From 122fb5f9f1bd54d92ef26e86dce1dc70f03e5866 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 17 Jan 2022 14:18:07 +0000
Subject: [PATCH 01/11] build(deps-dev): bump types-termcolor from 1.1.2 to 1.1.3
Bumps [types-termcolor](https://github.com/python/typeshed) from 1.1.2 to 1.1.3.
- [Release notes](https://github.com/python/typeshed/releases)
- [Commits](https://github.com/python/typeshed/commits)
---
updated-dependencies:
- dependency-name: types-termcolor
dependency-type: direct:development
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot]
---
 setup.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/setup.py b/setup.py
index f07b0ca3..d3f4c75d 100644
--- a/setup.py
+++ b/setup.py
@@ -81,7 +81,7 @@ setuptools.setup(
 "types-colorama==0.4.6",
 "types-PyYAML==6.0.3",
 "types-tabulate==0.8.5",
- "types-termcolor==1.1.2",
+ "types-termcolor==1.1.3",
 "types-psutil==5.8.19",
 ],
 },
From 60a30518bc87464411e1447dd6665b66534288de Mon Sep 17 00:00:00 2001
From: Baptistin Boilot
Date: Sat, 8 Jan 2022 17:23:53 +0100
Subject: [PATCH 02/11] linter: add mitre att&ck ttps extraction script
---
 scripts/setup-linter-dependencies.py | 92 ++++++++++++++++++++++++++++
 setup.py | 2 +
 2 files changed, 94 insertions(+)
 create mode 100644 scripts/setup-linter-dependencies.py
diff --git a/scripts/setup-linter-dependencies.py b/scripts/setup-linter-dependencies.py
new file mode 100644
index 00000000..ced6342b
--- /dev/null
+++ b/scripts/setup-linter-dependencies.py
@@ -0,0 +1,92 @@
+import json
+
+import requests
+from stix2 import Filter, MemoryStore, AttackPattern
+
+
+class StixExtractor:
+ def __init__(self, url):
+ stix_json = requests.get(url).json()
+ self._memory_store = MemoryStore(stix_data=stix_json["objects"])
+
+ def _process_attack_patterns(self, attack_patterns):
+ return attack_patterns
+
+ def _get_attack_patterns(self):
+ results = self._memory_store.query([Filter("type", "=", "attack-pattern")])
+ return self._process_attack_patterns(results)
+
+
+class AttckStixExtractor(StixExtractor):
+ def _process_attack_patterns(self, stix_objects) -> list[AttackPattern]:
+ """Remove any revoked or deprecated objects from queries made to the data source"""
+ # Note we use .get() because the property may not be present in the JSON data. The default is False
+ # if the property is not set.
+ return list(
+ filter(
+ lambda x: x.get("x_mitre_deprecated", False) is False and x.get("revoked", False) is False,
+ stix_objects,
+ )
+ )
+
+ def _get_tactics(self):
+ # Only one matrix -> enterprise att&ck
+ matrix = self._memory_store.query(
+ [
+ Filter("type", "=", "x-mitre-matrix"),
+ ]
+ )[0]
+ return [self._memory_store.get(tid) for tid in matrix["tactic_refs"]]
+
+ def _get_techniques_from_tactic(self, tactic):
+ return self._memory_store.query(
+ [
+ Filter("type", "=", "attack-pattern"),
+ Filter("kill_chain_phases.phase_name", "=", tactic["x_mitre_shortname"]),
+ Filter(
+ "kill_chain_phases.kill_chain_name", "=", "mitre-attack"
+ ), # kill chain name for enterprise att&ck
+ ]
+ )
+
+ def _get_parent_technique_from_subtechnique(self, subtechnique):
+ tid = subtechnique["external_references"][0]["external_id"].split(".")[0]
+ return self._memory_store.query(
+ [
+ Filter("type", "=", "attack-pattern"),
+ Filter("external_references.external_id", "=", tid),
+ ]
+ )[0]
+
+ def run(self):
+ result = {}
+ tactics = self._get_tactics()
+ for tactic in tactics:
+ result[tactic["name"]] = {}
+ techniques = self._get_techniques_from_tactic(tactic)
+ for technique in techniques:
+ if technique["x_mitre_is_subtechnique"]:
+ parent_technique = self._get_parent_technique_from_subtechnique(technique)
+ result[tactic["name"]][f"{parent_technique['name']}::{technique['name']}"] = technique[
+ "external_references"
+ ][0]["external_id"]
+ else:
+ result[tactic["name"]][technique["name"]] = technique["external_references"][0]["external_id"]
+ return result
+
+
+class MbcStixExtractor(StixExtractor):
+ ...
+
+
+def main():
+ s = AttckStixExtractor(
+ "https://raw.githubusercontent.com/mitre-attack/attack-stix-data/master/enterprise-attack/enterprise-attack.json"
+ )
+ r = s.run()
+ with open("attack.json", "w") as jf:
+ json.dump(r, jf, indent=2)
+
+
+if __name__ == "__main__":
+ main()
diff --git a/setup.py b/setup.py
index d3f4c75d..7618a2f4 100644
--- a/setup.py
+++ b/setup.py
@@ -76,6 +76,8 @@ setuptools.setup(
 "isort==5.10.1",
 "mypy==0.931",
 "psutil==5.9.0",
+ "stix2==3.0.1",
+ "requests==2.27.1",
 # type stubs for mypy
 "types-backports==0.1.3",
 "types-colorama==0.4.6",
From fa99782f0254b28014351dd257b5be04d82c28a6 Mon Sep 17 00:00:00 2001
From: Baptistin Boilot
Date: Sat, 8 Jan 2022 22:20:52 +0100
Subject: [PATCH 03/11] linter: add a linter rule that checks for invalid att&ck technique
---
 scripts/lint.py | 38 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)
diff --git a/scripts/lint.py b/scripts/lint.py
index 0047d574..181770a0 100644
--- a/scripts/lint.py
+++ b/scripts/lint.py
@@ -15,7 +15,9 @@ See the License for the specific language governing permissions and limitations
 """
 import gc
 import os
+import re
 import sys
+import json
 import time
 import string
 import difflib
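Review bot: `requests.get(url).json()` in `StixExtractor.__init__` sets no timeout and never checks the HTTP status, so a 404, a rate-limit page or a stalled connection shows up as a hang, a JSON decode error or a `KeyError` on `"objects"` instead of a clear failure; I would split it into `resp = requests.get(url, timeout=60)`, `resp.raise_for_status()` and `self._memory_store = MemoryStore(stix_data=resp.json()["objects"])`. Separately, `main()` fetches the `master` branch of attack-stix-data rather than a tagged release, so two runs of the script can emit different `attack.json` contents; pinning the URL to a release tag, or recording the ATT&CK version carried by the bundle in the output, would make the generated data reproducible and reviewable. The `-> list[AttackPattern]` annotation on `_process_attack_patterns` is evaluated at definition time and needs Python 3.9+ unless the file adds `from __future__ import annotations`, which is worth confirming against the project's supported versions. `MbcStixExtractor` is an empty `...` stub with no docstring; a one-line comment saying it is a placeholder for a future MBC extractor would stop readers from looking for missing behaviour.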
@@ -221,6 +223,41 @@ class ExampleFileDNE(Lint):
 return not found
+class InvalidAttckTechnique(Lint):
+ name = "att&ck technique is malformed"
+ recommendation = """
+ The att&ck field must respect the following format:
+ :: []
+ OR
+ :::: []
+ """
+
+ def __init__(self):
+ super(InvalidAttckTechnique, self).__init__()
+
+ # This regex match the format defined in the recommandation attribute
+ self.reg = re.compile("^([a-zA-Z| ]+)::(.*) \[(T\d+\.?\d*)\]$")
+ with open("scripts/attack.json", "r") as jf:
+ self.techniques = json.load(jf)
+
+ def check_rule(self, ctx: Context, rule: Rule):
+ if "att&ck" in rule.meta.keys():
+ for r in rule.meta["att&ck"]:
+ m = self.reg.match(r)
+ if m:
+ tactic, technique, tid = m.group(1, 2, 3)
+ if tactic not in self.techniques.keys():
+ self.name = "Unknown tactic: {tactic}"
+ return True
+ if technique not in self.techniques[tactic].keys():
+ self.name = f"Unknown technique: {technique}"
+ return True
+ if self.techniques[tactic][technique] != tid:
+ self.name = f"The technique {technique} should have ID {self.techniques[tactic][technique]} instead of {tid}"
+ return True
+ return False
+
+
+
 DEFAULT_SIGNATURES = capa.main.get_default_signatures()
@@ -647,6 +684,7 @@ META_LINTS = (
 UnusualMetaField(),
 LibRuleNotInLibDirectory(),
 LibRuleHasNamespace(),
+ InvalidAttckTechnique(),
 )
From 67d8d832c9428d5000d80ae0a16086f530904a9a Mon Sep 17 00:00:00 2001
From: Baptistin Boilot
Date: Sat, 8 Jan 2022 23:38:13 +0100
Subject: [PATCH 04/11] linter: refactor att&ck linter and add attck json data
---
 scripts/lint.py | 14 +-
 scripts/linter-data.json | 761 +++++++++++++++++++++++++++
 scripts/setup-linter-dependencies.py | 111 ++--
 setup.py | 1 +
 4 files changed, 826 insertions(+), 61 deletions(-)
 create mode 100644 scripts/linter-data.json
diff --git a/scripts/lint.py b/scripts/lint.py
index 181770a0..a01a5660 100644
--- a/scripts/lint.py
+++ b/scripts/lint.py
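Review bot: An `att&ck` entry that does not match `self.reg` is silently accepted: `check_rule` only inspects entries where `m` is truthy and otherwise falls through to `return False`, so the "malformed" case the lint is named for is never reported; adding `if not m:` / `return True` ahead of the `if m:` branch closes that gap, and the patch-04 rewrite of this method in `@@ -247,13 +247,13 @@` keeps the same fall-through. The regex literal `"^([a-zA-Z| ]+)::(.*) \[(T\d+\.?\d*)\]$"` is not a raw string, so `\[` and `\d` are invalid escape sequences that current Pythons warn about and that are slated to become errors; it should be `re.compile(r"^([a-zA-Z| ]+)::(.*) \[(T\d+\.?\d*)\]$")`. Inside that character class `|` is a literal pipe rather than alternation, so if the intent was letters-or-space the class should read `[a-zA-Z ]`. The `with open("scripts/attack.json", "r")` in `__init__` is resolved against the current working directory; see the patch-04 note on the renamed file for the fix.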
@@ -224,7 +224,7 @@ class ExampleFileDNE(Lint):
 class InvalidAttckTechnique(Lint):
- name = "att&ck technique is malformed"
+ name = "att&ck technique is malformed or does not exist"
 recommendation = """
 The att&ck field must respect the following format:
 :: []
@@ -237,7 +237,7 @@ class InvalidAttckTechnique(Lint):
 # This regex match the format defined in the recommandation attribute
 self.reg = re.compile("^([a-zA-Z| ]+)::(.*) \[(T\d+\.?\d*)\]$")
- with open("scripts/attack.json", "r") as jf:
+ with open("scripts/linter-data.json", "r") as jf:
 self.techniques = json.load(jf)
 def check_rule(self, ctx: Context, rule: Rule):
@@ -247,13 +247,13 @@ class InvalidAttckTechnique(Lint):
 if m:
 tactic, technique, tid = m.group(1, 2, 3)
 if tactic not in self.techniques.keys():
- self.name = "Unknown tactic: {tactic}"
+ self.recommendation = f'Unknown tactic: "{tactic}"'
 return True
- if technique not in self.techniques[tactic].keys():
- self.name = f"Unknown technique: {technique}"
+ if tid not in self.techniques[tactic].keys():
+ self.recommendation = f"Unknown technique ID: {tid}"
 return True
- if self.techniques[tactic][technique] != tid:
- self.name = f"The technique {technique} should have ID {self.techniques[tactic][technique]} instead of {tid}"
+ if self.techniques[tactic][tid] != technique:
+ self.recommendation = f'{tid} should be associated to technique "{self.techniques[tactic][tid]}" instead of "{technique}"'
 return True
 return False
diff --git a/scripts/linter-data.json b/scripts/linter-data.json
new file mode 100644
index 00000000..ee0a26a6
--- /dev/null
+++ b/scripts/linter-data.json
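Review bot: `open("scripts/linter-data.json", "r")` in `__init__` is resolved against the current working directory, and because `InvalidAttckTechnique()` is instantiated in the module-level `META_LINTS` tuple, importing `scripts/lint.py` from anywhere other than the repository root fails with `FileNotFoundError` before any rule is linted. Resolving the path relative to the module, `os.path.join(os.path.dirname(__file__), "linter-data.json")`, removes that dependency; `os` is already imported at the top of the file. In the `@@ -247,13 +247,13 @@` hunk each failure assigns `self.recommendation` on the one shared instance, which shadows the class-level format description for every later rule the lint runs against; a short comment on the first assignment, such as `# overwrites the class-level recommendation for this failure; the format text is no longer shown`, would make that intentional rather than surprising. The `.keys()` in `if tactic not in self.techniques.keys()` and `if tid not in self.techniques[tactic].keys()` is redundant; `in` on the dict is the idiom.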
@@ -0,0 +1,761 @@ +{ + "Reconnaissance": { + "T1595": "Active Scanning", + "T1591.002": "Gather Victim Org Information::Business Relationships", + "T1596.004": "Search Open Technical Databases::CDNs", + "T1592.004": "Gather Victim Host Information::Client Configurations", + "T1589.001": "Gather Victim Identity Information::Credentials", + "T1590.002": "Gather Victim Network Information::DNS", + "T1596.001": "Search Open Technical Databases::DNS/Passive DNS", + "T1591.001": "Gather Victim Org Information::Determine Physical Locations", + "T1596.003": "Search Open Technical Databases::Digital Certificates", + "T1590.001": "Gather Victim Network Information::Domain Properties", + "T1589.002": "Gather Victim Identity Information::Email Addresses", + "T1589.003": "Gather Victim Identity Information::Employee Names", + "T1592.003": "Gather Victim Host Information::Firmware", + "T1592": "Gather Victim Host Information", + "T1589": "Gather Victim Identity Information", + "T1590": "Gather Victim Network Information", + "T1591": "Gather Victim Org Information", + "T1592.001": "Gather Victim Host Information::Hardware", + "T1590.005": "Gather Victim Network Information::IP Addresses", + "T1591.003": "Gather Victim Org Information::Identify Business Tempo", + "T1591.004": "Gather Victim Org Information::Identify Roles", + "T1590.006": "Gather Victim Network Information::Network Security Appliances", + "T1590.004": "Gather Victim Network Information::Network Topology", + "T1590.003": "Gather Victim Network Information::Network Trust Dependencies", + "T1598": "Phishing for Information", + "T1597.002": "Search Closed Sources::Purchase Technical Data", + "T1596.005": "Search Open Technical Databases::Scan Databases", + "T1595.001": "Active Scanning::Scanning IP Blocks", + "T1597": "Search Closed Sources", + "T1593.002": "Search Open Websites/Domains::Search Engines", + "T1596": "Search Open Technical Databases", + "T1593": "Search Open Websites/Domains", + "T1594": "Search 
Victim-Owned Websites", + "T1593.001": "Search Open Websites/Domains::Social Media", + "T1592.002": "Gather Victim Host Information::Software", + "T1598.002": "Phishing for Information::Spearphishing Attachment", + "T1598.003": "Phishing for Information::Spearphishing Link", + "T1598.001": "Phishing for Information::Spearphishing Service", + "T1597.001": "Search Closed Sources::Threat Intel Vendors", + "T1595.002": "Active Scanning::Vulnerability Scanning", + "T1596.002": "Search Open Technical Databases::WHOIS" + }, + "Resource Development": { + "T1583": "Acquire Infrastructure", + "T1583.005": "Acquire Infrastructure::Botnet", + "T1584.005": "Compromise Infrastructure::Botnet", + "T1587.002": "Develop Capabilities::Code Signing Certificates", + "T1588.003": "Obtain Capabilities::Code Signing Certificates", + "T1586": "Compromise Accounts", + "T1584": "Compromise Infrastructure", + "T1583.002": "Acquire Infrastructure::DNS Server", + "T1584.002": "Compromise Infrastructure::DNS Server", + "T1587": "Develop Capabilities", + "T1587.003": "Develop Capabilities::Digital Certificates", + "T1588.004": "Obtain Capabilities::Digital Certificates", + "T1583.001": "Acquire Infrastructure::Domains", + "T1584.001": "Compromise Infrastructure::Domains", + "T1608.004": "Stage Capabilities::Drive-by Target", + "T1585.002": "Establish Accounts::Email Accounts", + "T1586.002": "Compromise Accounts::Email Accounts", + "T1585": "Establish Accounts", + "T1587.004": "Develop Capabilities::Exploits", + "T1588.005": "Obtain Capabilities::Exploits", + "T1608.003": "Stage Capabilities::Install Digital Certificate", + "T1608.005": "Stage Capabilities::Link Target", + "T1587.001": "Develop Capabilities::Malware", + "T1588.001": "Obtain Capabilities::Malware", + "T1588": "Obtain Capabilities", + "T1583.004": "Acquire Infrastructure::Server", + "T1584.004": "Compromise Infrastructure::Server", + "T1585.001": "Establish Accounts::Social Media Accounts", + "T1586.001": "Compromise 
Accounts::Social Media Accounts", + "T1608": "Stage Capabilities", + "T1588.002": "Obtain Capabilities::Tool", + "T1608.001": "Stage Capabilities::Upload Malware", + "T1608.002": "Stage Capabilities::Upload Tool", + "T1583.003": "Acquire Infrastructure::Virtual Private Server", + "T1584.003": "Compromise Infrastructure::Virtual Private Server", + "T1588.006": "Obtain Capabilities::Vulnerabilities", + "T1583.006": "Acquire Infrastructure::Web Services", + "T1584.006": "Compromise Infrastructure::Web Services" + }, + "Initial Access": { + "T1078.004": "Valid Accounts::Cloud Accounts", + "T1195.003": "Supply Chain Compromise::Compromise Hardware Supply Chain", + "T1195.001": "Supply Chain Compromise::Compromise Software Dependencies and Development Tools", + "T1195.002": "Supply Chain Compromise::Compromise Software Supply Chain", + "T1078.001": "Valid Accounts::Default Accounts", + "T1078.002": "Valid Accounts::Domain Accounts", + "T1189": "Drive-by Compromise", + "T1190": "Exploit Public-Facing Application", + "T1133": "External Remote Services", + "T1200": "Hardware Additions", + "T1078.003": "Valid Accounts::Local Accounts", + "T1566": "Phishing", + "T1091": "Replication Through Removable Media", + "T1566.001": "Phishing::Spearphishing Attachment", + "T1566.002": "Phishing::Spearphishing Link", + "T1566.003": "Phishing::Spearphishing via Service", + "T1195": "Supply Chain Compromise", + "T1199": "Trusted Relationship", + "T1078": "Valid Accounts" + }, + "Execution": { + "T1059.002": "Command and Scripting Interpreter::AppleScript", + "T1053.001": "Scheduled Task/Job::At (Linux)", + "T1053.002": "Scheduled Task/Job::At (Windows)", + "T1059": "Command and Scripting Interpreter", + "T1559.001": "Inter-Process Communication::Component Object Model", + "T1609": "Container Administration Command", + "T1053.007": "Scheduled Task/Job::Container Orchestration Job", + "T1053.003": "Scheduled Task/Job::Cron", + "T1610": "Deploy Container", + "T1559.002": "Inter-Process 
Communication::Dynamic Data Exchange", + "T1203": "Exploitation for Client Execution", + "T1559": "Inter-Process Communication", + "T1059.007": "Command and Scripting Interpreter::JavaScript", + "T1569.001": "System Services::Launchctl", + "T1204.002": "User Execution::Malicious File", + "T1204.003": "User Execution::Malicious Image", + "T1204.001": "User Execution::Malicious Link", + "T1106": "Native API", + "T1059.008": "Command and Scripting Interpreter::Network Device CLI", + "T1059.001": "Command and Scripting Interpreter::PowerShell", + "T1059.006": "Command and Scripting Interpreter::Python", + "T1053.005": "Scheduled Task/Job::Scheduled Task", + "T1053": "Scheduled Task/Job", + "T1569.002": "System Services::Service Execution", + "T1129": "Shared Modules", + "T1072": "Software Deployment Tools", + "T1569": "System Services", + "T1053.006": "Scheduled Task/Job::Systemd Timers", + "T1059.004": "Command and Scripting Interpreter::Unix Shell", + "T1204": "User Execution", + "T1059.005": "Command and Scripting Interpreter::Visual Basic", + "T1059.003": "Command and Scripting Interpreter::Windows Command Shell", + "T1047": "Windows Management Instrumentation" + }, + "Persistence": { + "T1546.008": "Event Triggered Execution::Accessibility Features", + "T1098": "Account Manipulation", + "T1547.014": "Boot or Logon Autostart Execution::Active Setup", + "T1098.003": "Account Manipulation::Add Office 365 Global Administrator Role", + "T1137.006": "Office Application Startup::Add-ins", + "T1098.001": "Account Manipulation::Additional Cloud Credentials", + "T1546.009": "Event Triggered Execution::AppCert DLLs", + "T1546.010": "Event Triggered Execution::AppInit DLLs", + "T1546.011": "Event Triggered Execution::Application Shimming", + "T1053.001": "Scheduled Task/Job::At (Linux)", + "T1053.002": "Scheduled Task/Job::At (Windows)", + "T1547.002": "Boot or Logon Autostart Execution::Authentication Package", + "T1197": "BITS Jobs", + "T1547": "Boot or Logon Autostart 
Execution", + "T1037": "Boot or Logon Initialization Scripts", + "T1542.003": "Pre-OS Boot::Bootkit", + "T1176": "Browser Extensions", + "T1574.012": "Hijack Execution Flow::COR_PROFILER", + "T1546.001": "Event Triggered Execution::Change Default File Association", + "T1136.003": "Create Account::Cloud Account", + "T1078.004": "Valid Accounts::Cloud Accounts", + "T1542.002": "Pre-OS Boot::Component Firmware", + "T1546.015": "Event Triggered Execution::Component Object Model Hijacking", + "T1554": "Compromise Client Software Binary", + "T1053.007": "Scheduled Task/Job::Container Orchestration Job", + "T1136": "Create Account", + "T1543": "Create or Modify System Process", + "T1053.003": "Scheduled Task/Job::Cron", + "T1574.001": "Hijack Execution Flow::DLL Search Order Hijacking", + "T1574.002": "Hijack Execution Flow::DLL Side-Loading", + "T1078.001": "Valid Accounts::Default Accounts", + "T1136.002": "Create Account::Domain Account", + "T1078.002": "Valid Accounts::Domain Accounts", + "T1556.001": "Modify Authentication Process::Domain Controller Authentication", + "T1574.004": "Hijack Execution Flow::Dylib Hijacking", + "T1574.006": "Hijack Execution Flow::Dynamic Linker Hijacking", + "T1546.014": "Event Triggered Execution::Emond", + "T1546": "Event Triggered Execution", + "T1098.002": "Account Manipulation::Exchange Email Delegate Permissions", + "T1574.005": "Hijack Execution Flow::Executable Installer File Permissions Weakness", + "T1133": "External Remote Services", + "T1574": "Hijack Execution Flow", + "T1505.004": "Server Software Component::IIS Components", + "T1546.012": "Event Triggered Execution::Image File Execution Options Injection", + "T1525": "Implant Internal Image", + "T1547.006": "Boot or Logon Autostart Execution::Kernel Modules and Extensions", + "T1546.006": "Event Triggered Execution::LC_LOAD_DYLIB Addition", + "T1547.008": "Boot or Logon Autostart Execution::LSASS Driver", + "T1543.001": "Create or Modify System Process::Launch Agent", + 
"T1543.004": "Create or Modify System Process::Launch Daemon", + "T1136.001": "Create Account::Local Account", + "T1078.003": "Valid Accounts::Local Accounts", + "T1547.015": "Boot or Logon Autostart Execution::Login Items", + "T1037.002": "Boot or Logon Initialization Scripts::Logon Script (Mac)", + "T1037.001": "Boot or Logon Initialization Scripts::Logon Script (Windows)", + "T1556": "Modify Authentication Process", + "T1546.007": "Event Triggered Execution::Netsh Helper DLL", + "T1556.004": "Modify Authentication Process::Network Device Authentication", + "T1037.003": "Boot or Logon Initialization Scripts::Network Logon Script", + "T1137": "Office Application Startup", + "T1137.001": "Office Application Startup::Office Template Macros", + "T1137.002": "Office Application Startup::Office Test", + "T1137.003": "Office Application Startup::Outlook Forms", + "T1137.004": "Office Application Startup::Outlook Home Page", + "T1137.005": "Office Application Startup::Outlook Rules", + "T1556.002": "Modify Authentication Process::Password Filter DLL", + "T1574.007": "Hijack Execution Flow::Path Interception by PATH Environment Variable", + "T1574.008": "Hijack Execution Flow::Path Interception by Search Order Hijacking", + "T1574.009": "Hijack Execution Flow::Path Interception by Unquoted Path", + "T1547.011": "Boot or Logon Autostart Execution::Plist Modification", + "T1556.003": "Modify Authentication Process::Pluggable Authentication Modules", + "T1205.001": "Traffic Signaling::Port Knocking", + "T1547.010": "Boot or Logon Autostart Execution::Port Monitors", + "T1546.013": "Event Triggered Execution::PowerShell Profile", + "T1542": "Pre-OS Boot", + "T1547.012": "Boot or Logon Autostart Execution::Print Processors", + "T1037.004": "Boot or Logon Initialization Scripts::RC Scripts", + "T1542.004": "Pre-OS Boot::ROMMONkit", + "T1547.007": "Boot or Logon Autostart Execution::Re-opened Applications", + "T1547.001": "Boot or Logon Autostart Execution::Registry Run Keys / 
Startup Folder", + "T1505.001": "Server Software Component::SQL Stored Procedures", + "T1098.004": "Account Manipulation::SSH Authorized Keys", + "T1053.005": "Scheduled Task/Job::Scheduled Task", + "T1053": "Scheduled Task/Job", + "T1546.002": "Event Triggered Execution::Screensaver", + "T1547.005": "Boot or Logon Autostart Execution::Security Support Provider", + "T1505": "Server Software Component", + "T1574.010": "Hijack Execution Flow::Services File Permissions Weakness", + "T1574.011": "Hijack Execution Flow::Services Registry Permissions Weakness", + "T1547.009": "Boot or Logon Autostart Execution::Shortcut Modification", + "T1037.005": "Boot or Logon Initialization Scripts::Startup Items", + "T1542.001": "Pre-OS Boot::System Firmware", + "T1543.002": "Create or Modify System Process::Systemd Service", + "T1053.006": "Scheduled Task/Job::Systemd Timers", + "T1542.005": "Pre-OS Boot::TFTP Boot", + "T1547.003": "Boot or Logon Autostart Execution::Time Providers", + "T1205": "Traffic Signaling", + "T1505.002": "Server Software Component::Transport Agent", + "T1546.005": "Event Triggered Execution::Trap", + "T1546.004": "Event Triggered Execution::Unix Shell Configuration Modification", + "T1078": "Valid Accounts", + "T1505.003": "Server Software Component::Web Shell", + "T1546.003": "Event Triggered Execution::Windows Management Instrumentation Event Subscription", + "T1543.003": "Create or Modify System Process::Windows Service", + "T1547.004": "Boot or Logon Autostart Execution::Winlogon Helper DLL", + "T1547.013": "Boot or Logon Autostart Execution::XDG Autostart Entries" + }, + "Privilege Escalation": { + "T1548": "Abuse Elevation Control Mechanism", + "T1134": "Access Token Manipulation", + "T1546.008": "Event Triggered Execution::Accessibility Features", + "T1547.014": "Boot or Logon Autostart Execution::Active Setup", + "T1546.009": "Event Triggered Execution::AppCert DLLs", + "T1546.010": "Event Triggered Execution::AppInit DLLs", + "T1546.011": "Event 
Triggered Execution::Application Shimming", + "T1055.004": "Process Injection::Asynchronous Procedure Call", + "T1053.001": "Scheduled Task/Job::At (Linux)", + "T1053.002": "Scheduled Task/Job::At (Windows)", + "T1547.002": "Boot or Logon Autostart Execution::Authentication Package", + "T1547": "Boot or Logon Autostart Execution", + "T1037": "Boot or Logon Initialization Scripts", + "T1548.002": "Abuse Elevation Control Mechanism::Bypass User Account Control", + "T1574.012": "Hijack Execution Flow::COR_PROFILER", + "T1546.001": "Event Triggered Execution::Change Default File Association", + "T1078.004": "Valid Accounts::Cloud Accounts", + "T1546.015": "Event Triggered Execution::Component Object Model Hijacking", + "T1053.007": "Scheduled Task/Job::Container Orchestration Job", + "T1134.002": "Access Token Manipulation::Create Process with Token", + "T1543": "Create or Modify System Process", + "T1053.003": "Scheduled Task/Job::Cron", + "T1574.001": "Hijack Execution Flow::DLL Search Order Hijacking", + "T1574.002": "Hijack Execution Flow::DLL Side-Loading", + "T1078.001": "Valid Accounts::Default Accounts", + "T1078.002": "Valid Accounts::Domain Accounts", + "T1484": "Domain Policy Modification", + "T1484.002": "Domain Policy Modification::Domain Trust Modification", + "T1574.004": "Hijack Execution Flow::Dylib Hijacking", + "T1574.006": "Hijack Execution Flow::Dynamic Linker Hijacking", + "T1055.001": "Process Injection::Dynamic-link Library Injection", + "T1548.004": "Abuse Elevation Control Mechanism::Elevated Execution with Prompt", + "T1546.014": "Event Triggered Execution::Emond", + "T1611": "Escape to Host", + "T1546": "Event Triggered Execution", + "T1574.005": "Hijack Execution Flow::Executable Installer File Permissions Weakness", + "T1068": "Exploitation for Privilege Escalation", + "T1055.011": "Process Injection::Extra Window Memory Injection", + "T1484.001": "Domain Policy Modification::Group Policy Modification", + "T1574": "Hijack Execution Flow", 
+ "T1546.012": "Event Triggered Execution::Image File Execution Options Injection", + "T1547.006": "Boot or Logon Autostart Execution::Kernel Modules and Extensions", + "T1546.006": "Event Triggered Execution::LC_LOAD_DYLIB Addition", + "T1547.008": "Boot or Logon Autostart Execution::LSASS Driver", + "T1543.001": "Create or Modify System Process::Launch Agent", + "T1543.004": "Create or Modify System Process::Launch Daemon", + "T1078.003": "Valid Accounts::Local Accounts", + "T1547.015": "Boot or Logon Autostart Execution::Login Items", + "T1037.002": "Boot or Logon Initialization Scripts::Logon Script (Mac)", + "T1037.001": "Boot or Logon Initialization Scripts::Logon Script (Windows)", + "T1134.003": "Access Token Manipulation::Make and Impersonate Token", + "T1546.007": "Event Triggered Execution::Netsh Helper DLL", + "T1037.003": "Boot or Logon Initialization Scripts::Network Logon Script", + "T1134.004": "Access Token Manipulation::Parent PID Spoofing", + "T1574.007": "Hijack Execution Flow::Path Interception by PATH Environment Variable", + "T1574.008": "Hijack Execution Flow::Path Interception by Search Order Hijacking", + "T1574.009": "Hijack Execution Flow::Path Interception by Unquoted Path", + "T1547.011": "Boot or Logon Autostart Execution::Plist Modification", + "T1547.010": "Boot or Logon Autostart Execution::Port Monitors", + "T1055.002": "Process Injection::Portable Executable Injection", + "T1546.013": "Event Triggered Execution::PowerShell Profile", + "T1547.012": "Boot or Logon Autostart Execution::Print Processors", + "T1055.009": "Process Injection::Proc Memory", + "T1055.013": "Process Injection::Process Doppelg\u00e4nging", + "T1055.012": "Process Injection::Process Hollowing", + "T1055": "Process Injection", + "T1055.008": "Process Injection::Ptrace System Calls", + "T1037.004": "Boot or Logon Initialization Scripts::RC Scripts", + "T1547.007": "Boot or Logon Autostart Execution::Re-opened Applications", + "T1547.001": "Boot or Logon 
Autostart Execution::Registry Run Keys / Startup Folder", + "T1134.005": "Access Token Manipulation::SID-History Injection", + "T1053.005": "Scheduled Task/Job::Scheduled Task", + "T1053": "Scheduled Task/Job", + "T1546.002": "Event Triggered Execution::Screensaver", + "T1547.005": "Boot or Logon Autostart Execution::Security Support Provider", + "T1574.010": "Hijack Execution Flow::Services File Permissions Weakness", + "T1574.011": "Hijack Execution Flow::Services Registry Permissions Weakness", + "T1548.001": "Abuse Elevation Control Mechanism::Setuid and Setgid", + "T1547.009": "Boot or Logon Autostart Execution::Shortcut Modification", + "T1037.005": "Boot or Logon Initialization Scripts::Startup Items", + "T1548.003": "Abuse Elevation Control Mechanism::Sudo and Sudo Caching", + "T1543.002": "Create or Modify System Process::Systemd Service", + "T1053.006": "Scheduled Task/Job::Systemd Timers", + "T1055.003": "Process Injection::Thread Execution Hijacking", + "T1055.005": "Process Injection::Thread Local Storage", + "T1547.003": "Boot or Logon Autostart Execution::Time Providers", + "T1134.001": "Access Token Manipulation::Token Impersonation/Theft", + "T1546.005": "Event Triggered Execution::Trap", + "T1546.004": "Event Triggered Execution::Unix Shell Configuration Modification", + "T1055.014": "Process Injection::VDSO Hijacking", + "T1078": "Valid Accounts", + "T1546.003": "Event Triggered Execution::Windows Management Instrumentation Event Subscription", + "T1543.003": "Create or Modify System Process::Windows Service", + "T1547.004": "Boot or Logon Autostart Execution::Winlogon Helper DLL", + "T1547.013": "Boot or Logon Autostart Execution::XDG Autostart Entries" + }, + "Defense Evasion": { + "T1548": "Abuse Elevation Control Mechanism", + "T1134": "Access Token Manipulation", + "T1550.001": "Use Alternate Authentication Material::Application Access Token", + "T1055.004": "Process Injection::Asynchronous Procedure Call", + "T1197": "BITS Jobs", + 
"T1027.001": "Obfuscated Files or Information::Binary Padding", + "T1542.003": "Pre-OS Boot::Bootkit", + "T1612": "Build Image on Host", + "T1548.002": "Abuse Elevation Control Mechanism::Bypass User Account Control", + "T1218.003": "Signed Binary Proxy Execution::CMSTP", + "T1574.012": "Hijack Execution Flow::COR_PROFILER", + "T1070.003": "Indicator Removal on Host::Clear Command History", + "T1070.002": "Indicator Removal on Host::Clear Linux or Mac System Logs", + "T1070.001": "Indicator Removal on Host::Clear Windows Event Logs", + "T1078.004": "Valid Accounts::Cloud Accounts", + "T1553.002": "Subvert Trust Controls::Code Signing", + "T1553.006": "Subvert Trust Controls::Code Signing Policy Modification", + "T1027.004": "Obfuscated Files or Information::Compile After Delivery", + "T1218.001": "Signed Binary Proxy Execution::Compiled HTML File", + "T1542.002": "Pre-OS Boot::Component Firmware", + "T1218.002": "Signed Binary Proxy Execution::Control Panel", + "T1578.002": "Modify Cloud Compute Infrastructure::Create Cloud Instance", + "T1134.002": "Access Token Manipulation::Create Process with Token", + "T1578.001": "Modify Cloud Compute Infrastructure::Create Snapshot", + "T1574.001": "Hijack Execution Flow::DLL Search Order Hijacking", + "T1574.002": "Hijack Execution Flow::DLL Side-Loading", + "T1078.001": "Valid Accounts::Default Accounts", + "T1578.003": "Modify Cloud Compute Infrastructure::Delete Cloud Instance", + "T1140": "Deobfuscate/Decode Files or Information", + "T1610": "Deploy Container", + "T1006": "Direct Volume Access", + "T1562.008": "Impair Defenses::Disable Cloud Logs", + "T1600.002": "Weaken Encryption::Disable Crypto Hardware", + "T1562.002": "Impair Defenses::Disable Windows Event Logging", + "T1562.007": "Impair Defenses::Disable or Modify Cloud Firewall", + "T1562.004": "Impair Defenses::Disable or Modify System Firewall", + "T1562.001": "Impair Defenses::Disable or Modify Tools", + "T1078.002": "Valid Accounts::Domain Accounts", + 
"T1556.001": "Modify Authentication Process::Domain Controller Authentication", + "T1484": "Domain Policy Modification", + "T1484.002": "Domain Policy Modification::Domain Trust Modification", + "T1036.007": "Masquerading::Double File Extension", + "T1562.010": "Impair Defenses::Downgrade Attack", + "T1601.002": "Modify System Image::Downgrade System Image", + "T1574.004": "Hijack Execution Flow::Dylib Hijacking", + "T1574.006": "Hijack Execution Flow::Dynamic Linker Hijacking", + "T1055.001": "Process Injection::Dynamic-link Library Injection", + "T1548.004": "Abuse Elevation Control Mechanism::Elevated Execution with Prompt", + "T1564.008": "Hide Artifacts::Email Hiding Rules", + "T1480.001": "Execution Guardrails::Environmental Keying", + "T1574.005": "Hijack Execution Flow::Executable Installer File Permissions Weakness", + "T1480": "Execution Guardrails", + "T1211": "Exploitation for Defense Evasion", + "T1055.011": "Process Injection::Extra Window Memory Injection", + "T1070.004": "Indicator Removal on Host::File Deletion", + "T1222": "File and Directory Permissions Modification", + "T1553.001": "Subvert Trust Controls::Gatekeeper Bypass", + "T1484.001": "Domain Policy Modification::Group Policy Modification", + "T1027.006": "Obfuscated Files or Information::HTML Smuggling", + "T1564.005": "Hide Artifacts::Hidden File System", + "T1564.001": "Hide Artifacts::Hidden Files and Directories", + "T1564.002": "Hide Artifacts::Hidden Users", + "T1564.003": "Hide Artifacts::Hidden Window", + "T1564": "Hide Artifacts", + "T1574": "Hijack Execution Flow", + "T1562.003": "Impair Defenses::Impair Command History Logging", + "T1562": "Impair Defenses", + "T1562.006": "Impair Defenses::Indicator Blocking", + "T1027.005": "Obfuscated Files or Information::Indicator Removal from Tools", + "T1070": "Indicator Removal on Host", + "T1202": "Indirect Command Execution", + "T1553.004": "Subvert Trust Controls::Install Root Certificate", + "T1218.004": "Signed Binary Proxy 
Execution::InstallUtil", + "T1036.001": "Masquerading::Invalid Code Signature", + "T1222.002": "File and Directory Permissions Modification::Linux and Mac File and Directory Permissions Modification", + "T1078.003": "Valid Accounts::Local Accounts", + "T1218.014": "Signed Binary Proxy Execution::MMC", + "T1127.001": "Trusted Developer Utilities Proxy Execution::MSBuild", + "T1134.003": "Access Token Manipulation::Make and Impersonate Token", + "T1553.005": "Subvert Trust Controls::Mark-of-the-Web Bypass", + "T1036.004": "Masquerading::Masquerade Task or Service", + "T1036": "Masquerading", + "T1036.005": "Masquerading::Match Legitimate Name or Location", + "T1218.013": "Signed Binary Proxy Execution::Mavinject", + "T1556": "Modify Authentication Process", + "T1578": "Modify Cloud Compute Infrastructure", + "T1112": "Modify Registry", + "T1601": "Modify System Image", + "T1218.005": "Signed Binary Proxy Execution::Mshta", + "T1218.007": "Signed Binary Proxy Execution::Msiexec", + "T1564.004": "Hide Artifacts::NTFS File Attributes", + "T1599.001": "Network Boundary Bridging::Network Address Translation Traversal", + "T1599": "Network Boundary Bridging", + "T1556.004": "Modify Authentication Process::Network Device Authentication", + "T1070.005": "Indicator Removal on Host::Network Share Connection Removal", + "T1027": "Obfuscated Files or Information", + "T1218.008": "Signed Binary Proxy Execution::Odbcconf", + "T1134.004": "Access Token Manipulation::Parent PID Spoofing", + "T1550.002": "Use Alternate Authentication Material::Pass the Hash", + "T1550.003": "Use Alternate Authentication Material::Pass the Ticket", + "T1556.002": "Modify Authentication Process::Password Filter DLL", + "T1601.001": "Modify System Image::Patch System Image", + "T1574.007": "Hijack Execution Flow::Path Interception by PATH Environment Variable", + "T1574.008": "Hijack Execution Flow::Path Interception by Search Order Hijacking", + "T1574.009": "Hijack Execution Flow::Path Interception by 
Unquoted Path", + "T1556.003": "Modify Authentication Process::Pluggable Authentication Modules", + "T1205.001": "Traffic Signaling::Port Knocking", + "T1055.002": "Process Injection::Portable Executable Injection", + "T1542": "Pre-OS Boot", + "T1055.009": "Process Injection::Proc Memory", + "T1055.013": "Process Injection::Process Doppelg\u00e4nging", + "T1055.012": "Process Injection::Process Hollowing", + "T1055": "Process Injection", + "T1055.008": "Process Injection::Ptrace System Calls", + "T1216.001": "Signed Script Proxy Execution::PubPrn", + "T1542.004": "Pre-OS Boot::ROMMONkit", + "T1600.001": "Weaken Encryption::Reduce Key Space", + "T1620": "Reflective Code Loading", + "T1218.009": "Signed Binary Proxy Execution::Regsvcs/Regasm", + "T1218.010": "Signed Binary Proxy Execution::Regsvr32", + "T1036.003": "Masquerading::Rename System Utilities", + "T1564.009": "Hide Artifacts::Resource Forking", + "T1578.004": "Modify Cloud Compute Infrastructure::Revert Cloud Instance", + "T1036.002": "Masquerading::Right-to-Left Override", + "T1207": "Rogue Domain Controller", + "T1014": "Rootkit", + "T1564.006": "Hide Artifacts::Run Virtual Instance", + "T1218.011": "Signed Binary Proxy Execution::Rundll32", + "T1134.005": "Access Token Manipulation::SID-History Injection", + "T1553.003": "Subvert Trust Controls::SIP and Trust Provider Hijacking", + "T1562.009": "Impair Defenses::Safe Mode Boot", + "T1574.010": "Hijack Execution Flow::Services File Permissions Weakness", + "T1574.011": "Hijack Execution Flow::Services Registry Permissions Weakness", + "T1548.001": "Abuse Elevation Control Mechanism::Setuid and Setgid", + "T1218": "Signed Binary Proxy Execution", + "T1216": "Signed Script Proxy Execution", + "T1027.002": "Obfuscated Files or Information::Software Packing", + "T1036.006": "Masquerading::Space after Filename", + "T1027.003": "Obfuscated Files or Information::Steganography", + "T1553": "Subvert Trust Controls", + "T1548.003": "Abuse Elevation Control 
Mechanism::Sudo and Sudo Caching", + "T1497.001": "Virtualization/Sandbox Evasion::System Checks", + "T1542.001": "Pre-OS Boot::System Firmware", + "T1542.005": "Pre-OS Boot::TFTP Boot", + "T1221": "Template Injection", + "T1055.003": "Process Injection::Thread Execution Hijacking", + "T1055.005": "Process Injection::Thread Local Storage", + "T1497.003": "Virtualization/Sandbox Evasion::Time Based Evasion", + "T1070.006": "Indicator Removal on Host::Timestomp", + "T1134.001": "Access Token Manipulation::Token Impersonation/Theft", + "T1205": "Traffic Signaling", + "T1127": "Trusted Developer Utilities Proxy Execution", + "T1535": "Unused/Unsupported Cloud Regions", + "T1550": "Use Alternate Authentication Material", + "T1497.002": "Virtualization/Sandbox Evasion::User Activity Based Checks", + "T1564.007": "Hide Artifacts::VBA Stomping", + "T1055.014": "Process Injection::VDSO Hijacking", + "T1078": "Valid Accounts", + "T1218.012": "Signed Binary Proxy Execution::Verclsid", + "T1497": "Virtualization/Sandbox Evasion", + "T1600": "Weaken Encryption", + "T1550.004": "Use Alternate Authentication Material::Web Session Cookie", + "T1222.001": "File and Directory Permissions Modification::Windows File and Directory Permissions Modification", + "T1220": "XSL Script Processing" + }, + "Credential Access": { + "T1003.008": "OS Credential Dumping::/etc/passwd and /etc/shadow", + "T1557.002": "Adversary-in-the-Middle::ARP Cache Poisoning", + "T1558.004": "Steal or Forge Kerberos Tickets::AS-REP Roasting", + "T1557": "Adversary-in-the-Middle", + "T1552.003": "Unsecured Credentials::Bash History", + "T1110": "Brute Force", + "T1003.005": "OS Credential Dumping::Cached Domain Credentials", + "T1552.005": "Unsecured Credentials::Cloud Instance Metadata API", + "T1552.007": "Unsecured Credentials::Container API", + "T1056.004": "Input Capture::Credential API Hooking", + "T1110.004": "Brute Force::Credential Stuffing", + "T1552.001": "Unsecured Credentials::Credentials In Files", 
+ "T1555": "Credentials from Password Stores", + "T1555.003": "Credentials from Password Stores::Credentials from Web Browsers", + "T1552.002": "Unsecured Credentials::Credentials in Registry", + "T1003.006": "OS Credential Dumping::DCSync", + "T1556.001": "Modify Authentication Process::Domain Controller Authentication", + "T1212": "Exploitation for Credential Access", + "T1187": "Forced Authentication", + "T1606": "Forge Web Credentials", + "T1056.002": "Input Capture::GUI Input Capture", + "T1558.001": "Steal or Forge Kerberos Tickets::Golden Ticket", + "T1552.006": "Unsecured Credentials::Group Policy Preferences", + "T1056": "Input Capture", + "T1558.003": "Steal or Forge Kerberos Tickets::Kerberoasting", + "T1555.001": "Credentials from Password Stores::Keychain", + "T1056.001": "Input Capture::Keylogging", + "T1557.001": "Adversary-in-the-Middle::LLMNR/NBT-NS Poisoning and SMB Relay", + "T1003.004": "OS Credential Dumping::LSA Secrets", + "T1003.001": "OS Credential Dumping::LSASS Memory", + "T1556": "Modify Authentication Process", + "T1003.003": "OS Credential Dumping::NTDS", + "T1556.004": "Modify Authentication Process::Network Device Authentication", + "T1040": "Network Sniffing", + "T1003": "OS Credential Dumping", + "T1110.002": "Brute Force::Password Cracking", + "T1556.002": "Modify Authentication Process::Password Filter DLL", + "T1110.001": "Brute Force::Password Guessing", + "T1555.005": "Credentials from Password Stores::Password Managers", + "T1110.003": "Brute Force::Password Spraying", + "T1556.003": "Modify Authentication Process::Pluggable Authentication Modules", + "T1552.004": "Unsecured Credentials::Private Keys", + "T1003.007": "OS Credential Dumping::Proc Filesystem", + "T1606.002": "Forge Web Credentials::SAML Tokens", + "T1003.002": "OS Credential Dumping::Security Account Manager", + "T1555.002": "Credentials from Password Stores::Securityd Memory", + "T1558.002": "Steal or Forge Kerberos Tickets::Silver Ticket", + "T1528": "Steal 
Application Access Token", + "T1539": "Steal Web Session Cookie", + "T1558": "Steal or Forge Kerberos Tickets", + "T1111": "Two-Factor Authentication Interception", + "T1552": "Unsecured Credentials", + "T1606.001": "Forge Web Credentials::Web Cookies", + "T1056.003": "Input Capture::Web Portal Capture", + "T1555.004": "Credentials from Password Stores::Windows Credential Manager" + }, + "Discovery": { + "T1087": "Account Discovery", + "T1010": "Application Window Discovery", + "T1217": "Browser Bookmark Discovery", + "T1087.004": "Account Discovery::Cloud Account", + "T1069.003": "Permission Groups Discovery::Cloud Groups", + "T1580": "Cloud Infrastructure Discovery", + "T1538": "Cloud Service Dashboard", + "T1526": "Cloud Service Discovery", + "T1619": "Cloud Storage Object Discovery", + "T1613": "Container and Resource Discovery", + "T1087.002": "Account Discovery::Domain Account", + "T1069.002": "Permission Groups Discovery::Domain Groups", + "T1482": "Domain Trust Discovery", + "T1087.003": "Account Discovery::Email Account", + "T1083": "File and Directory Discovery", + "T1615": "Group Policy Discovery", + "T1016.001": "System Network Configuration Discovery::Internet Connection Discovery", + "T1087.001": "Account Discovery::Local Account", + "T1069.001": "Permission Groups Discovery::Local Groups", + "T1046": "Network Service Scanning", + "T1135": "Network Share Discovery", + "T1040": "Network Sniffing", + "T1201": "Password Policy Discovery", + "T1120": "Peripheral Device Discovery", + "T1069": "Permission Groups Discovery", + "T1057": "Process Discovery", + "T1012": "Query Registry", + "T1018": "Remote System Discovery", + "T1518.001": "Software Discovery::Security Software Discovery", + "T1518": "Software Discovery", + "T1497.001": "Virtualization/Sandbox Evasion::System Checks", + "T1082": "System Information Discovery", + "T1614.001": "System Location Discovery::System Language Discovery", + "T1614": "System Location Discovery", + "T1016": "System 
Network Configuration Discovery", + "T1049": "System Network Connections Discovery", + "T1033": "System Owner/User Discovery", + "T1007": "System Service Discovery", + "T1124": "System Time Discovery", + "T1497.003": "Virtualization/Sandbox Evasion::Time Based Evasion", + "T1497.002": "Virtualization/Sandbox Evasion::User Activity Based Checks", + "T1497": "Virtualization/Sandbox Evasion" + }, + "Lateral Movement": { + "T1550.001": "Use Alternate Authentication Material::Application Access Token", + "T1021.003": "Remote Services::Distributed Component Object Model", + "T1210": "Exploitation of Remote Services", + "T1534": "Internal Spearphishing", + "T1570": "Lateral Tool Transfer", + "T1550.002": "Use Alternate Authentication Material::Pass the Hash", + "T1550.003": "Use Alternate Authentication Material::Pass the Ticket", + "T1563.002": "Remote Service Session Hijacking::RDP Hijacking", + "T1021.001": "Remote Services::Remote Desktop Protocol", + "T1563": "Remote Service Session Hijacking", + "T1021": "Remote Services", + "T1091": "Replication Through Removable Media", + "T1021.002": "Remote Services::SMB/Windows Admin Shares", + "T1021.004": "Remote Services::SSH", + "T1563.001": "Remote Service Session Hijacking::SSH Hijacking", + "T1072": "Software Deployment Tools", + "T1080": "Taint Shared Content", + "T1550": "Use Alternate Authentication Material", + "T1021.005": "Remote Services::VNC", + "T1550.004": "Use Alternate Authentication Material::Web Session Cookie", + "T1021.006": "Remote Services::Windows Remote Management" + }, + "Collection": { + "T1557.002": "Adversary-in-the-Middle::ARP Cache Poisoning", + "T1557": "Adversary-in-the-Middle", + "T1560": "Archive Collected Data", + "T1560.003": "Archive Collected Data::Archive via Custom Method", + "T1560.002": "Archive Collected Data::Archive via Library", + "T1560.001": "Archive Collected Data::Archive via Utility", + "T1123": "Audio Capture", + "T1119": "Automated Collection", + "T1185": "Browser Session 
Hijacking", + "T1115": "Clipboard Data", + "T1213.003": "Data from Information Repositories::Code Repositories", + "T1213.001": "Data from Information Repositories::Confluence", + "T1056.004": "Input Capture::Credential API Hooking", + "T1074": "Data Staged", + "T1530": "Data from Cloud Storage Object", + "T1602": "Data from Configuration Repository", + "T1213": "Data from Information Repositories", + "T1005": "Data from Local System", + "T1039": "Data from Network Shared Drive", + "T1025": "Data from Removable Media", + "T1114": "Email Collection", + "T1114.003": "Email Collection::Email Forwarding Rule", + "T1056.002": "Input Capture::GUI Input Capture", + "T1056": "Input Capture", + "T1056.001": "Input Capture::Keylogging", + "T1557.001": "Adversary-in-the-Middle::LLMNR/NBT-NS Poisoning and SMB Relay", + "T1074.001": "Data Staged::Local Data Staging", + "T1114.001": "Email Collection::Local Email Collection", + "T1602.002": "Data from Configuration Repository::Network Device Configuration Dump", + "T1074.002": "Data Staged::Remote Data Staging", + "T1114.002": "Email Collection::Remote Email Collection", + "T1602.001": "Data from Configuration Repository::SNMP (MIB Dump)", + "T1113": "Screen Capture", + "T1213.002": "Data from Information Repositories::Sharepoint", + "T1125": "Video Capture", + "T1056.003": "Input Capture::Web Portal Capture" + }, + "Command and Control": { + "T1071": "Application Layer Protocol", + "T1573.002": "Encrypted Channel::Asymmetric Cryptography", + "T1102.002": "Web Service::Bidirectional Communication", + "T1092": "Communication Through Removable Media", + "T1071.004": "Application Layer Protocol::DNS", + "T1568.003": "Dynamic Resolution::DNS Calculation", + "T1132": "Data Encoding", + "T1001": "Data Obfuscation", + "T1102.001": "Web Service::Dead Drop Resolver", + "T1090.004": "Proxy::Domain Fronting", + "T1568.002": "Dynamic Resolution::Domain Generation Algorithms", + "T1568": "Dynamic Resolution", + "T1573": "Encrypted Channel", 
+ "T1090.002": "Proxy::External Proxy", + "T1008": "Fallback Channels", + "T1568.001": "Dynamic Resolution::Fast Flux DNS", + "T1071.002": "Application Layer Protocol::File Transfer Protocols", + "T1105": "Ingress Tool Transfer", + "T1090.001": "Proxy::Internal Proxy", + "T1001.001": "Data Obfuscation::Junk Data", + "T1071.003": "Application Layer Protocol::Mail Protocols", + "T1104": "Multi-Stage Channels", + "T1090.003": "Proxy::Multi-hop Proxy", + "T1095": "Non-Application Layer Protocol", + "T1132.002": "Data Encoding::Non-Standard Encoding", + "T1571": "Non-Standard Port", + "T1102.003": "Web Service::One-Way Communication", + "T1205.001": "Traffic Signaling::Port Knocking", + "T1001.003": "Data Obfuscation::Protocol Impersonation", + "T1572": "Protocol Tunneling", + "T1090": "Proxy", + "T1219": "Remote Access Software", + "T1132.001": "Data Encoding::Standard Encoding", + "T1001.002": "Data Obfuscation::Steganography", + "T1573.001": "Encrypted Channel::Symmetric Cryptography", + "T1205": "Traffic Signaling", + "T1071.001": "Application Layer Protocol::Web Protocols", + "T1102": "Web Service" + }, + "Exfiltration": { + "T1020": "Automated Exfiltration", + "T1030": "Data Transfer Size Limits", + "T1048": "Exfiltration Over Alternative Protocol", + "T1048.002": "Exfiltration Over Alternative Protocol::Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", + "T1011.001": "Exfiltration Over Other Network Medium::Exfiltration Over Bluetooth", + "T1041": "Exfiltration Over C2 Channel", + "T1011": "Exfiltration Over Other Network Medium", + "T1052": "Exfiltration Over Physical Medium", + "T1048.001": "Exfiltration Over Alternative Protocol::Exfiltration Over Symmetric Encrypted Non-C2 Protocol", + "T1048.003": "Exfiltration Over Alternative Protocol::Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", + "T1567": "Exfiltration Over Web Service", + "T1052.001": "Exfiltration Over Physical Medium::Exfiltration over USB", + "T1567.002": "Exfiltration Over Web 
Service::Exfiltration to Cloud Storage", + "T1567.001": "Exfiltration Over Web Service::Exfiltration to Code Repository", + "T1029": "Scheduled Transfer", + "T1020.001": "Automated Exfiltration::Traffic Duplication", + "T1537": "Transfer Data to Cloud Account" + }, + "Impact": { + "T1531": "Account Access Removal", + "T1499.003": "Endpoint Denial of Service::Application Exhaustion Flood", + "T1499.004": "Endpoint Denial of Service::Application or System Exploitation", + "T1485": "Data Destruction", + "T1486": "Data Encrypted for Impact", + "T1565": "Data Manipulation", + "T1491": "Defacement", + "T1498.001": "Network Denial of Service::Direct Network Flood", + "T1561.001": "Disk Wipe::Disk Content Wipe", + "T1561.002": "Disk Wipe::Disk Structure Wipe", + "T1561": "Disk Wipe", + "T1499": "Endpoint Denial of Service", + "T1491.002": "Defacement::External Defacement", + "T1495": "Firmware Corruption", + "T1490": "Inhibit System Recovery", + "T1491.001": "Defacement::Internal Defacement", + "T1498": "Network Denial of Service", + "T1499.001": "Endpoint Denial of Service::OS Exhaustion Flood", + "T1498.002": "Network Denial of Service::Reflection Amplification", + "T1496": "Resource Hijacking", + "T1565.003": "Data Manipulation::Runtime Data Manipulation", + "T1499.002": "Endpoint Denial of Service::Service Exhaustion Flood", + "T1489": "Service Stop", + "T1565.001": "Data Manipulation::Stored Data Manipulation", + "T1529": "System Shutdown/Reboot", + "T1565.002": "Data Manipulation::Transmitted Data Manipulation" + } +} \ No newline at end of file diff --git a/scripts/setup-linter-dependencies.py b/scripts/setup-linter-dependencies.py index ced6342b..ff2e4dc0 100644 --- a/scripts/setup-linter-dependencies.py +++ b/scripts/setup-linter-dependencies.py 
@@ -1,27 +1,23 @@ import json +from os.path import dirname import requests from stix2 import Filter, MemoryStore, AttackPattern class StixExtractor: - def __init__(self, url): - stix_json = requests.get(url).json() + url = "" + + def __init__(self): + if self.url == "": + raise ValueError(f"URL not specified in class {self.__class__.__name__}") + + stix_json = requests.get(self.url).json() self._memory_store = MemoryStore(stix_data=stix_json["objects"]) - def _process_attack_patterns(self, attack_patterns): - return attack_patterns - - def _get_attack_patterns(self): - results = self._memory_store.query([Filter("type", "=", "attack-pattern")]) - return self._process_attack_patterns(results) - - -class AttckStixExtractor(StixExtractor): - def _process_attack_patterns(self, stix_objects) -> list[AttackPattern]: + @staticmethod + def _remove_deprecated_objetcs(stix_objects) -> list[AttackPattern]: """Remove any revoked or deprecated objects from queries made to the data source""" - # Note we use .get() because the property may not be present in the JSON data. The default is False - # if the property is not set. return list( filter( lambda x: x.get("x_mitre_deprecated", False) is False and x.get("revoked", False) is False, 
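Review bot: The rewritten `__init__` still fetches with `requests.get(self.url).json()` and no timeout or status check, so an HTTP error page, a redirect to HTML, or a stalled connection surfaces as a JSON decode error, a `KeyError` on `"objects"`, or a script that never returns. Fetching as `resp = requests.get(self.url, timeout=60)` (sample value), `resp.raise_for_status()`, `stix_json = resp.json()` fails early with the real cause. The new static method is spelled `_remove_deprecated_objetcs` (typo for `objects`); since it is introduced here and every caller is in this same commit, renaming it now is cheap. Its body continues past the end of the hunk.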
@@ -29,50 +25,59 @@ class AttckStixExtractor(StixExtractor): ) ) - def _get_tactics(self): - # Only one matrix -> enterprise att&ck - matrix = self._memory_store.query( - [ - Filter("type", "=", "x-mitre-matrix"), - ] - )[0] - return [self._memory_store.get(tid) for tid in matrix["tactic_refs"]] - def _get_techniques_from_tactic(self, tactic): - return self._memory_store.query( - [ - Filter("type", "=", "attack-pattern"), - Filter("kill_chain_phases.phase_name", "=", tactic["x_mitre_shortname"]), - Filter( - "kill_chain_phases.kill_chain_name", "=", "mitre-attack" - ), # kill chain name for enterprise att&ck - ] +class AttckStixExtractor(StixExtractor): + url = "https://raw.githubusercontent.com/mitre-attack/attack-stix-data/master/enterprise-attack/enterprise-attack.json" + + def _get_tactics(self) -> list[dict]: + # Only one matrix for enterprise att&ck framework + matrix = self._remove_deprecated_objetcs( + self._memory_store.query( + [ + Filter("type", "=", "x-mitre-matrix"), + ] + ) + )[0] + return list(map(self._memory_store.get, matrix["tactic_refs"])) + + def _get_techniques_from_tactic(self, tactic: str) -> list[AttackPattern]: + techniques = self._remove_deprecated_objetcs( + self._memory_store.query( + [ + Filter("type", "=", "attack-pattern"), + Filter("kill_chain_phases.phase_name", "=", tactic), + Filter( # kill chain name for enterprise att&ck + "kill_chain_phases.kill_chain_name", "=", "mitre-attack" + ), + ] + ) ) + return techniques - def _get_parent_technique_from_subtechnique(self, subtechnique): - tid = subtechnique["external_references"][0]["external_id"].split(".")[0] - return self._memory_store.query( - [ - Filter("type", "=", "attack-pattern"), - Filter("external_references.external_id", "=", tid), - ] + def _get_parent_technique_from_subtechnique(self, technique: AttackPattern) -> AttackPattern: + sub_id = technique["external_references"][0]["external_id"].split(".")[0] + parent_technique = self._remove_deprecated_objetcs( + 
self._memory_store.query( + [ + Filter("type", "=", "attack-pattern"), + Filter("external_references.external_id", "=", sub_id), + ] + ) )[0] + return parent_technique - def run(self): - result = {} - tactics = self._get_tactics() - for tactic in tactics: - result[tactic["name"]] = {} - techniques = self._get_techniques_from_tactic(tactic) - for technique in techniques: + def run(self) -> dict[str, dict[str, str]]: + data: dict[str, dict[str, str]] = {} + for tactic in self._get_tactics(): + data[tactic["name"]] = {} + for technique in self._get_techniques_from_tactic(tactic["x_mitre_shortname"]): + tid = technique["external_references"][0]["external_id"] if technique["x_mitre_is_subtechnique"]: parent_technique = self._get_parent_technique_from_subtechnique(technique) - result[tactic["name"]][f"{parent_technique['name']}::{technique['name']}"] = technique[ - "external_references" - ][0]["external_id"] + data[tactic["name"]][tid] = f"{parent_technique['name']}::{technique['name']}" else: - result[tactic["name"]][technique["name"]] = technique["external_references"][0]["external_id"] - return result + data[tactic["name"]][tid] = technique["name"] + return data class MbcStixExtractor(StixExtractor): @@ -80,11 +85,9 @@ class MbcStixExtractor(StixExtractor): def main(): - s = AttckStixExtractor( - "https://raw.githubusercontent.com/mitre-attack/attack-stix-data/master/enterprise-attack/enterprise-attack.json" - ) + s = AttckStixExtractor() r = s.run() - with open("attack.json", "w") as jf: + with open(f"{dirname(__file__)}/linter-data.json", "w") as jf: json.dump(r, jf, indent=2) diff --git a/setup.py b/setup.py index 7618a2f4..bb462ee6 100644 --- a/setup.py +++ b/setup.py @@ -85,6 +85,7 @@ setuptools.setup( "types-tabulate==0.8.5", "types-termcolor==1.1.3", "types-psutil==5.8.19", + "types_requests==2.27.3", ], }, zip_safe=False, From 0b487546bbe43433882f00a3c2a822b5c0b988bc Mon Sep 17 00:00:00 2001 
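Review bot: `_get_parent_technique_from_subtechnique` indexes `[0]` on the output of `_remove_deprecated_objetcs`, so a live sub-technique whose parent is revoked or deprecated (the filter now applies to the parent lookup as well) raises a bare `IndexError` from inside `run()` with no indication of which technique triggered it; `_get_tactics` has the same unguarded `[0]` on the matrix query. Splitting the lookup into `matches = self._remove_deprecated_objetcs(...)`, `if not matches: raise ValueError(f"no active parent technique for {sub_id}")`, `return matches[0]` makes the failure actionable. The class-level `url` points at the `master` branch of attack-stix-data, so two runs of the script can emit different `linter-data.json` contents and the generated file cannot be reproduced from the commit; pinning to a tagged ref or a versioned data file, and recording the ATT&CK version in the output, would make the lint data reproducible and reviewable. The code also assumes `external_references[0]` is always the MITRE ATT&CK reference carrying `external_id`; that appears to hold for this data set but is not checked.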
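Review bot: `main` builds the output path as `f"{dirname(__file__)}/linter-data.json"`, which is fragile: on interpreters older than 3.9, where `__main__.__file__` can be the bare name given on the command line, `dirname(__file__)` is `""` and the path becomes `/linter-data.json`, so the write lands at the filesystem root or fails with a permission error. `os.path.join(dirname(__file__), "linter-data.json")` handles the empty directory component correctly and is the idiomatic form. Adding `encoding="utf-8"` to the `open` call would also make the output independent of the locale, even though `json.dump` escapes non-ASCII by default today.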
From: Baptistin Boilot Date: Sun, 9 Jan 2022 19:04:28 +0100 Subject: [PATCH 05/11] linter: add mbc data extractor and linter --- scripts/lint.py | 54 +- scripts/linter-data.json | 2245 +++++++++++++++++--------- scripts/setup-linter-dependencies.py | 40 +- 3 files changed, 1547 insertions(+), 792 deletions(-) diff --git a/scripts/lint.py b/scripts/lint.py index a01a5660..fb5ab266 100644 --- a/scripts/lint.py +++ b/scripts/lint.py 
@@ -223,37 +223,47 @@ class ExampleFileDNE(Lint): return not found -class InvalidAttckTechnique(Lint): - name = "att&ck technique is malformed or does not exist" +class InvalidAttckOrMbcTechnique(Lint): + name = "att&ck/mbc entry is malformed or does not exist" recommendation = """ - The att&ck field must respect the following format: - :: [] + The att&ck and mbc fields must respect the following format: + :: [] OR - :::: [] + :::: [] """ def __init__(self): - super(InvalidAttckTechnique, self).__init__() + super(InvalidAttckOrMbcTechnique, self).__init__() # This regex match the format defined in the recommandation attribute - self.reg = re.compile("^([a-zA-Z| ]+)::(.*) \[(T\d+\.?\d*)\]$") - with open("scripts/linter-data.json", "r") as jf: - self.techniques = json.load(jf) + self.reg = re.compile("^([a-zA-Z| ]+)::(.*) \[([A-Za-z0-9.]+)\]$") + with open("scripts/linter-data.json", "r") as fd: + self.data = json.load(fd) + + def _entry_check(self, framework, category, entry, eid): + if category not in self.data[framework].keys(): + self.recommendation = f'Unknown category: "{category}"' + return True + if eid not in self.data[framework][category].keys(): + self.recommendation = f"Unknown entry ID: {eid}" + return True + if self.data[framework][category][eid] != entry: + self.recommendation = ( + f'{eid} should be associated to entry "{self.data[framework][category][eid]}" instead of "{entry}"' + ) + return True + return False def check_rule(self, ctx: Context, rule: Rule): - if "att&ck" in rule.meta.keys(): - for r in rule.meta["att&ck"]: - m = self.reg.match(r) - if m: - tactic, technique, tid = m.group(1, 2, 3) - if tactic not in self.techniques.keys(): - self.recommendation = f'Unknown tactic: "{tactic}"' + for framework in ["mbc"]: + if framework in rule.meta.keys(): + for r in rule.meta[framework]: + m = self.reg.match(r) + if m is None: return True - if tid not in self.techniques[tactic].keys(): - self.recommendation = f"Unknown technique ID: {tid}" - return 
True - if self.techniques[tactic][tid] != technique: - self.recommendation = f'{tid} should be associated to technique "{self.techniques[tactic][tid]}" instead of "{technique}"' + + args = m.group(1, 2, 3) + if self._entry_check(framework, *args): return True return False @@ -684,7 +694,7 @@ META_LINTS = ( UnusualMetaField(), LibRuleNotInLibDirectory(), LibRuleHasNamespace(), - InvalidAttckTechnique(), + InvalidAttckOrMbcTechnique(), ) diff --git a/scripts/linter-data.json b/scripts/linter-data.json index ee0a26a6..5a06e519 100644 --- a/scripts/linter-data.json +++ b/scripts/linter-data.json 
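Review bot: `check_rule` now loops over `for framework in ["mbc"]:`, so the `att&ck` entries that the previous `InvalidAttckTechnique` validated are no longer checked at all, even though the class is renamed `InvalidAttckOrMbcTechnique` and `linter-data.json` gains an `att&ck` key in this same commit; unless the omission is deliberate the loop should read `for framework in ["att&ck", "mbc"]:`, and if it is deliberate a comment stating why would stop the next reader from "fixing" it. The pattern is passed as a plain string containing `\[` and `\]`, which are invalid escape sequences that newer interpreters warn about; a raw string, `self.reg = re.compile(r"^([a-zA-Z| ]+)::(.*) \[([A-Za-z0-9.]+)\]$")`, avoids that. The `category not in self.data[framework].keys()` and `eid not in ... .keys()` tests in `_entry_check` can be plain `in self.data[framework]` membership tests.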
@@ -1,761 +1,1492 @@ { - "Reconnaissance": { - "T1595": "Active Scanning", - "T1591.002": "Gather Victim Org Information::Business Relationships", - "T1596.004": "Search Open Technical Databases::CDNs", - "T1592.004": "Gather Victim Host Information::Client Configurations", - "T1589.001": "Gather Victim Identity Information::Credentials", - "T1590.002": "Gather Victim Network Information::DNS", - "T1596.001": "Search Open Technical Databases::DNS/Passive DNS", - "T1591.001": "Gather Victim Org Information::Determine Physical Locations", - "T1596.003": "Search Open Technical Databases::Digital Certificates", - "T1590.001": "Gather Victim Network Information::Domain Properties", - "T1589.002": "Gather Victim Identity Information::Email Addresses", - "T1589.003": "Gather Victim Identity Information::Employee Names", - "T1592.003": "Gather Victim Host Information::Firmware", - "T1592": "Gather Victim Host Information", - "T1589": "Gather Victim Identity Information", - "T1590": "Gather Victim Network Information", - "T1591": "Gather Victim Org Information", - "T1592.001": "Gather Victim Host Information::Hardware", - "T1590.005": "Gather Victim Network Information::IP Addresses", - "T1591.003": "Gather Victim Org Information::Identify Business Tempo", - "T1591.004": "Gather Victim Org Information::Identify Roles", - "T1590.006": "Gather Victim Network Information::Network Security Appliances", - "T1590.004": "Gather Victim Network Information::Network Topology", - "T1590.003": "Gather Victim Network Information::Network Trust Dependencies", - "T1598": "Phishing for Information", - "T1597.002": "Search Closed Sources::Purchase Technical Data", - "T1596.005": "Search Open Technical Databases::Scan Databases", - "T1595.001": "Active Scanning::Scanning IP Blocks", - "T1597": "Search Closed Sources", - "T1593.002": "Search Open Websites/Domains::Search Engines", - "T1596": "Search Open Technical Databases", - "T1593": "Search Open Websites/Domains", - "T1594": "Search 
Victim-Owned Websites", - "T1593.001": "Search Open Websites/Domains::Social Media", - "T1592.002": "Gather Victim Host Information::Software", - "T1598.002": "Phishing for Information::Spearphishing Attachment", - "T1598.003": "Phishing for Information::Spearphishing Link", - "T1598.001": "Phishing for Information::Spearphishing Service", - "T1597.001": "Search Closed Sources::Threat Intel Vendors", - "T1595.002": "Active Scanning::Vulnerability Scanning", - "T1596.002": "Search Open Technical Databases::WHOIS" + "att&ck": { + "Reconnaissance": { + "T1595": "Active Scanning", + "T1591.002": "Gather Victim Org Information::Business Relationships", + "T1596.004": "Search Open Technical Databases::CDNs", + "T1592.004": "Gather Victim Host Information::Client Configurations", + "T1589.001": "Gather Victim Identity Information::Credentials", + "T1590.002": "Gather Victim Network Information::DNS", + "T1596.001": "Search Open Technical Databases::DNS/Passive DNS", + "T1591.001": "Gather Victim Org Information::Determine Physical Locations", + "T1596.003": "Search Open Technical Databases::Digital Certificates", + "T1590.001": "Gather Victim Network Information::Domain Properties", + "T1589.002": "Gather Victim Identity Information::Email Addresses", + "T1589.003": "Gather Victim Identity Information::Employee Names", + "T1592.003": "Gather Victim Host Information::Firmware", + "T1592": "Gather Victim Host Information", + "T1589": "Gather Victim Identity Information", + "T1590": "Gather Victim Network Information", + "T1591": "Gather Victim Org Information", + "T1592.001": "Gather Victim Host Information::Hardware", + "T1590.005": "Gather Victim Network Information::IP Addresses", + "T1591.003": "Gather Victim Org Information::Identify Business Tempo", + "T1591.004": "Gather Victim Org Information::Identify Roles", + "T1590.006": "Gather Victim Network Information::Network Security Appliances", + "T1590.004": "Gather Victim Network Information::Network Topology", + 
"T1590.003": "Gather Victim Network Information::Network Trust Dependencies", + "T1598": "Phishing for Information", + "T1597.002": "Search Closed Sources::Purchase Technical Data", + "T1596.005": "Search Open Technical Databases::Scan Databases", + "T1595.001": "Active Scanning::Scanning IP Blocks", + "T1597": "Search Closed Sources", + "T1593.002": "Search Open Websites/Domains::Search Engines", + "T1596": "Search Open Technical Databases", + "T1593": "Search Open Websites/Domains", + "T1594": "Search Victim-Owned Websites", + "T1593.001": "Search Open Websites/Domains::Social Media", + "T1592.002": "Gather Victim Host Information::Software", + "T1598.002": "Phishing for Information::Spearphishing Attachment", + "T1598.003": "Phishing for Information::Spearphishing Link", + "T1598.001": "Phishing for Information::Spearphishing Service", + "T1597.001": "Search Closed Sources::Threat Intel Vendors", + "T1595.002": "Active Scanning::Vulnerability Scanning", + "T1596.002": "Search Open Technical Databases::WHOIS" + }, + "Resource Development": { + "T1583": "Acquire Infrastructure", + "T1583.005": "Acquire Infrastructure::Botnet", + "T1584.005": "Compromise Infrastructure::Botnet", + "T1587.002": "Develop Capabilities::Code Signing Certificates", + "T1588.003": "Obtain Capabilities::Code Signing Certificates", + "T1586": "Compromise Accounts", + "T1584": "Compromise Infrastructure", + "T1583.002": "Acquire Infrastructure::DNS Server", + "T1584.002": "Compromise Infrastructure::DNS Server", + "T1587": "Develop Capabilities", + "T1587.003": "Develop Capabilities::Digital Certificates", + "T1588.004": "Obtain Capabilities::Digital Certificates", + "T1583.001": "Acquire Infrastructure::Domains", + "T1584.001": "Compromise Infrastructure::Domains", + "T1608.004": "Stage Capabilities::Drive-by Target", + "T1585.002": "Establish Accounts::Email Accounts", + "T1586.002": "Compromise Accounts::Email Accounts", + "T1585": "Establish Accounts", + "T1587.004": "Develop 
Capabilities::Exploits", + "T1588.005": "Obtain Capabilities::Exploits", + "T1608.003": "Stage Capabilities::Install Digital Certificate", + "T1608.005": "Stage Capabilities::Link Target", + "T1587.001": "Develop Capabilities::Malware", + "T1588.001": "Obtain Capabilities::Malware", + "T1588": "Obtain Capabilities", + "T1583.004": "Acquire Infrastructure::Server", + "T1584.004": "Compromise Infrastructure::Server", + "T1585.001": "Establish Accounts::Social Media Accounts", + "T1586.001": "Compromise Accounts::Social Media Accounts", + "T1608": "Stage Capabilities", + "T1588.002": "Obtain Capabilities::Tool", + "T1608.001": "Stage Capabilities::Upload Malware", + "T1608.002": "Stage Capabilities::Upload Tool", + "T1583.003": "Acquire Infrastructure::Virtual Private Server", + "T1584.003": "Compromise Infrastructure::Virtual Private Server", + "T1588.006": "Obtain Capabilities::Vulnerabilities", + "T1583.006": "Acquire Infrastructure::Web Services", + "T1584.006": "Compromise Infrastructure::Web Services" + }, + "Initial Access": { + "T1078.004": "Valid Accounts::Cloud Accounts", + "T1195.003": "Supply Chain Compromise::Compromise Hardware Supply Chain", + "T1195.001": "Supply Chain Compromise::Compromise Software Dependencies and Development Tools", + "T1195.002": "Supply Chain Compromise::Compromise Software Supply Chain", + "T1078.001": "Valid Accounts::Default Accounts", + "T1078.002": "Valid Accounts::Domain Accounts", + "T1189": "Drive-by Compromise", + "T1190": "Exploit Public-Facing Application", + "T1133": "External Remote Services", + "T1200": "Hardware Additions", + "T1078.003": "Valid Accounts::Local Accounts", + "T1566": "Phishing", + "T1091": "Replication Through Removable Media", + "T1566.001": "Phishing::Spearphishing Attachment", + "T1566.002": "Phishing::Spearphishing Link", + "T1566.003": "Phishing::Spearphishing via Service", + "T1195": "Supply Chain Compromise", + "T1199": "Trusted Relationship", + "T1078": "Valid Accounts" + }, + "Execution": { 
+ "T1059.002": "Command and Scripting Interpreter::AppleScript", + "T1053.001": "Scheduled Task/Job::At (Linux)", + "T1053.002": "Scheduled Task/Job::At (Windows)", + "T1059": "Command and Scripting Interpreter", + "T1559.001": "Inter-Process Communication::Component Object Model", + "T1609": "Container Administration Command", + "T1053.007": "Scheduled Task/Job::Container Orchestration Job", + "T1053.003": "Scheduled Task/Job::Cron", + "T1610": "Deploy Container", + "T1559.002": "Inter-Process Communication::Dynamic Data Exchange", + "T1203": "Exploitation for Client Execution", + "T1559": "Inter-Process Communication", + "T1059.007": "Command and Scripting Interpreter::JavaScript", + "T1569.001": "System Services::Launchctl", + "T1204.002": "User Execution::Malicious File", + "T1204.003": "User Execution::Malicious Image", + "T1204.001": "User Execution::Malicious Link", + "T1106": "Native API", + "T1059.008": "Command and Scripting Interpreter::Network Device CLI", + "T1059.001": "Command and Scripting Interpreter::PowerShell", + "T1059.006": "Command and Scripting Interpreter::Python", + "T1053.005": "Scheduled Task/Job::Scheduled Task", + "T1053": "Scheduled Task/Job", + "T1569.002": "System Services::Service Execution", + "T1129": "Shared Modules", + "T1072": "Software Deployment Tools", + "T1569": "System Services", + "T1053.006": "Scheduled Task/Job::Systemd Timers", + "T1059.004": "Command and Scripting Interpreter::Unix Shell", + "T1204": "User Execution", + "T1059.005": "Command and Scripting Interpreter::Visual Basic", + "T1059.003": "Command and Scripting Interpreter::Windows Command Shell", + "T1047": "Windows Management Instrumentation" + }, + "Persistence": { + "T1546.008": "Event Triggered Execution::Accessibility Features", + "T1098": "Account Manipulation", + "T1547.014": "Boot or Logon Autostart Execution::Active Setup", + "T1098.003": "Account Manipulation::Add Office 365 Global Administrator Role", + "T1137.006": "Office Application 
Startup::Add-ins", + "T1098.001": "Account Manipulation::Additional Cloud Credentials", + "T1546.009": "Event Triggered Execution::AppCert DLLs", + "T1546.010": "Event Triggered Execution::AppInit DLLs", + "T1546.011": "Event Triggered Execution::Application Shimming", + "T1053.001": "Scheduled Task/Job::At (Linux)", + "T1053.002": "Scheduled Task/Job::At (Windows)", + "T1547.002": "Boot or Logon Autostart Execution::Authentication Package", + "T1197": "BITS Jobs", + "T1547": "Boot or Logon Autostart Execution", + "T1037": "Boot or Logon Initialization Scripts", + "T1542.003": "Pre-OS Boot::Bootkit", + "T1176": "Browser Extensions", + "T1574.012": "Hijack Execution Flow::COR_PROFILER", + "T1546.001": "Event Triggered Execution::Change Default File Association", + "T1136.003": "Create Account::Cloud Account", + "T1078.004": "Valid Accounts::Cloud Accounts", + "T1542.002": "Pre-OS Boot::Component Firmware", + "T1546.015": "Event Triggered Execution::Component Object Model Hijacking", + "T1554": "Compromise Client Software Binary", + "T1053.007": "Scheduled Task/Job::Container Orchestration Job", + "T1136": "Create Account", + "T1543": "Create or Modify System Process", + "T1053.003": "Scheduled Task/Job::Cron", + "T1574.001": "Hijack Execution Flow::DLL Search Order Hijacking", + "T1574.002": "Hijack Execution Flow::DLL Side-Loading", + "T1078.001": "Valid Accounts::Default Accounts", + "T1136.002": "Create Account::Domain Account", + "T1078.002": "Valid Accounts::Domain Accounts", + "T1556.001": "Modify Authentication Process::Domain Controller Authentication", + "T1574.004": "Hijack Execution Flow::Dylib Hijacking", + "T1574.006": "Hijack Execution Flow::Dynamic Linker Hijacking", + "T1546.014": "Event Triggered Execution::Emond", + "T1546": "Event Triggered Execution", + "T1098.002": "Account Manipulation::Exchange Email Delegate Permissions", + "T1574.005": "Hijack Execution Flow::Executable Installer File Permissions Weakness", + "T1133": "External Remote 
Services", + "T1574": "Hijack Execution Flow", + "T1505.004": "Server Software Component::IIS Components", + "T1546.012": "Event Triggered Execution::Image File Execution Options Injection", + "T1525": "Implant Internal Image", + "T1547.006": "Boot or Logon Autostart Execution::Kernel Modules and Extensions", + "T1546.006": "Event Triggered Execution::LC_LOAD_DYLIB Addition", + "T1547.008": "Boot or Logon Autostart Execution::LSASS Driver", + "T1543.001": "Create or Modify System Process::Launch Agent", + "T1543.004": "Create or Modify System Process::Launch Daemon", + "T1136.001": "Create Account::Local Account", + "T1078.003": "Valid Accounts::Local Accounts", + "T1547.015": "Boot or Logon Autostart Execution::Login Items", + "T1037.002": "Boot or Logon Initialization Scripts::Logon Script (Mac)", + "T1037.001": "Boot or Logon Initialization Scripts::Logon Script (Windows)", + "T1556": "Modify Authentication Process", + "T1546.007": "Event Triggered Execution::Netsh Helper DLL", + "T1556.004": "Modify Authentication Process::Network Device Authentication", + "T1037.003": "Boot or Logon Initialization Scripts::Network Logon Script", + "T1137": "Office Application Startup", + "T1137.001": "Office Application Startup::Office Template Macros", + "T1137.002": "Office Application Startup::Office Test", + "T1137.003": "Office Application Startup::Outlook Forms", + "T1137.004": "Office Application Startup::Outlook Home Page", + "T1137.005": "Office Application Startup::Outlook Rules", + "T1556.002": "Modify Authentication Process::Password Filter DLL", + "T1574.007": "Hijack Execution Flow::Path Interception by PATH Environment Variable", + "T1574.008": "Hijack Execution Flow::Path Interception by Search Order Hijacking", + "T1574.009": "Hijack Execution Flow::Path Interception by Unquoted Path", + "T1547.011": "Boot or Logon Autostart Execution::Plist Modification", + "T1556.003": "Modify Authentication Process::Pluggable Authentication Modules", + "T1205.001": "Traffic 
Signaling::Port Knocking", + "T1547.010": "Boot or Logon Autostart Execution::Port Monitors", + "T1546.013": "Event Triggered Execution::PowerShell Profile", + "T1542": "Pre-OS Boot", + "T1547.012": "Boot or Logon Autostart Execution::Print Processors", + "T1037.004": "Boot or Logon Initialization Scripts::RC Scripts", + "T1542.004": "Pre-OS Boot::ROMMONkit", + "T1547.007": "Boot or Logon Autostart Execution::Re-opened Applications", + "T1547.001": "Boot or Logon Autostart Execution::Registry Run Keys / Startup Folder", + "T1505.001": "Server Software Component::SQL Stored Procedures", + "T1098.004": "Account Manipulation::SSH Authorized Keys", + "T1053.005": "Scheduled Task/Job::Scheduled Task", + "T1053": "Scheduled Task/Job", + "T1546.002": "Event Triggered Execution::Screensaver", + "T1547.005": "Boot or Logon Autostart Execution::Security Support Provider", + "T1505": "Server Software Component", + "T1574.010": "Hijack Execution Flow::Services File Permissions Weakness", + "T1574.011": "Hijack Execution Flow::Services Registry Permissions Weakness", + "T1547.009": "Boot or Logon Autostart Execution::Shortcut Modification", + "T1037.005": "Boot or Logon Initialization Scripts::Startup Items", + "T1542.001": "Pre-OS Boot::System Firmware", + "T1543.002": "Create or Modify System Process::Systemd Service", + "T1053.006": "Scheduled Task/Job::Systemd Timers", + "T1542.005": "Pre-OS Boot::TFTP Boot", + "T1547.003": "Boot or Logon Autostart Execution::Time Providers", + "T1205": "Traffic Signaling", + "T1505.002": "Server Software Component::Transport Agent", + "T1546.005": "Event Triggered Execution::Trap", + "T1546.004": "Event Triggered Execution::Unix Shell Configuration Modification", + "T1078": "Valid Accounts", + "T1505.003": "Server Software Component::Web Shell", + "T1546.003": "Event Triggered Execution::Windows Management Instrumentation Event Subscription", + "T1543.003": "Create or Modify System Process::Windows Service", + "T1547.004": "Boot or Logon 
Autostart Execution::Winlogon Helper DLL", + "T1547.013": "Boot or Logon Autostart Execution::XDG Autostart Entries" + }, + "Privilege Escalation": { + "T1548": "Abuse Elevation Control Mechanism", + "T1134": "Access Token Manipulation", + "T1546.008": "Event Triggered Execution::Accessibility Features", + "T1547.014": "Boot or Logon Autostart Execution::Active Setup", + "T1546.009": "Event Triggered Execution::AppCert DLLs", + "T1546.010": "Event Triggered Execution::AppInit DLLs", + "T1546.011": "Event Triggered Execution::Application Shimming", + "T1055.004": "Process Injection::Asynchronous Procedure Call", + "T1053.001": "Scheduled Task/Job::At (Linux)", + "T1053.002": "Scheduled Task/Job::At (Windows)", + "T1547.002": "Boot or Logon Autostart Execution::Authentication Package", + "T1547": "Boot or Logon Autostart Execution", + "T1037": "Boot or Logon Initialization Scripts", + "T1548.002": "Abuse Elevation Control Mechanism::Bypass User Account Control", + "T1574.012": "Hijack Execution Flow::COR_PROFILER", + "T1546.001": "Event Triggered Execution::Change Default File Association", + "T1078.004": "Valid Accounts::Cloud Accounts", + "T1546.015": "Event Triggered Execution::Component Object Model Hijacking", + "T1053.007": "Scheduled Task/Job::Container Orchestration Job", + "T1134.002": "Access Token Manipulation::Create Process with Token", + "T1543": "Create or Modify System Process", + "T1053.003": "Scheduled Task/Job::Cron", + "T1574.001": "Hijack Execution Flow::DLL Search Order Hijacking", + "T1574.002": "Hijack Execution Flow::DLL Side-Loading", + "T1078.001": "Valid Accounts::Default Accounts", + "T1078.002": "Valid Accounts::Domain Accounts", + "T1484": "Domain Policy Modification", + "T1484.002": "Domain Policy Modification::Domain Trust Modification", + "T1574.004": "Hijack Execution Flow::Dylib Hijacking", + "T1574.006": "Hijack Execution Flow::Dynamic Linker Hijacking", + "T1055.001": "Process Injection::Dynamic-link Library Injection", + 
"T1548.004": "Abuse Elevation Control Mechanism::Elevated Execution with Prompt", + "T1546.014": "Event Triggered Execution::Emond", + "T1611": "Escape to Host", + "T1546": "Event Triggered Execution", + "T1574.005": "Hijack Execution Flow::Executable Installer File Permissions Weakness", + "T1068": "Exploitation for Privilege Escalation", + "T1055.011": "Process Injection::Extra Window Memory Injection", + "T1484.001": "Domain Policy Modification::Group Policy Modification", + "T1574": "Hijack Execution Flow", + "T1546.012": "Event Triggered Execution::Image File Execution Options Injection", + "T1547.006": "Boot or Logon Autostart Execution::Kernel Modules and Extensions", + "T1546.006": "Event Triggered Execution::LC_LOAD_DYLIB Addition", + "T1547.008": "Boot or Logon Autostart Execution::LSASS Driver", + "T1543.001": "Create or Modify System Process::Launch Agent", + "T1543.004": "Create or Modify System Process::Launch Daemon", + "T1078.003": "Valid Accounts::Local Accounts", + "T1547.015": "Boot or Logon Autostart Execution::Login Items", + "T1037.002": "Boot or Logon Initialization Scripts::Logon Script (Mac)", + "T1037.001": "Boot or Logon Initialization Scripts::Logon Script (Windows)", + "T1134.003": "Access Token Manipulation::Make and Impersonate Token", + "T1546.007": "Event Triggered Execution::Netsh Helper DLL", + "T1037.003": "Boot or Logon Initialization Scripts::Network Logon Script", + "T1134.004": "Access Token Manipulation::Parent PID Spoofing", + "T1574.007": "Hijack Execution Flow::Path Interception by PATH Environment Variable", + "T1574.008": "Hijack Execution Flow::Path Interception by Search Order Hijacking", + "T1574.009": "Hijack Execution Flow::Path Interception by Unquoted Path", + "T1547.011": "Boot or Logon Autostart Execution::Plist Modification", + "T1547.010": "Boot or Logon Autostart Execution::Port Monitors", + "T1055.002": "Process Injection::Portable Executable Injection", + "T1546.013": "Event Triggered Execution::PowerShell 
Profile", + "T1547.012": "Boot or Logon Autostart Execution::Print Processors", + "T1055.009": "Process Injection::Proc Memory", + "T1055.013": "Process Injection::Process Doppelg\u00e4nging", + "T1055.012": "Process Injection::Process Hollowing", + "T1055": "Process Injection", + "T1055.008": "Process Injection::Ptrace System Calls", + "T1037.004": "Boot or Logon Initialization Scripts::RC Scripts", + "T1547.007": "Boot or Logon Autostart Execution::Re-opened Applications", + "T1547.001": "Boot or Logon Autostart Execution::Registry Run Keys / Startup Folder", + "T1134.005": "Access Token Manipulation::SID-History Injection", + "T1053.005": "Scheduled Task/Job::Scheduled Task", + "T1053": "Scheduled Task/Job", + "T1546.002": "Event Triggered Execution::Screensaver", + "T1547.005": "Boot or Logon Autostart Execution::Security Support Provider", + "T1574.010": "Hijack Execution Flow::Services File Permissions Weakness", + "T1574.011": "Hijack Execution Flow::Services Registry Permissions Weakness", + "T1548.001": "Abuse Elevation Control Mechanism::Setuid and Setgid", + "T1547.009": "Boot or Logon Autostart Execution::Shortcut Modification", + "T1037.005": "Boot or Logon Initialization Scripts::Startup Items", + "T1548.003": "Abuse Elevation Control Mechanism::Sudo and Sudo Caching", + "T1543.002": "Create or Modify System Process::Systemd Service", + "T1053.006": "Scheduled Task/Job::Systemd Timers", + "T1055.003": "Process Injection::Thread Execution Hijacking", + "T1055.005": "Process Injection::Thread Local Storage", + "T1547.003": "Boot or Logon Autostart Execution::Time Providers", + "T1134.001": "Access Token Manipulation::Token Impersonation/Theft", + "T1546.005": "Event Triggered Execution::Trap", + "T1546.004": "Event Triggered Execution::Unix Shell Configuration Modification", + "T1055.014": "Process Injection::VDSO Hijacking", + "T1078": "Valid Accounts", + "T1546.003": "Event Triggered Execution::Windows Management Instrumentation Event Subscription", + 
"T1543.003": "Create or Modify System Process::Windows Service", + "T1547.004": "Boot or Logon Autostart Execution::Winlogon Helper DLL", + "T1547.013": "Boot or Logon Autostart Execution::XDG Autostart Entries" + }, + "Defense Evasion": { + "T1548": "Abuse Elevation Control Mechanism", + "T1134": "Access Token Manipulation", + "T1550.001": "Use Alternate Authentication Material::Application Access Token", + "T1055.004": "Process Injection::Asynchronous Procedure Call", + "T1197": "BITS Jobs", + "T1027.001": "Obfuscated Files or Information::Binary Padding", + "T1542.003": "Pre-OS Boot::Bootkit", + "T1612": "Build Image on Host", + "T1548.002": "Abuse Elevation Control Mechanism::Bypass User Account Control", + "T1218.003": "Signed Binary Proxy Execution::CMSTP", + "T1574.012": "Hijack Execution Flow::COR_PROFILER", + "T1070.003": "Indicator Removal on Host::Clear Command History", + "T1070.002": "Indicator Removal on Host::Clear Linux or Mac System Logs", + "T1070.001": "Indicator Removal on Host::Clear Windows Event Logs", + "T1078.004": "Valid Accounts::Cloud Accounts", + "T1553.002": "Subvert Trust Controls::Code Signing", + "T1553.006": "Subvert Trust Controls::Code Signing Policy Modification", + "T1027.004": "Obfuscated Files or Information::Compile After Delivery", + "T1218.001": "Signed Binary Proxy Execution::Compiled HTML File", + "T1542.002": "Pre-OS Boot::Component Firmware", + "T1218.002": "Signed Binary Proxy Execution::Control Panel", + "T1578.002": "Modify Cloud Compute Infrastructure::Create Cloud Instance", + "T1134.002": "Access Token Manipulation::Create Process with Token", + "T1578.001": "Modify Cloud Compute Infrastructure::Create Snapshot", + "T1574.001": "Hijack Execution Flow::DLL Search Order Hijacking", + "T1574.002": "Hijack Execution Flow::DLL Side-Loading", + "T1078.001": "Valid Accounts::Default Accounts", + "T1578.003": "Modify Cloud Compute Infrastructure::Delete Cloud Instance", + "T1140": "Deobfuscate/Decode Files or 
Information", + "T1610": "Deploy Container", + "T1006": "Direct Volume Access", + "T1562.008": "Impair Defenses::Disable Cloud Logs", + "T1600.002": "Weaken Encryption::Disable Crypto Hardware", + "T1562.002": "Impair Defenses::Disable Windows Event Logging", + "T1562.007": "Impair Defenses::Disable or Modify Cloud Firewall", + "T1562.004": "Impair Defenses::Disable or Modify System Firewall", + "T1562.001": "Impair Defenses::Disable or Modify Tools", + "T1078.002": "Valid Accounts::Domain Accounts", + "T1556.001": "Modify Authentication Process::Domain Controller Authentication", + "T1484": "Domain Policy Modification", + "T1484.002": "Domain Policy Modification::Domain Trust Modification", + "T1036.007": "Masquerading::Double File Extension", + "T1562.010": "Impair Defenses::Downgrade Attack", + "T1601.002": "Modify System Image::Downgrade System Image", + "T1574.004": "Hijack Execution Flow::Dylib Hijacking", + "T1574.006": "Hijack Execution Flow::Dynamic Linker Hijacking", + "T1055.001": "Process Injection::Dynamic-link Library Injection", + "T1548.004": "Abuse Elevation Control Mechanism::Elevated Execution with Prompt", + "T1564.008": "Hide Artifacts::Email Hiding Rules", + "T1480.001": "Execution Guardrails::Environmental Keying", + "T1574.005": "Hijack Execution Flow::Executable Installer File Permissions Weakness", + "T1480": "Execution Guardrails", + "T1211": "Exploitation for Defense Evasion", + "T1055.011": "Process Injection::Extra Window Memory Injection", + "T1070.004": "Indicator Removal on Host::File Deletion", + "T1222": "File and Directory Permissions Modification", + "T1553.001": "Subvert Trust Controls::Gatekeeper Bypass", + "T1484.001": "Domain Policy Modification::Group Policy Modification", + "T1027.006": "Obfuscated Files or Information::HTML Smuggling", + "T1564.005": "Hide Artifacts::Hidden File System", + "T1564.001": "Hide Artifacts::Hidden Files and Directories", + "T1564.002": "Hide Artifacts::Hidden Users", + "T1564.003": "Hide 
Artifacts::Hidden Window", + "T1564": "Hide Artifacts", + "T1574": "Hijack Execution Flow", + "T1562.003": "Impair Defenses::Impair Command History Logging", + "T1562": "Impair Defenses", + "T1562.006": "Impair Defenses::Indicator Blocking", + "T1027.005": "Obfuscated Files or Information::Indicator Removal from Tools", + "T1070": "Indicator Removal on Host", + "T1202": "Indirect Command Execution", + "T1553.004": "Subvert Trust Controls::Install Root Certificate", + "T1218.004": "Signed Binary Proxy Execution::InstallUtil", + "T1036.001": "Masquerading::Invalid Code Signature", + "T1222.002": "File and Directory Permissions Modification::Linux and Mac File and Directory Permissions Modification", + "T1078.003": "Valid Accounts::Local Accounts", + "T1218.014": "Signed Binary Proxy Execution::MMC", + "T1127.001": "Trusted Developer Utilities Proxy Execution::MSBuild", + "T1134.003": "Access Token Manipulation::Make and Impersonate Token", + "T1553.005": "Subvert Trust Controls::Mark-of-the-Web Bypass", + "T1036.004": "Masquerading::Masquerade Task or Service", + "T1036": "Masquerading", + "T1036.005": "Masquerading::Match Legitimate Name or Location", + "T1218.013": "Signed Binary Proxy Execution::Mavinject", + "T1556": "Modify Authentication Process", + "T1578": "Modify Cloud Compute Infrastructure", + "T1112": "Modify Registry", + "T1601": "Modify System Image", + "T1218.005": "Signed Binary Proxy Execution::Mshta", + "T1218.007": "Signed Binary Proxy Execution::Msiexec", + "T1564.004": "Hide Artifacts::NTFS File Attributes", + "T1599.001": "Network Boundary Bridging::Network Address Translation Traversal", + "T1599": "Network Boundary Bridging", + "T1556.004": "Modify Authentication Process::Network Device Authentication", + "T1070.005": "Indicator Removal on Host::Network Share Connection Removal", + "T1027": "Obfuscated Files or Information", + "T1218.008": "Signed Binary Proxy Execution::Odbcconf", + "T1134.004": "Access Token Manipulation::Parent PID 
Spoofing", + "T1550.002": "Use Alternate Authentication Material::Pass the Hash", + "T1550.003": "Use Alternate Authentication Material::Pass the Ticket", + "T1556.002": "Modify Authentication Process::Password Filter DLL", + "T1601.001": "Modify System Image::Patch System Image", + "T1574.007": "Hijack Execution Flow::Path Interception by PATH Environment Variable", + "T1574.008": "Hijack Execution Flow::Path Interception by Search Order Hijacking", + "T1574.009": "Hijack Execution Flow::Path Interception by Unquoted Path", + "T1556.003": "Modify Authentication Process::Pluggable Authentication Modules", + "T1205.001": "Traffic Signaling::Port Knocking", + "T1055.002": "Process Injection::Portable Executable Injection", + "T1542": "Pre-OS Boot", + "T1055.009": "Process Injection::Proc Memory", + "T1055.013": "Process Injection::Process Doppelg\u00e4nging", + "T1055.012": "Process Injection::Process Hollowing", + "T1055": "Process Injection", + "T1055.008": "Process Injection::Ptrace System Calls", + "T1216.001": "Signed Script Proxy Execution::PubPrn", + "T1542.004": "Pre-OS Boot::ROMMONkit", + "T1600.001": "Weaken Encryption::Reduce Key Space", + "T1620": "Reflective Code Loading", + "T1218.009": "Signed Binary Proxy Execution::Regsvcs/Regasm", + "T1218.010": "Signed Binary Proxy Execution::Regsvr32", + "T1036.003": "Masquerading::Rename System Utilities", + "T1564.009": "Hide Artifacts::Resource Forking", + "T1578.004": "Modify Cloud Compute Infrastructure::Revert Cloud Instance", + "T1036.002": "Masquerading::Right-to-Left Override", + "T1207": "Rogue Domain Controller", + "T1014": "Rootkit", + "T1564.006": "Hide Artifacts::Run Virtual Instance", + "T1218.011": "Signed Binary Proxy Execution::Rundll32", + "T1134.005": "Access Token Manipulation::SID-History Injection", + "T1553.003": "Subvert Trust Controls::SIP and Trust Provider Hijacking", + "T1562.009": "Impair Defenses::Safe Mode Boot", + "T1574.010": "Hijack Execution Flow::Services File Permissions 
Weakness", + "T1574.011": "Hijack Execution Flow::Services Registry Permissions Weakness", + "T1548.001": "Abuse Elevation Control Mechanism::Setuid and Setgid", + "T1218": "Signed Binary Proxy Execution", + "T1216": "Signed Script Proxy Execution", + "T1027.002": "Obfuscated Files or Information::Software Packing", + "T1036.006": "Masquerading::Space after Filename", + "T1027.003": "Obfuscated Files or Information::Steganography", + "T1553": "Subvert Trust Controls", + "T1548.003": "Abuse Elevation Control Mechanism::Sudo and Sudo Caching", + "T1497.001": "Virtualization/Sandbox Evasion::System Checks", + "T1542.001": "Pre-OS Boot::System Firmware", + "T1542.005": "Pre-OS Boot::TFTP Boot", + "T1221": "Template Injection", + "T1055.003": "Process Injection::Thread Execution Hijacking", + "T1055.005": "Process Injection::Thread Local Storage", + "T1497.003": "Virtualization/Sandbox Evasion::Time Based Evasion", + "T1070.006": "Indicator Removal on Host::Timestomp", + "T1134.001": "Access Token Manipulation::Token Impersonation/Theft", + "T1205": "Traffic Signaling", + "T1127": "Trusted Developer Utilities Proxy Execution", + "T1535": "Unused/Unsupported Cloud Regions", + "T1550": "Use Alternate Authentication Material", + "T1497.002": "Virtualization/Sandbox Evasion::User Activity Based Checks", + "T1564.007": "Hide Artifacts::VBA Stomping", + "T1055.014": "Process Injection::VDSO Hijacking", + "T1078": "Valid Accounts", + "T1218.012": "Signed Binary Proxy Execution::Verclsid", + "T1497": "Virtualization/Sandbox Evasion", + "T1600": "Weaken Encryption", + "T1550.004": "Use Alternate Authentication Material::Web Session Cookie", + "T1222.001": "File and Directory Permissions Modification::Windows File and Directory Permissions Modification", + "T1220": "XSL Script Processing" + }, + "Credential Access": { + "T1003.008": "OS Credential Dumping::/etc/passwd and /etc/shadow", + "T1557.002": "Adversary-in-the-Middle::ARP Cache Poisoning", + "T1558.004": "Steal or Forge 
Kerberos Tickets::AS-REP Roasting", + "T1557": "Adversary-in-the-Middle", + "T1552.003": "Unsecured Credentials::Bash History", + "T1110": "Brute Force", + "T1003.005": "OS Credential Dumping::Cached Domain Credentials", + "T1552.005": "Unsecured Credentials::Cloud Instance Metadata API", + "T1552.007": "Unsecured Credentials::Container API", + "T1056.004": "Input Capture::Credential API Hooking", + "T1110.004": "Brute Force::Credential Stuffing", + "T1552.001": "Unsecured Credentials::Credentials In Files", + "T1555": "Credentials from Password Stores", + "T1555.003": "Credentials from Password Stores::Credentials from Web Browsers", + "T1552.002": "Unsecured Credentials::Credentials in Registry", + "T1003.006": "OS Credential Dumping::DCSync", + "T1556.001": "Modify Authentication Process::Domain Controller Authentication", + "T1212": "Exploitation for Credential Access", + "T1187": "Forced Authentication", + "T1606": "Forge Web Credentials", + "T1056.002": "Input Capture::GUI Input Capture", + "T1558.001": "Steal or Forge Kerberos Tickets::Golden Ticket", + "T1552.006": "Unsecured Credentials::Group Policy Preferences", + "T1056": "Input Capture", + "T1558.003": "Steal or Forge Kerberos Tickets::Kerberoasting", + "T1555.001": "Credentials from Password Stores::Keychain", + "T1056.001": "Input Capture::Keylogging", + "T1557.001": "Adversary-in-the-Middle::LLMNR/NBT-NS Poisoning and SMB Relay", + "T1003.004": "OS Credential Dumping::LSA Secrets", + "T1003.001": "OS Credential Dumping::LSASS Memory", + "T1556": "Modify Authentication Process", + "T1003.003": "OS Credential Dumping::NTDS", + "T1556.004": "Modify Authentication Process::Network Device Authentication", + "T1040": "Network Sniffing", + "T1003": "OS Credential Dumping", + "T1110.002": "Brute Force::Password Cracking", + "T1556.002": "Modify Authentication Process::Password Filter DLL", + "T1110.001": "Brute Force::Password Guessing", + "T1555.005": "Credentials from Password Stores::Password Managers", 
+ "T1110.003": "Brute Force::Password Spraying", + "T1556.003": "Modify Authentication Process::Pluggable Authentication Modules", + "T1552.004": "Unsecured Credentials::Private Keys", + "T1003.007": "OS Credential Dumping::Proc Filesystem", + "T1606.002": "Forge Web Credentials::SAML Tokens", + "T1003.002": "OS Credential Dumping::Security Account Manager", + "T1555.002": "Credentials from Password Stores::Securityd Memory", + "T1558.002": "Steal or Forge Kerberos Tickets::Silver Ticket", + "T1528": "Steal Application Access Token", + "T1539": "Steal Web Session Cookie", + "T1558": "Steal or Forge Kerberos Tickets", + "T1111": "Two-Factor Authentication Interception", + "T1552": "Unsecured Credentials", + "T1606.001": "Forge Web Credentials::Web Cookies", + "T1056.003": "Input Capture::Web Portal Capture", + "T1555.004": "Credentials from Password Stores::Windows Credential Manager" + }, + "Discovery": { + "T1087": "Account Discovery", + "T1010": "Application Window Discovery", + "T1217": "Browser Bookmark Discovery", + "T1087.004": "Account Discovery::Cloud Account", + "T1069.003": "Permission Groups Discovery::Cloud Groups", + "T1580": "Cloud Infrastructure Discovery", + "T1538": "Cloud Service Dashboard", + "T1526": "Cloud Service Discovery", + "T1619": "Cloud Storage Object Discovery", + "T1613": "Container and Resource Discovery", + "T1087.002": "Account Discovery::Domain Account", + "T1069.002": "Permission Groups Discovery::Domain Groups", + "T1482": "Domain Trust Discovery", + "T1087.003": "Account Discovery::Email Account", + "T1083": "File and Directory Discovery", + "T1615": "Group Policy Discovery", + "T1016.001": "System Network Configuration Discovery::Internet Connection Discovery", + "T1087.001": "Account Discovery::Local Account", + "T1069.001": "Permission Groups Discovery::Local Groups", + "T1046": "Network Service Scanning", + "T1135": "Network Share Discovery", + "T1040": "Network Sniffing", + "T1201": "Password Policy Discovery", + "T1120": 
"Peripheral Device Discovery", + "T1069": "Permission Groups Discovery", + "T1057": "Process Discovery", + "T1012": "Query Registry", + "T1018": "Remote System Discovery", + "T1518.001": "Software Discovery::Security Software Discovery", + "T1518": "Software Discovery", + "T1497.001": "Virtualization/Sandbox Evasion::System Checks", + "T1082": "System Information Discovery", + "T1614.001": "System Location Discovery::System Language Discovery", + "T1614": "System Location Discovery", + "T1016": "System Network Configuration Discovery", + "T1049": "System Network Connections Discovery", + "T1033": "System Owner/User Discovery", + "T1007": "System Service Discovery", + "T1124": "System Time Discovery", + "T1497.003": "Virtualization/Sandbox Evasion::Time Based Evasion", + "T1497.002": "Virtualization/Sandbox Evasion::User Activity Based Checks", + "T1497": "Virtualization/Sandbox Evasion" + }, + "Lateral Movement": { + "T1550.001": "Use Alternate Authentication Material::Application Access Token", + "T1021.003": "Remote Services::Distributed Component Object Model", + "T1210": "Exploitation of Remote Services", + "T1534": "Internal Spearphishing", + "T1570": "Lateral Tool Transfer", + "T1550.002": "Use Alternate Authentication Material::Pass the Hash", + "T1550.003": "Use Alternate Authentication Material::Pass the Ticket", + "T1563.002": "Remote Service Session Hijacking::RDP Hijacking", + "T1021.001": "Remote Services::Remote Desktop Protocol", + "T1563": "Remote Service Session Hijacking", + "T1021": "Remote Services", + "T1091": "Replication Through Removable Media", + "T1021.002": "Remote Services::SMB/Windows Admin Shares", + "T1021.004": "Remote Services::SSH", + "T1563.001": "Remote Service Session Hijacking::SSH Hijacking", + "T1072": "Software Deployment Tools", + "T1080": "Taint Shared Content", + "T1550": "Use Alternate Authentication Material", + "T1021.005": "Remote Services::VNC", + "T1550.004": "Use Alternate Authentication Material::Web Session 
Cookie", + "T1021.006": "Remote Services::Windows Remote Management" + }, + "Collection": { + "T1557.002": "Adversary-in-the-Middle::ARP Cache Poisoning", + "T1557": "Adversary-in-the-Middle", + "T1560": "Archive Collected Data", + "T1560.003": "Archive Collected Data::Archive via Custom Method", + "T1560.002": "Archive Collected Data::Archive via Library", + "T1560.001": "Archive Collected Data::Archive via Utility", + "T1123": "Audio Capture", + "T1119": "Automated Collection", + "T1185": "Browser Session Hijacking", + "T1115": "Clipboard Data", + "T1213.003": "Data from Information Repositories::Code Repositories", + "T1213.001": "Data from Information Repositories::Confluence", + "T1056.004": "Input Capture::Credential API Hooking", + "T1074": "Data Staged", + "T1530": "Data from Cloud Storage Object", + "T1602": "Data from Configuration Repository", + "T1213": "Data from Information Repositories", + "T1005": "Data from Local System", + "T1039": "Data from Network Shared Drive", + "T1025": "Data from Removable Media", + "T1114": "Email Collection", + "T1114.003": "Email Collection::Email Forwarding Rule", + "T1056.002": "Input Capture::GUI Input Capture", + "T1056": "Input Capture", + "T1056.001": "Input Capture::Keylogging", + "T1557.001": "Adversary-in-the-Middle::LLMNR/NBT-NS Poisoning and SMB Relay", + "T1074.001": "Data Staged::Local Data Staging", + "T1114.001": "Email Collection::Local Email Collection", + "T1602.002": "Data from Configuration Repository::Network Device Configuration Dump", + "T1074.002": "Data Staged::Remote Data Staging", + "T1114.002": "Email Collection::Remote Email Collection", + "T1602.001": "Data from Configuration Repository::SNMP (MIB Dump)", + "T1113": "Screen Capture", + "T1213.002": "Data from Information Repositories::Sharepoint", + "T1125": "Video Capture", + "T1056.003": "Input Capture::Web Portal Capture" + }, + "Command and Control": { + "T1071": "Application Layer Protocol", + "T1573.002": "Encrypted Channel::Asymmetric 
Cryptography", + "T1102.002": "Web Service::Bidirectional Communication", + "T1092": "Communication Through Removable Media", + "T1071.004": "Application Layer Protocol::DNS", + "T1568.003": "Dynamic Resolution::DNS Calculation", + "T1132": "Data Encoding", + "T1001": "Data Obfuscation", + "T1102.001": "Web Service::Dead Drop Resolver", + "T1090.004": "Proxy::Domain Fronting", + "T1568.002": "Dynamic Resolution::Domain Generation Algorithms", + "T1568": "Dynamic Resolution", + "T1573": "Encrypted Channel", + "T1090.002": "Proxy::External Proxy", + "T1008": "Fallback Channels", + "T1568.001": "Dynamic Resolution::Fast Flux DNS", + "T1071.002": "Application Layer Protocol::File Transfer Protocols", + "T1105": "Ingress Tool Transfer", + "T1090.001": "Proxy::Internal Proxy", + "T1001.001": "Data Obfuscation::Junk Data", + "T1071.003": "Application Layer Protocol::Mail Protocols", + "T1104": "Multi-Stage Channels", + "T1090.003": "Proxy::Multi-hop Proxy", + "T1095": "Non-Application Layer Protocol", + "T1132.002": "Data Encoding::Non-Standard Encoding", + "T1571": "Non-Standard Port", + "T1102.003": "Web Service::One-Way Communication", + "T1205.001": "Traffic Signaling::Port Knocking", + "T1001.003": "Data Obfuscation::Protocol Impersonation", + "T1572": "Protocol Tunneling", + "T1090": "Proxy", + "T1219": "Remote Access Software", + "T1132.001": "Data Encoding::Standard Encoding", + "T1001.002": "Data Obfuscation::Steganography", + "T1573.001": "Encrypted Channel::Symmetric Cryptography", + "T1205": "Traffic Signaling", + "T1071.001": "Application Layer Protocol::Web Protocols", + "T1102": "Web Service" + }, + "Exfiltration": { + "T1020": "Automated Exfiltration", + "T1030": "Data Transfer Size Limits", + "T1048": "Exfiltration Over Alternative Protocol", + "T1048.002": "Exfiltration Over Alternative Protocol::Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", + "T1011.001": "Exfiltration Over Other Network Medium::Exfiltration Over Bluetooth", + "T1041": 
"Exfiltration Over C2 Channel", + "T1011": "Exfiltration Over Other Network Medium", + "T1052": "Exfiltration Over Physical Medium", + "T1048.001": "Exfiltration Over Alternative Protocol::Exfiltration Over Symmetric Encrypted Non-C2 Protocol", + "T1048.003": "Exfiltration Over Alternative Protocol::Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", + "T1567": "Exfiltration Over Web Service", + "T1052.001": "Exfiltration Over Physical Medium::Exfiltration over USB", + "T1567.002": "Exfiltration Over Web Service::Exfiltration to Cloud Storage", + "T1567.001": "Exfiltration Over Web Service::Exfiltration to Code Repository", + "T1029": "Scheduled Transfer", + "T1020.001": "Automated Exfiltration::Traffic Duplication", + "T1537": "Transfer Data to Cloud Account" + }, + "Impact": { + "T1531": "Account Access Removal", + "T1499.003": "Endpoint Denial of Service::Application Exhaustion Flood", + "T1499.004": "Endpoint Denial of Service::Application or System Exploitation", + "T1485": "Data Destruction", + "T1486": "Data Encrypted for Impact", + "T1565": "Data Manipulation", + "T1491": "Defacement", + "T1498.001": "Network Denial of Service::Direct Network Flood", + "T1561.001": "Disk Wipe::Disk Content Wipe", + "T1561.002": "Disk Wipe::Disk Structure Wipe", + "T1561": "Disk Wipe", + "T1499": "Endpoint Denial of Service", + "T1491.002": "Defacement::External Defacement", + "T1495": "Firmware Corruption", + "T1490": "Inhibit System Recovery", + "T1491.001": "Defacement::Internal Defacement", + "T1498": "Network Denial of Service", + "T1499.001": "Endpoint Denial of Service::OS Exhaustion Flood", + "T1498.002": "Network Denial of Service::Reflection Amplification", + "T1496": "Resource Hijacking", + "T1565.003": "Data Manipulation::Runtime Data Manipulation", + "T1499.002": "Endpoint Denial of Service::Service Exhaustion Flood", + "T1489": "Service Stop", + "T1565.001": "Data Manipulation::Stored Data Manipulation", + "T1529": "System Shutdown/Reboot", + 
"T1565.002": "Data Manipulation::Transmitted Data Manipulation" + } }, - "Resource Development": { - "T1583": "Acquire Infrastructure", - "T1583.005": "Acquire Infrastructure::Botnet", - "T1584.005": "Compromise Infrastructure::Botnet", - "T1587.002": "Develop Capabilities::Code Signing Certificates", - "T1588.003": "Obtain Capabilities::Code Signing Certificates", - "T1586": "Compromise Accounts", - "T1584": "Compromise Infrastructure", - "T1583.002": "Acquire Infrastructure::DNS Server", - "T1584.002": "Compromise Infrastructure::DNS Server", - "T1587": "Develop Capabilities", - "T1587.003": "Develop Capabilities::Digital Certificates", - "T1588.004": "Obtain Capabilities::Digital Certificates", - "T1583.001": "Acquire Infrastructure::Domains", - "T1584.001": "Compromise Infrastructure::Domains", - "T1608.004": "Stage Capabilities::Drive-by Target", - "T1585.002": "Establish Accounts::Email Accounts", - "T1586.002": "Compromise Accounts::Email Accounts", - "T1585": "Establish Accounts", - "T1587.004": "Develop Capabilities::Exploits", - "T1588.005": "Obtain Capabilities::Exploits", - "T1608.003": "Stage Capabilities::Install Digital Certificate", - "T1608.005": "Stage Capabilities::Link Target", - "T1587.001": "Develop Capabilities::Malware", - "T1588.001": "Obtain Capabilities::Malware", - "T1588": "Obtain Capabilities", - "T1583.004": "Acquire Infrastructure::Server", - "T1584.004": "Compromise Infrastructure::Server", - "T1585.001": "Establish Accounts::Social Media Accounts", - "T1586.001": "Compromise Accounts::Social Media Accounts", - "T1608": "Stage Capabilities", - "T1588.002": "Obtain Capabilities::Tool", - "T1608.001": "Stage Capabilities::Upload Malware", - "T1608.002": "Stage Capabilities::Upload Tool", - "T1583.003": "Acquire Infrastructure::Virtual Private Server", - "T1584.003": "Compromise Infrastructure::Virtual Private Server", - "T1588.006": "Obtain Capabilities::Vulnerabilities", - "T1583.006": "Acquire Infrastructure::Web Services", - 
"T1584.006": "Compromise Infrastructure::Web Services" - }, - "Initial Access": { - "T1078.004": "Valid Accounts::Cloud Accounts", - "T1195.003": "Supply Chain Compromise::Compromise Hardware Supply Chain", - "T1195.001": "Supply Chain Compromise::Compromise Software Dependencies and Development Tools", - "T1195.002": "Supply Chain Compromise::Compromise Software Supply Chain", - "T1078.001": "Valid Accounts::Default Accounts", - "T1078.002": "Valid Accounts::Domain Accounts", - "T1189": "Drive-by Compromise", - "T1190": "Exploit Public-Facing Application", - "T1133": "External Remote Services", - "T1200": "Hardware Additions", - "T1078.003": "Valid Accounts::Local Accounts", - "T1566": "Phishing", - "T1091": "Replication Through Removable Media", - "T1566.001": "Phishing::Spearphishing Attachment", - "T1566.002": "Phishing::Spearphishing Link", - "T1566.003": "Phishing::Spearphishing via Service", - "T1195": "Supply Chain Compromise", - "T1199": "Trusted Relationship", - "T1078": "Valid Accounts" - }, - "Execution": { - "T1059.002": "Command and Scripting Interpreter::AppleScript", - "T1053.001": "Scheduled Task/Job::At (Linux)", - "T1053.002": "Scheduled Task/Job::At (Windows)", - "T1059": "Command and Scripting Interpreter", - "T1559.001": "Inter-Process Communication::Component Object Model", - "T1609": "Container Administration Command", - "T1053.007": "Scheduled Task/Job::Container Orchestration Job", - "T1053.003": "Scheduled Task/Job::Cron", - "T1610": "Deploy Container", - "T1559.002": "Inter-Process Communication::Dynamic Data Exchange", - "T1203": "Exploitation for Client Execution", - "T1559": "Inter-Process Communication", - "T1059.007": "Command and Scripting Interpreter::JavaScript", - "T1569.001": "System Services::Launchctl", - "T1204.002": "User Execution::Malicious File", - "T1204.003": "User Execution::Malicious Image", - "T1204.001": "User Execution::Malicious Link", - "T1106": "Native API", - "T1059.008": "Command and Scripting 
Interpreter::Network Device CLI", - "T1059.001": "Command and Scripting Interpreter::PowerShell", - "T1059.006": "Command and Scripting Interpreter::Python", - "T1053.005": "Scheduled Task/Job::Scheduled Task", - "T1053": "Scheduled Task/Job", - "T1569.002": "System Services::Service Execution", - "T1129": "Shared Modules", - "T1072": "Software Deployment Tools", - "T1569": "System Services", - "T1053.006": "Scheduled Task/Job::Systemd Timers", - "T1059.004": "Command and Scripting Interpreter::Unix Shell", - "T1204": "User Execution", - "T1059.005": "Command and Scripting Interpreter::Visual Basic", - "T1059.003": "Command and Scripting Interpreter::Windows Command Shell", - "T1047": "Windows Management Instrumentation" - }, - "Persistence": { - "T1546.008": "Event Triggered Execution::Accessibility Features", - "T1098": "Account Manipulation", - "T1547.014": "Boot or Logon Autostart Execution::Active Setup", - "T1098.003": "Account Manipulation::Add Office 365 Global Administrator Role", - "T1137.006": "Office Application Startup::Add-ins", - "T1098.001": "Account Manipulation::Additional Cloud Credentials", - "T1546.009": "Event Triggered Execution::AppCert DLLs", - "T1546.010": "Event Triggered Execution::AppInit DLLs", - "T1546.011": "Event Triggered Execution::Application Shimming", - "T1053.001": "Scheduled Task/Job::At (Linux)", - "T1053.002": "Scheduled Task/Job::At (Windows)", - "T1547.002": "Boot or Logon Autostart Execution::Authentication Package", - "T1197": "BITS Jobs", - "T1547": "Boot or Logon Autostart Execution", - "T1037": "Boot or Logon Initialization Scripts", - "T1542.003": "Pre-OS Boot::Bootkit", - "T1176": "Browser Extensions", - "T1574.012": "Hijack Execution Flow::COR_PROFILER", - "T1546.001": "Event Triggered Execution::Change Default File Association", - "T1136.003": "Create Account::Cloud Account", - "T1078.004": "Valid Accounts::Cloud Accounts", - "T1542.002": "Pre-OS Boot::Component Firmware", - "T1546.015": "Event Triggered 
Execution::Component Object Model Hijacking", - "T1554": "Compromise Client Software Binary", - "T1053.007": "Scheduled Task/Job::Container Orchestration Job", - "T1136": "Create Account", - "T1543": "Create or Modify System Process", - "T1053.003": "Scheduled Task/Job::Cron", - "T1574.001": "Hijack Execution Flow::DLL Search Order Hijacking", - "T1574.002": "Hijack Execution Flow::DLL Side-Loading", - "T1078.001": "Valid Accounts::Default Accounts", - "T1136.002": "Create Account::Domain Account", - "T1078.002": "Valid Accounts::Domain Accounts", - "T1556.001": "Modify Authentication Process::Domain Controller Authentication", - "T1574.004": "Hijack Execution Flow::Dylib Hijacking", - "T1574.006": "Hijack Execution Flow::Dynamic Linker Hijacking", - "T1546.014": "Event Triggered Execution::Emond", - "T1546": "Event Triggered Execution", - "T1098.002": "Account Manipulation::Exchange Email Delegate Permissions", - "T1574.005": "Hijack Execution Flow::Executable Installer File Permissions Weakness", - "T1133": "External Remote Services", - "T1574": "Hijack Execution Flow", - "T1505.004": "Server Software Component::IIS Components", - "T1546.012": "Event Triggered Execution::Image File Execution Options Injection", - "T1525": "Implant Internal Image", - "T1547.006": "Boot or Logon Autostart Execution::Kernel Modules and Extensions", - "T1546.006": "Event Triggered Execution::LC_LOAD_DYLIB Addition", - "T1547.008": "Boot or Logon Autostart Execution::LSASS Driver", - "T1543.001": "Create or Modify System Process::Launch Agent", - "T1543.004": "Create or Modify System Process::Launch Daemon", - "T1136.001": "Create Account::Local Account", - "T1078.003": "Valid Accounts::Local Accounts", - "T1547.015": "Boot or Logon Autostart Execution::Login Items", - "T1037.002": "Boot or Logon Initialization Scripts::Logon Script (Mac)", - "T1037.001": "Boot or Logon Initialization Scripts::Logon Script (Windows)", - "T1556": "Modify Authentication Process", - "T1546.007": "Event 
Triggered Execution::Netsh Helper DLL", - "T1556.004": "Modify Authentication Process::Network Device Authentication", - "T1037.003": "Boot or Logon Initialization Scripts::Network Logon Script", - "T1137": "Office Application Startup", - "T1137.001": "Office Application Startup::Office Template Macros", - "T1137.002": "Office Application Startup::Office Test", - "T1137.003": "Office Application Startup::Outlook Forms", - "T1137.004": "Office Application Startup::Outlook Home Page", - "T1137.005": "Office Application Startup::Outlook Rules", - "T1556.002": "Modify Authentication Process::Password Filter DLL", - "T1574.007": "Hijack Execution Flow::Path Interception by PATH Environment Variable", - "T1574.008": "Hijack Execution Flow::Path Interception by Search Order Hijacking", - "T1574.009": "Hijack Execution Flow::Path Interception by Unquoted Path", - "T1547.011": "Boot or Logon Autostart Execution::Plist Modification", - "T1556.003": "Modify Authentication Process::Pluggable Authentication Modules", - "T1205.001": "Traffic Signaling::Port Knocking", - "T1547.010": "Boot or Logon Autostart Execution::Port Monitors", - "T1546.013": "Event Triggered Execution::PowerShell Profile", - "T1542": "Pre-OS Boot", - "T1547.012": "Boot or Logon Autostart Execution::Print Processors", - "T1037.004": "Boot or Logon Initialization Scripts::RC Scripts", - "T1542.004": "Pre-OS Boot::ROMMONkit", - "T1547.007": "Boot or Logon Autostart Execution::Re-opened Applications", - "T1547.001": "Boot or Logon Autostart Execution::Registry Run Keys / Startup Folder", - "T1505.001": "Server Software Component::SQL Stored Procedures", - "T1098.004": "Account Manipulation::SSH Authorized Keys", - "T1053.005": "Scheduled Task/Job::Scheduled Task", - "T1053": "Scheduled Task/Job", - "T1546.002": "Event Triggered Execution::Screensaver", - "T1547.005": "Boot or Logon Autostart Execution::Security Support Provider", - "T1505": "Server Software Component", - "T1574.010": "Hijack Execution 
Flow::Services File Permissions Weakness", - "T1574.011": "Hijack Execution Flow::Services Registry Permissions Weakness", - "T1547.009": "Boot or Logon Autostart Execution::Shortcut Modification", - "T1037.005": "Boot or Logon Initialization Scripts::Startup Items", - "T1542.001": "Pre-OS Boot::System Firmware", - "T1543.002": "Create or Modify System Process::Systemd Service", - "T1053.006": "Scheduled Task/Job::Systemd Timers", - "T1542.005": "Pre-OS Boot::TFTP Boot", - "T1547.003": "Boot or Logon Autostart Execution::Time Providers", - "T1205": "Traffic Signaling", - "T1505.002": "Server Software Component::Transport Agent", - "T1546.005": "Event Triggered Execution::Trap", - "T1546.004": "Event Triggered Execution::Unix Shell Configuration Modification", - "T1078": "Valid Accounts", - "T1505.003": "Server Software Component::Web Shell", - "T1546.003": "Event Triggered Execution::Windows Management Instrumentation Event Subscription", - "T1543.003": "Create or Modify System Process::Windows Service", - "T1547.004": "Boot or Logon Autostart Execution::Winlogon Helper DLL", - "T1547.013": "Boot or Logon Autostart Execution::XDG Autostart Entries" - }, - "Privilege Escalation": { - "T1548": "Abuse Elevation Control Mechanism", - "T1134": "Access Token Manipulation", - "T1546.008": "Event Triggered Execution::Accessibility Features", - "T1547.014": "Boot or Logon Autostart Execution::Active Setup", - "T1546.009": "Event Triggered Execution::AppCert DLLs", - "T1546.010": "Event Triggered Execution::AppInit DLLs", - "T1546.011": "Event Triggered Execution::Application Shimming", - "T1055.004": "Process Injection::Asynchronous Procedure Call", - "T1053.001": "Scheduled Task/Job::At (Linux)", - "T1053.002": "Scheduled Task/Job::At (Windows)", - "T1547.002": "Boot or Logon Autostart Execution::Authentication Package", - "T1547": "Boot or Logon Autostart Execution", - "T1037": "Boot or Logon Initialization Scripts", - "T1548.002": "Abuse Elevation Control 
Mechanism::Bypass User Account Control", - "T1574.012": "Hijack Execution Flow::COR_PROFILER", - "T1546.001": "Event Triggered Execution::Change Default File Association", - "T1078.004": "Valid Accounts::Cloud Accounts", - "T1546.015": "Event Triggered Execution::Component Object Model Hijacking", - "T1053.007": "Scheduled Task/Job::Container Orchestration Job", - "T1134.002": "Access Token Manipulation::Create Process with Token", - "T1543": "Create or Modify System Process", - "T1053.003": "Scheduled Task/Job::Cron", - "T1574.001": "Hijack Execution Flow::DLL Search Order Hijacking", - "T1574.002": "Hijack Execution Flow::DLL Side-Loading", - "T1078.001": "Valid Accounts::Default Accounts", - "T1078.002": "Valid Accounts::Domain Accounts", - "T1484": "Domain Policy Modification", - "T1484.002": "Domain Policy Modification::Domain Trust Modification", - "T1574.004": "Hijack Execution Flow::Dylib Hijacking", - "T1574.006": "Hijack Execution Flow::Dynamic Linker Hijacking", - "T1055.001": "Process Injection::Dynamic-link Library Injection", - "T1548.004": "Abuse Elevation Control Mechanism::Elevated Execution with Prompt", - "T1546.014": "Event Triggered Execution::Emond", - "T1611": "Escape to Host", - "T1546": "Event Triggered Execution", - "T1574.005": "Hijack Execution Flow::Executable Installer File Permissions Weakness", - "T1068": "Exploitation for Privilege Escalation", - "T1055.011": "Process Injection::Extra Window Memory Injection", - "T1484.001": "Domain Policy Modification::Group Policy Modification", - "T1574": "Hijack Execution Flow", - "T1546.012": "Event Triggered Execution::Image File Execution Options Injection", - "T1547.006": "Boot or Logon Autostart Execution::Kernel Modules and Extensions", - "T1546.006": "Event Triggered Execution::LC_LOAD_DYLIB Addition", - "T1547.008": "Boot or Logon Autostart Execution::LSASS Driver", - "T1543.001": "Create or Modify System Process::Launch Agent", - "T1543.004": "Create or Modify System Process::Launch 
Daemon", - "T1078.003": "Valid Accounts::Local Accounts", - "T1547.015": "Boot or Logon Autostart Execution::Login Items", - "T1037.002": "Boot or Logon Initialization Scripts::Logon Script (Mac)", - "T1037.001": "Boot or Logon Initialization Scripts::Logon Script (Windows)", - "T1134.003": "Access Token Manipulation::Make and Impersonate Token", - "T1546.007": "Event Triggered Execution::Netsh Helper DLL", - "T1037.003": "Boot or Logon Initialization Scripts::Network Logon Script", - "T1134.004": "Access Token Manipulation::Parent PID Spoofing", - "T1574.007": "Hijack Execution Flow::Path Interception by PATH Environment Variable", - "T1574.008": "Hijack Execution Flow::Path Interception by Search Order Hijacking", - "T1574.009": "Hijack Execution Flow::Path Interception by Unquoted Path", - "T1547.011": "Boot or Logon Autostart Execution::Plist Modification", - "T1547.010": "Boot or Logon Autostart Execution::Port Monitors", - "T1055.002": "Process Injection::Portable Executable Injection", - "T1546.013": "Event Triggered Execution::PowerShell Profile", - "T1547.012": "Boot or Logon Autostart Execution::Print Processors", - "T1055.009": "Process Injection::Proc Memory", - "T1055.013": "Process Injection::Process Doppelg\u00e4nging", - "T1055.012": "Process Injection::Process Hollowing", - "T1055": "Process Injection", - "T1055.008": "Process Injection::Ptrace System Calls", - "T1037.004": "Boot or Logon Initialization Scripts::RC Scripts", - "T1547.007": "Boot or Logon Autostart Execution::Re-opened Applications", - "T1547.001": "Boot or Logon Autostart Execution::Registry Run Keys / Startup Folder", - "T1134.005": "Access Token Manipulation::SID-History Injection", - "T1053.005": "Scheduled Task/Job::Scheduled Task", - "T1053": "Scheduled Task/Job", - "T1546.002": "Event Triggered Execution::Screensaver", - "T1547.005": "Boot or Logon Autostart Execution::Security Support Provider", - "T1574.010": "Hijack Execution Flow::Services File Permissions Weakness", - 
"T1574.011": "Hijack Execution Flow::Services Registry Permissions Weakness", - "T1548.001": "Abuse Elevation Control Mechanism::Setuid and Setgid", - "T1547.009": "Boot or Logon Autostart Execution::Shortcut Modification", - "T1037.005": "Boot or Logon Initialization Scripts::Startup Items", - "T1548.003": "Abuse Elevation Control Mechanism::Sudo and Sudo Caching", - "T1543.002": "Create or Modify System Process::Systemd Service", - "T1053.006": "Scheduled Task/Job::Systemd Timers", - "T1055.003": "Process Injection::Thread Execution Hijacking", - "T1055.005": "Process Injection::Thread Local Storage", - "T1547.003": "Boot or Logon Autostart Execution::Time Providers", - "T1134.001": "Access Token Manipulation::Token Impersonation/Theft", - "T1546.005": "Event Triggered Execution::Trap", - "T1546.004": "Event Triggered Execution::Unix Shell Configuration Modification", - "T1055.014": "Process Injection::VDSO Hijacking", - "T1078": "Valid Accounts", - "T1546.003": "Event Triggered Execution::Windows Management Instrumentation Event Subscription", - "T1543.003": "Create or Modify System Process::Windows Service", - "T1547.004": "Boot or Logon Autostart Execution::Winlogon Helper DLL", - "T1547.013": "Boot or Logon Autostart Execution::XDG Autostart Entries" - }, - "Defense Evasion": { - "T1548": "Abuse Elevation Control Mechanism", - "T1134": "Access Token Manipulation", - "T1550.001": "Use Alternate Authentication Material::Application Access Token", - "T1055.004": "Process Injection::Asynchronous Procedure Call", - "T1197": "BITS Jobs", - "T1027.001": "Obfuscated Files or Information::Binary Padding", - "T1542.003": "Pre-OS Boot::Bootkit", - "T1612": "Build Image on Host", - "T1548.002": "Abuse Elevation Control Mechanism::Bypass User Account Control", - "T1218.003": "Signed Binary Proxy Execution::CMSTP", - "T1574.012": "Hijack Execution Flow::COR_PROFILER", - "T1070.003": "Indicator Removal on Host::Clear Command History", - "T1070.002": "Indicator Removal on 
Host::Clear Linux or Mac System Logs", - "T1070.001": "Indicator Removal on Host::Clear Windows Event Logs", - "T1078.004": "Valid Accounts::Cloud Accounts", - "T1553.002": "Subvert Trust Controls::Code Signing", - "T1553.006": "Subvert Trust Controls::Code Signing Policy Modification", - "T1027.004": "Obfuscated Files or Information::Compile After Delivery", - "T1218.001": "Signed Binary Proxy Execution::Compiled HTML File", - "T1542.002": "Pre-OS Boot::Component Firmware", - "T1218.002": "Signed Binary Proxy Execution::Control Panel", - "T1578.002": "Modify Cloud Compute Infrastructure::Create Cloud Instance", - "T1134.002": "Access Token Manipulation::Create Process with Token", - "T1578.001": "Modify Cloud Compute Infrastructure::Create Snapshot", - "T1574.001": "Hijack Execution Flow::DLL Search Order Hijacking", - "T1574.002": "Hijack Execution Flow::DLL Side-Loading", - "T1078.001": "Valid Accounts::Default Accounts", - "T1578.003": "Modify Cloud Compute Infrastructure::Delete Cloud Instance", - "T1140": "Deobfuscate/Decode Files or Information", - "T1610": "Deploy Container", - "T1006": "Direct Volume Access", - "T1562.008": "Impair Defenses::Disable Cloud Logs", - "T1600.002": "Weaken Encryption::Disable Crypto Hardware", - "T1562.002": "Impair Defenses::Disable Windows Event Logging", - "T1562.007": "Impair Defenses::Disable or Modify Cloud Firewall", - "T1562.004": "Impair Defenses::Disable or Modify System Firewall", - "T1562.001": "Impair Defenses::Disable or Modify Tools", - "T1078.002": "Valid Accounts::Domain Accounts", - "T1556.001": "Modify Authentication Process::Domain Controller Authentication", - "T1484": "Domain Policy Modification", - "T1484.002": "Domain Policy Modification::Domain Trust Modification", - "T1036.007": "Masquerading::Double File Extension", - "T1562.010": "Impair Defenses::Downgrade Attack", - "T1601.002": "Modify System Image::Downgrade System Image", - "T1574.004": "Hijack Execution Flow::Dylib Hijacking", - "T1574.006": 
"Hijack Execution Flow::Dynamic Linker Hijacking", - "T1055.001": "Process Injection::Dynamic-link Library Injection", - "T1548.004": "Abuse Elevation Control Mechanism::Elevated Execution with Prompt", - "T1564.008": "Hide Artifacts::Email Hiding Rules", - "T1480.001": "Execution Guardrails::Environmental Keying", - "T1574.005": "Hijack Execution Flow::Executable Installer File Permissions Weakness", - "T1480": "Execution Guardrails", - "T1211": "Exploitation for Defense Evasion", - "T1055.011": "Process Injection::Extra Window Memory Injection", - "T1070.004": "Indicator Removal on Host::File Deletion", - "T1222": "File and Directory Permissions Modification", - "T1553.001": "Subvert Trust Controls::Gatekeeper Bypass", - "T1484.001": "Domain Policy Modification::Group Policy Modification", - "T1027.006": "Obfuscated Files or Information::HTML Smuggling", - "T1564.005": "Hide Artifacts::Hidden File System", - "T1564.001": "Hide Artifacts::Hidden Files and Directories", - "T1564.002": "Hide Artifacts::Hidden Users", - "T1564.003": "Hide Artifacts::Hidden Window", - "T1564": "Hide Artifacts", - "T1574": "Hijack Execution Flow", - "T1562.003": "Impair Defenses::Impair Command History Logging", - "T1562": "Impair Defenses", - "T1562.006": "Impair Defenses::Indicator Blocking", - "T1027.005": "Obfuscated Files or Information::Indicator Removal from Tools", - "T1070": "Indicator Removal on Host", - "T1202": "Indirect Command Execution", - "T1553.004": "Subvert Trust Controls::Install Root Certificate", - "T1218.004": "Signed Binary Proxy Execution::InstallUtil", - "T1036.001": "Masquerading::Invalid Code Signature", - "T1222.002": "File and Directory Permissions Modification::Linux and Mac File and Directory Permissions Modification", - "T1078.003": "Valid Accounts::Local Accounts", - "T1218.014": "Signed Binary Proxy Execution::MMC", - "T1127.001": "Trusted Developer Utilities Proxy Execution::MSBuild", - "T1134.003": "Access Token Manipulation::Make and Impersonate 
Token", - "T1553.005": "Subvert Trust Controls::Mark-of-the-Web Bypass", - "T1036.004": "Masquerading::Masquerade Task or Service", - "T1036": "Masquerading", - "T1036.005": "Masquerading::Match Legitimate Name or Location", - "T1218.013": "Signed Binary Proxy Execution::Mavinject", - "T1556": "Modify Authentication Process", - "T1578": "Modify Cloud Compute Infrastructure", - "T1112": "Modify Registry", - "T1601": "Modify System Image", - "T1218.005": "Signed Binary Proxy Execution::Mshta", - "T1218.007": "Signed Binary Proxy Execution::Msiexec", - "T1564.004": "Hide Artifacts::NTFS File Attributes", - "T1599.001": "Network Boundary Bridging::Network Address Translation Traversal", - "T1599": "Network Boundary Bridging", - "T1556.004": "Modify Authentication Process::Network Device Authentication", - "T1070.005": "Indicator Removal on Host::Network Share Connection Removal", - "T1027": "Obfuscated Files or Information", - "T1218.008": "Signed Binary Proxy Execution::Odbcconf", - "T1134.004": "Access Token Manipulation::Parent PID Spoofing", - "T1550.002": "Use Alternate Authentication Material::Pass the Hash", - "T1550.003": "Use Alternate Authentication Material::Pass the Ticket", - "T1556.002": "Modify Authentication Process::Password Filter DLL", - "T1601.001": "Modify System Image::Patch System Image", - "T1574.007": "Hijack Execution Flow::Path Interception by PATH Environment Variable", - "T1574.008": "Hijack Execution Flow::Path Interception by Search Order Hijacking", - "T1574.009": "Hijack Execution Flow::Path Interception by Unquoted Path", - "T1556.003": "Modify Authentication Process::Pluggable Authentication Modules", - "T1205.001": "Traffic Signaling::Port Knocking", - "T1055.002": "Process Injection::Portable Executable Injection", - "T1542": "Pre-OS Boot", - "T1055.009": "Process Injection::Proc Memory", - "T1055.013": "Process Injection::Process Doppelg\u00e4nging", - "T1055.012": "Process Injection::Process Hollowing", - "T1055": "Process 
Injection", - "T1055.008": "Process Injection::Ptrace System Calls", - "T1216.001": "Signed Script Proxy Execution::PubPrn", - "T1542.004": "Pre-OS Boot::ROMMONkit", - "T1600.001": "Weaken Encryption::Reduce Key Space", - "T1620": "Reflective Code Loading", - "T1218.009": "Signed Binary Proxy Execution::Regsvcs/Regasm", - "T1218.010": "Signed Binary Proxy Execution::Regsvr32", - "T1036.003": "Masquerading::Rename System Utilities", - "T1564.009": "Hide Artifacts::Resource Forking", - "T1578.004": "Modify Cloud Compute Infrastructure::Revert Cloud Instance", - "T1036.002": "Masquerading::Right-to-Left Override", - "T1207": "Rogue Domain Controller", - "T1014": "Rootkit", - "T1564.006": "Hide Artifacts::Run Virtual Instance", - "T1218.011": "Signed Binary Proxy Execution::Rundll32", - "T1134.005": "Access Token Manipulation::SID-History Injection", - "T1553.003": "Subvert Trust Controls::SIP and Trust Provider Hijacking", - "T1562.009": "Impair Defenses::Safe Mode Boot", - "T1574.010": "Hijack Execution Flow::Services File Permissions Weakness", - "T1574.011": "Hijack Execution Flow::Services Registry Permissions Weakness", - "T1548.001": "Abuse Elevation Control Mechanism::Setuid and Setgid", - "T1218": "Signed Binary Proxy Execution", - "T1216": "Signed Script Proxy Execution", - "T1027.002": "Obfuscated Files or Information::Software Packing", - "T1036.006": "Masquerading::Space after Filename", - "T1027.003": "Obfuscated Files or Information::Steganography", - "T1553": "Subvert Trust Controls", - "T1548.003": "Abuse Elevation Control Mechanism::Sudo and Sudo Caching", - "T1497.001": "Virtualization/Sandbox Evasion::System Checks", - "T1542.001": "Pre-OS Boot::System Firmware", - "T1542.005": "Pre-OS Boot::TFTP Boot", - "T1221": "Template Injection", - "T1055.003": "Process Injection::Thread Execution Hijacking", - "T1055.005": "Process Injection::Thread Local Storage", - "T1497.003": "Virtualization/Sandbox Evasion::Time Based Evasion", - "T1070.006": "Indicator 
Removal on Host::Timestomp", - "T1134.001": "Access Token Manipulation::Token Impersonation/Theft", - "T1205": "Traffic Signaling", - "T1127": "Trusted Developer Utilities Proxy Execution", - "T1535": "Unused/Unsupported Cloud Regions", - "T1550": "Use Alternate Authentication Material", - "T1497.002": "Virtualization/Sandbox Evasion::User Activity Based Checks", - "T1564.007": "Hide Artifacts::VBA Stomping", - "T1055.014": "Process Injection::VDSO Hijacking", - "T1078": "Valid Accounts", - "T1218.012": "Signed Binary Proxy Execution::Verclsid", - "T1497": "Virtualization/Sandbox Evasion", - "T1600": "Weaken Encryption", - "T1550.004": "Use Alternate Authentication Material::Web Session Cookie", - "T1222.001": "File and Directory Permissions Modification::Windows File and Directory Permissions Modification", - "T1220": "XSL Script Processing" - }, - "Credential Access": { - "T1003.008": "OS Credential Dumping::/etc/passwd and /etc/shadow", - "T1557.002": "Adversary-in-the-Middle::ARP Cache Poisoning", - "T1558.004": "Steal or Forge Kerberos Tickets::AS-REP Roasting", - "T1557": "Adversary-in-the-Middle", - "T1552.003": "Unsecured Credentials::Bash History", - "T1110": "Brute Force", - "T1003.005": "OS Credential Dumping::Cached Domain Credentials", - "T1552.005": "Unsecured Credentials::Cloud Instance Metadata API", - "T1552.007": "Unsecured Credentials::Container API", - "T1056.004": "Input Capture::Credential API Hooking", - "T1110.004": "Brute Force::Credential Stuffing", - "T1552.001": "Unsecured Credentials::Credentials In Files", - "T1555": "Credentials from Password Stores", - "T1555.003": "Credentials from Password Stores::Credentials from Web Browsers", - "T1552.002": "Unsecured Credentials::Credentials in Registry", - "T1003.006": "OS Credential Dumping::DCSync", - "T1556.001": "Modify Authentication Process::Domain Controller Authentication", - "T1212": "Exploitation for Credential Access", - "T1187": "Forced Authentication", - "T1606": "Forge Web 
Credentials", - "T1056.002": "Input Capture::GUI Input Capture", - "T1558.001": "Steal or Forge Kerberos Tickets::Golden Ticket", - "T1552.006": "Unsecured Credentials::Group Policy Preferences", - "T1056": "Input Capture", - "T1558.003": "Steal or Forge Kerberos Tickets::Kerberoasting", - "T1555.001": "Credentials from Password Stores::Keychain", - "T1056.001": "Input Capture::Keylogging", - "T1557.001": "Adversary-in-the-Middle::LLMNR/NBT-NS Poisoning and SMB Relay", - "T1003.004": "OS Credential Dumping::LSA Secrets", - "T1003.001": "OS Credential Dumping::LSASS Memory", - "T1556": "Modify Authentication Process", - "T1003.003": "OS Credential Dumping::NTDS", - "T1556.004": "Modify Authentication Process::Network Device Authentication", - "T1040": "Network Sniffing", - "T1003": "OS Credential Dumping", - "T1110.002": "Brute Force::Password Cracking", - "T1556.002": "Modify Authentication Process::Password Filter DLL", - "T1110.001": "Brute Force::Password Guessing", - "T1555.005": "Credentials from Password Stores::Password Managers", - "T1110.003": "Brute Force::Password Spraying", - "T1556.003": "Modify Authentication Process::Pluggable Authentication Modules", - "T1552.004": "Unsecured Credentials::Private Keys", - "T1003.007": "OS Credential Dumping::Proc Filesystem", - "T1606.002": "Forge Web Credentials::SAML Tokens", - "T1003.002": "OS Credential Dumping::Security Account Manager", - "T1555.002": "Credentials from Password Stores::Securityd Memory", - "T1558.002": "Steal or Forge Kerberos Tickets::Silver Ticket", - "T1528": "Steal Application Access Token", - "T1539": "Steal Web Session Cookie", - "T1558": "Steal or Forge Kerberos Tickets", - "T1111": "Two-Factor Authentication Interception", - "T1552": "Unsecured Credentials", - "T1606.001": "Forge Web Credentials::Web Cookies", - "T1056.003": "Input Capture::Web Portal Capture", - "T1555.004": "Credentials from Password Stores::Windows Credential Manager" - }, - "Discovery": { - "T1087": "Account 
Discovery", - "T1010": "Application Window Discovery", - "T1217": "Browser Bookmark Discovery", - "T1087.004": "Account Discovery::Cloud Account", - "T1069.003": "Permission Groups Discovery::Cloud Groups", - "T1580": "Cloud Infrastructure Discovery", - "T1538": "Cloud Service Dashboard", - "T1526": "Cloud Service Discovery", - "T1619": "Cloud Storage Object Discovery", - "T1613": "Container and Resource Discovery", - "T1087.002": "Account Discovery::Domain Account", - "T1069.002": "Permission Groups Discovery::Domain Groups", - "T1482": "Domain Trust Discovery", - "T1087.003": "Account Discovery::Email Account", - "T1083": "File and Directory Discovery", - "T1615": "Group Policy Discovery", - "T1016.001": "System Network Configuration Discovery::Internet Connection Discovery", - "T1087.001": "Account Discovery::Local Account", - "T1069.001": "Permission Groups Discovery::Local Groups", - "T1046": "Network Service Scanning", - "T1135": "Network Share Discovery", - "T1040": "Network Sniffing", - "T1201": "Password Policy Discovery", - "T1120": "Peripheral Device Discovery", - "T1069": "Permission Groups Discovery", - "T1057": "Process Discovery", - "T1012": "Query Registry", - "T1018": "Remote System Discovery", - "T1518.001": "Software Discovery::Security Software Discovery", - "T1518": "Software Discovery", - "T1497.001": "Virtualization/Sandbox Evasion::System Checks", - "T1082": "System Information Discovery", - "T1614.001": "System Location Discovery::System Language Discovery", - "T1614": "System Location Discovery", - "T1016": "System Network Configuration Discovery", - "T1049": "System Network Connections Discovery", - "T1033": "System Owner/User Discovery", - "T1007": "System Service Discovery", - "T1124": "System Time Discovery", - "T1497.003": "Virtualization/Sandbox Evasion::Time Based Evasion", - "T1497.002": "Virtualization/Sandbox Evasion::User Activity Based Checks", - "T1497": "Virtualization/Sandbox Evasion" - }, - "Lateral Movement": { - 
"T1550.001": "Use Alternate Authentication Material::Application Access Token", - "T1021.003": "Remote Services::Distributed Component Object Model", - "T1210": "Exploitation of Remote Services", - "T1534": "Internal Spearphishing", - "T1570": "Lateral Tool Transfer", - "T1550.002": "Use Alternate Authentication Material::Pass the Hash", - "T1550.003": "Use Alternate Authentication Material::Pass the Ticket", - "T1563.002": "Remote Service Session Hijacking::RDP Hijacking", - "T1021.001": "Remote Services::Remote Desktop Protocol", - "T1563": "Remote Service Session Hijacking", - "T1021": "Remote Services", - "T1091": "Replication Through Removable Media", - "T1021.002": "Remote Services::SMB/Windows Admin Shares", - "T1021.004": "Remote Services::SSH", - "T1563.001": "Remote Service Session Hijacking::SSH Hijacking", - "T1072": "Software Deployment Tools", - "T1080": "Taint Shared Content", - "T1550": "Use Alternate Authentication Material", - "T1021.005": "Remote Services::VNC", - "T1550.004": "Use Alternate Authentication Material::Web Session Cookie", - "T1021.006": "Remote Services::Windows Remote Management" - }, - "Collection": { - "T1557.002": "Adversary-in-the-Middle::ARP Cache Poisoning", - "T1557": "Adversary-in-the-Middle", - "T1560": "Archive Collected Data", - "T1560.003": "Archive Collected Data::Archive via Custom Method", - "T1560.002": "Archive Collected Data::Archive via Library", - "T1560.001": "Archive Collected Data::Archive via Utility", - "T1123": "Audio Capture", - "T1119": "Automated Collection", - "T1185": "Browser Session Hijacking", - "T1115": "Clipboard Data", - "T1213.003": "Data from Information Repositories::Code Repositories", - "T1213.001": "Data from Information Repositories::Confluence", - "T1056.004": "Input Capture::Credential API Hooking", - "T1074": "Data Staged", - "T1530": "Data from Cloud Storage Object", - "T1602": "Data from Configuration Repository", - "T1213": "Data from Information Repositories", - "T1005": "Data 
from Local System", - "T1039": "Data from Network Shared Drive", - "T1025": "Data from Removable Media", - "T1114": "Email Collection", - "T1114.003": "Email Collection::Email Forwarding Rule", - "T1056.002": "Input Capture::GUI Input Capture", - "T1056": "Input Capture", - "T1056.001": "Input Capture::Keylogging", - "T1557.001": "Adversary-in-the-Middle::LLMNR/NBT-NS Poisoning and SMB Relay", - "T1074.001": "Data Staged::Local Data Staging", - "T1114.001": "Email Collection::Local Email Collection", - "T1602.002": "Data from Configuration Repository::Network Device Configuration Dump", - "T1074.002": "Data Staged::Remote Data Staging", - "T1114.002": "Email Collection::Remote Email Collection", - "T1602.001": "Data from Configuration Repository::SNMP (MIB Dump)", - "T1113": "Screen Capture", - "T1213.002": "Data from Information Repositories::Sharepoint", - "T1125": "Video Capture", - "T1056.003": "Input Capture::Web Portal Capture" - }, - "Command and Control": { - "T1071": "Application Layer Protocol", - "T1573.002": "Encrypted Channel::Asymmetric Cryptography", - "T1102.002": "Web Service::Bidirectional Communication", - "T1092": "Communication Through Removable Media", - "T1071.004": "Application Layer Protocol::DNS", - "T1568.003": "Dynamic Resolution::DNS Calculation", - "T1132": "Data Encoding", - "T1001": "Data Obfuscation", - "T1102.001": "Web Service::Dead Drop Resolver", - "T1090.004": "Proxy::Domain Fronting", - "T1568.002": "Dynamic Resolution::Domain Generation Algorithms", - "T1568": "Dynamic Resolution", - "T1573": "Encrypted Channel", - "T1090.002": "Proxy::External Proxy", - "T1008": "Fallback Channels", - "T1568.001": "Dynamic Resolution::Fast Flux DNS", - "T1071.002": "Application Layer Protocol::File Transfer Protocols", - "T1105": "Ingress Tool Transfer", - "T1090.001": "Proxy::Internal Proxy", - "T1001.001": "Data Obfuscation::Junk Data", - "T1071.003": "Application Layer Protocol::Mail Protocols", - "T1104": "Multi-Stage Channels", - 
"T1090.003": "Proxy::Multi-hop Proxy", - "T1095": "Non-Application Layer Protocol", - "T1132.002": "Data Encoding::Non-Standard Encoding", - "T1571": "Non-Standard Port", - "T1102.003": "Web Service::One-Way Communication", - "T1205.001": "Traffic Signaling::Port Knocking", - "T1001.003": "Data Obfuscation::Protocol Impersonation", - "T1572": "Protocol Tunneling", - "T1090": "Proxy", - "T1219": "Remote Access Software", - "T1132.001": "Data Encoding::Standard Encoding", - "T1001.002": "Data Obfuscation::Steganography", - "T1573.001": "Encrypted Channel::Symmetric Cryptography", - "T1205": "Traffic Signaling", - "T1071.001": "Application Layer Protocol::Web Protocols", - "T1102": "Web Service" - }, - "Exfiltration": { - "T1020": "Automated Exfiltration", - "T1030": "Data Transfer Size Limits", - "T1048": "Exfiltration Over Alternative Protocol", - "T1048.002": "Exfiltration Over Alternative Protocol::Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", - "T1011.001": "Exfiltration Over Other Network Medium::Exfiltration Over Bluetooth", - "T1041": "Exfiltration Over C2 Channel", - "T1011": "Exfiltration Over Other Network Medium", - "T1052": "Exfiltration Over Physical Medium", - "T1048.001": "Exfiltration Over Alternative Protocol::Exfiltration Over Symmetric Encrypted Non-C2 Protocol", - "T1048.003": "Exfiltration Over Alternative Protocol::Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", - "T1567": "Exfiltration Over Web Service", - "T1052.001": "Exfiltration Over Physical Medium::Exfiltration over USB", - "T1567.002": "Exfiltration Over Web Service::Exfiltration to Cloud Storage", - "T1567.001": "Exfiltration Over Web Service::Exfiltration to Code Repository", - "T1029": "Scheduled Transfer", - "T1020.001": "Automated Exfiltration::Traffic Duplication", - "T1537": "Transfer Data to Cloud Account" - }, - "Impact": { - "T1531": "Account Access Removal", - "T1499.003": "Endpoint Denial of Service::Application Exhaustion Flood", - "T1499.004": 
"Endpoint Denial of Service::Application or System Exploitation", - "T1485": "Data Destruction", - "T1486": "Data Encrypted for Impact", - "T1565": "Data Manipulation", - "T1491": "Defacement", - "T1498.001": "Network Denial of Service::Direct Network Flood", - "T1561.001": "Disk Wipe::Disk Content Wipe", - "T1561.002": "Disk Wipe::Disk Structure Wipe", - "T1561": "Disk Wipe", - "T1499": "Endpoint Denial of Service", - "T1491.002": "Defacement::External Defacement", - "T1495": "Firmware Corruption", - "T1490": "Inhibit System Recovery", - "T1491.001": "Defacement::Internal Defacement", - "T1498": "Network Denial of Service", - "T1499.001": "Endpoint Denial of Service::OS Exhaustion Flood", - "T1498.002": "Network Denial of Service::Reflection Amplification", - "T1496": "Resource Hijacking", - "T1565.003": "Data Manipulation::Runtime Data Manipulation", - "T1499.002": "Endpoint Denial of Service::Service Exhaustion Flood", - "T1489": "Service Stop", - "T1565.001": "Data Manipulation::Stored Data Manipulation", - "T1529": "System Shutdown/Reboot", - "T1565.002": "Data Manipulation::Transmitted Data Manipulation" + "mbc": { + "Anti-Behavioral Analysis": { + "B0007.009": "Sandbox Detection::Timing/Uptime Check", + "B0001.001": "Debugger Detection::API Hook Detection", + "B0007.005": "Sandbox Detection::Product Key/ID Testing", + "B0002.005": "Debugger Evasion::Code Integrity Check", + "B0001.035": "Debugger Detection::Process Environment Block BeingDebugged", + "B0007.004": "Sandbox Detection::Injected DLL Testing", + "B0005.003": "Emulator Evasion::Unusual/Undocumented API Calls", + "B0001.024": "Debugger Detection::SetHandleInformation", + "B0009.016": "Virtual Machine Detection::Modern Specs Check - USB drive", + "B0009.028": "Virtual Machine Detection::Unique Hardware/Firmware Check - MAC Address", + "F0003.003": "Hooking::Hook procedures", + "B0009.014": "Virtual Machine Detection::Modern Specs Check - Total physical memory", + "B0002.010": "Debugger 
Evasion::Import Obfuscation", + "F0001.010": "Software Packing::VMProtect", + "E1480.m07": "Execution Guardrails::Runs as Service", + "B0001.003": "Debugger Detection::CloseHandle", + "B0009.025": "Virtual Machine Detection::Unique Hardware/Firmware Check - I/O Communication Port", + "B0004": "Emulator Detection", + "B0009.006": "Virtual Machine Detection::Check Running Services", + "B0002.013": "Debugger Evasion::Malloc Use", + "B0009.015": "Virtual Machine Detection::Modern Specs Check - Drive size", + "B0001.017": "Debugger Detection::Page Exception Breakpoint Detection", + "B0009.004": "Virtual Machine Detection::Check Processes", + "B0001.012": "Debugger Detection::NtQueryInformationProcess", + "B0002.029": "Debugger Evasion::Thread Timeout", + "B0036.001": "Capture Evasion::Memory-only Payload", + "B0036": "Capture Evasion", + "B0005.004": "Emulator Evasion::Extra Loops/Time Locks", + "B0009.009": "Virtual Machine Detection::Check Windows", + "B0007": "Sandbox Detection", + "B0009.037": "Virtual Machine Detection::Instruction Testing - VMCPUID", + "B0006.009": "Memory Dump Evasion::Flow Opcode Obstruction", + "B0002.001": "Debugger Evasion::Block Interrupts", + "B0006.002": "Memory Dump Evasion::Erase the PE header", + "B0009.034": "Virtual Machine Detection::Instruction Testing - CPUID", + "B0003": "Dynamic Analysis Evasion", + "E1480.m06": "Execution Guardrails::Token Check", + "B0007.001": "Sandbox Detection::Check Clipboard Data", + "B0001.037": "Debugger Detection::Process Environment Block IsDebugged", + "B0006.001": "Memory Dump Evasion::Code Encryption in Memory", + "E1480.m05": "Execution Guardrails::Secure Triggers", + "F0001.011": "Software Packing::Themida", + "B0001.019": "Debugger Detection::Process Environment Block", + "B0002.025": "Debugger Evasion::Self-Unmapping", + "B0002.018": "Debugger Evasion::Pipeline Misdirection", + "B0002.030": "Debugger Evasion::Use Interrupts", + "B0002.023": "Debugger Evasion::Section Misalignment", + 
"F0001.002": "Software Packing::Standard Compression", + "B0005.001": "Emulator Evasion::Different Opcode Sets", + "B0009.003": "Virtual Machine Detection::Check Named System Objects", + "B0009.002": "Virtual Machine Detection::Check Memory Artifacts", + "B0003.003": "Dynamic Analysis Evasion::Delayed Execution", + "B0003.010": "Dynamic Analysis Evasion::Restart", + "B0002.002": "Debugger Evasion::Break Point Clearing", + "B0008": "Executable Code Virtualization", + "B0001.027": "Debugger Detection::TIB Aware", + "F0001.007": "Software Packing::Custom Compression of Data", + "B0001.004": "Debugger Detection::Debugger Artifacts", + "B0009.031": "Virtual Machine Detection::Instruction Testing - SGDT/SLDT (no pill)", + "B0036.002": "Capture Evasion::Encrypted Payloads", + "E1480.m03": "Execution Guardrails::GetVolumeInformation", + "B0001.028": "Debugger Detection::Timing/Delay Check", + "F0001.004": "Software Packing::Standard Compression of Data", + "B0001.005": "Debugger Detection::Hardware Breakpoints", + "F0001.003": "Software Packing::Standard Compression of Code", + "B0002.007": "Debugger Evasion::Get Base Indirectly", + "B0009": "Virtual Machine Detection", + "B0005": "Emulator Evasion", + "B0003.002": "Dynamic Analysis Evasion::Data Flood", + "B0001.023": "Debugger Detection::SeDebugPrivilege", + "B0002.016": "Debugger Evasion::Obfuscate Library Use", + "B0007.006": "Sandbox Detection::Screen Resolution Testing", + "F0003.005": "Hooking::Inline Hooking", + "B0009.036": "Virtual Machine Detection::Instruction Testing - RDTSC", + "B0006.004": "Memory Dump Evasion::SizeOfImage", + "B0003.005": "Dynamic Analysis Evasion::Drop Code", + "B0006.008": "Memory Dump Evasion::Feed Misinformation", + "B0009.010": "Virtual Machine Detection::Guest Process Testing", + "B0002.020": "Debugger Evasion::Relocate API Code", + "B0006": "Memory Dump Evasion", + "B0001.016": "Debugger Detection::OutputDebugString", + "B0002.011": "Debugger Evasion::Inlining", + "B0009.012": 
"Virtual Machine Detection::Human User Check", + "B0002.012": "Debugger Evasion::Loop Escapes", + "F0001.013": "Software Packing::ASPack", + "B0009.013": "Virtual Machine Detection::Modern Specs Check", + "F0001.008": "Software Packing::UPX", + "B0001.029": "Debugger Detection::TLS Callbacks", + "F0001.012": "Software Packing::Armadillo", + "F0003.001": "Hooking::Patch MmGetPhysicalMemoryRanges", + "B0001.014": "Debugger Detection::NtSetInformationThread", + "B0001.025": "Debugger Detection::Software Breakpoints", + "B0003.009": "Dynamic Analysis Evasion::Illusion", + "B0008.001": "Executable Code Virtualization::Multiple VMs", + "B0001.011": "Debugger Detection::Monitoring Thread", + "B0002.022": "Debugger Evasion::RtlAdjustPrivilege", + "B0001.013": "Debugger Detection::NtQueryObject", + "B0009.018": "Virtual Machine Detection::Modern Specs Check - Processor count", + "E1480": "Execution Guardrails", + "B0001": "Debugger Detection", + "B0002.015": "Debugger Evasion::Nanomites", + "B0002.024": "Debugger Evasion::Self-Debugging", + "B0004.002": "Emulator Detection::Check for WINE Version", + "B0001.015": "Debugger Detection::NtYieldExecution/SwitchToThread", + "B0009.005": "Virtual Machine Detection::Check Registry Keys", + "B0001.006": "Debugger Detection::Interrupt 0x2d", + "B0009.011": "Virtual Machine Detection::HTML5 Performance Object Check", + "B0001.018": "Debugger Detection::Parent Process", + "B0009.008": "Virtual Machine Detection::Check Virtual Devices", + "B0009.022": "Virtual Machine Detection::Check Windows - Title bars", + "B0009.023": "Virtual Machine Detection::Unique Hardware/Firmware Check", + "B0004.001": "Emulator Detection::Check for Emulator-related Files", + "B0001.036": "Debugger Detection::Process Environment Block NtGlobalFlag", + "B0009.026": "Virtual Machine Detection::Unique Hardware/Firmware Check - CPU Name", + "B0007.002": "Sandbox Detection::Check Files", + "F0001.006": "Software Packing::Custom Compression of Code", + 
"B0003.007": "Dynamic Analysis Evasion::Hook File System", + "B0009.032": "Virtual Machine Detection::Instruction Testing - SMSW", + "F0003.002": "Hooking::Hook memory mapping APIs", + "B0009.007": "Virtual Machine Detection::Check Software", + "B0001.026": "Debugger Detection::Stack Canary", + "B0009.020": "Virtual Machine Detection::Check Windows - Window size", + "E1480.m04": "Execution Guardrails::Host Fingerprint Check", + "B0006.005": "Memory Dump Evasion::Tampering", + "B0001.034": "Debugger Detection::Anti-debugging Instructions", + "B0007.008": "Sandbox Detection::Timing/Date Check", + "B0001.030": "Debugger Detection::UnhandledExceptionFilter", + "B0002.026": "Debugger Evasion::Static Linking", + "B0001.002": "Debugger Detection::CheckRemoteDebuggerPresent", + "B0002.004": "Debugger Evasion::Change SizeOfImage", + "B0009.017": "Virtual Machine Detection::Modern Specs Check - Printer", + "B0002.006": "Debugger Evasion::Exception Misdirection", + "B0009.021": "Virtual Machine Detection::Check Windows - Unique windows", + "B0003.008": "Dynamic Analysis Evasion::Hook Interrupt", + "F0001.001": "Software Packing::Nested Packing", + "B0001.007": "Debugger Detection::Interrupt 1", + "B0001.032": "Debugger Detection::Timing/Delay Check GetTickCount", + "B0001.031": "Debugger Detection::WudfIsAnyDebuggerPresent", + "B0009.038": "Virtual Machine Detection::Instruction Testing - VPCEXT", + "B0002": "Debugger Evasion", + "B0009.024": "Virtual Machine Detection::Unique Hardware/Firmware Check - BIOS", + "B0003.006": "Dynamic Analysis Evasion::Encode File", + "B0006.007": "Memory Dump Evasion::On-the-Fly APIs", + "B0009.019": "Virtual Machine Detection::Modern Specs Check - Keyboard layout", + "B0009.033": "Virtual Machine Detection::Instruction Testing - STR", + "E1480.m01": "Execution Guardrails::Deposited Keys", + "F0003": "Hooking", + "E1480.m02": "Execution Guardrails::Environmental Keys", + "B0009.001": "Virtual Machine Detection::Check File and Directory 
Artifacts", + "F0003.004": "Hooking::Import Address Hooking (IAT) Hooking", + "B0002.014": "Debugger Evasion::Modify PE Header", + "B0003.001": "Dynamic Analysis Evasion::Alternative ntdll.dll", + "B0002.003": "Debugger Evasion::Byte Stealing", + "B0009.035": "Virtual Machine Detection::Instruction Testing - IN", + "B0009.030": "Virtual Machine Detection::Instruction Testing - SIDT (red pill)", + "B0001.021": "Debugger Detection::ProcessHeap", + "B0007.007": "Sandbox Detection::Self Check", + "B0002.027": "Debugger Evasion::Stolen API Code", + "B0004.003": "Emulator Detection::Check Emulator-related Registry Keys", + "B0009.029": "Virtual Machine Detection::Instruction Testing", + "B0002.017": "Debugger Evasion::Parallel Threads", + "B0005.002": "Emulator Evasion::Undocumented Opcodes", + "F0001.005": "Software Packing::Custom Compression", + "B0002.021": "Debugger Evasion::Return Obfuscation", + "B0009.027": "Virtual Machine Detection::Unique Hardware/Firmware Check - CPU Location", + "B0006.003": "Memory Dump Evasion::Hide virtual memory", + "B0001.009": "Debugger Detection::Memory Breakpoints", + "B0001.010": "Debugger Detection::Memory Write Watching", + "B0036.003": "Capture Evasion::Multiple Stages of Loaders", + "B0003.004": "Dynamic Analysis Evasion::Demo Mode", + "B0004.004": "Emulator Detection::Failed Network Connections", + "B0001.008": "Debugger Detection::IsDebuggerPresent", + "B0001.033": "Debugger Detection::Timing/Delay Check QueryPerformanceCounter", + "F0001.009": "Software Packing::Confuser", + "B0002.019": "Debugger Evasion::Pre-Debug", + "F0001": "Software Packing", + "B0001.020": "Debugger Detection::Process Jobs" + }, + "Anti-Static Analysis": { + "B0032.004": "Executable Code Obfuscation::Fake Code Insertion", + "B0032.009": "Executable Code Obfuscation::Entry Point Obfuscation", + "B0032.014": "Executable Code Obfuscation::Interleaving Code", + "F0001.010": "Software Packing::VMProtect", + "B0032.001": "Executable Code Obfuscation::API 
Hashing", + "B0032.017": "Executable Code Obfuscation::Stack Strings", + "B0032.006": "Executable Code Obfuscation::Thunk Code Insertion", + "B0032.002": "Executable Code Obfuscation::Code Insertion", + "B0034.002": "Executable Code Optimization::Minification", + "F0001.011": "Software Packing::Themida", + "B0032.010": "Executable Code Obfuscation::Guard Pages", + "B0032.013": "Executable Code Obfuscation::Instruction Overlap", + "B0032.015": "Executable Code Obfuscation::Merged Code Sections", + "F0001.002": "Software Packing::Standard Compression", + "B0032.003": "Executable Code Obfuscation::Dead Code Insertion", + "B0008": "Executable Code Virtualization", + "F0001.007": "Software Packing::Custom Compression of Data", + "B0012": "Disassembler Evasion", + "B0010.002": "Call Graph Generation Evasion::Invoke NTDLL System Calls via Encoded Table", + "B0012.002": "Disassembler Evasion::Conditional Misdirection", + "F0001.004": "Software Packing::Standard Compression of Data", + "F0001.003": "Software Packing::Standard Compression of Code", + "B0032.007": "Executable Code Obfuscation::Junk Code Insertion", + "B0032.008": "Executable Code Obfuscation::Data Value Obfuscation", + "B0012.003": "Disassembler Evasion::Value Dependent Jumps", + "B0012.005": "Disassembler Evasion::VBA Stomping", + "B0012.001": "Disassembler Evasion::Argument Obfuscation", + "E1027.m08": "Obfuscated Files or Information::Encryption-Custom Algorithm", + "F0001.013": "Software Packing::ASPack", + "F0001.008": "Software Packing::UPX", + "F0001.012": "Software Packing::Armadillo", + "B0008.001": "Executable Code Virtualization::Multiple VMs", + "B0032": "Executable Code Obfuscation", + "E1027.m03": "Obfuscated Files or Information::Encoding-Custom Algorithm", + "B0032.012": "Executable Code Obfuscation::Import Compression", + "F0001.006": "Software Packing::Custom Compression of Code", + "E1027": "Obfuscated Files or Information", + "B0032.016": "Executable Code Obfuscation::Structured Exception 
Handling (SEH)", + "B0032.005": "Executable Code Obfuscation::Jump Insertion", + "E1027.m05": "Obfuscated Files or Information::Encryption-Standard Algorithm", + "B0010.001": "Call Graph Generation Evasion::Two-layer Function Return", + "F0001.001": "Software Packing::Nested Packing", + "B0034": "Executable Code Optimization", + "B0010": "Call Graph Generation Evasion", + "B0032.011": "Executable Code Obfuscation::Import Address Table Obfuscation", + "B0034.001": "Executable Code Optimization::Jump/Call Absolute Address", + "B0012.004": "Disassembler Evasion::Variable Recomposition", + "E1027.m06": "Obfuscated Files or Information::Encryption of Code", + "F0001.005": "Software Packing::Custom Compression", + "B0032.018": "Executable Code Obfuscation::Symbol Obfuscation", + "E1027.m02": "Obfuscated Files or Information::Encoding-Standard Algorithm", + "E1027.m07": "Obfuscated Files or Information::Encryption of Data", + "F0001.009": "Software Packing::Confuser", + "F0001": "Software Packing" + }, + "Collection": { + "F0003.003": "Hooking::Hook procedures", + "E1056": "Input Capture", + "F0002.001": "Keylogging::Application Hook", + "E1056.m01": "Input Capture::Mouse Events", + "B0028.002": "Cryptocurrency::Ethereum", + "F0003.005": "Hooking::Inline Hooking", + "F0002": "Keylogging", + "F0003.001": "Hooking::Patch MmGetPhysicalMemoryRanges", + "B0028": "Cryptocurrency", + "F0002.002": "Keylogging::Polling", + "F0003.002": "Hooking::Hook memory mapping APIs", + "F0003": "Hooking", + "F0003.004": "Hooking::Import Address Hooking (IAT) Hooking", + "E1113.m01": "Screen Capture::WinAPI", + "E1113": "Screen Capture", + "B0028.001": "Cryptocurrency::Bitcoin", + "B0028.003": "Cryptocurrency::Zcash" + }, + "Command and Control": { + "B0030.001": "C2 Communication::Send Data", + "B0030.010": "C2 Communication::Request Email Address List", + "B0030": "C2 Communication", + "B0030.005": "C2 Communication::Check for Payload", + "B0030.008": "C2 Communication::Request Command", + 
"B0031": "Domain Name Generation", + "B0030.002": "C2 Communication::Receive Data", + "B0030.007": "C2 Communication::Send Heartbeat", + "E1105": "Remote File Copy", + "B0030.009": "C2 Communication::Request Email Template", + "B0030.004": "C2 Communication::Client to Server File Transfer", + "B0030.003": "C2 Communication::Server to Client File Transfer", + "B0030.006": "C2 Communication::Send System Information" + }, + "Credential Access": { + "F0003.003": "Hooking::Hook procedures", + "E1056": "Input Capture", + "F0002.001": "Keylogging::Application Hook", + "E1056.m01": "Input Capture::Mouse Events", + "B0028.002": "Cryptocurrency::Ethereum", + "F0003.005": "Hooking::Inline Hooking", + "F0002": "Keylogging", + "F0003.001": "Hooking::Patch MmGetPhysicalMemoryRanges", + "B0028": "Cryptocurrency", + "F0002.002": "Keylogging::Polling", + "F0003.002": "Hooking::Hook memory mapping APIs", + "F0003": "Hooking", + "F0003.004": "Hooking::Import Address Hooking (IAT) Hooking", + "E1113.m01": "Screen Capture::WinAPI", + "E1113": "Screen Capture", + "B0028.001": "Cryptocurrency::Bitcoin", + "B0028.003": "Cryptocurrency::Zcash" + }, + "Defense Evasion": { + "F0009.001": "Component Firmware::Router Firmware", + "E1014.m05": "Rootkit::Hide Userspace Libraries", + "F0003.003": "Hooking::Hook procedures", + "F0004.007": "Disable or Evade Security Tools::Bypass Windows File Protection", + "F0001.010": "Software Packing::VMProtect", + "E1480.m07": "Execution Guardrails::Runs as Service", + "F0005.002": "Hidden Files and Directories::Location", + "E1014.m04": "Rootkit::Hide Threads", + "E1014.m06": "Rootkit::Prevent API Unhooking", + "F0004.008": "Disable or Evade Security Tools::Heavens Gate", + "B0040.001": "Covert Location::Hide Data in Registry", + "F0005": "Hidden Files and Directories", + "E1055": "Process Injection", + "E1480.m06": "Execution Guardrails::Token Check", + "B0029.001": "Polymorphic Code::Packer Stub", + "E1480.m05": "Execution Guardrails::Secure Triggers", + 
"F0001.011": "Software Packing::Themida", + "F0007.001": "Self Deletion::COMSPEC Environment Variable", + "F0001.002": "Software Packing::Standard Compression", + "E1014.m11": "Rootkit::Prevent Memory Access", + "F0013": "Bootkit", + "F0004.004": "Disable or Evade Security Tools::AMSI Bypass", + "F0001.007": "Software Packing::Custom Compression of Data", + "B0029.002": "Polymorphic Code::Call Indirections", + "E1480.m03": "Execution Guardrails::GetVolumeInformation", + "F0001.004": "Software Packing::Standard Compression of Data", + "F0001.003": "Software Packing::Standard Compression of Code", + "E1478": "Install Insecure or Malicious Configuration", + "E1014.m09": "Rootkit::Prevent File Access", + "B0040.002": "Covert Location::Steganography", + "F0009": "Component Firmware", + "B0027.002": "Alternative Installation Location::Registry Install", + "F0003.005": "Hooking::Inline Hooking", + "E1014.m07": "Rootkit::Prevent Registry Access", + "B0037": "Bypass Data Execution Prevention", + "B0029.003": "Polymorphic Code::Code Reordering", + "E1027.m08": "Obfuscated Files or Information::Encryption-Custom Algorithm", + "F0007": "Self Deletion", + "B0027": "Alternative Installation Location", + "F0001.013": "Software Packing::ASPack", + "F0001.008": "Software Packing::UPX", + "F0001.012": "Software Packing::Armadillo", + "E1014.m08": "Rootkit::Prevent Registry Deletion", + "F0003.001": "Hooking::Patch MmGetPhysicalMemoryRanges", + "E1027.m03": "Obfuscated Files or Information::Encoding-Custom Algorithm", + "E1480": "Execution Guardrails", + "F0004.002": "Disable or Evade Security Tools::Disable System File Overwrite Protection", + "F0005.004": "Hidden Files and Directories::Timestamp", + "E1014.m10": "Rootkit::Prevent File Deletion", + "F0005.001": "Hidden Files and Directories::Extension", + "F0001.006": "Software Packing::Custom Compression of Code", + "E1014.m02": "Rootkit::Hide Services", + "F0003.002": "Hooking::Hook memory mapping APIs", + "E1055.m02": "Process 
Injection::Injection and Persistence via Registry Modification", + "E1480.m04": "Execution Guardrails::Host Fingerprint Check", + "F0004.001": "Disable or Evade Security Tools::Disable Kernel Patch Protection", + "B0027.001": "Alternative Installation Location::Fileless Malware", + "F0004.006": "Disable or Evade Security Tools::Force Lazy Writing", + "E1055.m03": "Process Injection::Injection using Shims", + "E1027": "Obfuscated Files or Information", + "E1014.m12": "Rootkit::Prevent Native API Hooking", + "B0037.001": "Bypass Data Execution Prevention::ROP Chains", + "E1027.m05": "Obfuscated Files or Information::Encryption-Standard Algorithm", + "F0001.001": "Software Packing::Nested Packing", + "E1014": "Rootkit", + "F0004.005": "Disable or Evade Security Tools::Modify Policy", + "E1014.m01": "Rootkit::Hide Kernel Modules", + "E1480.m01": "Execution Guardrails::Deposited Keys", + "E1112": "Modify Registry", + "F0003": "Hooking", + "E1480.m02": "Execution Guardrails::Environmental Keys", + "F0003.004": "Hooking::Import Address Hooking (IAT) Hooking", + "F0004.003": "Disable or Evade Security Tools::Unhook APIs", + "F0005.003": "Hidden Files and Directories::Attribute", + "E1027.m06": "Obfuscated Files or Information::Encryption of Code", + "F0006": "Indicator Blocking", + "F0001.005": "Software Packing::Custom Compression", + "E1055.m01": "Process Injection::Hook Injection via SetWindowsHooksEx", + "B0040": "Covert Location", + "E1027.m02": "Obfuscated Files or Information::Encoding-Standard Algorithm", + "F0006.001": "Indicator Blocking::Remove SMS Warning Messages", + "B0029": "Polymorphic Code", + "F0004": "Disable or Evade Security Tools", + "E1027.m07": "Obfuscated Files or Information::Encryption of Data", + "F0001.009": "Software Packing::Confuser", + "F0001": "Software Packing" + }, + "Discovery": { + "E1010": "Application Window Discovery", + "B0043": "Taskbar Discovery", + "B0013.007": "Analysis Tool Discovery::Process detection - Sandboxes", + 
"B0013.001": "Analysis Tool Discovery::Process detection", + "B0013.009": "Analysis Tool Discovery::Known Window", + "B0013.003": "Analysis Tool Discovery::Process detection - SysInternals Suite Tools", + "B0013.006": "Analysis Tool Discovery::Process detection - PE Utilities", + "B0013.005": "Analysis Tool Discovery::Process detection - Process Utilities", + "B0013": "Analysis Tool Discovery", + "E1083.m01": "File and Directory Discovery::Log File", + "B0013.002": "Analysis Tool Discovery::Process detection - Debuggers", + "B0013.004": "Analysis Tool Discovery::Process detection - PCAP Utilities", + "B0014": "SMTP Connection Discovery", + "E1010.m01": "Application Window Discovery::Window Text", + "E1082": "System Information Discovery", + "E1083": "File and Directory Discovery", + "B0013.008": "Analysis Tool Discovery::Known File Location", + "B0038": "Self Discovery", + "E1082.m01": "System Information Discovery::Generate Windows Exception" + }, + "Execution": { + "E1203.m05": "Exploitation for Client Execution::Sysinternals", + "E1203.m06": "Exploitation for Client Execution::Windows Utilities", + "B0020": "Send Email", + "B0011.007": "Remote Commands::Upload File", + "E1203.m01": "Exploitation for Client Execution::Remote Desktop Protocols (RDP)", + "B0011.005": "Remote Commands::Sleep", + "B0021": "Send Poisoned Text Message", + "E1203.m02": "Exploitation for Client Execution::Java-based Web Servers", + "B0024": "Prevent Concurrent Execution", + "B0011.006": "Remote Commands::Uninstall", + "B0011.003": "Remote Commands::Execute", + "E1203.m03": "Exploitation for Client Execution::File Transfer Protocol (FTP) Servers", + "B0011.004": "Remote Commands::Shutdown", + "B0011": "Remote Commands", + "E1203": "Exploitation for Client Execution", + "E1204": "User Interaction", + "E1059": "Command and Scripting Interpreter", + "B0025": "Conditional Execution", + "B0011.002": "Remote Commands::Download File", + "B0023": "Install Additional Program", + "E1203.m04": 
"Exploitation for Client Execution::Red Hat JBoss Enterprise Products", + "B0025.001": "Conditional Execution::Suicide Exit" + }, + "Exfiltration": { + "E1560": "Archive Collected Data", + "E1560.m04": "Archive Collected Data::Encoding - Custom Encoding", + "E1020": "Automated Exfiltration", + "E1560.m06": "Archive Collected Data::Encryption - Custom Encryption", + "E1560.m05": "Archive Collected Data::Encryption - Standard Encryption", + "E1020.m01": "Automated Exfiltration::Exfiltrate via File Hosting Service", + "E1560.m03": "Archive Collected Data::Encoding - Standard Encoding", + "E1560.m02": "Archive Collected Data::Encryption", + "E1560.m01": "Archive Collected Data::Encoding" + }, + "Impact": { + "F0009.001": "Component Firmware::Router Firmware", + "B0017": "Destroy Hardware", + "E1203.m05": "Exploitation for Client Execution::Sysinternals", + "E1203.m06": "Exploitation for Client Execution::Windows Utilities", + "E1190": "Exploit Kit Behavior", + "F0014": "Disk Content Wipe", + "E1485": "Data Destruction", + "E1486": "Data Encrypted for Impact", + "F0014.001": "Disk Content Wipe::Delete Shadow Drive", + "E1203.m01": "Exploitation for Client Execution::Remote Desktop Protocols (RDP)", + "B0019": "Manipulate Network Traffic", + "E1203.m02": "Exploitation for Client Execution::Java-based Web Servers", + "E1485.m03": "Data Destruction::Delete Application/Software", + "F0009": "Component Firmware", + "E1203.m03": "Exploitation for Client Execution::File Transfer Protocol (FTP) Servers", + "E1472.m02": "Generate Fraudulent Advertising Revenue::Advertisement Replacement Fraud", + "E1203": "Exploitation for Client Execution", + "B0039": "Spamming", + "B0042": "Modify Hardware", + "B0018.002": "Resource Hijacking::Cryptojacking", + "B0042.003": "Modify Hardware::Printer", + "B0022.001": "Remote Access::Reverse Shell", + "B0018.001": "Resource Hijacking::Password Cracking", + "E1485.m02": "Data Destruction::Empty Recycle Bin", + "B0033": "Denial of Service", + 
"B0016": "Compromise Data Integrity", + "E1472.m01": "Generate Fraudulent Advertising Revenue::Click Hijacking", + "B0022": "Remote Access", + "B0042.001": "Modify Hardware::CDROM", + "B0042.002": "Modify Hardware::Mouse", + "E1510": "Clipboard Modification", + "E1203.m04": "Exploitation for Client Execution::Red Hat JBoss Enterprise Products", + "B0018": "Resource Hijacking", + "E1472": "Generate Fraudulent Advertising Revenue" + }, + "Lateral Movement": { + "E1195.m02": "Supply Chain Compromise::Exploit Private APIs", + "B0020": "Send Email", + "E1195": "Supply Chain Compromise", + "B0026": "Malicious Network Driver", + "B0021": "Send Poisoned Text Message", + "E1105": "Remote File Copy", + "E1195.m01": "Supply Chain Compromise::Abuse Enterprise Certificates" + }, + "Persistence": { + "F0009.001": "Component Firmware::Router Firmware", + "F0003.003": "Hooking::Hook procedures", + "F0005.002": "Hidden Files and Directories::Location", + "F0005": "Hidden Files and Directories", + "F0012": "Registry Run Keys / Startup Folder", + "B0026": "Malicious Network Driver", + "F0013": "Bootkit", + "F0011": "Modify Existing Service", + "E1478": "Install Insecure or Malicious Configuration", + "F0009": "Component Firmware", + "F0003.005": "Hooking::Inline Hooking", + "F0003.001": "Hooking::Patch MmGetPhysicalMemoryRanges", + "E1105": "Remote File Copy", + "B0022.001": "Remote Access::Reverse Shell", + "F0005.004": "Hidden Files and Directories::Timestamp", + "F0005.001": "Hidden Files and Directories::Extension", + "B0035": "Shutdown Event", + "F0003.002": "Hooking::Hook memory mapping APIs", + "F0010.001": "Kernel Modules and Extensions::Device Driver", + "B0022": "Remote Access", + "E1112": "Modify Registry", + "F0010": "Kernel Modules and Extensions", + "F0003": "Hooking", + "F0003.004": "Hooking::Import Address Hooking (IAT) Hooking", + "F0005.003": "Hidden Files and Directories::Attribute" + }, + "Privilege Escalation": { + "F0003.003": "Hooking::Hook procedures", + 
"E1055": "Process Injection", + "F0011": "Modify Existing Service", + "F0003.005": "Hooking::Inline Hooking", + "F0003.001": "Hooking::Patch MmGetPhysicalMemoryRanges", + "F0003.002": "Hooking::Hook memory mapping APIs", + "E1055.m02": "Process Injection::Injection and Persistence via Registry Modification", + "E1055.m03": "Process Injection::Injection using Shims", + "F0010.001": "Kernel Modules and Extensions::Device Driver", + "F0010": "Kernel Modules and Extensions", + "F0003": "Hooking", + "F0003.004": "Hooking::Import Address Hooking (IAT) Hooking", + "E1055.m01": "Process Injection::Hook Injection via SetWindowsHooksEx" + }, + "Communication": { + "C0005.002": "WinINet::InternetOpen", + "C0012.002": "SMTP Communication::Request", + "C0011.005": "DNS Communication::Resolve Free Hosting Domain", + "C0003.004": "Interprocess Communication::Write Pipe", + "C0002.012": "HTTP Communication::Create Request", + "C0002.013": "HTTP Communication::Set Header", + "C0002.001": "HTTP Communication::Server", + "C0002.002": "HTTP Communication::Client", + "C0014.001": "ICMP Communication::Generate Traffic", + "C0001.017": "Socket Communication::Receive UDP Data", + "C0002.015": "HTTP Communication::Receive Request", + "C0011": "DNS Communication", + "C0002.008": "HTTP Communication::WinHTTP", + "C0002.018": "HTTP Communication::Start Server", + "C0002.011": "HTTP Communication::Extract Body", + "C0012.001": "SMTP Communication::Server Connect", + "C0001.008": "Socket Communication::TCP Client", + "C0002.004": "HTTP Communication::Open URL", + "C0002.006": "HTTP Communication::Download URL", + "C0012": "SMTP Communication", + "C0011.002": "DNS Communication::Server Connect", + "C0001.014": "Socket Communication::Send TCP Data", + "C0002.009": "HTTP Communication::Connect to Server", + "C0005.004": "WinINet::InternetReadFile", + "C0002.003": "HTTP Communication::Send Request", + "C0002.005": "HTTP Communication::Send Data", + "C0004": "FTP Communication", + "C0001.012": 
"Socket Communication::Get Socket Status", + "C0002.017": "HTTP Communication::Get Response", + "C0001.011": "Socket Communication::Create TCP Socket", + "C0001": "Socket Communication", + "C0005": "WinINet", + "C0002.014": "HTTP Communication::Read Header", + "C0001.003": "Socket Communication::Create Socket", + "C0014.002": "ICMP Communication::Echo Request", + "C0002.016": "HTTP Communication::Send Response", + "C0001.005": "Socket Communication::Start TCP Server", + "C0005.001": "WinINet::InternetConnect", + "C0001.007": "Socket Communication::Send Data", + "C0001.009": "Socket Communication::Initialize Winsock Library", + "C0001.013": "Socket Communication::UDP Client", + "C0001.010": "Socket Communication::Create UDP Socket", + "C0001.015": "Socket Communication::Send UDP Data", + "C0002.007": "HTTP Communication::WinINet", + "C0005.003": "WinINet::InternetOpenURL", + "C0004.001": "FTP Communication::Send File", + "C0003.002": "Interprocess Communication::Connect Pipe", + "C0001.002": "Socket Communication::TCP Server", + "C0001.016": "Socket Communication::Receive TCP Data", + "C0001.006": "Socket Communication::Receive Data", + "C0001.004": "Socket Communication::Connect Socket", + "C0003.003": "Interprocess Communication::Read Pipe", + "C0002": "HTTP Communication", + "C0014": "ICMP Communication", + "C0011.001": "DNS Communication::Resolve", + "C0003": "Interprocess Communication", + "C0002.010": "HTTP Communication::IWebBrowser", + "C0011.004": "DNS Communication::Resolve TLD", + "C0001.001": "Socket Communication::Set Socket Config", + "C0005.005": "WinINet::InternetWriteFile", + "C0011.003": "DNS Communication::DDNS Domain Connect", + "C0003.001": "Interprocess Communication::Create Pipe", + "C0004.002": "FTP Communication::WinINet" + }, + "Data": { + "C0030.005": "Non-Cryptographic Hash::FNV", + "C0026.001": "Encode Data::Base64", + "C0053.002": "Decode Data::XOR", + "C0020": "Use Constant", + "C0030.003": "Non-Cryptographic Hash::Fast-Hash", + 
"C0024.002": "Compress Data::IEncodingFilterFactory", + "C0025.002": "Decompress Data::IEncodingFilterFactory", + "C0032.004": "Checksum::Verhoeff", + "C0032.005": "Checksum::Adler", + "C0025.001": "Decompress Data::QuickLZ", + "C0060": "Compression Library", + "C0032": "Checksum", + "C0024.001": "Compress Data::QuickLZ", + "C0026.002": "Encode Data::XOR", + "C0030": "Non-Cryptographic Hash", + "C0032.001": "Checksum::CRC32", + "C0053": "Decode Data", + "C0053.001": "Decode Data::Base64", + "C0019": "Check String", + "C0030.004": "Non-Cryptographic Hash::dhash", + "C0026": "Encode Data", + "C0032.003": "Checksum::BSD", + "C0030.002": "Non-Cryptographic Hash::pHash", + "C0030.001": "Non-Cryptographic Hash::MurmurHash", + "C0032.002": "Checksum::Luhn", + "C0058": "Modulo", + "C0024": "Compress Data", + "C0025": "Decompress Data" + }, + "Hardware": { + "C0057": "Simulate Hardware", + "C0057.001": "Simulate Hardware::Ctrl-Alt-Del", + "C0023": "Load Driver", + "C0037": "Install Driver", + "C0057.002": "Simulate Hardware::Mouse Click" + }, + "File System": { + "C0016.001": "Create File::Create Office Document", + "C0052": "Writes File", + "C0049": "Get File Attributes", + "C0046": "Create Directory", + "C0015": "Alter File Extension", + "C0050": "Set File Attributes", + "C0016": "Create File", + "C0056": "Read Virtual Disk", + "C0051": "Read File", + "C0015.001": "Alter File Extension::Append Extension", + "C0045": "Copy File", + "C0016.002": "Create File::Create Ransomware File", + "C0047": "Delete File", + "C0048": "Delete Directory" + }, + "Cryptography": { + "C0027.002": "Encrypt Data::Blowfish", + "C0027.014": "Encrypt Data::Block Cipher", + "C0031.006": "Decrypt Data::HC-128", + "C0031": "Decrypt Data", + "C0029": "Cryptographic Hash", + "C0027.010": "Encrypt Data::RC6", + "C0027.001": "Encrypt Data::AES", + "C0021": "Generate Pseudo-random Sequence", + "C0027": "Encrypt Data", + "C0031.008": "Decrypt Data::RC4", + "C0021.001": "Generate Pseudo-random 
Sequence::GetTickCount", + "C0031.001": "Decrypt Data::AES", + "C0028.001": "Encryption Key::Import Public Key", + "C0027.003": "Encrypt Data::Camellia", + "C0029.002": "Cryptographic Hash::SHA1", + "C0028.002": "Encryption Key::RC4 KSA", + "C0027.006": "Encrypt Data::HC-128", + "C0031.002": "Decrypt Data::Block Cipher", + "C0027.008": "Encrypt Data::Sosemanuk", + "C0028": "Encryption Key", + "C0029.004": "Cryptographic Hash::SHA224", + "C0031.013": "Decrypt Data::Stream Cipher", + "C0031.011": "Decrypt Data::Skipjack", + "C0021.004": "Generate Pseudo-random Sequence::RC4 PRGA", + "C0029.001": "Cryptographic Hash::MD5", + "C0029.003": "Cryptographic Hash::SHA256", + "C0031.014": "Decrypt Data::Twofish", + "C0029.006": "Cryptographic Hash::Snefru", + "C0031.003": "Decrypt Data::Blowfish", + "C0027.011": "Encrypt Data::RSA", + "C0031.005": "Decrypt Data::3DES", + "C0031.004": "Decrypt Data::Camellia", + "C0027.012": "Encrypt Data::Stream Cipher", + "C0027.007": "Encrypt Data::HC-256", + "C0027.004": "Encrypt Data::3DES", + "C0021.005": "Generate Pseudo-random Sequence::Mersenne Twister", + "C0059": "Crypto Library", + "C0029.005": "Cryptographic Hash::Tiger", + "C0031.010": "Decrypt Data::RSA", + "C0031.012": "Decrypt Data::Sosemanuk", + "C0021.003": "Generate Pseudo-random Sequence::Use API", + "C0027.013": "Encrypt Data::Skipjack", + "C0031.007": "Decrypt Data::HC-256", + "C0027.005": "Encrypt Data::Twofish", + "C0021.002": "Generate Pseudo-random Sequence::rand", + "C0027.009": "Encrypt Data::RC4", + "C0031.009": "Decrypt Data::RC6" + }, + "Process": { + "C0018": "Terminate Process", + "C0055": "Suspend Thread", + "C0017": "Create Process", + "C0017.002": "Create Process::Create Process via WMI", + "C0017.001": "Create Process::Create Process via Shellcode", + "C0038": "Create Thread", + "C0039": "Terminate Thread", + "C0043": "Check Mutex", + "C0041": "Set Thread Local Storage Value", + "C0022.001": "Synchronization::Create Mutex", + "C0017.003": "Create 
Process::Create Suspended Process", + "C0042": "Create Mutex", + "C0022": "Synchronization", + "C0054": "Resume Thread", + "C0040": "Allocate Thread Local Storage" + }, + "Memory": { + "C0010": "Overflow Buffer", + "C0008": "Change Memory Protection", + "C0006": "Heap Spray", + "C0007": "Allocate Memory", + "C0008.002": "Change Memory Protection::Executable Heap", + "C0008.001": "Change Memory Protection::Executable Stack", + "C0009": "Stack Pivot", + "C0044": "Free Memory" + }, + "Operating System": { + "C0036.006": "Registry::Query Registry Value", + "C0035": "Wallpaper", + "C0034.001": "Environment Variable::Set Variable", + "C0036.002": "Registry::Delete Registry Key", + "C0036.001": "Registry::Set Registry Key", + "C0036.007": "Registry::Delete Registry Value", + "C0036.003": "Registry::Open Registry Key", + "C0036.005": "Registry::Query Registry Key", + "C0033": "Console", + "C0034": "Environment Variable", + "C0036": "Registry", + "C0036.004": "Registry::Create Registry Key" + } } } \ No newline at end of file
diff --git a/scripts/setup-linter-dependencies.py b/scripts/setup-linter-dependencies.py
index ff2e4dc0..46d5bb57 100644
--- a/scripts/setup-linter-dependencies.py
+++ b/scripts/setup-linter-dependencies.py
@@ -5,10 +5,14 @@ import requests
 from stix2 import Filter, MemoryStore, AttackPattern
-class StixExtractor:
+class MitreExtractor:
 url = ""
+ kill_chain_name = ""
 def __init__(self):
+ if self.kill_chain_name == "":
+ raise ValueError(f"Kill chain name not specified in class {self.__class__.__name__}")
+
 if self.url == "":
 raise ValueError(f"URL not specified in class {self.__class__.__name__}")
@@ -25,10 +29,6 @@ class StixExtractor:
 )
 )
-
-class AttckStixExtractor(StixExtractor):
- url = "https://raw.githubusercontent.com/mitre-attack/attack-stix-data/master/enterprise-attack/enterprise-attack.json"
-
 def _get_tactics(self) -> list[dict]:
 # Only one matrix for enterprise att&ck framework
 matrix = self._remove_deprecated_objetcs(
@@ -47,7 +47,7 @@ class AttckStixExtractor(StixExtractor):
 Filter("type", "=", "attack-pattern"),
 Filter("kill_chain_phases.phase_name", "=", tactic),
 Filter( # kill chain name for enterprise att&ck
- "kill_chain_phases.kill_chain_name", "=", "mitre-attack"
+ "kill_chain_phases.kill_chain_name", "=", self.kill_chain_name
 ),
 ]
 )
@@ -72,23 +72,37 @@ class AttckStixExtractor(StixExtractor):
 data[tactic["name"]] = {}
 for technique in self._get_techniques_from_tactic(tactic["x_mitre_shortname"]):
 tid = technique["external_references"][0]["external_id"]
+ technique_name = technique["name"].split("::")[0]
 if technique["x_mitre_is_subtechnique"]:
 parent_technique = self._get_parent_technique_from_subtechnique(technique)
- data[tactic["name"]][tid] = f"{parent_technique['name']}::{technique['name']}"
+ data[tactic["name"]][tid] = f"{parent_technique['name']}::{technique_name}"
 else:
- data[tactic["name"]][tid] = technique["name"]
+ data[tactic["name"]][tid] = technique_name
 return data
-class MbcStixExtractor(StixExtractor):
- ...
+class AttckExtractor(MitreExtractor):
+ url = "https://raw.githubusercontent.com/mitre-attack/attack-stix-data/master/enterprise-attack/enterprise-attack.json"
+ kill_chain_name = "mitre-attack"
+
+
+class MbcExtractor(MitreExtractor):
+ url = "https://raw.githubusercontent.com/MBCProject/mbc-stix2/master/mbc/mbc.json"
+ kill_chain_name = "mitre-mbc"
+
+ def _get_tactics(self) -> list[dict]:
+ tactics = super(MbcExtractor, self)._get_tactics()
+ # We don't want the Micro-objective string inside objective names
+ for tactic in tactics:
+ tactic["name"] = tactic["name"].replace(" Micro-objective", "")
+ return tactics
 def main():
- s = AttckStixExtractor()
- r = s.run()
+ data = {"att&ck": AttckExtractor().run(), "mbc": MbcExtractor().run()}
+
 with open(f"{dirname(__file__)}/linter-data.json", "w") as jf:
- json.dump(r, jf, indent=2)
+ json.dump(data, jf, indent=2)
 if __name__ == "__main__":
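Review bot: `if technique["x_mitre_is_subtechnique"]:` in the `run` loop is a hard subscript, while this file's own `_remove_deprecated_objetcs` reads the optional `x_mitre_*` properties with `.get(..., False)` precisely because they may be absent from the STIX JSON; `if technique.get("x_mitre_is_subtechnique", False):` keeps the two consistent and avoids a `KeyError` on an object without the flag. The `run` method's signature lies above this hunk. In `MbcExtractor._get_tactics`, `super(MbcExtractor, self)._get_tactics()` can be the zero-argument `super()._get_tactics()`; the assignment `tactic["name"] = ...` also appears to rewrite the object handed back by the memory store rather than a copy, which is harmless for this one-shot script but deserves a comment such as `# mutates the stored tactic object in place; fine for a single run`.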
From 2bcd725e04e84eea3d82b8819b6ad701ebb23de4 Mon Sep 17 00:00:00 2001
From: Baptistin Boilot
Date: Sat, 22 Jan 2022 14:51:32 +0100
Subject: [PATCH 06/11] linter: add the possibility to enable or disable mbc and att&ck linting
---
 scripts/lint.py | 18 ++++++++++---
 scripts/setup-linter-dependencies.py | 39 ++++++++++++++++++++++++----
 2 files changed, 48 insertions(+), 9 deletions(-)
diff --git a/scripts/lint.py b/scripts/lint.py
index fb5ab266..efb5a023 100644
--- a/scripts/lint.py
+++ b/scripts/lint.py
@@ -235,10 +235,20 @@ class InvalidAttckOrMbcTechnique(Lint):
 def __init__(self):
 super(InvalidAttckOrMbcTechnique, self).__init__()
- # This regex match the format defined in the recommandation attribute
+ try:
+ with open("scripts/linter-data.json", "r") as fd:
+ self.data = json.load(fd)
+ self.enabled_frameworks = self.data.keys()
+ except BaseException:
+ # If linter-data.json is not present, or if an error happen
+ # we log an error and lint nothing.
+ logger.warning(
+ "Could not load 'scripts/linter-data.json'. The att&ck and mbc information will not be linted."
+ )
+ self.enabled_frameworks = []
+
+ # This regex match the format defined in the recommendation attribute
 self.reg = re.compile("^([a-zA-Z| ]+)::(.*) \[([A-Za-z0-9.]+)\]$")
- with open("scripts/linter-data.json", "r") as fd:
- self.data = json.load(fd)
 def _entry_check(self, framework, category, entry, eid):
 if category not in self.data[framework].keys():
@@ -255,7 +265,7 @@ class InvalidAttckOrMbcTechnique(Lint):
 return False
 def check_rule(self, ctx: Context, rule: Rule):
- for framework in ["mbc"]:
+ for framework in self.enabled_frameworks:
 if framework in rule.meta.keys():
 for r in rule.meta[framework]:
 m = self.reg.match(r)
diff --git a/scripts/setup-linter-dependencies.py b/scripts/setup-linter-dependencies.py
index 46d5bb57..eb299a8b 100644
--- a/scripts/setup-linter-dependencies.py
+++ b/scripts/setup-linter-dependencies.py
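Review bot: `except BaseException:` around the `linter-data.json` load in `InvalidAttckOrMbcTechnique.__init__` also catches `KeyboardInterrupt`, `SystemExit` and any programming error inside the block, and turns all of them into one warning plus silently disabled ATT&CK/MBC linting; the failures the comment describes (file missing, unreadable, not valid JSON) are `OSError` and `ValueError` (`json.JSONDecodeError` is a `ValueError`), so `except (OSError, ValueError) as e:` with the cause added to the warning, e.g. `logger.warning("Could not load 'scripts/linter-data.json' (%s). The att&ck and mbc information will not be linted.", e)`, keeps the best-effort behaviour without masking bugs. On that path `self.data` is never assigned, and `_entry_check` reads `self.data[framework]`; it stays unreachable only because `enabled_frameworks` is empty, which deserves a comment such as `# self.data is unset here; check_rule never reaches _entry_check when no framework is enabled`. The bare relative path `"scripts/linter-data.json"` depends on the working directory of the caller (a later patch in this series switches to a `__file__`-relative path).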
@@ -1,10 +1,16 @@
+import argparse
 import json
+import logging
 from os.path import dirname
+from sys import argv
 import requests
 from stix2 import Filter, MemoryStore, AttackPattern
+logging.basicConfig(level=logging.INFO, format="%(asctime)s [%(levelname)s] %(message)s")
+
+
 class MitreExtractor:
 url = ""
 kill_chain_name = ""
@@ -16,6 +22,7 @@ class MitreExtractor:
 if self.url == "":
 raise ValueError(f"URL not specified in class {self.__class__.__name__}")
+ logging.info(f"Downloading STIX data at: {self.url}")
 stix_json = requests.get(self.url).json()
 self._memory_store = MemoryStore(stix_data=stix_json["objects"])
@@ -67,6 +74,7 @@ class MitreExtractor:
 return parent_technique
 def run(self) -> dict[str, dict[str, str]]:
+ logging.info("Starting extraction...")
 data: dict[str, dict[str, str]] = {}
 for tactic in self._get_tactics():
 data[tactic["name"]] = {}
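Review bot: `stix_json = requests.get(self.url).json()`, the context line directly under the added "Downloading STIX data" log, has neither a timeout nor a status check, so a stalled connection hangs the script indefinitely and a non-200 response (an error page) is parsed as if it were STIX and only fails later on `stix_json["objects"]` with an unrelated `KeyError` or `JSONDecodeError`; `resp = requests.get(self.url, timeout=60)`, `resp.raise_for_status()`, `stix_json = resp.json()` makes the failure explicit at its source. The `url` values track the `master` branch of the upstream repositories with no version pin or content hash, so what this script downloads can change between runs; because the generated `linter-data.json` is committed, reviewing its diff after regeneration is the practical check, and a class-level comment such as `# url tracks upstream master: regenerate and review linter-data.json's diff before committing` would record that expectation. The `__init__` body this hunk touches begins above the hunk.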
@@ -98,12 +106,33 @@ class MbcExtractor(MitreExtractor):
 return tactics
-def main():
- data = {"att&ck": AttckExtractor().run(), "mbc": MbcExtractor().run()}
+def main(args: argparse.Namespace) -> None:
+ data = {}
+ if args.extractor == "att&ck" or args.extractor == "both":
+ logging.info("Extracting Mitre Att&ck techniques...")
+ data["att&ck"] = AttckExtractor().run()
+ if args.extractor == "mbc" or args.extractor == "both":
+ logging.info("Extracting MBC behaviors...")
+ data["mbc"] = MbcExtractor().run()
- with open(f"{dirname(__file__)}/linter-data.json", "w") as jf:
- json.dump(data, jf, indent=2)
+ logging.info(f"Writing results to {args.output}")
+ try:
+ with open(args.output, "w") as jf:
+ json.dump(data, jf, indent=2)
+ except BaseException as e:
+ logging.error(f"Exception encountered when writing results: {e}")
 if __name__ == "__main__":
- main()
+ parser = argparse.ArgumentParser(description="Setup linter dependencies.")
+ parser.add_argument(
+ "--extractor", type=str, choices=["both", "mbc", "att&ck"], default="both", help="Extractor that will be run"
+ )
+ parser.add_argument(
+ "--output",
+ "-o",
+ type=str,
+ default=f"{dirname(__file__)}/linter-data.json",
+ help="Path to output file (lint.py will be looking for linter-data.json)",
+ )
+ main(parser.parse_args(args=argv[1:]))
From 370ad6cdd75217a85caf4f590766fb6a23fb466f Mon Sep 17 00:00:00 2001
From: Baptistin Boilot
Date: Sat, 22 Jan 2022 15:43:28 +0100
Subject: [PATCH 07/11] docs: add code documentation and update changelog
---
 CHANGELOG.md | 2 ++
 scripts/setup-linter-dependencies.py | 21 +++++++++++++++++++--
 2 files changed, 21 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4fa0297d..703c1c39 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,8 @@
 ### New Features
+- linter: validate ATT&CK/MBC categories and IDs #103 @kn0wl3dge
+
 ### Breaking Changes
 ### New Rules (0)
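Review bot: `default=f"{dirname(__file__)}/linter-data.json"` builds the path by string concatenation, and `dirname(__file__)` is the empty string when the script is started by a bare relative filename on Python older than 3.9 (where `__main__.__file__` is not yet absolute), which turns the default into the root-level path `/linter-data.json` — the module docstring added later on this page invokes the script exactly that way; `default=os.path.join(os.path.dirname(os.path.abspath(__file__)), "linter-data.json")` is robust in both cases, and the same concatenation appears in the lint.py hunk of PATCH 10 further down. Separately, `except BaseException as e:` around the write logs the error and then lets `main` return normally, so a failed write exits with status 0 and leaves a stale or missing `linter-data.json` for lint.py to pick up; `except OSError as e:` followed by `raise SystemExit(1)` after the log line keeps the message and makes the failure visible to callers and CI. `parser.parse_args(args=argv[1:])` is what `parse_args()` does by default, so the explicit slice and the `from sys import argv` import can go.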
diff --git a/scripts/setup-linter-dependencies.py b/scripts/setup-linter-dependencies.py
index eb299a8b..b11ecd4a 100644
--- a/scripts/setup-linter-dependencies.py
+++ b/scripts/setup-linter-dependencies.py
@@ -12,10 +12,18 @@ logging.basicConfig(level=logging.INFO, format="%(asctime)s [%(levelname)s] %(me
 class MitreExtractor:
+ """
+ This class extract Mitre techniques and sub techniques that are represented as "attack-pattern" in STIX format.
+ The STIX data is collected in JSON format by requesting the specified URL.
+
+ url: must point to json stix location
+ kill_chain_name: mitre-attack, mitre-mbc...
+ """
 url = ""
 kill_chain_name = ""
 def __init__(self):
+ """Download and store in memory the STIX data on instantiation."""
 if self.kill_chain_name == "":
 raise ValueError(f"Kill chain name not specified in class {self.__class__.__name__}")
@@ -28,7 +36,7 @@ class MitreExtractor:
 @staticmethod
 def _remove_deprecated_objetcs(stix_objects) -> list[AttackPattern]:
- """Remove any revoked or deprecated objects from queries made to the data source"""
+ """Remove any revoked or deprecated objects from queries made to the data source."""
 return list(
 filter(
 lambda x: x.get("x_mitre_deprecated", False) is False and x.get("revoked", False) is False,
@@ -37,6 +45,7 @@ class MitreExtractor:
 )
 def _get_tactics(self) -> list[dict]:
+ """Get tactics IDs from Mitre matrix."""
 # Only one matrix for enterprise att&ck framework
 matrix = self._remove_deprecated_objetcs(
 self._memory_store.query(
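Review bot: The docstring added to `_get_tactics`, `"""Get tactics IDs from Mitre matrix."""`, misdescribes the return value: the method resolves `matrix["tactic_refs"]` through `self._memory_store.get`, and the `run` loop reads `tactic["name"]` and `tactic["x_mitre_shortname"]` from the results, so it returns the tactic objects, not their IDs; `"""Return the tactic objects referenced by the matrix's tactic_refs, in matrix order."""` states the contract. The comment below it, `# Only one matrix for enterprise att&ck framework`, is stale now that `MbcExtractor` inherits the method and the `[0]` index picks the first matrix for any dataset; `# Assumes the dataset contains a single matrix; [0] takes the first one` names the assumption rather than one framework. In the class docstring, "This class extract" should read "This class extracts", and `url: must point to json stix location` would be clearer as `url: URL of the STIX bundle (JSON) to download`.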
@@ -48,12 +57,13 @@ class MitreExtractor:
 return list(map(self._memory_store.get, matrix["tactic_refs"]))
 def _get_techniques_from_tactic(self, tactic: str) -> list[AttackPattern]:
+ """Get techniques and sub techniques from a Mitre tactic (kill_chain_phases->phase_name)"""
 techniques = self._remove_deprecated_objetcs(
 self._memory_store.query(
 [
 Filter("type", "=", "attack-pattern"),
 Filter("kill_chain_phases.phase_name", "=", tactic),
- Filter( # kill chain name for enterprise att&ck
+ Filter(
 "kill_chain_phases.kill_chain_name", "=", self.kill_chain_name
 ),
 ]
@@ -62,6 +72,7 @@ class MitreExtractor:
 return techniques
 def _get_parent_technique_from_subtechnique(self, technique: AttackPattern) -> AttackPattern:
+ """Get parent technique of a sub technique using the technique ID TXXXX.YYY"""
 sub_id = technique["external_references"][0]["external_id"].split(".")[0]
 parent_technique = self._remove_deprecated_objetcs(
 self._memory_store.query(
@@ -74,6 +85,9 @@ class MitreExtractor:
 return parent_technique
 def run(self) -> dict[str, dict[str, str]]:
+ """Iterate over every technique over every tactic. If the technique is a sub technique, then
+ we also search for the parent technique name.
+ """
 logging.info("Starting extraction...")
 data: dict[str, dict[str, str]] = {}
 for tactic in self._get_tactics():
@@ -90,15 +104,18 @@ class MitreExtractor:
 class AttckExtractor(MitreExtractor):
+ """Extractor for the Mitre Enterprise Att&ck Framework."""
 url = "https://raw.githubusercontent.com/mitre-attack/attack-stix-data/master/enterprise-attack/enterprise-attack.json"
 kill_chain_name = "mitre-attack"
 class MbcExtractor(MitreExtractor):
+ """Extractor for the Mitre Malware Behavior Catalog."""
 url = "https://raw.githubusercontent.com/MBCProject/mbc-stix2/master/mbc/mbc.json"
 kill_chain_name = "mitre-mbc"
 def _get_tactics(self) -> list[dict]:
+ """Override _get_tactics to edit the tactic name for Micro-objective"""
 tactics = super(MbcExtractor, self)._get_tactics()
 # We don't want the Micro-objective string inside objective names
 for tactic in tactics:
From c6ac239c5a226eb2ee4f3cb25d5c2445ac6b5718 Mon Sep 17 00:00:00 2001
From: Baptistin Boilot
Date: Sat, 22 Jan 2022 15:48:24 +0100
Subject: [PATCH 08/11] linter: fix imports and codingstyle
---
 scripts/setup-linter-dependencies.py | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/scripts/setup-linter-dependencies.py b/scripts/setup-linter-dependencies.py
index b11ecd4a..3c1e0025 100644
--- a/scripts/setup-linter-dependencies.py
+++ b/scripts/setup-linter-dependencies.py
@@ -1,13 +1,12 @@
-import argparse
 import json
 import logging
-from os.path import dirname
+import argparse
 from sys import argv
+from os.path import dirname
 import requests
 from stix2 import Filter, MemoryStore, AttackPattern
-
 logging.basicConfig(level=logging.INFO, format="%(asctime)s [%(levelname)s] %(message)s")
@@ -19,6 +18,7 @@ class MitreExtractor:
 url: must point to json stix location
 kill_chain_name: mitre-attack, mitre-mbc...
 """
+
 url = ""
 kill_chain_name = ""
@@ -63,9 +63,7 @@ class MitreExtractor:
 [
 Filter("type", "=", "attack-pattern"),
 Filter("kill_chain_phases.phase_name", "=", tactic),
- Filter(
- "kill_chain_phases.kill_chain_name", "=", self.kill_chain_name
- ),
+ Filter("kill_chain_phases.kill_chain_name", "=", self.kill_chain_name),
 ]
 )
 )
@@ -105,12 +103,14 @@ class MitreExtractor:
 class AttckExtractor(MitreExtractor):
 """Extractor for the Mitre Enterprise Att&ck Framework."""
+
 url = "https://raw.githubusercontent.com/mitre-attack/attack-stix-data/master/enterprise-attack/enterprise-attack.json"
 kill_chain_name = "mitre-attack"
 class MbcExtractor(MitreExtractor):
 """Extractor for the Mitre Malware Behavior Catalog."""
+
 url = "https://raw.githubusercontent.com/MBCProject/mbc-stix2/master/mbc/mbc.json"
 kill_chain_name = "mitre-mbc"
From 0c978a8defd9dc92d4cc91e23386f459125c536b Mon Sep 17 00:00:00 2001
From: Baptistin Boilot
Date: Sat, 22 Jan 2022 17:10:55 +0100
Subject: [PATCH 09/11] scripts: fix typing issue in setup-linter-dependencies
---
 scripts/setup-linter-dependencies.py | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/scripts/setup-linter-dependencies.py b/scripts/setup-linter-dependencies.py
index 3c1e0025..9ff3af9f 100644
--- a/scripts/setup-linter-dependencies.py
+++ b/scripts/setup-linter-dependencies.py
@@ -2,10 +2,11 @@ import json
 import logging
 import argparse
 from sys import argv
+from typing import Dict, List
 from os.path import dirname
 import requests
-from stix2 import Filter, MemoryStore, AttackPattern
+from stix2 import Filter, MemoryStore, AttackPattern # type: ignore
 logging.basicConfig(level=logging.INFO, format="%(asctime)s [%(levelname)s] %(message)s")
@@ -35,7 +36,7 @@ class MitreExtractor:
 self._memory_store = MemoryStore(stix_data=stix_json["objects"])
 @staticmethod
- def _remove_deprecated_objetcs(stix_objects) -> list[AttackPattern]:
+ def _remove_deprecated_objetcs(stix_objects) -> List[AttackPattern]:
 """Remove any revoked or deprecated objects from queries made to the data source."""
 return list(
 filter(
@@ -44,7 +45,7 @@ class MitreExtractor:
 )
 )
- def _get_tactics(self) -> list[dict]:
+ def _get_tactics(self) -> List[Dict]:
 """Get tactics IDs from Mitre matrix."""
 # Only one matrix for enterprise att&ck framework
 matrix = self._remove_deprecated_objetcs(
@@ -56,7 +57,7 @@ class MitreExtractor:
 )[0]
 return list(map(self._memory_store.get, matrix["tactic_refs"]))
- def _get_techniques_from_tactic(self, tactic: str) -> list[AttackPattern]:
+ def _get_techniques_from_tactic(self, tactic: str) -> List[AttackPattern]:
 """Get techniques and sub techniques from a Mitre tactic (kill_chain_phases->phase_name)"""
 techniques = self._remove_deprecated_objetcs(
 self._memory_store.query(
@@ -82,12 +83,12 @@ class MitreExtractor:
 )[0]
 return parent_technique
- def run(self) -> dict[str, dict[str, str]]:
+ def run(self) -> Dict[str, Dict[str, str]]:
 """Iterate over every technique over every tactic. If the technique is a sub technique, then
 we also search for the parent technique name.
 """
 logging.info("Starting extraction...")
- data: dict[str, dict[str, str]] = {}
+ data: Dict[str, Dict[str, str]] = {}
 for tactic in self._get_tactics():
 data[tactic["name"]] = {}
 for technique in self._get_techniques_from_tactic(tactic["x_mitre_shortname"]):
@@ -114,7 +115,7 @@ class MbcExtractor(MitreExtractor):
 url = "https://raw.githubusercontent.com/MBCProject/mbc-stix2/master/mbc/mbc.json"
 kill_chain_name = "mitre-mbc"
- def _get_tactics(self) -> list[dict]:
+ def _get_tactics(self) -> List[Dict]:
 """Override _get_tactics to edit the tactic name for Micro-objective"""
 tactics = super(MbcExtractor, self)._get_tactics()
 # We don't want the Micro-objective string inside objective names
From 377c805fe7dff3cc4baea2bc331237ff8ec8a313 Mon Sep 17 00:00:00 2001
From: Baptistin Boilot
Date: Mon, 24 Jan 2022 22:48:59 +0100
Subject: [PATCH 10/11] linter: improve linter-data.json opening and add documentation
- Open linter-data.json in byte mode
- Add a comment explaining how to invoke the script
---
 scripts/lint.py | 5 ++--
 scripts/setup-linter-dependencies.py | 34 ++++++++++++++++++++++++++++
 2 files changed, 36 insertions(+), 3 deletions(-)
diff --git a/scripts/lint.py b/scripts/lint.py
index efb5a023..49ad6e5c 100644
--- a/scripts/lint.py
+++ b/scripts/lint.py
@@ -24,7 +24,6 @@ import difflib
 import hashlib
 import inspect
 import logging
-import os.path
 import pathlib
 import argparse
 import itertools
@@ -236,7 +235,7 @@ class InvalidAttckOrMbcTechnique(Lint):
 super(InvalidAttckOrMbcTechnique, self).__init__()
 try:
- with open("scripts/linter-data.json", "r") as fd:
+ with open(f"{os.path.dirname(__file__)}/linter-data.json", "rb") as fd:
 self.data = json.load(fd)
 self.enabled_frameworks = self.data.keys()
 except BaseException:
@@ -247,7 +246,7 @@ class InvalidAttckOrMbcTechnique(Lint):
 )
 self.enabled_frameworks = []
- # This regex match the format defined in the recommendation attribute
+ # This regex matches the format defined in the recommendation attribute
 self.reg = re.compile("^([a-zA-Z| ]+)::(.*) \[([A-Za-z0-9.]+)\]$")
 def _entry_check(self, framework, category, entry, eid):
diff --git a/scripts/setup-linter-dependencies.py b/scripts/setup-linter-dependencies.py
index 9ff3af9f..326a684c 100644
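Review bot: `import os.path` is removed from lint.py's import block while the rewritten line `with open(f"{os.path.dirname(__file__)}/linter-data.json", "rb") as fd:` still references `os.path`; unless `os` is imported elsewhere in the file (not visible in these hunks), that raises `NameError` at the first use — and because the surrounding `except BaseException:` catches it, the only symptom would be the "Could not load" warning and silently disabled ATT&CK/MBC linting. Either keep `import os.path`, or, if a plain `import os` already exists, say so in the commit message; narrowing the handler to `except (OSError, ValueError):` would make this class of mistake fail loudly instead of being absorbed. The warning text still names the fixed path `'scripts/linter-data.json'` while the open now uses the `__file__`-relative one; logging the path that was actually tried keeps the two in sync. Note that `os.path.dirname(__file__)` is `""` when lint.py is invoked by a bare relative filename on Python older than 3.9, making the path `/linter-data.json`; `os.path.join(os.path.dirname(os.path.abspath(__file__)), "linter-data.json")` avoids both that and the string concatenation.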
--- a/scripts/setup-linter-dependencies.py
+++ b/scripts/setup-linter-dependencies.py
@@ -1,3 +1,37 @@
+"""
+Generate capa linter-data.json, used to validate Att&ck/MBC IDs and names.
+
+Use the --extractor option to extract data from Att&ck or MBC (or both) frameworks.
+Use the --output to choose the output json file.
+By default, the script will create a linter-data.json in the scripts/ directory for both frameworks.
+
+Note: The capa rules linter will try to load from its default location (scripts/linter-data.json).
+
+Usage:
+
+ usage: setup-linter-dependencies.py [-h] [--extractor {both,mbc,att&ck}] [--output OUTPUT]
+
+ Setup linter dependencies.
+
+ optional arguments:
+ -h, --help show this help message and exit
+ --extractor {both,mbc,att&ck}
+ Extractor that will be run
+ --output OUTPUT, -o OUTPUT
+ Path to output file (lint.py will be looking for linter-data.json)
+
+
+Example:
+
+ $ python3 setup-linter-dependencies.py
+ 2022-01-24 22:35:06,901 [INFO] Extracting Mitre Att&ck techniques...
+ 2022-01-24 22:35:06,901 [INFO] Downloading STIX data at: https://raw.githubusercontent.com/mitre-attack/attack-stix-data/master/enterprise-attack/enterprise-attack.json
+ 2022-01-24 22:35:13,001 [INFO] Starting extraction...
+ 2022-01-24 22:35:39,395 [INFO] Extracting MBC behaviors...
+ 2022-01-24 22:35:39,395 [INFO] Downloading STIX data at: https://raw.githubusercontent.com/MBCProject/mbc-stix2/master/mbc/mbc.json
+ 2022-01-24 22:35:39,839 [INFO] Starting extraction...
+ 2022-01-24 22:35:42,632 [INFO] Writing results to linter-data.json
+"""
 import json
 import logging
 import argparse
From 2e8c2f40d6f8b01eea383268f7e62ed8049cc5ba Mon Sep 17 00:00:00 2001
From: Baptistin Boilot
Date: Wed, 26 Jan 2022 00:11:01 +0100
Subject: [PATCH 11/11] linter: update linter-data.json with mitre att&ck references only
---
 scripts/linter-data.json | 729 ---------------------------------------
 1 file changed, 729 deletions(-)
diff --git a/scripts/linter-data.json b/scripts/linter-data.json
index 5a06e519..b2b6e797 100644
--- a/scripts/linter-data.json
+++ b/scripts/linter-data.json
@@ -759,734 +759,5 @@ "T1529": "System Shutdown/Reboot", "T1565.002": "Data Manipulation::Transmitted Data Manipulation" } - }, - "mbc": { - "Anti-Behavioral Analysis": { - "B0007.009": "Sandbox Detection::Timing/Uptime Check", - "B0001.001": "Debugger Detection::API Hook Detection", - "B0007.005": "Sandbox Detection::Product Key/ID Testing", - "B0002.005": "Debugger Evasion::Code Integrity Check", - "B0001.035": "Debugger Detection::Process Environment Block BeingDebugged", - "B0007.004": "Sandbox Detection::Injected DLL Testing", - "B0005.003": "Emulator Evasion::Unusual/Undocumented API Calls", - "B0001.024": "Debugger Detection::SetHandleInformation", - "B0009.016": "Virtual Machine Detection::Modern Specs Check - USB drive", - "B0009.028": "Virtual Machine Detection::Unique Hardware/Firmware Check - MAC Address", - "F0003.003": "Hooking::Hook procedures", - "B0009.014": "Virtual Machine Detection::Modern Specs Check - Total physical memory", - "B0002.010": "Debugger Evasion::Import Obfuscation", - "F0001.010": "Software Packing::VMProtect", - "E1480.m07": "Execution Guardrails::Runs as Service", - "B0001.003": "Debugger Detection::CloseHandle", - "B0009.025": "Virtual Machine Detection::Unique Hardware/Firmware Check - I/O Communication Port", - "B0004": "Emulator Detection", - "B0009.006": "Virtual Machine Detection::Check Running Services", - "B0002.013": "Debugger Evasion::Malloc Use", - "B0009.015": "Virtual Machine Detection::Modern Specs Check - Drive size", - "B0001.017": "Debugger Detection::Page Exception Breakpoint Detection", - "B0009.004": "Virtual Machine Detection::Check Processes", - "B0001.012": "Debugger Detection::NtQueryInformationProcess", - "B0002.029": "Debugger Evasion::Thread Timeout", - "B0036.001": "Capture Evasion::Memory-only Payload", - "B0036": "Capture Evasion", - "B0005.004": "Emulator Evasion::Extra Loops/Time Locks", - "B0009.009": "Virtual Machine Detection::Check Windows", - "B0007": "Sandbox Detection", - "B0009.037": 
"Virtual Machine Detection::Instruction Testing - VMCPUID", - "B0006.009": "Memory Dump Evasion::Flow Opcode Obstruction", - "B0002.001": "Debugger Evasion::Block Interrupts", - "B0006.002": "Memory Dump Evasion::Erase the PE header", - "B0009.034": "Virtual Machine Detection::Instruction Testing - CPUID", - "B0003": "Dynamic Analysis Evasion", - "E1480.m06": "Execution Guardrails::Token Check", - "B0007.001": "Sandbox Detection::Check Clipboard Data", - "B0001.037": "Debugger Detection::Process Environment Block IsDebugged", - "B0006.001": "Memory Dump Evasion::Code Encryption in Memory", - "E1480.m05": "Execution Guardrails::Secure Triggers", - "F0001.011": "Software Packing::Themida", - "B0001.019": "Debugger Detection::Process Environment Block", - "B0002.025": "Debugger Evasion::Self-Unmapping", - "B0002.018": "Debugger Evasion::Pipeline Misdirection", - "B0002.030": "Debugger Evasion::Use Interrupts", - "B0002.023": "Debugger Evasion::Section Misalignment", - "F0001.002": "Software Packing::Standard Compression", - "B0005.001": "Emulator Evasion::Different Opcode Sets", - "B0009.003": "Virtual Machine Detection::Check Named System Objects", - "B0009.002": "Virtual Machine Detection::Check Memory Artifacts", - "B0003.003": "Dynamic Analysis Evasion::Delayed Execution", - "B0003.010": "Dynamic Analysis Evasion::Restart", - "B0002.002": "Debugger Evasion::Break Point Clearing", - "B0008": "Executable Code Virtualization", - "B0001.027": "Debugger Detection::TIB Aware", - "F0001.007": "Software Packing::Custom Compression of Data", - "B0001.004": "Debugger Detection::Debugger Artifacts", - "B0009.031": "Virtual Machine Detection::Instruction Testing - SGDT/SLDT (no pill)", - "B0036.002": "Capture Evasion::Encrypted Payloads", - "E1480.m03": "Execution Guardrails::GetVolumeInformation", - "B0001.028": "Debugger Detection::Timing/Delay Check", - "F0001.004": "Software Packing::Standard Compression of Data", - "B0001.005": "Debugger Detection::Hardware Breakpoints", 
- "F0001.003": "Software Packing::Standard Compression of Code", - "B0002.007": "Debugger Evasion::Get Base Indirectly", - "B0009": "Virtual Machine Detection", - "B0005": "Emulator Evasion", - "B0003.002": "Dynamic Analysis Evasion::Data Flood", - "B0001.023": "Debugger Detection::SeDebugPrivilege", - "B0002.016": "Debugger Evasion::Obfuscate Library Use", - "B0007.006": "Sandbox Detection::Screen Resolution Testing", - "F0003.005": "Hooking::Inline Hooking", - "B0009.036": "Virtual Machine Detection::Instruction Testing - RDTSC", - "B0006.004": "Memory Dump Evasion::SizeOfImage", - "B0003.005": "Dynamic Analysis Evasion::Drop Code", - "B0006.008": "Memory Dump Evasion::Feed Misinformation", - "B0009.010": "Virtual Machine Detection::Guest Process Testing", - "B0002.020": "Debugger Evasion::Relocate API Code", - "B0006": "Memory Dump Evasion", - "B0001.016": "Debugger Detection::OutputDebugString", - "B0002.011": "Debugger Evasion::Inlining", - "B0009.012": "Virtual Machine Detection::Human User Check", - "B0002.012": "Debugger Evasion::Loop Escapes", - "F0001.013": "Software Packing::ASPack", - "B0009.013": "Virtual Machine Detection::Modern Specs Check", - "F0001.008": "Software Packing::UPX", - "B0001.029": "Debugger Detection::TLS Callbacks", - "F0001.012": "Software Packing::Armadillo", - "F0003.001": "Hooking::Patch MmGetPhysicalMemoryRanges", - "B0001.014": "Debugger Detection::NtSetInformationThread", - "B0001.025": "Debugger Detection::Software Breakpoints", - "B0003.009": "Dynamic Analysis Evasion::Illusion", - "B0008.001": "Executable Code Virtualization::Multiple VMs", - "B0001.011": "Debugger Detection::Monitoring Thread", - "B0002.022": "Debugger Evasion::RtlAdjustPrivilege", - "B0001.013": "Debugger Detection::NtQueryObject", - "B0009.018": "Virtual Machine Detection::Modern Specs Check - Processor count", - "E1480": "Execution Guardrails", - "B0001": "Debugger Detection", - "B0002.015": "Debugger Evasion::Nanomites", - "B0002.024": "Debugger 
Evasion::Self-Debugging", - "B0004.002": "Emulator Detection::Check for WINE Version", - "B0001.015": "Debugger Detection::NtYieldExecution/SwitchToThread", - "B0009.005": "Virtual Machine Detection::Check Registry Keys", - "B0001.006": "Debugger Detection::Interrupt 0x2d", - "B0009.011": "Virtual Machine Detection::HTML5 Performance Object Check", - "B0001.018": "Debugger Detection::Parent Process", - "B0009.008": "Virtual Machine Detection::Check Virtual Devices", - "B0009.022": "Virtual Machine Detection::Check Windows - Title bars", - "B0009.023": "Virtual Machine Detection::Unique Hardware/Firmware Check", - "B0004.001": "Emulator Detection::Check for Emulator-related Files", - "B0001.036": "Debugger Detection::Process Environment Block NtGlobalFlag", - "B0009.026": "Virtual Machine Detection::Unique Hardware/Firmware Check - CPU Name", - "B0007.002": "Sandbox Detection::Check Files", - "F0001.006": "Software Packing::Custom Compression of Code", - "B0003.007": "Dynamic Analysis Evasion::Hook File System", - "B0009.032": "Virtual Machine Detection::Instruction Testing - SMSW", - "F0003.002": "Hooking::Hook memory mapping APIs", - "B0009.007": "Virtual Machine Detection::Check Software", - "B0001.026": "Debugger Detection::Stack Canary", - "B0009.020": "Virtual Machine Detection::Check Windows - Window size", - "E1480.m04": "Execution Guardrails::Host Fingerprint Check", - "B0006.005": "Memory Dump Evasion::Tampering", - "B0001.034": "Debugger Detection::Anti-debugging Instructions", - "B0007.008": "Sandbox Detection::Timing/Date Check", - "B0001.030": "Debugger Detection::UnhandledExceptionFilter", - "B0002.026": "Debugger Evasion::Static Linking", - "B0001.002": "Debugger Detection::CheckRemoteDebuggerPresent", - "B0002.004": "Debugger Evasion::Change SizeOfImage", - "B0009.017": "Virtual Machine Detection::Modern Specs Check - Printer", - "B0002.006": "Debugger Evasion::Exception Misdirection", - "B0009.021": "Virtual Machine Detection::Check Windows - 
Unique windows", - "B0003.008": "Dynamic Analysis Evasion::Hook Interrupt", - "F0001.001": "Software Packing::Nested Packing", - "B0001.007": "Debugger Detection::Interrupt 1", - "B0001.032": "Debugger Detection::Timing/Delay Check GetTickCount", - "B0001.031": "Debugger Detection::WudfIsAnyDebuggerPresent", - "B0009.038": "Virtual Machine Detection::Instruction Testing - VPCEXT", - "B0002": "Debugger Evasion", - "B0009.024": "Virtual Machine Detection::Unique Hardware/Firmware Check - BIOS", - "B0003.006": "Dynamic Analysis Evasion::Encode File", - "B0006.007": "Memory Dump Evasion::On-the-Fly APIs", - "B0009.019": "Virtual Machine Detection::Modern Specs Check - Keyboard layout", - "B0009.033": "Virtual Machine Detection::Instruction Testing - STR", - "E1480.m01": "Execution Guardrails::Deposited Keys", - "F0003": "Hooking", - "E1480.m02": "Execution Guardrails::Environmental Keys", - "B0009.001": "Virtual Machine Detection::Check File and Directory Artifacts", - "F0003.004": "Hooking::Import Address Hooking (IAT) Hooking", - "B0002.014": "Debugger Evasion::Modify PE Header", - "B0003.001": "Dynamic Analysis Evasion::Alternative ntdll.dll", - "B0002.003": "Debugger Evasion::Byte Stealing", - "B0009.035": "Virtual Machine Detection::Instruction Testing - IN", - "B0009.030": "Virtual Machine Detection::Instruction Testing - SIDT (red pill)", - "B0001.021": "Debugger Detection::ProcessHeap", - "B0007.007": "Sandbox Detection::Self Check", - "B0002.027": "Debugger Evasion::Stolen API Code", - "B0004.003": "Emulator Detection::Check Emulator-related Registry Keys", - "B0009.029": "Virtual Machine Detection::Instruction Testing", - "B0002.017": "Debugger Evasion::Parallel Threads", - "B0005.002": "Emulator Evasion::Undocumented Opcodes", - "F0001.005": "Software Packing::Custom Compression", - "B0002.021": "Debugger Evasion::Return Obfuscation", - "B0009.027": "Virtual Machine Detection::Unique Hardware/Firmware Check - CPU Location", - "B0006.003": "Memory Dump 
Evasion::Hide virtual memory", - "B0001.009": "Debugger Detection::Memory Breakpoints", - "B0001.010": "Debugger Detection::Memory Write Watching", - "B0036.003": "Capture Evasion::Multiple Stages of Loaders", - "B0003.004": "Dynamic Analysis Evasion::Demo Mode", - "B0004.004": "Emulator Detection::Failed Network Connections", - "B0001.008": "Debugger Detection::IsDebuggerPresent", - "B0001.033": "Debugger Detection::Timing/Delay Check QueryPerformanceCounter", - "F0001.009": "Software Packing::Confuser", - "B0002.019": "Debugger Evasion::Pre-Debug", - "F0001": "Software Packing", - "B0001.020": "Debugger Detection::Process Jobs" - }, - "Anti-Static Analysis": { - "B0032.004": "Executable Code Obfuscation::Fake Code Insertion", - "B0032.009": "Executable Code Obfuscation::Entry Point Obfuscation", - "B0032.014": "Executable Code Obfuscation::Interleaving Code", - "F0001.010": "Software Packing::VMProtect", - "B0032.001": "Executable Code Obfuscation::API Hashing", - "B0032.017": "Executable Code Obfuscation::Stack Strings", - "B0032.006": "Executable Code Obfuscation::Thunk Code Insertion", - "B0032.002": "Executable Code Obfuscation::Code Insertion", - "B0034.002": "Executable Code Optimization::Minification", - "F0001.011": "Software Packing::Themida", - "B0032.010": "Executable Code Obfuscation::Guard Pages", - "B0032.013": "Executable Code Obfuscation::Instruction Overlap", - "B0032.015": "Executable Code Obfuscation::Merged Code Sections", - "F0001.002": "Software Packing::Standard Compression", - "B0032.003": "Executable Code Obfuscation::Dead Code Insertion", - "B0008": "Executable Code Virtualization", - "F0001.007": "Software Packing::Custom Compression of Data", - "B0012": "Disassembler Evasion", - "B0010.002": "Call Graph Generation Evasion::Invoke NTDLL System Calls via Encoded Table", - "B0012.002": "Disassembler Evasion::Conditional Misdirection", - "F0001.004": "Software Packing::Standard Compression of Data", - "F0001.003": "Software 
Packing::Standard Compression of Code", - "B0032.007": "Executable Code Obfuscation::Junk Code Insertion", - "B0032.008": "Executable Code Obfuscation::Data Value Obfuscation", - "B0012.003": "Disassembler Evasion::Value Dependent Jumps", - "B0012.005": "Disassembler Evasion::VBA Stomping", - "B0012.001": "Disassembler Evasion::Argument Obfuscation", - "E1027.m08": "Obfuscated Files or Information::Encryption-Custom Algorithm", - "F0001.013": "Software Packing::ASPack", - "F0001.008": "Software Packing::UPX", - "F0001.012": "Software Packing::Armadillo", - "B0008.001": "Executable Code Virtualization::Multiple VMs", - "B0032": "Executable Code Obfuscation", - "E1027.m03": "Obfuscated Files or Information::Encoding-Custom Algorithm", - "B0032.012": "Executable Code Obfuscation::Import Compression", - "F0001.006": "Software Packing::Custom Compression of Code", - "E1027": "Obfuscated Files or Information", - "B0032.016": "Executable Code Obfuscation::Structured Exception Handling (SEH)", - "B0032.005": "Executable Code Obfuscation::Jump Insertion", - "E1027.m05": "Obfuscated Files or Information::Encryption-Standard Algorithm", - "B0010.001": "Call Graph Generation Evasion::Two-layer Function Return", - "F0001.001": "Software Packing::Nested Packing", - "B0034": "Executable Code Optimization", - "B0010": "Call Graph Generation Evasion", - "B0032.011": "Executable Code Obfuscation::Import Address Table Obfuscation", - "B0034.001": "Executable Code Optimization::Jump/Call Absolute Address", - "B0012.004": "Disassembler Evasion::Variable Recomposition", - "E1027.m06": "Obfuscated Files or Information::Encryption of Code", - "F0001.005": "Software Packing::Custom Compression", - "B0032.018": "Executable Code Obfuscation::Symbol Obfuscation", - "E1027.m02": "Obfuscated Files or Information::Encoding-Standard Algorithm", - "E1027.m07": "Obfuscated Files or Information::Encryption of Data", - "F0001.009": "Software Packing::Confuser", - "F0001": "Software Packing" - }, - 
"Collection": { - "F0003.003": "Hooking::Hook procedures", - "E1056": "Input Capture", - "F0002.001": "Keylogging::Application Hook", - "E1056.m01": "Input Capture::Mouse Events", - "B0028.002": "Cryptocurrency::Ethereum", - "F0003.005": "Hooking::Inline Hooking", - "F0002": "Keylogging", - "F0003.001": "Hooking::Patch MmGetPhysicalMemoryRanges", - "B0028": "Cryptocurrency", - "F0002.002": "Keylogging::Polling", - "F0003.002": "Hooking::Hook memory mapping APIs", - "F0003": "Hooking", - "F0003.004": "Hooking::Import Address Hooking (IAT) Hooking", - "E1113.m01": "Screen Capture::WinAPI", - "E1113": "Screen Capture", - "B0028.001": "Cryptocurrency::Bitcoin", - "B0028.003": "Cryptocurrency::Zcash" - }, - "Command and Control": { - "B0030.001": "C2 Communication::Send Data", - "B0030.010": "C2 Communication::Request Email Address List", - "B0030": "C2 Communication", - "B0030.005": "C2 Communication::Check for Payload", - "B0030.008": "C2 Communication::Request Command", - "B0031": "Domain Name Generation", - "B0030.002": "C2 Communication::Receive Data", - "B0030.007": "C2 Communication::Send Heartbeat", - "E1105": "Remote File Copy", - "B0030.009": "C2 Communication::Request Email Template", - "B0030.004": "C2 Communication::Client to Server File Transfer", - "B0030.003": "C2 Communication::Server to Client File Transfer", - "B0030.006": "C2 Communication::Send System Information" - }, - "Credential Access": { - "F0003.003": "Hooking::Hook procedures", - "E1056": "Input Capture", - "F0002.001": "Keylogging::Application Hook", - "E1056.m01": "Input Capture::Mouse Events", - "B0028.002": "Cryptocurrency::Ethereum", - "F0003.005": "Hooking::Inline Hooking", - "F0002": "Keylogging", - "F0003.001": "Hooking::Patch MmGetPhysicalMemoryRanges", - "B0028": "Cryptocurrency", - "F0002.002": "Keylogging::Polling", - "F0003.002": "Hooking::Hook memory mapping APIs", - "F0003": "Hooking", - "F0003.004": "Hooking::Import Address Hooking (IAT) Hooking", - "E1113.m01": "Screen 
Capture::WinAPI", - "E1113": "Screen Capture", - "B0028.001": "Cryptocurrency::Bitcoin", - "B0028.003": "Cryptocurrency::Zcash" - }, - "Defense Evasion": { - "F0009.001": "Component Firmware::Router Firmware", - "E1014.m05": "Rootkit::Hide Userspace Libraries", - "F0003.003": "Hooking::Hook procedures", - "F0004.007": "Disable or Evade Security Tools::Bypass Windows File Protection", - "F0001.010": "Software Packing::VMProtect", - "E1480.m07": "Execution Guardrails::Runs as Service", - "F0005.002": "Hidden Files and Directories::Location", - "E1014.m04": "Rootkit::Hide Threads", - "E1014.m06": "Rootkit::Prevent API Unhooking", - "F0004.008": "Disable or Evade Security Tools::Heavens Gate", - "B0040.001": "Covert Location::Hide Data in Registry", - "F0005": "Hidden Files and Directories", - "E1055": "Process Injection", - "E1480.m06": "Execution Guardrails::Token Check", - "B0029.001": "Polymorphic Code::Packer Stub", - "E1480.m05": "Execution Guardrails::Secure Triggers", - "F0001.011": "Software Packing::Themida", - "F0007.001": "Self Deletion::COMSPEC Environment Variable", - "F0001.002": "Software Packing::Standard Compression", - "E1014.m11": "Rootkit::Prevent Memory Access", - "F0013": "Bootkit", - "F0004.004": "Disable or Evade Security Tools::AMSI Bypass", - "F0001.007": "Software Packing::Custom Compression of Data", - "B0029.002": "Polymorphic Code::Call Indirections", - "E1480.m03": "Execution Guardrails::GetVolumeInformation", - "F0001.004": "Software Packing::Standard Compression of Data", - "F0001.003": "Software Packing::Standard Compression of Code", - "E1478": "Install Insecure or Malicious Configuration", - "E1014.m09": "Rootkit::Prevent File Access", - "B0040.002": "Covert Location::Steganography", - "F0009": "Component Firmware", - "B0027.002": "Alternative Installation Location::Registry Install", - "F0003.005": "Hooking::Inline Hooking", - "E1014.m07": "Rootkit::Prevent Registry Access", - "B0037": "Bypass Data Execution Prevention", - 
"B0029.003": "Polymorphic Code::Code Reordering", - "E1027.m08": "Obfuscated Files or Information::Encryption-Custom Algorithm", - "F0007": "Self Deletion", - "B0027": "Alternative Installation Location", - "F0001.013": "Software Packing::ASPack", - "F0001.008": "Software Packing::UPX", - "F0001.012": "Software Packing::Armadillo", - "E1014.m08": "Rootkit::Prevent Registry Deletion", - "F0003.001": "Hooking::Patch MmGetPhysicalMemoryRanges", - "E1027.m03": "Obfuscated Files or Information::Encoding-Custom Algorithm", - "E1480": "Execution Guardrails", - "F0004.002": "Disable or Evade Security Tools::Disable System File Overwrite Protection", - "F0005.004": "Hidden Files and Directories::Timestamp", - "E1014.m10": "Rootkit::Prevent File Deletion", - "F0005.001": "Hidden Files and Directories::Extension", - "F0001.006": "Software Packing::Custom Compression of Code", - "E1014.m02": "Rootkit::Hide Services", - "F0003.002": "Hooking::Hook memory mapping APIs", - "E1055.m02": "Process Injection::Injection and Persistence via Registry Modification", - "E1480.m04": "Execution Guardrails::Host Fingerprint Check", - "F0004.001": "Disable or Evade Security Tools::Disable Kernel Patch Protection", - "B0027.001": "Alternative Installation Location::Fileless Malware", - "F0004.006": "Disable or Evade Security Tools::Force Lazy Writing", - "E1055.m03": "Process Injection::Injection using Shims", - "E1027": "Obfuscated Files or Information", - "E1014.m12": "Rootkit::Prevent Native API Hooking", - "B0037.001": "Bypass Data Execution Prevention::ROP Chains", - "E1027.m05": "Obfuscated Files or Information::Encryption-Standard Algorithm", - "F0001.001": "Software Packing::Nested Packing", - "E1014": "Rootkit", - "F0004.005": "Disable or Evade Security Tools::Modify Policy", - "E1014.m01": "Rootkit::Hide Kernel Modules", - "E1480.m01": "Execution Guardrails::Deposited Keys", - "E1112": "Modify Registry", - "F0003": "Hooking", - "E1480.m02": "Execution Guardrails::Environmental Keys", 
- "F0003.004": "Hooking::Import Address Hooking (IAT) Hooking", - "F0004.003": "Disable or Evade Security Tools::Unhook APIs", - "F0005.003": "Hidden Files and Directories::Attribute", - "E1027.m06": "Obfuscated Files or Information::Encryption of Code", - "F0006": "Indicator Blocking", - "F0001.005": "Software Packing::Custom Compression", - "E1055.m01": "Process Injection::Hook Injection via SetWindowsHooksEx", - "B0040": "Covert Location", - "E1027.m02": "Obfuscated Files or Information::Encoding-Standard Algorithm", - "F0006.001": "Indicator Blocking::Remove SMS Warning Messages", - "B0029": "Polymorphic Code", - "F0004": "Disable or Evade Security Tools", - "E1027.m07": "Obfuscated Files or Information::Encryption of Data", - "F0001.009": "Software Packing::Confuser", - "F0001": "Software Packing" - }, - "Discovery": { - "E1010": "Application Window Discovery", - "B0043": "Taskbar Discovery", - "B0013.007": "Analysis Tool Discovery::Process detection - Sandboxes", - "B0013.001": "Analysis Tool Discovery::Process detection", - "B0013.009": "Analysis Tool Discovery::Known Window", - "B0013.003": "Analysis Tool Discovery::Process detection - SysInternals Suite Tools", - "B0013.006": "Analysis Tool Discovery::Process detection - PE Utilities", - "B0013.005": "Analysis Tool Discovery::Process detection - Process Utilities", - "B0013": "Analysis Tool Discovery", - "E1083.m01": "File and Directory Discovery::Log File", - "B0013.002": "Analysis Tool Discovery::Process detection - Debuggers", - "B0013.004": "Analysis Tool Discovery::Process detection - PCAP Utilities", - "B0014": "SMTP Connection Discovery", - "E1010.m01": "Application Window Discovery::Window Text", - "E1082": "System Information Discovery", - "E1083": "File and Directory Discovery", - "B0013.008": "Analysis Tool Discovery::Known File Location", - "B0038": "Self Discovery", - "E1082.m01": "System Information Discovery::Generate Windows Exception" - }, - "Execution": { - "E1203.m05": "Exploitation for 
Client Execution::Sysinternals", - "E1203.m06": "Exploitation for Client Execution::Windows Utilities", - "B0020": "Send Email", - "B0011.007": "Remote Commands::Upload File", - "E1203.m01": "Exploitation for Client Execution::Remote Desktop Protocols (RDP)", - "B0011.005": "Remote Commands::Sleep", - "B0021": "Send Poisoned Text Message", - "E1203.m02": "Exploitation for Client Execution::Java-based Web Servers", - "B0024": "Prevent Concurrent Execution", - "B0011.006": "Remote Commands::Uninstall", - "B0011.003": "Remote Commands::Execute", - "E1203.m03": "Exploitation for Client Execution::File Transfer Protocol (FTP) Servers", - "B0011.004": "Remote Commands::Shutdown", - "B0011": "Remote Commands", - "E1203": "Exploitation for Client Execution", - "E1204": "User Interaction", - "E1059": "Command and Scripting Interpreter", - "B0025": "Conditional Execution", - "B0011.002": "Remote Commands::Download File", - "B0023": "Install Additional Program", - "E1203.m04": "Exploitation for Client Execution::Red Hat JBoss Enterprise Products", - "B0025.001": "Conditional Execution::Suicide Exit" - }, - "Exfiltration": { - "E1560": "Archive Collected Data", - "E1560.m04": "Archive Collected Data::Encoding - Custom Encoding", - "E1020": "Automated Exfiltration", - "E1560.m06": "Archive Collected Data::Encryption - Custom Encryption", - "E1560.m05": "Archive Collected Data::Encryption - Standard Encryption", - "E1020.m01": "Automated Exfiltration::Exfiltrate via File Hosting Service", - "E1560.m03": "Archive Collected Data::Encoding - Standard Encoding", - "E1560.m02": "Archive Collected Data::Encryption", - "E1560.m01": "Archive Collected Data::Encoding" - }, - "Impact": { - "F0009.001": "Component Firmware::Router Firmware", - "B0017": "Destroy Hardware", - "E1203.m05": "Exploitation for Client Execution::Sysinternals", - "E1203.m06": "Exploitation for Client Execution::Windows Utilities", - "E1190": "Exploit Kit Behavior", - "F0014": "Disk Content Wipe", - "E1485": "Data 
Destruction", - "E1486": "Data Encrypted for Impact", - "F0014.001": "Disk Content Wipe::Delete Shadow Drive", - "E1203.m01": "Exploitation for Client Execution::Remote Desktop Protocols (RDP)", - "B0019": "Manipulate Network Traffic", - "E1203.m02": "Exploitation for Client Execution::Java-based Web Servers", - "E1485.m03": "Data Destruction::Delete Application/Software", - "F0009": "Component Firmware", - "E1203.m03": "Exploitation for Client Execution::File Transfer Protocol (FTP) Servers", - "E1472.m02": "Generate Fraudulent Advertising Revenue::Advertisement Replacement Fraud", - "E1203": "Exploitation for Client Execution", - "B0039": "Spamming", - "B0042": "Modify Hardware", - "B0018.002": "Resource Hijacking::Cryptojacking", - "B0042.003": "Modify Hardware::Printer", - "B0022.001": "Remote Access::Reverse Shell", - "B0018.001": "Resource Hijacking::Password Cracking", - "E1485.m02": "Data Destruction::Empty Recycle Bin", - "B0033": "Denial of Service", - "B0016": "Compromise Data Integrity", - "E1472.m01": "Generate Fraudulent Advertising Revenue::Click Hijacking", - "B0022": "Remote Access", - "B0042.001": "Modify Hardware::CDROM", - "B0042.002": "Modify Hardware::Mouse", - "E1510": "Clipboard Modification", - "E1203.m04": "Exploitation for Client Execution::Red Hat JBoss Enterprise Products", - "B0018": "Resource Hijacking", - "E1472": "Generate Fraudulent Advertising Revenue" - }, - "Lateral Movement": { - "E1195.m02": "Supply Chain Compromise::Exploit Private APIs", - "B0020": "Send Email", - "E1195": "Supply Chain Compromise", - "B0026": "Malicious Network Driver", - "B0021": "Send Poisoned Text Message", - "E1105": "Remote File Copy", - "E1195.m01": "Supply Chain Compromise::Abuse Enterprise Certificates" - }, - "Persistence": { - "F0009.001": "Component Firmware::Router Firmware", - "F0003.003": "Hooking::Hook procedures", - "F0005.002": "Hidden Files and Directories::Location", - "F0005": "Hidden Files and Directories", - "F0012": "Registry Run Keys 
/ Startup Folder", - "B0026": "Malicious Network Driver", - "F0013": "Bootkit", - "F0011": "Modify Existing Service", - "E1478": "Install Insecure or Malicious Configuration", - "F0009": "Component Firmware", - "F0003.005": "Hooking::Inline Hooking", - "F0003.001": "Hooking::Patch MmGetPhysicalMemoryRanges", - "E1105": "Remote File Copy", - "B0022.001": "Remote Access::Reverse Shell", - "F0005.004": "Hidden Files and Directories::Timestamp", - "F0005.001": "Hidden Files and Directories::Extension", - "B0035": "Shutdown Event", - "F0003.002": "Hooking::Hook memory mapping APIs", - "F0010.001": "Kernel Modules and Extensions::Device Driver", - "B0022": "Remote Access", - "E1112": "Modify Registry", - "F0010": "Kernel Modules and Extensions", - "F0003": "Hooking", - "F0003.004": "Hooking::Import Address Hooking (IAT) Hooking", - "F0005.003": "Hidden Files and Directories::Attribute" - }, - "Privilege Escalation": { - "F0003.003": "Hooking::Hook procedures", - "E1055": "Process Injection", - "F0011": "Modify Existing Service", - "F0003.005": "Hooking::Inline Hooking", - "F0003.001": "Hooking::Patch MmGetPhysicalMemoryRanges", - "F0003.002": "Hooking::Hook memory mapping APIs", - "E1055.m02": "Process Injection::Injection and Persistence via Registry Modification", - "E1055.m03": "Process Injection::Injection using Shims", - "F0010.001": "Kernel Modules and Extensions::Device Driver", - "F0010": "Kernel Modules and Extensions", - "F0003": "Hooking", - "F0003.004": "Hooking::Import Address Hooking (IAT) Hooking", - "E1055.m01": "Process Injection::Hook Injection via SetWindowsHooksEx" - }, - "Communication": { - "C0005.002": "WinINet::InternetOpen", - "C0012.002": "SMTP Communication::Request", - "C0011.005": "DNS Communication::Resolve Free Hosting Domain", - "C0003.004": "Interprocess Communication::Write Pipe", - "C0002.012": "HTTP Communication::Create Request", - "C0002.013": "HTTP Communication::Set Header", - "C0002.001": "HTTP Communication::Server", - 
"C0002.002": "HTTP Communication::Client", - "C0014.001": "ICMP Communication::Generate Traffic", - "C0001.017": "Socket Communication::Receive UDP Data", - "C0002.015": "HTTP Communication::Receive Request", - "C0011": "DNS Communication", - "C0002.008": "HTTP Communication::WinHTTP", - "C0002.018": "HTTP Communication::Start Server", - "C0002.011": "HTTP Communication::Extract Body", - "C0012.001": "SMTP Communication::Server Connect", - "C0001.008": "Socket Communication::TCP Client", - "C0002.004": "HTTP Communication::Open URL", - "C0002.006": "HTTP Communication::Download URL", - "C0012": "SMTP Communication", - "C0011.002": "DNS Communication::Server Connect", - "C0001.014": "Socket Communication::Send TCP Data", - "C0002.009": "HTTP Communication::Connect to Server", - "C0005.004": "WinINet::InternetReadFile", - "C0002.003": "HTTP Communication::Send Request", - "C0002.005": "HTTP Communication::Send Data", - "C0004": "FTP Communication", - "C0001.012": "Socket Communication::Get Socket Status", - "C0002.017": "HTTP Communication::Get Response", - "C0001.011": "Socket Communication::Create TCP Socket", - "C0001": "Socket Communication", - "C0005": "WinINet", - "C0002.014": "HTTP Communication::Read Header", - "C0001.003": "Socket Communication::Create Socket", - "C0014.002": "ICMP Communication::Echo Request", - "C0002.016": "HTTP Communication::Send Response", - "C0001.005": "Socket Communication::Start TCP Server", - "C0005.001": "WinINet::InternetConnect", - "C0001.007": "Socket Communication::Send Data", - "C0001.009": "Socket Communication::Initialize Winsock Library", - "C0001.013": "Socket Communication::UDP Client", - "C0001.010": "Socket Communication::Create UDP Socket", - "C0001.015": "Socket Communication::Send UDP Data", - "C0002.007": "HTTP Communication::WinINet", - "C0005.003": "WinINet::InternetOpenURL", - "C0004.001": "FTP Communication::Send File", - "C0003.002": "Interprocess Communication::Connect Pipe", - "C0001.002": "Socket 
Communication::TCP Server",
- "C0001.016": "Socket Communication::Receive TCP Data",
- "C0001.006": "Socket Communication::Receive Data",
- "C0001.004": "Socket Communication::Connect Socket",
- "C0003.003": "Interprocess Communication::Read Pipe",
- "C0002": "HTTP Communication",
- "C0014": "ICMP Communication",
- "C0011.001": "DNS Communication::Resolve",
- "C0003": "Interprocess Communication",
- "C0002.010": "HTTP Communication::IWebBrowser",
- "C0011.004": "DNS Communication::Resolve TLD",
- "C0001.001": "Socket Communication::Set Socket Config",
- "C0005.005": "WinINet::InternetWriteFile",
- "C0011.003": "DNS Communication::DDNS Domain Connect",
- "C0003.001": "Interprocess Communication::Create Pipe",
- "C0004.002": "FTP Communication::WinINet"
- },
- "Data": {
- "C0030.005": "Non-Cryptographic Hash::FNV",
- "C0026.001": "Encode Data::Base64",
- "C0053.002": "Decode Data::XOR",
- "C0020": "Use Constant",
- "C0030.003": "Non-Cryptographic Hash::Fast-Hash",
- "C0024.002": "Compress Data::IEncodingFilterFactory",
- "C0025.002": "Decompress Data::IEncodingFilterFactory",
- "C0032.004": "Checksum::Verhoeff",
- "C0032.005": "Checksum::Adler",
- "C0025.001": "Decompress Data::QuickLZ",
- "C0060": "Compression Library",
- "C0032": "Checksum",
- "C0024.001": "Compress Data::QuickLZ",
- "C0026.002": "Encode Data::XOR",
- "C0030": "Non-Cryptographic Hash",
- "C0032.001": "Checksum::CRC32",
- "C0053": "Decode Data",
- "C0053.001": "Decode Data::Base64",
- "C0019": "Check String",
- "C0030.004": "Non-Cryptographic Hash::dhash",
- "C0026": "Encode Data",
- "C0032.003": "Checksum::BSD",
- "C0030.002": "Non-Cryptographic Hash::pHash",
- "C0030.001": "Non-Cryptographic Hash::MurmurHash",
- "C0032.002": "Checksum::Luhn",
- "C0058": "Modulo",
- "C0024": "Compress Data",
- "C0025": "Decompress Data"
- },
- "Hardware": {
- "C0057": "Simulate Hardware",
- "C0057.001": "Simulate Hardware::Ctrl-Alt-Del",
- "C0023": "Load Driver",
- "C0037": "Install Driver",
- "C0057.002": 
"Simulate Hardware::Mouse Click"
- },
- "File System": {
- "C0016.001": "Create File::Create Office Document",
- "C0052": "Writes File",
- "C0049": "Get File Attributes",
- "C0046": "Create Directory",
- "C0015": "Alter File Extension",
- "C0050": "Set File Attributes",
- "C0016": "Create File",
- "C0056": "Read Virtual Disk",
- "C0051": "Read File",
- "C0015.001": "Alter File Extension::Append Extension",
- "C0045": "Copy File",
- "C0016.002": "Create File::Create Ransomware File",
- "C0047": "Delete File",
- "C0048": "Delete Directory"
- },
- "Cryptography": {
- "C0027.002": "Encrypt Data::Blowfish",
- "C0027.014": "Encrypt Data::Block Cipher",
- "C0031.006": "Decrypt Data::HC-128",
- "C0031": "Decrypt Data",
- "C0029": "Cryptographic Hash",
- "C0027.010": "Encrypt Data::RC6",
- "C0027.001": "Encrypt Data::AES",
- "C0021": "Generate Pseudo-random Sequence",
- "C0027": "Encrypt Data",
- "C0031.008": "Decrypt Data::RC4",
- "C0021.001": "Generate Pseudo-random Sequence::GetTickCount",
- "C0031.001": "Decrypt Data::AES",
- "C0028.001": "Encryption Key::Import Public Key",
- "C0027.003": "Encrypt Data::Camellia",
- "C0029.002": "Cryptographic Hash::SHA1",
- "C0028.002": "Encryption Key::RC4 KSA",
- "C0027.006": "Encrypt Data::HC-128",
- "C0031.002": "Decrypt Data::Block Cipher",
- "C0027.008": "Encrypt Data::Sosemanuk",
- "C0028": "Encryption Key",
- "C0029.004": "Cryptographic Hash::SHA224",
- "C0031.013": "Decrypt Data::Stream Cipher",
- "C0031.011": "Decrypt Data::Skipjack",
- "C0021.004": "Generate Pseudo-random Sequence::RC4 PRGA",
- "C0029.001": "Cryptographic Hash::MD5",
- "C0029.003": "Cryptographic Hash::SHA256",
- "C0031.014": "Decrypt Data::Twofish",
- "C0029.006": "Cryptographic Hash::Snefru",
- "C0031.003": "Decrypt Data::Blowfish",
- "C0027.011": "Encrypt Data::RSA",
- "C0031.005": "Decrypt Data::3DES",
- "C0031.004": "Decrypt Data::Camellia",
- "C0027.012": "Encrypt Data::Stream Cipher",
- "C0027.007": "Encrypt Data::HC-256",
- "C0027.004": "Encrypt 
Data::3DES",
- "C0021.005": "Generate Pseudo-random Sequence::Mersenne Twister",
- "C0059": "Crypto Library",
- "C0029.005": "Cryptographic Hash::Tiger",
- "C0031.010": "Decrypt Data::RSA",
- "C0031.012": "Decrypt Data::Sosemanuk",
- "C0021.003": "Generate Pseudo-random Sequence::Use API",
- "C0027.013": "Encrypt Data::Skipjack",
- "C0031.007": "Decrypt Data::HC-256",
- "C0027.005": "Encrypt Data::Twofish",
- "C0021.002": "Generate Pseudo-random Sequence::rand",
- "C0027.009": "Encrypt Data::RC4",
- "C0031.009": "Decrypt Data::RC6"
- },
- "Process": {
- "C0018": "Terminate Process",
- "C0055": "Suspend Thread",
- "C0017": "Create Process",
- "C0017.002": "Create Process::Create Process via WMI",
- "C0017.001": "Create Process::Create Process via Shellcode",
- "C0038": "Create Thread",
- "C0039": "Terminate Thread",
- "C0043": "Check Mutex",
- "C0041": "Set Thread Local Storage Value",
- "C0022.001": "Synchronization::Create Mutex",
- "C0017.003": "Create Process::Create Suspended Process",
- "C0042": "Create Mutex",
- "C0022": "Synchronization",
- "C0054": "Resume Thread",
- "C0040": "Allocate Thread Local Storage"
- },
- "Memory": {
- "C0010": "Overflow Buffer",
- "C0008": "Change Memory Protection",
- "C0006": "Heap Spray",
- "C0007": "Allocate Memory",
- "C0008.002": "Change Memory Protection::Executable Heap",
- "C0008.001": "Change Memory Protection::Executable Stack",
- "C0009": "Stack Pivot",
- "C0044": "Free Memory"
- },
- "Operating System": {
- "C0036.006": "Registry::Query Registry Value",
- "C0035": "Wallpaper",
- "C0034.001": "Environment Variable::Set Variable",
- "C0036.002": "Registry::Delete Registry Key",
- "C0036.001": "Registry::Set Registry Key",
- "C0036.007": "Registry::Delete Registry Value",
- "C0036.003": "Registry::Open Registry Key",
- "C0036.005": "Registry::Query Registry Key",
- "C0033": "Console",
- "C0034": "Environment Variable",
- "C0036": "Registry",
- "C0036.004": "Registry::Create Registry Key"
- }
- }
- }
\ No newline at end of 
file
