diff --git a/scripts/lint.py b/scripts/lint.py
index 49ad6e5c..3cd2686e 100644
--- a/scripts/lint.py
+++ b/scripts/lint.py
@@ -247,7 +247,7 @@ class InvalidAttckOrMbcTechnique(Lint):
 self.enabled_frameworks = []
 # This regex matches the format defined in the recommendation attribute
- self.reg = re.compile("^([a-zA-Z| ]+)::(.*) \[([A-Za-z0-9.]+)\]$")
+ self.reg = re.compile("^([\w\s-]+)::(.+) \[([A-Za-z0-9.]+)\]$")
 def _entry_check(self, framework, category, entry, eid):
 if category not in self.data[framework].keys():
diff --git a/scripts/linter-data.json b/scripts/linter-data.json
index b2b6e797..bbf448d4 100644
--- a/scripts/linter-data.json
+++ b/scripts/linter-data.json
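Review bot: The new pattern on the `+` line is a plain (non-raw) string containing `\w`, `\s`, `\[` and `\]`; Python keeps the backslashes so the regex still works, but these are invalid string escapes and the interpreter warns about them (DeprecationWarning, SyntaxWarning on newer releases), and the old line already had the same problem with `\[`/`\]`. Use a raw string so the pattern is unambiguous: `self.reg = re.compile(r"^([\w\s-]+)::(.+) \[([A-Za-z0-9.]+)\]$")`. Also worth a one-line comment stating what the three groups are expected to capture, since `\w` and `\s` now admit underscores, digits and any whitespace in the first group, which looks broader than the category names needed for the hyphenated MBC objectives the commit is adding. The enclosing `__init__` starts outside the hunk.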
@@ -759,5 +759,822 @@ "T1529": "System Shutdown/Reboot", "T1565.002": "Data Manipulation::Transmitted Data Manipulation" } + }, + "mbc": { + "Anti-Behavioral Analysis": { + "B0007.009": "Sandbox Detection::Timing/Uptime Check", + "B0001.022": "Debugger Detection::RtlAdjustPrivilege", + "B0001.001": "Debugger Detection::API Hook Detection", + "B0007.005": "Sandbox Detection::Product Key/ID Testing", + "B0002.005": "Debugger Evasion::Code Integrity Check", + "B0001.035": "Debugger Detection::Process Environment Block BeingDebugged", + "B0007.004": "Sandbox Detection::Injected DLL Testing", + "B0005.003": "Emulator Evasion::Unusual/Undocumented API Calls", + "B0001.024": "Debugger Detection::SetHandleInformation", + "B0009.016": "Virtual Machine Detection::Modern Specs Check - USB drive", + "B0009.028": "Virtual Machine Detection::Unique Hardware/Firmware Check - MAC Address", + "B0009.014": "Virtual Machine Detection::Modern Specs Check - Total physical memory", + "B0002.010": "Debugger Evasion::Import Obfuscation", + "F0001.010": "Software Packing::VMProtect", + "B0001.003": "Debugger Detection::CloseHandle", + "B0006.006": "Memory Dump Evasion::Guard Pages", + "B0009.025": "Virtual Machine Detection::Unique Hardware/Firmware Check - I/O Communication Port", + "B0025.004": "Conditional Execution::Host Fingerprint Check", + "B0002.009": "Debugger Evasion::Hook Interrupt", + "B0004": "Emulator Detection", + "B0002.008": "Debugger Evasion::Guard Pages", + "B0009.006": "Virtual Machine Detection::Check Running Services", + "B0002.013": "Debugger Evasion::Malloc Use", + "F0003.006": "Hooking::Export Address Table (EAT) Hooking", + "B0009.015": "Virtual Machine Detection::Modern Specs Check - Drive size", + "B0001.017": "Debugger Detection::Page Exception Breakpoint Detection", + "B0009.004": "Virtual Machine Detection::Check Processes", + "B0001.012": "Debugger Detection::NtQueryInformationProcess", + "B0002.029": "Debugger Evasion::Thread Timeout", + "B0036.001": 
"Capture Evasion::Memory-only Payload", + "F0003.001": "Hooking::Import Address Table (IAT) Hooking", + "B0036": "Capture Evasion", + "B0002.028": "Debugger Evasion::Tampering", + "B0005.004": "Emulator Evasion::Extra Loops/Time Locks", + "B0009.009": "Virtual Machine Detection::Check Windows", + "F0003.005": "Hooking::Shadow SDT Hooking", + "B0007": "Sandbox Detection", + "B0009.037": "Virtual Machine Detection::Instruction Testing - VMCPUID", + "B0006.009": "Memory Dump Evasion::Flow Opcode Obstruction", + "B0002.001": "Debugger Evasion::Block Interrupts", + "B0006.002": "Memory Dump Evasion::Erase the PE header", + "B0009.034": "Virtual Machine Detection::Instruction Testing - CPUID", + "B0003": "Dynamic Analysis Evasion", + "B0007.001": "Sandbox Detection::Check Clipboard Data", + "B0001.037": "Debugger Detection::Process Environment Block IsDebugged", + "B0006.001": "Memory Dump Evasion::Code Encryption in Memory", + "F0001.011": "Software Packing::Themida", + "B0001.019": "Debugger Detection::Process Environment Block", + "B0002.025": "Debugger Evasion::Self-Unmapping", + "B0002.018": "Debugger Evasion::Pipeline Misdirection", + "B0002.030": "Debugger Evasion::Use Interrupts", + "B0002.023": "Debugger Evasion::Section Misalignment", + "F0001.002": "Software Packing::Standard Compression", + "B0005.001": "Emulator Evasion::Different Opcode Sets", + "B0009.003": "Virtual Machine Detection::Check Named System Objects", + "B0009.002": "Virtual Machine Detection::Check Memory Artifacts", + "B0003.003": "Dynamic Analysis Evasion::Delayed Execution", + "B0003.010": "Dynamic Analysis Evasion::Restart", + "B0002.002": "Debugger Evasion::Break Point Clearing", + "B0008": "Executable Code Virtualization", + "B0001.027": "Debugger Detection::TIB Aware", + "F0001.007": "Software Packing::Custom Compression of Data", + "B0001.004": "Debugger Detection::Debugger Artifacts", + "B0009.031": "Virtual Machine Detection::Instruction Testing - SGDT/SLDT (no pill)", + "B0036.002": 
"Capture Evasion::Encrypted Payloads", + "B0001.028": "Debugger Detection::Timing/Delay Check", + "F0001.004": "Software Packing::Standard Compression of Data", + "B0001.005": "Debugger Detection::Hardware Breakpoints", + "F0001.003": "Software Packing::Standard Compression of Code", + "F0003.002": "Hooking::Inline Patching", + "B0002.007": "Debugger Evasion::Get Base Indirectly", + "B0009": "Virtual Machine Detection", + "B0005": "Emulator Evasion", + "B0003.002": "Dynamic Analysis Evasion::Data Flood", + "B0001.023": "Debugger Detection::SeDebugPrivilege", + "B0002.016": "Debugger Evasion::Obfuscate Library Use", + "B0007.006": "Sandbox Detection::Screen Resolution Testing", + "B0009.036": "Virtual Machine Detection::Instruction Testing - RDTSC", + "B0006.004": "Memory Dump Evasion::SizeOfImage", + "B0003.005": "Dynamic Analysis Evasion::Drop Code", + "B0006.008": "Memory Dump Evasion::Feed Misinformation", + "B0009.010": "Virtual Machine Detection::Guest Process Testing", + "B0002.020": "Debugger Evasion::Relocate API Code", + "B0006": "Memory Dump Evasion", + "B0001.016": "Debugger Detection::OutputDebugString", + "B0002.011": "Debugger Evasion::Inlining", + "B0009.012": "Virtual Machine Detection::Human User Check", + "B0002.012": "Debugger Evasion::Loop Escapes", + "F0001.013": "Software Packing::ASPack", + "B0009.013": "Virtual Machine Detection::Modern Specs Check", + "F0001.008": "Software Packing::UPX", + "B0001.029": "Debugger Detection::TLS Callbacks", + "F0001.012": "Software Packing::Armadillo", + "B0001.014": "Debugger Detection::NtSetInformationThread", + "B0001.025": "Debugger Detection::Software Breakpoints", + "B0003.009": "Dynamic Analysis Evasion::Illusion", + "B0008.001": "Executable Code Virtualization::Multiple VMs", + "B0001.011": "Debugger Detection::Monitoring Thread", + "B0002.022": "Debugger Evasion::RtlAdjustPrivilege", + "F0003.004": "Hooking::System Service Dispatch Table Hooking", + "B0001.013": "Debugger Detection::NtQueryObject", 
+ "B0009.018": "Virtual Machine Detection::Modern Specs Check - Processor count", + "F0003.003": "Hooking::Procedure Hooking", + "B0001": "Debugger Detection", + "B0002.015": "Debugger Evasion::Nanomites", + "B0002.024": "Debugger Evasion::Self-Debugging", + "B0004.002": "Emulator Detection::Check for WINE Version", + "B0001.015": "Debugger Detection::NtYieldExecution/SwitchToThread", + "B0009.005": "Virtual Machine Detection::Check Registry Keys", + "B0001.006": "Debugger Detection::Interrupt 0x2d", + "B0009.011": "Virtual Machine Detection::HTML5 Performance Object Check", + "B0001.018": "Debugger Detection::Parent Process", + "B0009.008": "Virtual Machine Detection::Check Virtual Devices", + "B0009.022": "Virtual Machine Detection::Check Windows - Title bars", + "B0009.023": "Virtual Machine Detection::Unique Hardware/Firmware Check", + "B0004.001": "Emulator Detection::Check for Emulator-related Files", + "B0001.036": "Debugger Detection::Process Environment Block NtGlobalFlag", + "B0009.026": "Virtual Machine Detection::Unique Hardware/Firmware Check - CPU Name", + "B0007.002": "Sandbox Detection::Check Files", + "F0001.006": "Software Packing::Custom Compression of Code", + "B0003.007": "Dynamic Analysis Evasion::Hook File System", + "B0009.032": "Virtual Machine Detection::Instruction Testing - SMSW", + "B0006.010": "Memory Dump Evasion::Hook memory mapping APIs", + "B0009.007": "Virtual Machine Detection::Check Software", + "B0001.026": "Debugger Detection::Stack Canary", + "B0009.020": "Virtual Machine Detection::Check Windows - Window size", + "B0007.003": "Sandbox Detection::Human User Check", + "B0006.011": "Memory Dump Evasion::Patch MmGetPhysicalMemoryRanges", + "B0006.005": "Memory Dump Evasion::Tampering", + "B0001.034": "Debugger Detection::Anti-debugging Instructions", + "B0007.008": "Sandbox Detection::Timing/Date Check", + "B0001.030": "Debugger Detection::UnhandledExceptionFilter", + "B0002.026": "Debugger Evasion::Static Linking", + 
"B0001.002": "Debugger Detection::CheckRemoteDebuggerPresent", + "B0025": "Conditional Execution", + "B0002.004": "Debugger Evasion::Change SizeOfImage", + "B0009.017": "Virtual Machine Detection::Modern Specs Check - Printer", + "B0002.006": "Debugger Evasion::Exception Misdirection", + "B0009.021": "Virtual Machine Detection::Check Windows - Unique windows", + "B0003.008": "Dynamic Analysis Evasion::Hook Interrupt", + "F0001.001": "Software Packing::Nested Packing", + "B0001.007": "Debugger Detection::Interrupt 1", + "B0001.032": "Debugger Detection::Timing/Delay Check GetTickCount", + "B0001.031": "Debugger Detection::WudfIsAnyDebuggerPresent", + "B0009.038": "Virtual Machine Detection::Instruction Testing - VPCEXT", + "B0002": "Debugger Evasion", + "B0025.003": "Conditional Execution::GetVolumeInformation", + "B0009.024": "Virtual Machine Detection::Unique Hardware/Firmware Check - BIOS", + "B0003.006": "Dynamic Analysis Evasion::Encode File", + "B0006.007": "Memory Dump Evasion::On-the-Fly APIs", + "B0009.019": "Virtual Machine Detection::Modern Specs Check - Keyboard layout", + "B0009.033": "Virtual Machine Detection::Instruction Testing - STR", + "F0003": "Hooking", + "B0009.001": "Virtual Machine Detection::Check File and Directory Artifacts", + "B0025.002": "Conditional Execution::Environmental Keys", + "B0002.014": "Debugger Evasion::Modify PE Header", + "B0003.001": "Dynamic Analysis Evasion::Alternative ntdll.dll", + "B0002.003": "Debugger Evasion::Byte Stealing", + "B0009.035": "Virtual Machine Detection::Instruction Testing - IN", + "B0025.008": "Conditional Execution::Deposited Keys", + "B0009.030": "Virtual Machine Detection::Instruction Testing - SIDT (red pill)", + "B0001.021": "Debugger Detection::ProcessHeap", + "B0007.007": "Sandbox Detection::Self Check", + "B0002.027": "Debugger Evasion::Stolen API Code", + "B0004.003": "Emulator Detection::Check Emulator-related Registry Keys", + "B0009.029": "Virtual Machine Detection::Instruction Testing", 
+ "B0002.017": "Debugger Evasion::Parallel Threads", + "B0005.002": "Emulator Evasion::Undocumented Opcodes", + "F0001.005": "Software Packing::Custom Compression", + "B0002.021": "Debugger Evasion::Return Obfuscation", + "B0009.027": "Virtual Machine Detection::Unique Hardware/Firmware Check - CPU Location", + "B0006.003": "Memory Dump Evasion::Hide virtual memory", + "B0001.009": "Debugger Detection::Memory Breakpoints", + "B0001.010": "Debugger Detection::Memory Write Watching", + "B0036.003": "Capture Evasion::Multiple Stages of Loaders", + "B0003.004": "Dynamic Analysis Evasion::Demo Mode", + "B0004.004": "Emulator Detection::Failed Network Connections", + "B0001.008": "Debugger Detection::IsDebuggerPresent", + "B0025.001": "Conditional Execution::Suicide Exit", + "B0025.005": "Conditional Execution::Secure Triggers", + "B0025.006": "Conditional Execution::Token Check", + "B0025.007": "Conditional Execution::Runs as Service", + "B0001.033": "Debugger Detection::Timing/Delay Check QueryPerformanceCounter", + "F0001.009": "Software Packing::Confuser", + "B0002.019": "Debugger Evasion::Pre-Debug", + "F0001": "Software Packing", + "B0001.020": "Debugger Detection::Process Jobs" + }, + "Anti-Static Analysis": { + "B0032.004": "Executable Code Obfuscation::Fake Code Insertion", + "B0032.009": "Executable Code Obfuscation::Entry Point Obfuscation", + "B0032.014": "Executable Code Obfuscation::Interleaving Code", + "F0001.010": "Software Packing::VMProtect", + "B0032.001": "Executable Code Obfuscation::API Hashing", + "B0032.017": "Executable Code Obfuscation::Stack Strings", + "B0032.006": "Executable Code Obfuscation::Thunk Code Insertion", + "B0032.002": "Executable Code Obfuscation::Code Insertion", + "B0034.002": "Executable Code Optimization::Minification", + "F0001.011": "Software Packing::Themida", + "B0032.010": "Executable Code Obfuscation::Guard Pages", + "B0032.013": "Executable Code Obfuscation::Instruction Overlap", + "B0032.015": "Executable Code 
Obfuscation::Merged Code Sections", + "F0001.002": "Software Packing::Standard Compression", + "B0032.003": "Executable Code Obfuscation::Dead Code Insertion", + "B0008": "Executable Code Virtualization", + "F0001.007": "Software Packing::Custom Compression of Data", + "B0012": "Disassembler Evasion", + "B0010.002": "Call Graph Generation Evasion::Invoke NTDLL System Calls via Encoded Table", + "B0012.002": "Disassembler Evasion::Conditional Misdirection", + "F0001.004": "Software Packing::Standard Compression of Data", + "F0001.003": "Software Packing::Standard Compression of Code", + "B0032.007": "Executable Code Obfuscation::Junk Code Insertion", + "B0032.008": "Executable Code Obfuscation::Data Value Obfuscation", + "B0012.003": "Disassembler Evasion::Value Dependent Jumps", + "B0012.005": "Disassembler Evasion::VBA Stomping", + "B0012.001": "Disassembler Evasion::Argument Obfuscation", + "E1027.m08": "Obfuscated Files or Information::Encryption-Custom Algorithm", + "F0001.013": "Software Packing::ASPack", + "E1027.m04": "Obfuscated Files or Information::Encryption", + "F0001.008": "Software Packing::UPX", + "F0001.012": "Software Packing::Armadillo", + "B0008.001": "Executable Code Virtualization::Multiple VMs", + "B0032": "Executable Code Obfuscation", + "E1027.m03": "Obfuscated Files or Information::Encoding-Custom Algorithm", + "E1027.m01": "Obfuscated Files or Information::Encoding", + "B0032.012": "Executable Code Obfuscation::Import Compression", + "F0001.006": "Software Packing::Custom Compression of Code", + "B0045.002": "Data Flow Analysis Evasion::Implicit Flows", + "E1027": "Obfuscated Files or Information", + "B0032.016": "Executable Code Obfuscation::Structured Exception Handling (SEH)", + "B0032.005": "Executable Code Obfuscation::Jump Insertion", + "E1027.m05": "Obfuscated Files or Information::Encryption-Standard Algorithm", + "B0010.001": "Call Graph Generation Evasion::Two-layer Function Return", + "F0001.001": "Software Packing::Nested 
Packing", + "B0045.001": "Data Flow Analysis Evasion::Control Dependence", + "B0034": "Executable Code Optimization", + "B0010": "Call Graph Generation Evasion", + "B0032.011": "Executable Code Obfuscation::Import Address Table Obfuscation", + "B0034.001": "Executable Code Optimization::Jump/Call Absolute Address", + "B0045.003": "Data Flow Analysis Evasion::Arbitrary Memory Corruption", + "B0012.004": "Disassembler Evasion::Variable Recomposition", + "E1027.m06": "Obfuscated Files or Information::Encryption of Code", + "F0001.005": "Software Packing::Custom Compression", + "B0032.018": "Executable Code Obfuscation::Symbol Obfuscation", + "E1027.m02": "Obfuscated Files or Information::Encoding-Standard Algorithm", + "E1027.m07": "Obfuscated Files or Information::Encryption of Data", + "B0045": "Data Flow Analysis Evasion", + "F0001.009": "Software Packing::Confuser", + "F0001": "Software Packing" + }, + "Collection": { + "E1056": "Input Capture", + "F0003.006": "Hooking::Export Address Table (EAT) Hooking", + "F0003.001": "Hooking::Import Address Table (IAT) Hooking", + "F0003.005": "Hooking::Shadow SDT Hooking", + "F0002.001": "Keylogging::Application Hook", + "E1056.m01": "Input Capture::Mouse Events", + "B0028.002": "Cryptocurrency::Ethereum", + "F0003.002": "Hooking::Inline Patching", + "F0002": "Keylogging", + "B0028": "Cryptocurrency", + "F0003.004": "Hooking::System Service Dispatch Table Hooking", + "F0003.003": "Hooking::Procedure Hooking", + "F0002.002": "Keylogging::Polling", + "F0003": "Hooking", + "E1113.m01": "Screen Capture::WinAPI", + "E1113": "Screen Capture", + "B0028.001": "Cryptocurrency::Bitcoin", + "B0028.003": "Cryptocurrency::Zcash" + }, + "Command and Control": { + "B0030.001": "C2 Communication::Send Data", + "B0030.010": "C2 Communication::Request Email Address List", + "B0030": "C2 Communication", + "B0030.015": "C2 Communication::File search", + "B0030.005": "C2 Communication::Check for Payload", + "B0030.008": "C2 
Communication::Request Command", + "B0031": "Domain Name Generation", + "B0030.002": "C2 Communication::Receive Data", + "B0030.013": "C2 Communication::Execute File", + "B0030.007": "C2 Communication::Send Heartbeat", + "E1105": "Remote File Copy", + "B0030.009": "C2 Communication::Request Email Template", + "B0030.011": "C2 Communication::Authenticate", + "B0030.012": "C2 Communication::Directory Listing", + "B0030.003": "C2 Communication::Server to Client File Transfer", + "B0030.004": "C2 Communication::Implant to Controller File Transfer", + "B0030.014": "C2 Communication::Execute Shell Command", + "B0030.006": "C2 Communication::Send System Information", + "B0030.016": "C2 Communication::Start Interactive Shell" + }, + "Credential Access": { + "E1056": "Input Capture", + "F0003.006": "Hooking::Export Address Table (EAT) Hooking", + "F0003.001": "Hooking::Import Address Table (IAT) Hooking", + "F0003.005": "Hooking::Shadow SDT Hooking", + "F0002.001": "Keylogging::Application Hook", + "E1056.m01": "Input Capture::Mouse Events", + "B0028.002": "Cryptocurrency::Ethereum", + "F0003.002": "Hooking::Inline Patching", + "F0002": "Keylogging", + "B0028": "Cryptocurrency", + "F0003.004": "Hooking::System Service Dispatch Table Hooking", + "F0003.003": "Hooking::Procedure Hooking", + "F0002.002": "Keylogging::Polling", + "F0003": "Hooking", + "E1113.m01": "Screen Capture::WinAPI", + "E1113": "Screen Capture", + "B0028.001": "Cryptocurrency::Bitcoin", + "B0028.003": "Cryptocurrency::Zcash" + }, + "Defense Evasion": { + "F0009.001": "Component Firmware::Router Firmware", + "F0015.004": "Hijack Execution Flow::Shadow System Service Dispatch Table Hooking", + "F0004.007": "Disable or Evade Security Tools::Bypass Windows File Protection", + "F0001.010": "Software Packing::VMProtect", + "F0005.002": "Hidden Files and Directories::Location", + "E1055.m05": "Process Injection::Injection via Windows Fibers", + "B0025.004": "Conditional Execution::Host Fingerprint Check", + 
"F0015.003": "Hijack Execution Flow::Import Address Table (IAT) Hooking", + "F0003.006": "Hooking::Export Address Table (EAT) Hooking", + "F0003.001": "Hooking::Import Address Table (IAT) Hooking", + "F0004.008": "Disable or Evade Security Tools::Heavens Gate", + "B0040.001": "Covert Location::Hide Data in Registry", + "F0005": "Hidden Files and Directories", + "F0003.005": "Hooking::Shadow SDT Hooking", + "E1055": "Process Injection", + "F0015.001": "Hijack Execution Flow::Export Address Table (EAT) Hooking", + "E1055.m04": "Process Injection::Patch Process Command Line", + "B0029.001": "Polymorphic Code::Packer Stub", + "F0001.011": "Software Packing::Themida", + "F0007.001": "Self Deletion::COMSPEC Environment Variable", + "F0001.002": "Software Packing::Standard Compression", + "F0013": "Bootkit", + "F0004.004": "Disable or Evade Security Tools::AMSI Bypass", + "F0001.007": "Software Packing::Custom Compression of Data", + "B0029.002": "Polymorphic Code::Call Indirections", + "E1014.m17": "Rootkit::Memory Rootkit", + "F0001.004": "Software Packing::Standard Compression of Data", + "F0001.003": "Software Packing::Standard Compression of Code", + "F0003.002": "Hooking::Inline Patching", + "E1478": "Install Insecure or Malicious Configuration", + "E1014.m16": "Rootkit::Kernel Mode Rootkit", + "B0040.002": "Covert Location::Steganography", + "F0009": "Component Firmware", + "F0015.005": "Hijack Execution Flow::System Service Dispatch Table Hooking", + "E1564.m04": "Hidden Artifacts::Hidden Services", + "B0027.002": "Alternative Installation Location::Registry Install", + "B0037": "Bypass Data Execution Prevention", + "B0029.003": "Polymorphic Code::Code Reordering", + "E1027.m08": "Obfuscated Files or Information::Encryption-Custom Algorithm", + "F0007": "Self Deletion", + "B0027": "Alternative Installation Location", + "F0001.013": "Software Packing::ASPack", + "E1564.m03": "Hidden Artifacts::Hidden Processes", + "F0015.002": "Hijack Execution Flow::Inline 
Patching", + "E1027.m04": "Obfuscated Files or Information::Encryption", + "E1564.m05": "Hidden Artifacts::Hidden Kernel Modules", + "E1014.m12": "Rootkit::Application Rootkit", + "F0001.008": "Software Packing::UPX", + "F0001.012": "Software Packing::Armadillo", + "E1027.m03": "Obfuscated Files or Information::Encoding-Custom Algorithm", + "F0003.004": "Hooking::System Service Dispatch Table Hooking", + "F0003.003": "Hooking::Procedure Hooking", + "F0004.002": "Disable or Evade Security Tools::Disable System File Overwrite Protection", + "F0005.004": "Hidden Files and Directories::Timestamp", + "F0005.001": "Hidden Files and Directories::Extension", + "E1027.m01": "Obfuscated Files or Information::Encoding", + "E1014.m14": "Rootkit::Hardware/Firmware Rootkit", + "F0001.006": "Software Packing::Custom Compression of Code", + "E1055.m02": "Process Injection::Injection and Persistence via Registry Modification", + "F0004.001": "Disable or Evade Security Tools::Disable Kernel Patch Protection", + "B0027.001": "Alternative Installation Location::Fileless Malware", + "F0004.006": "Disable or Evade Security Tools::Force Lazy Writing", + "E1055.m03": "Process Injection::Injection using Shims", + "E1027": "Obfuscated Files or Information", + "B0025": "Conditional Execution", + "F0015": "Hijack Execution Flow", + "F0004.009": "Disable or Evade Security Tools::Disable Code Integrity", + "B0037.001": "Bypass Data Execution Prevention::ROP Chains", + "E1027.m05": "Obfuscated Files or Information::Encryption-Standard Algorithm", + "F0001.001": "Software Packing::Nested Packing", + "E1014.m13": "Rootkit::Bootloader", + "E1014": "Rootkit", + "F0004.005": "Disable or Evade Security Tools::Modify Policy", + "B0025.003": "Conditional Execution::GetVolumeInformation", + "E1014.m15": "Rootkit::Hypervisor/Virtualized Rootkit", + "E1112": "Modify Registry", + "F0003": "Hooking", + "B0025.002": "Conditional Execution::Environmental Keys", + "F0004.003": "Disable or Evade Security 
Tools::Unhook APIs", + "F0015.006": "Hijack Execution Flow::Abuse Windows Function Calls", + "F0005.003": "Hidden Files and Directories::Attribute", + "B0025.008": "Conditional Execution::Deposited Keys", + "E1027.m06": "Obfuscated Files or Information::Encryption of Code", + "F0006": "Indicator Blocking", + "F0001.005": "Software Packing::Custom Compression", + "E1055.m01": "Process Injection::Hook Injection via SetWindowsHooksEx", + "B0040": "Covert Location", + "E1027.m02": "Obfuscated Files or Information::Encoding-Standard Algorithm", + "F0006.001": "Indicator Blocking::Remove SMS Warning Messages", + "E1564.m02": "Hidden Artifacts::Direct Kernel Object Manipulation", + "B0029": "Polymorphic Code", + "E1564": "Hidden Artifacts", + "E1564.m01": "Hidden Artifacts::Hidden Userspace Libraries", + "F0004": "Disable or Evade Security Tools", + "E1027.m07": "Obfuscated Files or Information::Encryption of Data", + "B0025.001": "Conditional Execution::Suicide Exit", + "B0025.005": "Conditional Execution::Secure Triggers", + "B0025.006": "Conditional Execution::Token Check", + "B0025.007": "Conditional Execution::Runs as Service", + "F0001.009": "Software Packing::Confuser", + "F0001": "Software Packing" + }, + "Discovery": { + "E1010": "Application Window Discovery", + "B0046": "Code Discovery", + "B0046.001": "Code Discovery::Enumerate PE Sections", + "B0043": "Taskbar Discovery", + "B0013.007": "Analysis Tool Discovery::Process detection - Sandboxes", + "B0013.001": "Analysis Tool Discovery::Process detection", + "B0046.003": "Code Discovery::Parse PE Header", + "B0013.009": "Analysis Tool Discovery::Known Window", + "B0013.003": "Analysis Tool Discovery::Process detection - SysInternals Suite Tools", + "B0013.006": "Analysis Tool Discovery::Process detection - PE Utilities", + "B0013.005": "Analysis Tool Discovery::Process detection - Process Utilities", + "B0013": "Analysis Tool Discovery", + "E1083.m01": "File and Directory Discovery::Log File", + "B0046.002": 
"Code Discovery::Inspect Section Memory Permissions", + "B0013.002": "Analysis Tool Discovery::Process detection - Debuggers", + "B0013.004": "Analysis Tool Discovery::Process detection - PCAP Utilities", + "B0014": "SMTP Connection Discovery", + "E1010.m01": "Application Window Discovery::Window Text", + "E1082": "System Information Discovery", + "E1083": "File and Directory Discovery", + "B0013.008": "Analysis Tool Discovery::Known File Location", + "B0038": "Self Discovery", + "E1082.m01": "System Information Discovery::Generate Windows Exception" + }, + "Execution": { + "E1203.m05": "Exploitation for Client Execution::Sysinternals", + "E1203.m06": "Exploitation for Client Execution::Windows Utilities", + "B0025.004": "Conditional Execution::Host Fingerprint Check", + "B0020": "Send Email", + "B0011.001": "Remote Commands::Delete File", + "B0011.007": "Remote Commands::Upload File", + "E1203.m01": "Exploitation for Client Execution::Remote Desktop Protocols (RDP)", + "B0011.005": "Remote Commands::Sleep", + "B0021": "Send Poisoned Text Message", + "E1203.m02": "Exploitation for Client Execution::Java-based Web Servers", + "B0024": "Prevent Concurrent Execution", + "B0011.006": "Remote Commands::Uninstall", + "B0011.003": "Remote Commands::Execute", + "E1203.m03": "Exploitation for Client Execution::File Transfer Protocol (FTP) Servers", + "B0011.004": "Remote Commands::Shutdown", + "B0011": "Remote Commands", + "E1203": "Exploitation for Client Execution", + "E1569.m01": "System Services::MSDTC", + "E1204": "User Interaction", + "E1059": "Command and Scripting Interpreter", + "B0025": "Conditional Execution", + "B0044": "Execution Dependency", + "B0011.002": "Remote Commands::Download File", + "B0025.003": "Conditional Execution::GetVolumeInformation", + "B0023": "Install Additional Program", + "E1569": "System Services", + "B0025.002": "Conditional Execution::Environmental Keys", + "B0025.008": "Conditional Execution::Deposited Keys", + "E1203.m04": 
"Exploitation for Client Execution::Red Hat JBoss Enterprise Products", + "B0025.001": "Conditional Execution::Suicide Exit", + "B0025.005": "Conditional Execution::Secure Triggers", + "B0025.006": "Conditional Execution::Token Check", + "B0025.007": "Conditional Execution::Runs as Service" + }, + "Exfiltration": { + "E1560": "Archive Collected Data", + "E1560.m04": "Archive Collected Data::Encoding - Custom Encoding", + "E1020": "Automated Exfiltration", + "E1560.m06": "Archive Collected Data::Encryption - Custom Encryption", + "E1560.m05": "Archive Collected Data::Encryption - Standard Encryption", + "E1020.m01": "Automated Exfiltration::Exfiltrate via File Hosting Service", + "E1560.m03": "Archive Collected Data::Encoding - Standard Encoding", + "E1560.m02": "Archive Collected Data::Encryption", + "E1560.m01": "Archive Collected Data::Encoding" + }, + "Impact": { + "F0009.001": "Component Firmware::Router Firmware", + "B0017": "Destroy Hardware", + "E1203.m05": "Exploitation for Client Execution::Sysinternals", + "E1203.m06": "Exploitation for Client Execution::Windows Utilities", + "E1190": "Exploit Kit Behavior", + "E1485": "Data Destruction", + "E1486": "Data Encrypted for Impact", + "E1203.m01": "Exploitation for Client Execution::Remote Desktop Protocols (RDP)", + "B0019": "Manipulate Network Traffic", + "E1203.m02": "Exploitation for Client Execution::Java-based Web Servers", + "E1485.m03": "Data Destruction::Delete Application/Software", + "F0009": "Component Firmware", + "E1203.m03": "Exploitation for Client Execution::File Transfer Protocol (FTP) Servers", + "E1472.m02": "Generate Fraudulent Advertising Revenue::Advertisement Replacement Fraud", + "F0014": "Disk Wipe", + "E1485.m04": "Data Destruction::Delete Shadow Copies", + "E1203": "Exploitation for Client Execution", + "B0039": "Spamming", + "B0042": "Modify Hardware", + "B0018.002": "Resource Hijacking::Cryptojacking", + "B0042.003": "Modify Hardware::Printer", + "B0022.001": "Remote 
Access::Reverse Shell", + "E1486.001": "Data Encrypted for Impact::Ransom Note", + "B0018.001": "Resource Hijacking::Password Cracking", + "E1485.m02": "Data Destruction::Empty Recycle Bin", + "B0033": "Denial of Service", + "B0016": "Compromise Data Integrity", + "E1472.m01": "Generate Fraudulent Advertising Revenue::Click Hijacking", + "B0022": "Remote Access", + "B0042.001": "Modify Hardware::CDROM", + "B0042.002": "Modify Hardware::Mouse", + "E1510": "Clipboard Modification", + "E1203.m04": "Exploitation for Client Execution::Red Hat JBoss Enterprise Products", + "B0018": "Resource Hijacking", + "E1472": "Generate Fraudulent Advertising Revenue" + }, + "Lateral Movement": { + "E1195.m02": "Supply Chain Compromise::Exploit Private APIs", + "B0020": "Send Email", + "E1195": "Supply Chain Compromise", + "B0026": "Malicious Network Driver", + "B0021": "Send Poisoned Text Message", + "E1105": "Remote File Copy", + "E1195.m01": "Supply Chain Compromise::Abuse Enterprise Certificates" + }, + "Communication": { + "C0005.002": "WinINet::InternetOpen", + "C0012.002": "SMTP Communication::Request", + "C0011.005": "DNS Communication::Resolve Free Hosting Domain", + "C0003.004": "Interprocess Communication::Write Pipe", + "C0002.012": "HTTP Communication::Create Request", + "C0002.013": "HTTP Communication::Set Header", + "C0002.001": "HTTP Communication::Server", + "C0002.002": "HTTP Communication::Client", + "C0014.001": "ICMP Communication::Generate Traffic", + "C0001.017": "Socket Communication::Receive UDP Data", + "C0002.015": "HTTP Communication::Receive Request", + "C0011": "DNS Communication", + "C0002.008": "HTTP Communication::WinHTTP", + "C0002.018": "HTTP Communication::Start Server", + "C0002.011": "HTTP Communication::Extract Body", + "C0012.001": "SMTP Communication::Server Connect", + "C0001.008": "Socket Communication::TCP Client", + "C0002.004": "HTTP Communication::Open URL", + "C0002.006": "HTTP Communication::Download URL", + "C0012": "SMTP 
Communication", + "C0011.002": "DNS Communication::Server Connect", + "C0001.014": "Socket Communication::Send TCP Data", + "C0002.009": "HTTP Communication::Connect to Server", + "C0005.004": "WinINet::InternetReadFile", + "C0002.003": "HTTP Communication::Send Request", + "C0002.005": "HTTP Communication::Send Data", + "C0004": "FTP Communication", + "C0001.012": "Socket Communication::Get Socket Status", + "C0002.017": "HTTP Communication::Get Response", + "C0001.011": "Socket Communication::Create TCP Socket", + "C0001": "Socket Communication", + "C0005": "WinINet", + "C0002.014": "HTTP Communication::Read Header", + "C0001.003": "Socket Communication::Create Socket", + "C0014.002": "ICMP Communication::Echo Request", + "C0002.016": "HTTP Communication::Send Response", + "C0001.005": "Socket Communication::Start TCP Server", + "C0005.001": "WinINet::InternetConnect", + "C0001.007": "Socket Communication::Send Data", + "C0001.009": "Socket Communication::Initialize Winsock Library", + "C0001.013": "Socket Communication::UDP Client", + "C0001.010": "Socket Communication::Create UDP Socket", + "C0001.015": "Socket Communication::Send UDP Data", + "C0002.007": "HTTP Communication::WinINet", + "C0005.003": "WinINet::InternetOpenURL", + "C0004.001": "FTP Communication::Send File", + "C0003.002": "Interprocess Communication::Connect Pipe", + "C0001.002": "Socket Communication::TCP Server", + "C0001.016": "Socket Communication::Receive TCP Data", + "C0001.006": "Socket Communication::Receive Data", + "C0001.004": "Socket Communication::Connect Socket", + "C0003.003": "Interprocess Communication::Read Pipe", + "C0002": "HTTP Communication", + "C0014": "ICMP Communication", + "C0011.001": "DNS Communication::Resolve", + "C0003": "Interprocess Communication", + "C0002.010": "HTTP Communication::IWebBrowser", + "C0011.004": "DNS Communication::Resolve TLD", + "C0001.001": "Socket Communication::Set Socket Config", + "C0005.005": "WinINet::InternetWriteFile", + "C0011.003": 
"DNS Communication::DDNS Domain Connect", + "C0003.001": "Interprocess Communication::Create Pipe", + "C0004.002": "FTP Communication::WinINet" + }, + "Cryptography": { + "C0061": "Hashed Message Authentication Code", + "C0027.002": "Encrypt Data::Blowfish", + "C0027.014": "Encrypt Data::Block Cipher", + "C0031.006": "Decrypt Data::HC-128", + "C0031": "Decrypt Data", + "C0029": "Cryptographic Hash", + "C0027.010": "Encrypt Data::RC6", + "C0027.001": "Encrypt Data::AES", + "C0021": "Generate Pseudo-random Sequence", + "C0027": "Encrypt Data", + "C0031.008": "Decrypt Data::RC4", + "C0021.001": "Generate Pseudo-random Sequence::GetTickCount", + "C0031.001": "Decrypt Data::AES", + "C0028.001": "Encryption Key::Import Public Key", + "C0027.003": "Encrypt Data::Camellia", + "C0029.002": "Cryptographic Hash::SHA1", + "C0028.002": "Encryption Key::RC4 KSA", + "C0027.006": "Encrypt Data::HC-128", + "C0031.002": "Decrypt Data::Block Cipher", + "C0027.008": "Encrypt Data::Sosemanuk", + "C0028": "Encryption Key", + "C0029.004": "Cryptographic Hash::SHA224", + "C0031.013": "Decrypt Data::Stream Cipher", + "C0031.011": "Decrypt Data::Skipjack", + "C0021.004": "Generate Pseudo-random Sequence::RC4 PRGA", + "C0029.001": "Cryptographic Hash::MD5", + "C0029.003": "Cryptographic Hash::SHA256", + "C0031.014": "Decrypt Data::Twofish", + "C0029.006": "Cryptographic Hash::Snefru", + "C0031.003": "Decrypt Data::Blowfish", + "C0027.011": "Encrypt Data::RSA", + "C0031.005": "Decrypt Data::3DES", + "C0031.004": "Decrypt Data::Camellia", + "C0027.012": "Encrypt Data::Stream Cipher", + "C0027.007": "Encrypt Data::HC-256", + "C0027.004": "Encrypt Data::3DES", + "C0021.005": "Generate Pseudo-random Sequence::Mersenne Twister", + "C0059": "Crypto Library", + "C0029.005": "Cryptographic Hash::Tiger", + "C0031.010": "Decrypt Data::RSA", + "C0031.012": "Decrypt Data::Sosemanuk", + "C0021.003": "Generate Pseudo-random Sequence::Use API", + "C0027.013": "Encrypt Data::Skipjack", + "C0031.007": 
"Decrypt Data::HC-256", + "C0027.005": "Encrypt Data::Twofish", + "C0021.002": "Generate Pseudo-random Sequence::rand", + "C0027.009": "Encrypt Data::RC4", + "C0031.009": "Decrypt Data::RC6" + }, + "Data": { + "C0030.005": "Non-Cryptographic Hash::FNV", + "C0026.001": "Encode Data::Base64", + "C0053.002": "Decode Data::XOR", + "C0020": "Use Constant", + "C0030.003": "Non-Cryptographic Hash::Fast-Hash", + "C0024.002": "Compress Data::IEncodingFilterFactory", + "C0025.002": "Decompress Data::IEncodingFilterFactory", + "C0032.004": "Checksum::Verhoeff", + "C0032.005": "Checksum::Adler", + "C0025.003": "Decompress Data::aPLib", + "C0025.001": "Decompress Data::QuickLZ", + "C0060": "Compression Library", + "C0032": "Checksum", + "C0024.001": "Compress Data::QuickLZ", + "C0026.002": "Encode Data::XOR", + "C0030": "Non-Cryptographic Hash", + "C0032.001": "Checksum::CRC32", + "C0053": "Decode Data", + "C0053.001": "Decode Data::Base64", + "C0019": "Check String", + "C0030.004": "Non-Cryptographic Hash::dhash", + "C0026": "Encode Data", + "C0032.003": "Checksum::BSD", + "C0030.002": "Non-Cryptographic Hash::pHash", + "C0030.001": "Non-Cryptographic Hash::MurmurHash", + "C0032.002": "Checksum::Luhn", + "C0058": "Modulo", + "C0024": "Compress Data", + "C0025": "Decompress Data" + }, + "File System": { + "C0016.001": "Create File::Create Office Document", + "C0052": "Writes File", + "C0049": "Get File Attributes", + "C0046": "Create Directory", + "C0015": "Alter File Extension", + "C0063": "Move File", + "C0050": "Set File Attributes", + "C0016": "Create File", + "C0056": "Read Virtual Disk", + "C0051": "Read File", + "C0015.001": "Alter File Extension::Append Extension", + "C0045": "Copy File", + "C0016.002": "Create File::Create Ransomware File", + "C0047": "Delete File", + "C0048": "Delete Directory" + }, + "Hardware": { + "C0057": "Simulate Hardware", + "C0057.001": "Simulate Hardware::Ctrl-Alt-Del", + "C0037.001": "Install Driver::Minifilter", + "C0023": "Load Driver", + 
"C0023.001": "Load Driver::Minifilter", + "C0037": "Install Driver", + "C0057.002": "Simulate Hardware::Mouse Click" + }, + "Memory": { + "C0010": "Overflow Buffer", + "C0008": "Change Memory Protection", + "C0006": "Heap Spray", + "C0007": "Allocate Memory", + "C0008.002": "Change Memory Protection::Executable Heap", + "C0008.001": "Change Memory Protection::Executable Stack", + "C0009": "Stack Pivot", + "C0044": "Free Memory" + }, + "Operating System": { + "C0036.006": "Registry::Query Registry Value", + "C0035": "Wallpaper", + "C0034.001": "Environment Variable::Set Variable", + "C0036.002": "Registry::Delete Registry Key", + "C0036.001": "Registry::Set Registry Key", + "C0036.007": "Registry::Delete Registry Value", + "C0036.003": "Registry::Open Registry Key", + "C0036.005": "Registry::Query Registry Key", + "C0033": "Console", + "C0034.002": "Environment Variable::Get Variable", + "C0034": "Environment Variable", + "C0036": "Registry", + "C0036.004": "Registry::Create Registry Key" + }, + "Process": { + "C0018": "Terminate Process", + "C0055": "Suspend Thread", + "C0017": "Create Process", + "C0064": "Enumerate Threads", + "C0017.002": "Create Process::Create Process via WMI", + "C0017.001": "Create Process::Create Process via Shellcode", + "C0038": "Create Thread", + "C0039": "Terminate Thread", + "C0043": "Check Mutex", + "C0066": "Open Thread", + "C0041": "Set Thread Local Storage Value", + "C0022.001": "Synchronization::Create Mutex", + "C0065": "Open Process", + "C0017.003": "Create Process::Create Suspended Process", + "C0042": "Create Mutex", + "C0022": "Synchronization", + "C0054": "Resume Thread", + "C0040": "Allocate Thread Local Storage" + }, + "Persistence": { + "F0009.001": "Component Firmware::Router Firmware", + "F0015.004": "Hijack Execution Flow::Shadow System Service Dispatch Table Hooking", + "F0005.002": "Hidden Files and Directories::Location", + "F0015.003": "Hijack Execution Flow::Import Address Table (IAT) Hooking", + "F0003.006": 
"Hooking::Export Address Table (EAT) Hooking", + "F0003.001": "Hooking::Import Address Table (IAT) Hooking", + "F0005": "Hidden Files and Directories", + "F0003.005": "Hooking::Shadow SDT Hooking", + "F0015.001": "Hijack Execution Flow::Export Address Table (EAT) Hooking", + "F0012": "Registry Run Keys / Startup Folder", + "B0026": "Malicious Network Driver", + "F0013": "Bootkit", + "F0003.002": "Hooking::Inline Patching", + "F0011": "Modify Existing Service", + "E1478": "Install Insecure or Malicious Configuration", + "F0009": "Component Firmware", + "F0015.005": "Hijack Execution Flow::System Service Dispatch Table Hooking", + "E1564.m04": "Hidden Artifacts::Hidden Services", + "E1564.m03": "Hidden Artifacts::Hidden Processes", + "F0015.002": "Hijack Execution Flow::Inline Patching", + "E1564.m05": "Hidden Artifacts::Hidden Kernel Modules", + "E1105": "Remote File Copy", + "F0003.004": "Hooking::System Service Dispatch Table Hooking", + "F0003.003": "Hooking::Procedure Hooking", + "B0022.001": "Remote Access::Reverse Shell", + "F0005.004": "Hidden Files and Directories::Timestamp", + "F0005.001": "Hidden Files and Directories::Extension", + "B0035": "Shutdown Event", + "F0010.001": "Kernel Modules and Extensions::Device Driver", + "F0015": "Hijack Execution Flow", + "B0022": "Remote Access", + "E1112": "Modify Registry", + "F0010": "Kernel Modules and Extensions", + "F0003": "Hooking", + "F0015.006": "Hijack Execution Flow::Abuse Windows Function Calls", + "F0005.003": "Hidden Files and Directories::Attribute", + "E1564.m02": "Hidden Artifacts::Direct Kernel Object Manipulation", + "E1564": "Hidden Artifacts", + "E1564.m01": "Hidden Artifacts::Hidden Userspace Libraries" + }, + "Privilege Escalation": { + "F0015.004": "Hijack Execution Flow::Shadow System Service Dispatch Table Hooking", + "E1055.m05": "Process Injection::Injection via Windows Fibers", + "F0015.003": "Hijack Execution Flow::Import Address Table (IAT) Hooking", + "F0003.006": "Hooking::Export 
Address Table (EAT) Hooking", + "F0003.001": "Hooking::Import Address Table (IAT) Hooking", + "F0003.005": "Hooking::Shadow SDT Hooking", + "E1055": "Process Injection", + "F0015.001": "Hijack Execution Flow::Export Address Table (EAT) Hooking", + "E1055.m04": "Process Injection::Patch Process Command Line", + "F0003.002": "Hooking::Inline Patching", + "F0011": "Modify Existing Service", + "F0015.005": "Hijack Execution Flow::System Service Dispatch Table Hooking", + "F0015.002": "Hijack Execution Flow::Inline Patching", + "F0003.004": "Hooking::System Service Dispatch Table Hooking", + "F0003.003": "Hooking::Procedure Hooking", + "E1055.m02": "Process Injection::Injection and Persistence via Registry Modification", + "E1055.m03": "Process Injection::Injection using Shims", + "F0010.001": "Kernel Modules and Extensions::Device Driver", + "F0015": "Hijack Execution Flow", + "F0010": "Kernel Modules and Extensions", + "F0003": "Hooking", + "F0015.006": "Hijack Execution Flow::Abuse Windows Function Calls", + "E1055.m01": "Process Injection::Hook Injection via SetWindowsHooksEx" + } } } \ No newline at end of file