From 4548303a0c17ee5e163298ede71514c64236c47d Mon Sep 17 00:00:00 2001
From: Capa Bot
Date: Wed, 28 Jun 2023 06:25:24 +0000
Subject: [PATCH 01/17] Sync capa rules submodule

---
 rules | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules b/rules
index 08e0c617..58ac3d72 160000
--- a/rules
+++ b/rules
@@ -1 +1 @@
-Subproject commit 08e0c6178a9b7d2da56a2dcc964e9be3ce285a58
+Subproject commit 58ac3d724bb3ec74b2d0030827d474d97adbf364

From 7ab2a9b163a0f139fcad3b2b640f15fc69f877e4 Mon Sep 17 00:00:00 2001
From: Capa Bot
Date: Thu, 29 Jun 2023 09:47:46 +0000
Subject: [PATCH 02/17] Sync capa-testfiles submodule

---
 tests/data | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/data b/tests/data
index a37873c8..ccf0d07d 160000
--- a/tests/data
+++ b/tests/data
@@ -1 +1 @@
-Subproject commit a37873c8a571b515f2baaf19bfcfaff5c7ef5342
+Subproject commit ccf0d07d273da47ff3e00a066e1b109c97920b99

From 2cd6b8bdaccb95174c4f8ba3eb708a5ac85cae2a Mon Sep 17 00:00:00 2001
From: Capa Bot
Date: Thu, 29 Jun 2023 10:01:38 +0000
Subject: [PATCH 03/17] Sync capa-testfiles submodule

---
 tests/data | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/data b/tests/data
index ccf0d07d..9d6a155b 160000
--- a/tests/data
+++ b/tests/data
@@ -1 +1 @@
-Subproject commit ccf0d07d273da47ff3e00a066e1b109c97920b99
+Subproject commit 9d6a155b77f62f967bd859dffd1d262cd52a0e54

From 06dd6f45c006506710659aa745179ab28dbb527c Mon Sep 17 00:00:00 2001
From: Capa Bot
Date: Mon, 3 Jul 2023 07:54:42 +0000
Subject: [PATCH 04/17] Sync capa rules submodule

---
 rules | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules b/rules
index 58ac3d72..cb3bc24e 160000
--- a/rules
+++ b/rules
@@ -1 +1 @@
-Subproject commit 58ac3d724bb3ec74b2d0030827d474d97adbf364
+Subproject commit cb3bc24e7a33ffdecd74d85506da43eeb229b6c5

From 165fe87aca4d47b3a0645ec22456b7bbdc89221b Mon Sep 17 00:00:00 2001
From: Capa Bot
Date: Mon, 3 Jul 2023 14:04:39 +0000
Subject: [PATCH 05/17] Sync capa-testfiles submodule

---
 tests/data | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/data b/tests/data
index 9d6a155b..78b620ba 160000
--- a/tests/data
+++ b/tests/data
@@ -1 +1 @@
-Subproject commit 9d6a155b77f62f967bd859dffd1d262cd52a0e54
+Subproject commit 78b620ba30d92689f2d98d6ad0e8a6c12553b4ed

From 301d8425c1922a574fd09fc3b3e17cf44989a8f9 Mon Sep 17 00:00:00 2001
From: Capa Bot
Date: Mon, 3 Jul 2023 14:05:01 +0000
Subject: [PATCH 06/17] Sync capa-testfiles submodule

---
 tests/data | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/data b/tests/data
index 78b620ba..915f9d9d 160000
--- a/tests/data
+++ b/tests/data
@@ -1 +1 @@
-Subproject commit 78b620ba30d92689f2d98d6ad0e8a6c12553b4ed
+Subproject commit 915f9d9d85d3104aeb4dd2fa1b7d9f023b3c43ed

From 066e42e2711535f038f2c31802babf016d650ce9 Mon Sep 17 00:00:00 2001
From: Capa Bot
Date: Mon, 3 Jul 2023 14:05:29 +0000
Subject: [PATCH 07/17] Sync capa-testfiles submodule

---
 tests/data | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/data b/tests/data
index 915f9d9d..effa7ae9 160000
--- a/tests/data
+++ b/tests/data
@@ -1 +1 @@
-Subproject commit 915f9d9d85d3104aeb4dd2fa1b7d9f023b3c43ed
+Subproject commit effa7ae91ee9ab13c949064ff24ffa7f3379f1e7

From 30950f129ec9cedcebf81ed57994950bf9039131 Mon Sep 17 00:00:00 2001
From: Capa Bot
Date: Tue, 4 Jul 2023 08:54:40 +0000
Subject: [PATCH 08/17] Sync capa-testfiles submodule

---
 tests/data | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/data b/tests/data
index effa7ae9..451d187c 160000
--- a/tests/data
+++ b/tests/data
@@ -1 +1 @@
-Subproject commit effa7ae91ee9ab13c949064ff24ffa7f3379f1e7
+Subproject commit 451d187c1784ee2cb6e5e6d7bc32bce5e1c04f89

From 446114acc3524ae9356c2a1ffd2475e2de5672d5 Mon Sep 17 00:00:00 2001
From: Capa Bot
Date: Tue, 4 Jul 2023 08:54:56 +0000
Subject: [PATCH 09/17] Sync capa-testfiles submodule

---
 tests/data | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/data b/tests/data
index 451d187c..16e38a33 160000
--- a/tests/data
+++ b/tests/data
@@ -1 +1 @@
-Subproject commit 451d187c1784ee2cb6e5e6d7bc32bce5e1c04f89
+Subproject commit 16e38a33d183d0afb0ca0d0d1a311090e9c93be7

From 9a7ce0b04848348b10ef90329c904efa6e72cac4 Mon Sep 17 00:00:00 2001
From: Capa Bot
Date: Tue, 4 Jul 2023 08:55:21 +0000
Subject: [PATCH 10/17] Sync capa-testfiles submodule

---
 tests/data | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/data b/tests/data
index 16e38a33..76810b63 160000
--- a/tests/data
+++ b/tests/data
@@ -1 +1 @@
-Subproject commit 16e38a33d183d0afb0ca0d0d1a311090e9c93be7
+Subproject commit 76810b63f8bdf829d9b36133e961ea6c14967e8a

From 2d55976cb4711c327340d2a439a68691ed870aac Mon Sep 17 00:00:00 2001
From: Capa Bot
Date: Wed, 5 Jul 2023 06:40:30 +0000
Subject: [PATCH 11/17] Sync capa rules submodule

---
 CHANGELOG.md | 3 ++-
 README.md | 2 +-
 rules | 2 +-
 3 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 88182091..150f5494 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,7 +9,7 @@
 ### Breaking Changes
 - Update Metadata type in capa main [#1411](https://github.com/mandiant/capa/issues/1411) [@Aayush-Goel-04](https://github.com/aayush-goel-04) @manasghandat
-### New Rules (11)
+### New Rules (12)
 - load-code/shellcode/execute-shellcode-via-windows-callback-function ervin.ocampo@mandiant.com jakub.jozwiak@mandiant.com
 - nursery/execute-shellcode-via-indirect-call ronnie.salomonsen@mandiant.com
@@ -22,6 +22,7 @@
 - host-interaction/hardware/enumerate-devices-by-category @mr-tz
 - host-interaction/service/continue-service @mr-tz
 - host-interaction/service/pause-service @mr-tz
+- persistence/exchange/act-as-exchange-transport-agent jakub.jozwiak@mandiant.com
 -
 ### Bug Fixes
diff --git a/README.md b/README.md
index 15a5e096..fc744088 100644
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@
 [![PyPI - Python Version](https://img.shields.io/pypi/pyversions/flare-capa)](https://pypi.org/project/flare-capa)
 [![Last release](https://img.shields.io/github/v/release/mandiant/capa)](https://github.com/mandiant/capa/releases)
-[![Number of rules](https://img.shields.io/badge/rules-802-blue.svg)](https://github.com/mandiant/capa-rules)
+[![Number of rules](https://img.shields.io/badge/rules-803-blue.svg)](https://github.com/mandiant/capa-rules)
 [![CI status](https://github.com/mandiant/capa/workflows/CI/badge.svg)](https://github.com/mandiant/capa/actions?query=workflow%3ACI+event%3Apush+branch%3Amaster)
 [![Downloads](https://img.shields.io/github/downloads/mandiant/capa/total)](https://github.com/mandiant/capa/releases)
 [![License](https://img.shields.io/badge/license-Apache--2.0-green.svg)](LICENSE.txt)
diff --git a/rules b/rules
index cb3bc24e..71450724 160000
--- a/rules
+++ b/rules
@@ -1 +1 @@
-Subproject commit cb3bc24e7a33ffdecd74d85506da43eeb229b6c5
+Subproject commit 71450724d331a5bcc57bf3d8c5dd950f72c8c2cd

From 1e258c3bc263ababd79263e7df543d016a329f4c Mon Sep 17 00:00:00 2001
From: Capa Bot
Date: Wed, 5 Jul 2023 06:41:20 +0000
Subject: [PATCH 12/17] Sync capa rules submodule

---
 CHANGELOG.md | 3 ++-
 README.md | 2 +-
 rules | 2 +-
 3 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 150f5494..d1c23988 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,7 +9,7 @@
 ### Breaking Changes
 - Update Metadata type in capa main [#1411](https://github.com/mandiant/capa/issues/1411) [@Aayush-Goel-04](https://github.com/aayush-goel-04) @manasghandat
-### New Rules (12)
+### New Rules (14)
 - load-code/shellcode/execute-shellcode-via-windows-callback-function ervin.ocampo@mandiant.com jakub.jozwiak@mandiant.com
 - nursery/execute-shellcode-via-indirect-call ronnie.salomonsen@mandiant.com
@@ -23,6 +23,7 @@
 - host-interaction/service/continue-service @mr-tz
 - host-interaction/service/pause-service @mr-tz
 - persistence/exchange/act-as-exchange-transport-agent jakub.jozwiak@mandiant.com
+- host-interaction/file-system/create-virtual-file-system-in-dotnet jakub.jozwiak@mandiant.com
 -
 ### Bug Fixes
diff --git a/README.md b/README.md
index fc744088..7d73da68 100644
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@
 [![PyPI - Python Version](https://img.shields.io/pypi/pyversions/flare-capa)](https://pypi.org/project/flare-capa)
 [![Last release](https://img.shields.io/github/v/release/mandiant/capa)](https://github.com/mandiant/capa/releases)
-[![Number of rules](https://img.shields.io/badge/rules-803-blue.svg)](https://github.com/mandiant/capa-rules)
+[![Number of rules](https://img.shields.io/badge/rules-804-blue.svg)](https://github.com/mandiant/capa-rules)
 [![CI status](https://github.com/mandiant/capa/workflows/CI/badge.svg)](https://github.com/mandiant/capa/actions?query=workflow%3ACI+event%3Apush+branch%3Amaster)
 [![Downloads](https://img.shields.io/github/downloads/mandiant/capa/total)](https://github.com/mandiant/capa/releases)
 [![License](https://img.shields.io/badge/license-Apache--2.0-green.svg)](LICENSE.txt)
diff --git a/rules b/rules
index 71450724..b46b6b26 160000
--- a/rules
+++ b/rules
@@ -1 +1 @@
-Subproject commit 71450724d331a5bcc57bf3d8c5dd950f72c8c2cd
+Subproject commit b46b6b2687b9395dfa4e66ff5001122b8fed510d

From 0c3c5e42ffacc632cf6cecfe0d9be323e1e62aed Mon Sep 17 00:00:00 2001
From: Capa Bot
Date: Wed, 5 Jul 2023 06:41:40 +0000
Subject: [PATCH 13/17] Sync capa rules submodule

---
 CHANGELOG.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index d1c23988..5aa96cb2 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,7 +9,7 @@
 ### Breaking Changes
 - Update Metadata type in capa main [#1411](https://github.com/mandiant/capa/issues/1411) [@Aayush-Goel-04](https://github.com/aayush-goel-04) @manasghandat
-### New Rules (14)
+### New Rules (15)
 - load-code/shellcode/execute-shellcode-via-windows-callback-function ervin.ocampo@mandiant.com jakub.jozwiak@mandiant.com
 - nursery/execute-shellcode-via-indirect-call ronnie.salomonsen@mandiant.com
@@ -24,6 +24,7 @@
 - host-interaction/service/pause-service @mr-tz
 - persistence/exchange/act-as-exchange-transport-agent jakub.jozwiak@mandiant.com
 - host-interaction/file-system/create-virtual-file-system-in-dotnet jakub.jozwiak@mandiant.com
+- compiler/cx_freeze/compiled-with-cx_freeze @mr-tz jakub.jozwiak@mandiant.com
 -
 ### Bug Fixes

From 0a74eb671f1fedae9aa885fe50eeea1b90a50faa Mon Sep 17 00:00:00 2001
From: Capa Bot
Date: Wed, 5 Jul 2023 06:58:23 +0000
Subject: [PATCH 14/17] Sync capa rules submodule

---
 CHANGELOG.md | 3 ++-
 README.md | 2 +-
 rules | 2 +-
 3 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5aa96cb2..a0b973cc 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,7 +9,7 @@
 ### Breaking Changes
 - Update Metadata type in capa main [#1411](https://github.com/mandiant/capa/issues/1411) [@Aayush-Goel-04](https://github.com/aayush-goel-04) @manasghandat
-### New Rules (15)
+### New Rules (16)
 - load-code/shellcode/execute-shellcode-via-windows-callback-function ervin.ocampo@mandiant.com jakub.jozwiak@mandiant.com
 - nursery/execute-shellcode-via-indirect-call ronnie.salomonsen@mandiant.com
@@ -25,6 +25,7 @@
 - persistence/exchange/act-as-exchange-transport-agent jakub.jozwiak@mandiant.com
 - host-interaction/file-system/create-virtual-file-system-in-dotnet jakub.jozwiak@mandiant.com
 - compiler/cx_freeze/compiled-with-cx_freeze @mr-tz jakub.jozwiak@mandiant.com
+- communication/socket/create-vmci-socket jakub.jozwiak@mandiant.com
 -
 ### Bug Fixes
diff --git a/README.md b/README.md
index 7d73da68..b1d5a1bd 100644
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@
 [![PyPI - Python Version](https://img.shields.io/pypi/pyversions/flare-capa)](https://pypi.org/project/flare-capa)
 [![Last release](https://img.shields.io/github/v/release/mandiant/capa)](https://github.com/mandiant/capa/releases)
-[![Number of rules](https://img.shields.io/badge/rules-804-blue.svg)](https://github.com/mandiant/capa-rules)
+[![Number of rules](https://img.shields.io/badge/rules-805-blue.svg)](https://github.com/mandiant/capa-rules)
 [![CI status](https://github.com/mandiant/capa/workflows/CI/badge.svg)](https://github.com/mandiant/capa/actions?query=workflow%3ACI+event%3Apush+branch%3Amaster)
 [![Downloads](https://img.shields.io/github/downloads/mandiant/capa/total)](https://github.com/mandiant/capa/releases)
 [![License](https://img.shields.io/badge/license-Apache--2.0-green.svg)](LICENSE.txt)
diff --git a/rules b/rules
index b46b6b26..6b449aa9 160000
--- a/rules
+++ b/rules
@@ -1 +1 @@
-Subproject commit b46b6b2687b9395dfa4e66ff5001122b8fed510d
+Subproject commit 6b449aa96f0e737dc0ed70c5f61ed5836c5f68f9

From 16ce6a5ef243adc132a483f897e761ca09d37f9e Mon Sep 17 00:00:00 2001
From: Capa Bot
Date: Wed, 5 Jul 2023 08:57:27 +0000
Subject: [PATCH 15/17] Sync capa rules submodule

---
 CHANGELOG.md | 5 ++++-
 README.md | 2 +-
 rules | 2 +-
 3 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index a0b973cc..0ecf391b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,7 +9,7 @@
 ### Breaking Changes
 - Update Metadata type in capa main [#1411](https://github.com/mandiant/capa/issues/1411) [@Aayush-Goel-04](https://github.com/aayush-goel-04) @manasghandat
-### New Rules (16)
+### New Rules (19)
 - load-code/shellcode/execute-shellcode-via-windows-callback-function ervin.ocampo@mandiant.com jakub.jozwiak@mandiant.com
 - nursery/execute-shellcode-via-indirect-call ronnie.salomonsen@mandiant.com
@@ -26,6 +26,9 @@
 - host-interaction/file-system/create-virtual-file-system-in-dotnet jakub.jozwiak@mandiant.com
 - compiler/cx_freeze/compiled-with-cx_freeze @mr-tz jakub.jozwiak@mandiant.com
 - communication/socket/create-vmci-socket jakub.jozwiak@mandiant.com
+- persistence/office/act-as-excel-xll-add-in jakub.jozwiak@mandiant.com
+- persistence/office/act-as-office-com-add-in jakub.jozwiak@mandiant.com
+- persistence/office/act-as-word-wll-add-in jakub.jozwiak@mandiant.com
 -
 ### Bug Fixes
diff --git a/README.md b/README.md
index b1d5a1bd..2458b9b5 100644
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@
 [![PyPI - Python Version](https://img.shields.io/pypi/pyversions/flare-capa)](https://pypi.org/project/flare-capa)
 [![Last release](https://img.shields.io/github/v/release/mandiant/capa)](https://github.com/mandiant/capa/releases)
-[![Number of rules](https://img.shields.io/badge/rules-805-blue.svg)](https://github.com/mandiant/capa-rules)
+[![Number of rules](https://img.shields.io/badge/rules-808-blue.svg)](https://github.com/mandiant/capa-rules)
 [![CI status](https://github.com/mandiant/capa/workflows/CI/badge.svg)](https://github.com/mandiant/capa/actions?query=workflow%3ACI+event%3Apush+branch%3Amaster)
 [![Downloads](https://img.shields.io/github/downloads/mandiant/capa/total)](https://github.com/mandiant/capa/releases)
 [![License](https://img.shields.io/badge/license-Apache--2.0-green.svg)](LICENSE.txt)
diff --git a/rules b/rules
index 6b449aa9..e541c244 160000
--- a/rules
+++ b/rules
@@ -1 +1 @@
-Subproject commit 6b449aa96f0e737dc0ed70c5f61ed5836c5f68f9
+Subproject commit e541c2444fa294452e0f908cdebb5f094495ad8c

From a6763d8882540af6a128915a8cb38d248a66b762 Mon Sep 17 00:00:00 2001
From: Capa Bot
Date: Wed, 5 Jul 2023 08:59:18 +0000
Subject: [PATCH 16/17] Sync capa rules submodule

---
 CHANGELOG.md | 3 ++-
 rules | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0ecf391b..12a29261 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,7 +9,7 @@
 ### Breaking Changes
 - Update Metadata type in capa main [#1411](https://github.com/mandiant/capa/issues/1411) [@Aayush-Goel-04](https://github.com/aayush-goel-04) @manasghandat
-### New Rules (19)
+### New Rules (20)
 - load-code/shellcode/execute-shellcode-via-windows-callback-function ervin.ocampo@mandiant.com jakub.jozwiak@mandiant.com
 - nursery/execute-shellcode-via-indirect-call ronnie.salomonsen@mandiant.com
@@ -29,6 +29,7 @@
 - persistence/office/act-as-excel-xll-add-in jakub.jozwiak@mandiant.com
 - persistence/office/act-as-office-com-add-in jakub.jozwiak@mandiant.com
 - persistence/office/act-as-word-wll-add-in jakub.jozwiak@mandiant.com
+- anti-analysis/anti-debugging/debugger-evasion/hide-thread-from-debugger michael.hunhoff@mandiant.com jakub.jozwiak@mandiant.com
 -
 ### Bug Fixes
diff --git a/rules b/rules
index e541c244..76eccb54 160000
--- a/rules
+++ b/rules
@@ -1 +1 @@
-Subproject commit e541c2444fa294452e0f908cdebb5f094495ad8c
+Subproject commit 76eccb548b502f83522d885c93256bfcd91ccc79

From 1a2e034ee03a29ae45e4253224717b81ade204e6 Mon Sep 17 00:00:00 2001
From: mr-tz
Date: Sat, 24 Jun 2023 10:31:14 +0200
Subject: [PATCH 17/17] update data via script

---
 CHANGELOG.md | 1 +
 scripts/linter-data.json | 25 ++++++++++++++++++++-----
 2 files changed, 21 insertions(+), 5 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 12a29261..2e78e731 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -49,6 +49,7 @@
 ### capa explorer IDA Pro plugin
 ### Development
+- update ATT&CK/MBC data for linting #1568 @mr-tz
 ### Raw diffs
 - [capa v5.1.0...master](https://github.com/mandiant/capa/compare/v5.1.0...master)
diff --git a/scripts/linter-data.json b/scripts/linter-data.json
index 5b9eb2ab..3be54c62 100644
--- a/scripts/linter-data.json
+++ b/scripts/linter-data.json
@@ -54,6 +54,7 @@
 "T1583.005": "Acquire Infrastructure::Botnet",
 "T1583.006": "Acquire Infrastructure::Web Services",
 "T1583.007": "Acquire Infrastructure::Serverless",
+ "T1583.008": "Acquire Infrastructure::Malvertising",
 "T1584": "Compromise Infrastructure",
 "T1584.001": "Compromise Infrastructure::Domains",
 "T1584.002": "Compromise Infrastructure::DNS Server",
@@ -88,7 +89,8 @@
 "T1608.003": "Stage Capabilities::Install Digital Certificate",
 "T1608.004": "Stage Capabilities::Drive-by Target",
 "T1608.005": "Stage Capabilities::Link Target",
- "T1608.006": "Stage Capabilities::SEO Poisoning"
+ "T1608.006": "Stage Capabilities::SEO Poisoning",
+ "T1650": "Acquire Access"
 },
 "Initial Access": {
 "T1078": "Valid Accounts",
@@ -128,6 +130,7 @@
 "T1059.006": "Command and Scripting Interpreter::Python",
 "T1059.007": "Command and Scripting Interpreter::JavaScript",
 "T1059.008": "Command and Scripting Interpreter::Network Device CLI",
+ "T1059.009": "Command and Scripting Interpreter::Cloud API",
 "T1072": "Software Deployment Tools",
 "T1106": "Native API",
 "T1129": "Shared Modules",
@@ -145,7 +148,8 @@
 "T1569.002": "System Services::Service Execution",
 "T1609": "Container Administration Command",
 "T1610": "Deploy Container",
- "T1648": "Serverless Execution"
+ "T1648": "Serverless Execution",
+ "T1651": "Cloud Administration Command"
 },
 "Persistence": {
 "T1037": "Boot or Logon Initialization Scripts",
@@ -247,6 +251,7 @@
 "T1556.005": "Modify Authentication Process::Reversible Encryption",
 "T1556.006": "Modify Authentication Process::Multi-Factor Authentication",
 "T1556.007": "Modify Authentication Process::Hybrid Identity",
+ "T1556.008": "Modify Authentication Process::Network Provider DLL",
 "T1574": "Hijack Execution Flow",
 "T1574.001": "Hijack Execution Flow::DLL Search Order Hijacking",
 "T1574.002": "Hijack Execution Flow::DLL Side-Loading",
@@ -372,6 +377,8 @@
 "T1027.007": "Obfuscated Files or Information::Dynamic API Resolution",
 "T1027.008": "Obfuscated Files or Information::Stripped Payloads",
 "T1027.009": "Obfuscated Files or Information::Embedded Payloads",
+ "T1027.010": "Obfuscated Files or Information::Command Obfuscation",
+ "T1027.011": "Obfuscated Files or Information::Fileless Storage",
 "T1036": "Masquerading",
 "T1036.001": "Masquerading::Invalid Code Signature",
 "T1036.002": "Masquerading::Right-to-Left Override",
@@ -380,6 +387,7 @@
 "T1036.005": "Masquerading::Match Legitimate Name or Location",
 "T1036.006": "Masquerading::Space after Filename",
 "T1036.007": "Masquerading::Double File Extension",
+ "T1036.008": "Masquerading::Masquerade File Type",
 "T1055": "Process Injection",
 "T1055.001": "Process Injection::Dynamic-link Library Injection",
 "T1055.002": "Process Injection::Portable Executable Injection",
@@ -487,6 +495,7 @@
 "T1556.005": "Modify Authentication Process::Reversible Encryption",
 "T1556.006": "Modify Authentication Process::Multi-Factor Authentication",
 "T1556.007": "Modify Authentication Process::Hybrid Identity",
+ "T1556.008": "Modify Authentication Process::Network Provider DLL",
 "T1562": "Impair Defenses",
 "T1562.001": "Impair Defenses::Disable or Modify Tools",
 "T1562.002": "Impair Defenses::Disable Windows Event Logging",
@@ -497,6 +506,7 @@
 "T1562.008": "Impair Defenses::Disable Cloud Logs",
 "T1562.009": "Impair Defenses::Safe Mode Boot",
 "T1562.010": "Impair Defenses::Downgrade Attack",
+ "T1562.011": "Impair Defenses::Spoof Security Alerting",
 "T1564": "Hide Artifacts",
 "T1564.001": "Hide Artifacts::Hidden Files and Directories",
 "T1564.002": "Hide Artifacts::Hidden Users",
@@ -574,6 +584,7 @@
 "T1552.005": "Unsecured Credentials::Cloud Instance Metadata API",
 "T1552.006": "Unsecured Credentials::Group Policy Preferences",
 "T1552.007": "Unsecured Credentials::Container API",
+ "T1552.008": "Unsecured Credentials::Chat Messages",
 "T1555": "Credentials from Password Stores",
 "T1555.001": "Credentials from Password Stores::Keychain",
 "T1555.002": "Credentials from Password Stores::Securityd Memory",
@@ -588,6 +599,7 @@
 "T1556.005": "Modify Authentication Process::Reversible Encryption",
 "T1556.006": "Modify Authentication Process::Multi-Factor Authentication",
 "T1556.007": "Modify Authentication Process::Hybrid Identity",
+ "T1556.008": "Modify Authentication Process::Network Provider DLL",
 "T1557": "Adversary-in-the-Middle",
 "T1557.001": "Adversary-in-the-Middle::LLMNR/NBT-NS Poisoning and SMB Relay",
 "T1557.002": "Adversary-in-the-Middle::ARP Cache Poisoning",
@@ -630,7 +642,7 @@
 "T1124": "System Time Discovery",
 "T1135": "Network Share Discovery",
 "T1201": "Password Policy Discovery",
- "T1217": "Browser Bookmark Discovery",
+ "T1217": "Browser Information Discovery",
 "T1482": "Domain Trust Discovery",
 "T1497": "Virtualization/Sandbox Evasion",
 "T1497.001": "Virtualization/Sandbox Evasion::System Checks",
@@ -646,7 +658,8 @@
 "T1614.001": "System Location Discovery::System Language Discovery",
 "T1615": "Group Policy Discovery",
 "T1619": "Cloud Storage Object Discovery",
- "T1622": "Debugger Evasion"
+ "T1622": "Debugger Evasion",
+ "T1652": "Device Driver Discovery"
 },
 "Lateral Movement": {
 "T1021": "Remote Services",
@@ -656,6 +669,7 @@
 "T1021.004": "Remote Services::SSH",
 "T1021.005": "Remote Services::VNC",
 "T1021.006": "Remote Services::Windows Remote Management",
+ "T1021.007": "Remote Services::Cloud Services",
 "T1072": "Software Deployment Tools",
 "T1080": "Taint Shared Content",
 "T1091": "Replication Through Removable Media",
@@ -768,7 +782,8 @@
 "T1537": "Transfer Data to Cloud Account",
 "T1567": "Exfiltration Over Web Service",
 "T1567.001": "Exfiltration Over Web Service::Exfiltration to Code Repository",
- "T1567.002": "Exfiltration Over Web Service::Exfiltration to Cloud Storage"
+ "T1567.002": "Exfiltration Over Web Service::Exfiltration to Cloud Storage",
+ "T1567.003": "Exfiltration Over Web Service::Exfiltration to Text Storage Sites"
 },
 "Impact": {
 "T1485": "Data Destruction",