Inline Hooking", - "E1014.m07": "Rootkit::Prevent Registry Access", - "B0037": "Bypass Data Execution Prevention", - 
"B0029.003": "Polymorphic Code::Code Reordering", - "E1027.m08": "Obfuscated Files or Information::Encryption-Custom Algorithm", - "F0007": "Self Deletion", - "B0027": "Alternative Installation Location", - "F0001.013": "Software Packing::ASPack", - "F0001.008": "Software Packing::UPX", - "F0001.012": "Software Packing::Armadillo", - "E1014.m08": "Rootkit::Prevent Registry Deletion", - "F0003.001": "Hooking::Patch MmGetPhysicalMemoryRanges", - "E1027.m03": "Obfuscated Files or Information::Encoding-Custom Algorithm", - "E1480": "Execution Guardrails", - "F0004.002": "Disable or Evade Security Tools::Disable System File Overwrite Protection", - "F0005.004": "Hidden Files and Directories::Timestamp", - "E1014.m10": "Rootkit::Prevent File Deletion", - "F0005.001": "Hidden Files and Directories::Extension", - "F0001.006": "Software Packing::Custom Compression of Code", - "E1014.m02": "Rootkit::Hide Services", - "F0003.002": "Hooking::Hook memory mapping APIs", - "E1055.m02": "Process Injection::Injection and Persistence via Registry Modification", - "E1480.m04": "Execution Guardrails::Host Fingerprint Check", - "F0004.001": "Disable or Evade Security Tools::Disable Kernel Patch Protection", - "B0027.001": "Alternative Installation Location::Fileless Malware", - "F0004.006": "Disable or Evade Security Tools::Force Lazy Writing", - "E1055.m03": "Process Injection::Injection using Shims", - "E1027": "Obfuscated Files or Information", - "E1014.m12": "Rootkit::Prevent Native API Hooking", - "B0037.001": "Bypass Data Execution Prevention::ROP Chains", - "E1027.m05": "Obfuscated Files or Information::Encryption-Standard Algorithm", - "F0001.001": "Software Packing::Nested Packing", - "E1014": "Rootkit", - "F0004.005": "Disable or Evade Security Tools::Modify Policy", - "E1014.m01": "Rootkit::Hide Kernel Modules", - "E1480.m01": "Execution Guardrails::Deposited Keys", - "E1112": "Modify Registry", - "F0003": "Hooking", - "E1480.m02": "Execution Guardrails::Environmental Keys", 
- "F0003.004": "Hooking::Import Address Hooking (IAT) Hooking", - "F0004.003": "Disable or Evade Security Tools::Unhook APIs", - "F0005.003": "Hidden Files and Directories::Attribute", - "E1027.m06": "Obfuscated Files or Information::Encryption of Code", - "F0006": "Indicator Blocking", - "F0001.005": "Software Packing::Custom Compression", - "E1055.m01": "Process Injection::Hook Injection via SetWindowsHooksEx", - "B0040": "Covert Location", - "E1027.m02": "Obfuscated Files or Information::Encoding-Standard Algorithm", - "F0006.001": "Indicator Blocking::Remove SMS Warning Messages", - "B0029": "Polymorphic Code", - "F0004": "Disable or Evade Security Tools", - "E1027.m07": "Obfuscated Files or Information::Encryption of Data", - "F0001.009": "Software Packing::Confuser", - "F0001": "Software Packing" - }, - "Discovery": { - "E1010": "Application Window Discovery", - "B0043": "Taskbar Discovery", - "B0013.007": "Analysis Tool Discovery::Process detection - Sandboxes", - "B0013.001": "Analysis Tool Discovery::Process detection", - "B0013.009": "Analysis Tool Discovery::Known Window", - "B0013.003": "Analysis Tool Discovery::Process detection - SysInternals Suite Tools", - "B0013.006": "Analysis Tool Discovery::Process detection - PE Utilities", - "B0013.005": "Analysis Tool Discovery::Process detection - Process Utilities", - "B0013": "Analysis Tool Discovery", - "E1083.m01": "File and Directory Discovery::Log File", - "B0013.002": "Analysis Tool Discovery::Process detection - Debuggers", - "B0013.004": "Analysis Tool Discovery::Process detection - PCAP Utilities", - "B0014": "SMTP Connection Discovery", - "E1010.m01": "Application Window Discovery::Window Text", - "E1082": "System Information Discovery", - "E1083": "File and Directory Discovery", - "B0013.008": "Analysis Tool Discovery::Known File Location", - "B0038": "Self Discovery", - "E1082.m01": "System Information Discovery::Generate Windows Exception" - }, - "Execution": { - "E1203.m05": "Exploitation for 
Client Execution::Sysinternals", - "E1203.m06": "Exploitation for Client Execution::Windows Utilities", - "B0020": "Send Email", - "B0011.007": "Remote Commands::Upload File", - "E1203.m01": "Exploitation for Client Execution::Remote Desktop Protocols (RDP)", - "B0011.005": "Remote Commands::Sleep", - "B0021": "Send Poisoned Text Message", - "E1203.m02": "Exploitation for Client Execution::Java-based Web Servers", - "B0024": "Prevent Concurrent Execution", - "B0011.006": "Remote Commands::Uninstall", - "B0011.003": "Remote Commands::Execute", - "E1203.m03": "Exploitation for Client Execution::File Transfer Protocol (FTP) Servers", - "B0011.004": "Remote Commands::Shutdown", - "B0011": "Remote Commands", - "E1203": "Exploitation for Client Execution", - "E1204": "User Interaction", - "E1059": "Command and Scripting Interpreter", - "B0025": "Conditional Execution", - "B0011.002": "Remote Commands::Download File", - "B0023": "Install Additional Program", - "E1203.m04": "Exploitation for Client Execution::Red Hat JBoss Enterprise Products", - "B0025.001": "Conditional Execution::Suicide Exit" - }, - "Exfiltration": { - "E1560": "Archive Collected Data", - "E1560.m04": "Archive Collected Data::Encoding - Custom Encoding", - "E1020": "Automated Exfiltration", - "E1560.m06": "Archive Collected Data::Encryption - Custom Encryption", - "E1560.m05": "Archive Collected Data::Encryption - Standard Encryption", - "E1020.m01": "Automated Exfiltration::Exfiltrate via File Hosting Service", - "E1560.m03": "Archive Collected Data::Encoding - Standard Encoding", - "E1560.m02": "Archive Collected Data::Encryption", - "E1560.m01": "Archive Collected Data::Encoding" - }, - "Impact": { - "F0009.001": "Component Firmware::Router Firmware", - "B0017": "Destroy Hardware", - "E1203.m05": "Exploitation for Client Execution::Sysinternals", - "E1203.m06": "Exploitation for Client Execution::Windows Utilities", - "E1190": "Exploit Kit Behavior", - "F0014": "Disk Content Wipe", - "E1485": "Data 
Destruction", - "E1486": "Data Encrypted for Impact", - "F0014.001": "Disk Content Wipe::Delete Shadow Drive", - "E1203.m01": "Exploitation for Client Execution::Remote Desktop Protocols (RDP)", - "B0019": "Manipulate Network Traffic", - "E1203.m02": "Exploitation for Client Execution::Java-based Web Servers", - "E1485.m03": "Data Destruction::Delete Application/Software", - "F0009": "Component Firmware", - "E1203.m03": "Exploitation for Client Execution::File Transfer Protocol (FTP) Servers", - "E1472.m02": "Generate Fraudulent Advertising Revenue::Advertisement Replacement Fraud", - "E1203": "Exploitation for Client Execution", - "B0039": "Spamming", - "B0042": "Modify Hardware", - "B0018.002": "Resource Hijacking::Cryptojacking", - "B0042.003": "Modify Hardware::Printer", - "B0022.001": "Remote Access::Reverse Shell", - "B0018.001": "Resource Hijacking::Password Cracking", - "E1485.m02": "Data Destruction::Empty Recycle Bin", - "B0033": "Denial of Service", - "B0016": "Compromise Data Integrity", - "E1472.m01": "Generate Fraudulent Advertising Revenue::Click Hijacking", - "B0022": "Remote Access", - "B0042.001": "Modify Hardware::CDROM", - "B0042.002": "Modify Hardware::Mouse", - "E1510": "Clipboard Modification", - "E1203.m04": "Exploitation for Client Execution::Red Hat JBoss Enterprise Products", - "B0018": "Resource Hijacking", - "E1472": "Generate Fraudulent Advertising Revenue" - }, - "Lateral Movement": { - "E1195.m02": "Supply Chain Compromise::Exploit Private APIs", - "B0020": "Send Email", - "E1195": "Supply Chain Compromise", - "B0026": "Malicious Network Driver", - "B0021": "Send Poisoned Text Message", - "E1105": "Remote File Copy", - "E1195.m01": "Supply Chain Compromise::Abuse Enterprise Certificates" - }, - "Persistence": { - "F0009.001": "Component Firmware::Router Firmware", - "F0003.003": "Hooking::Hook procedures", - "F0005.002": "Hidden Files and Directories::Location", - "F0005": "Hidden Files and Directories", - "F0012": "Registry Run Keys 
/ Startup Folder", - "B0026": "Malicious Network Driver", - "F0013": "Bootkit", - "F0011": "Modify Existing Service", - "E1478": "Install Insecure or Malicious Configuration", - "F0009": "Component Firmware", - "F0003.005": "Hooking::Inline Hooking", - "F0003.001": "Hooking::Patch MmGetPhysicalMemoryRanges", - "E1105": "Remote File Copy", - "B0022.001": "Remote Access::Reverse Shell", - "F0005.004": "Hidden Files and Directories::Timestamp", - "F0005.001": "Hidden Files and Directories::Extension", - "B0035": "Shutdown Event", - "F0003.002": "Hooking::Hook memory mapping APIs", - "F0010.001": "Kernel Modules and Extensions::Device Driver", - "B0022": "Remote Access", - "E1112": "Modify Registry", - "F0010": "Kernel Modules and Extensions", - "F0003": "Hooking", - "F0003.004": "Hooking::Import Address Hooking (IAT) Hooking", - "F0005.003": "Hidden Files and Directories::Attribute" - }, - "Privilege Escalation": { - "F0003.003": "Hooking::Hook procedures", - "E1055": "Process Injection", - "F0011": "Modify Existing Service", - "F0003.005": "Hooking::Inline Hooking", - "F0003.001": "Hooking::Patch MmGetPhysicalMemoryRanges", - "F0003.002": "Hooking::Hook memory mapping APIs", - "E1055.m02": "Process Injection::Injection and Persistence via Registry Modification", - "E1055.m03": "Process Injection::Injection using Shims", - "F0010.001": "Kernel Modules and Extensions::Device Driver", - "F0010": "Kernel Modules and Extensions", - "F0003": "Hooking", - "F0003.004": "Hooking::Import Address Hooking (IAT) Hooking", - "E1055.m01": "Process Injection::Hook Injection via SetWindowsHooksEx" - }, - "Communication": { - "C0005.002": "WinINet::InternetOpen", - "C0012.002": "SMTP Communication::Request", - "C0011.005": "DNS Communication::Resolve Free Hosting Domain", - "C0003.004": "Interprocess Communication::Write Pipe", - "C0002.012": "HTTP Communication::Create Request", - "C0002.013": "HTTP Communication::Set Header", - "C0002.001": "HTTP Communication::Server", - 
"C0002.002": "HTTP Communication::Client",
- "C0014.001": "ICMP Communication::Generate Traffic",
- "C0001.017": "Socket Communication::Receive UDP Data",
- "C0002.015": "HTTP Communication::Receive Request",
- "C0011": "DNS Communication",
- "C0002.008": "HTTP Communication::WinHTTP",
- "C0002.018": "HTTP Communication::Start Server",
- "C0002.011": "HTTP Communication::Extract Body",
- "C0012.001": "SMTP Communication::Server Connect",
- "C0001.008": "Socket Communication::TCP Client",
- "C0002.004": "HTTP Communication::Open URL",
- "C0002.006": "HTTP Communication::Download URL",
- "C0012": "SMTP Communication",
- "C0011.002": "DNS Communication::Server Connect",
- "C0001.014": "Socket Communication::Send TCP Data",
- "C0002.009": "HTTP Communication::Connect to Server",
- "C0005.004": "WinINet::InternetReadFile",
- "C0002.003": "HTTP Communication::Send Request",
- "C0002.005": "HTTP Communication::Send Data",
- "C0004": "FTP Communication",
- "C0001.012": "Socket Communication::Get Socket Status",
- "C0002.017": "HTTP Communication::Get Response",
- "C0001.011": "Socket Communication::Create TCP Socket",
- "C0001": "Socket Communication",
- "C0005": "WinINet",
- "C0002.014": "HTTP Communication::Read Header",
- "C0001.003": "Socket Communication::Create Socket",
- "C0014.002": "ICMP Communication::Echo Request",
- "C0002.016": "HTTP Communication::Send Response",
- "C0001.005": "Socket Communication::Start TCP Server",
- "C0005.001": "WinINet::InternetConnect",
- "C0001.007": "Socket Communication::Send Data",
- "C0001.009": "Socket Communication::Initialize Winsock Library",
- "C0001.013": "Socket Communication::UDP Client",
- "C0001.010": "Socket Communication::Create UDP Socket",
- "C0001.015": "Socket Communication::Send UDP Data",
- "C0002.007": "HTTP Communication::WinINet",
- "C0005.003": "WinINet::InternetOpenURL",
- "C0004.001": "FTP Communication::Send File",
- "C0003.002": "Interprocess Communication::Connect Pipe",
- "C0001.002": "Socket Communication::TCP Server",
- "C0001.016": "Socket Communication::Receive TCP Data",
- "C0001.006": "Socket Communication::Receive Data",
- "C0001.004": "Socket Communication::Connect Socket",
- "C0003.003": "Interprocess Communication::Read Pipe",
- "C0002": "HTTP Communication",
- "C0014": "ICMP Communication",
- "C0011.001": "DNS Communication::Resolve",
- "C0003": "Interprocess Communication",
- "C0002.010": "HTTP Communication::IWebBrowser",
- "C0011.004": "DNS Communication::Resolve TLD",
- "C0001.001": "Socket Communication::Set Socket Config",
- "C0005.005": "WinINet::InternetWriteFile",
- "C0011.003": "DNS Communication::DDNS Domain Connect",
- "C0003.001": "Interprocess Communication::Create Pipe",
- "C0004.002": "FTP Communication::WinINet"
- },
- "Data": {
- "C0030.005": "Non-Cryptographic Hash::FNV",
- "C0026.001": "Encode Data::Base64",
- "C0053.002": "Decode Data::XOR",
- "C0020": "Use Constant",
- "C0030.003": "Non-Cryptographic Hash::Fast-Hash",
- "C0024.002": "Compress Data::IEncodingFilterFactory",
- "C0025.002": "Decompress Data::IEncodingFilterFactory",
- "C0032.004": "Checksum::Verhoeff",
- "C0032.005": "Checksum::Adler",
- "C0025.001": "Decompress Data::QuickLZ",
- "C0060": "Compression Library",
- "C0032": "Checksum",
- "C0024.001": "Compress Data::QuickLZ",
- "C0026.002": "Encode Data::XOR",
- "C0030": "Non-Cryptographic Hash",
- "C0032.001": "Checksum::CRC32",
- "C0053": "Decode Data",
- "C0053.001": "Decode Data::Base64",
- "C0019": "Check String",
- "C0030.004": "Non-Cryptographic Hash::dhash",
- "C0026": "Encode Data",
- "C0032.003": "Checksum::BSD",
- "C0030.002": "Non-Cryptographic Hash::pHash",
- "C0030.001": "Non-Cryptographic Hash::MurmurHash",
- "C0032.002": "Checksum::Luhn",
- "C0058": "Modulo",
- "C0024": "Compress Data",
- "C0025": "Decompress Data"
- },
- "Hardware": {
- "C0057": "Simulate Hardware",
- "C0057.001": "Simulate Hardware::Ctrl-Alt-Del",
- "C0023": "Load Driver",
- "C0037": "Install Driver",
- "C0057.002": "Simulate Hardware::Mouse Click"
- },
- "File System": {
- "C0016.001": "Create File::Create Office Document",
- "C0052": "Writes File",
- "C0049": "Get File Attributes",
- "C0046": "Create Directory",
- "C0015": "Alter File Extension",
- "C0050": "Set File Attributes",
- "C0016": "Create File",
- "C0056": "Read Virtual Disk",
- "C0051": "Read File",
- "C0015.001": "Alter File Extension::Append Extension",
- "C0045": "Copy File",
- "C0016.002": "Create File::Create Ransomware File",
- "C0047": "Delete File",
- "C0048": "Delete Directory"
- },
- "Cryptography": {
- "C0027.002": "Encrypt Data::Blowfish",
- "C0027.014": "Encrypt Data::Block Cipher",
- "C0031.006": "Decrypt Data::HC-128",
- "C0031": "Decrypt Data",
- "C0029": "Cryptographic Hash",
- "C0027.010": "Encrypt Data::RC6",
- "C0027.001": "Encrypt Data::AES",
- "C0021": "Generate Pseudo-random Sequence",
- "C0027": "Encrypt Data",
- "C0031.008": "Decrypt Data::RC4",
- "C0021.001": "Generate Pseudo-random Sequence::GetTickCount",
- "C0031.001": "Decrypt Data::AES",
- "C0028.001": "Encryption Key::Import Public Key",
- "C0027.003": "Encrypt Data::Camellia",
- "C0029.002": "Cryptographic Hash::SHA1",
- "C0028.002": "Encryption Key::RC4 KSA",
- "C0027.006": "Encrypt Data::HC-128",
- "C0031.002": "Decrypt Data::Block Cipher",
- "C0027.008": "Encrypt Data::Sosemanuk",
- "C0028": "Encryption Key",
- "C0029.004": "Cryptographic Hash::SHA224",
- "C0031.013": "Decrypt Data::Stream Cipher",
- "C0031.011": "Decrypt Data::Skipjack",
- "C0021.004": "Generate Pseudo-random Sequence::RC4 PRGA",
- "C0029.001": "Cryptographic Hash::MD5",
- "C0029.003": "Cryptographic Hash::SHA256",
- "C0031.014": "Decrypt Data::Twofish",
- "C0029.006": "Cryptographic Hash::Snefru",
- "C0031.003": "Decrypt Data::Blowfish",
- "C0027.011": "Encrypt Data::RSA",
- "C0031.005": "Decrypt Data::3DES",
- "C0031.004": "Decrypt Data::Camellia",
- "C0027.012": "Encrypt Data::Stream Cipher",
- "C0027.007": "Encrypt Data::HC-256",
- "C0027.004": "Encrypt Data::3DES",
- "C0021.005": "Generate Pseudo-random Sequence::Mersenne Twister",
- "C0059": "Crypto Library",
- "C0029.005": "Cryptographic Hash::Tiger",
- "C0031.010": "Decrypt Data::RSA",
- "C0031.012": "Decrypt Data::Sosemanuk",
- "C0021.003": "Generate Pseudo-random Sequence::Use API",
- "C0027.013": "Encrypt Data::Skipjack",
- "C0031.007": "Decrypt Data::HC-256",
- "C0027.005": "Encrypt Data::Twofish",
- "C0021.002": "Generate Pseudo-random Sequence::rand",
- "C0027.009": "Encrypt Data::RC4",
- "C0031.009": "Decrypt Data::RC6"
- },
- "Process": {
- "C0018": "Terminate Process",
- "C0055": "Suspend Thread",
- "C0017": "Create Process",
- "C0017.002": "Create Process::Create Process via WMI",
- "C0017.001": "Create Process::Create Process via Shellcode",
- "C0038": "Create Thread",
- "C0039": "Terminate Thread",
- "C0043": "Check Mutex",
- "C0041": "Set Thread Local Storage Value",
- "C0022.001": "Synchronization::Create Mutex",
- "C0017.003": "Create Process::Create Suspended Process",
- "C0042": "Create Mutex",
- "C0022": "Synchronization",
- "C0054": "Resume Thread",
- "C0040": "Allocate Thread Local Storage"
- },
- "Memory": {
- "C0010": "Overflow Buffer",
- "C0008": "Change Memory Protection",
- "C0006": "Heap Spray",
- "C0007": "Allocate Memory",
- "C0008.002": "Change Memory Protection::Executable Heap",
- "C0008.001": "Change Memory Protection::Executable Stack",
- "C0009": "Stack Pivot",
- "C0044": "Free Memory"
- },
- "Operating System": {
- "C0036.006": "Registry::Query Registry Value",
- "C0035": "Wallpaper",
- "C0034.001": "Environment Variable::Set Variable",
- "C0036.002": "Registry::Delete Registry Key",
- "C0036.001": "Registry::Set Registry Key",
- "C0036.007": "Registry::Delete Registry Value",
- "C0036.003": "Registry::Open Registry Key",
- "C0036.005": "Registry::Query Registry Key",
- "C0033": "Console",
- "C0034": "Environment Variable",
- "C0036": "Registry",
- "C0036.004": "Registry::Create Registry Key"
- }
 }
 }
\ No newline at end of file