Last active
November 12, 2019 17:14
Gist: Cyb3rWard0g/d33782712b09dea3813b6fae1504179f
{'aliases': ['APT41'],
 'type': 'intrusion-set',
 'name': 'APT41',
 'description': '[APT41](https://attack.mitre.org/groups/G0096) is a group that carries out Chinese state-sponsored espionage activity in addition to financially motivated activity. [APT41](https://attack.mitre.org/groups/G0096) has been active since as early as 2012. The group has been observed targeting healthcare, telecom, technology, and video game industries in 14 countries.(Citation: FireEye APT41 Aug 2019)',
 'external_references': [{'external_id': 'G0096',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/groups/G0096'},
                         {'description': '(Citation: FireEye APT41 2019)', 'source_name': 'APT41'},
                         {'description': 'Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019.',
                          'source_name': 'FireEye APT41 Aug 2019',
                          'url': 'https://content.fireeye.com/apt-41/rpt-apt41'}],
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'created': '2019-09-23T13:43:36.945Z',
 'id': 'intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7',
 'modified': '2019-10-14T21:52:59.301Z',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'x_mitre_version': '1.0',
 'technique_ref': 'attack-pattern--3489cfc5-640f-4bb3-a103-9137b97de79f',
 'relationship_description': ' [APT41](https://attack.mitre.org/groups/G0096) used the <code>net share</code> command as part of network reconnaissance.',
 'relationship_id': 'relationship--4f6e677d-427b-4342-b35c-57f4f3ad4ff8',
 'technique': 'Network Share Discovery',
 'technique_description': 'Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network. \n\n### Windows\n\nFile sharing over a Windows network occurs over the SMB protocol. (Citation: Wikipedia Shared Resource) (Citation: TechNet Shared Folder)\n\n[Net](https://attack.mitre.org/software/S0039) can be used to query a remote system for available shared drives using the <code>net view \\\\remotesystem</code> command. It can also be used to query shared drives on the local system using <code>net share</code>.\n\nAdversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement.\n\n### Mac\n\nOn Mac, locally mounted shares can be viewed with the <code>df -aH</code> command.\n\n### Cloud\n\nCloud virtual networks may contain remote network shares or file storage services accessible to an adversary after they have obtained access to a system. For example, AWS, GCP, and Azure support creation of Network File System (NFS) shares and Server Message Block (SMB) shares that may be mapped on endpoint or cloud-based systems.(Citation: Amazon Creating an NFS File Share)(Citation: Google File servers on Compute Engine)',
 'tactic': ['discovery'],
 'technique_id': 'T1135',
 'matrix': 'mitre-attack',
 'platform': ['macOS', 'Windows', 'AWS', 'GCP', 'Azure'],
 'data_sources': ['Process monitoring',
                  'Process command-line parameters',
                  'Network protocol analysis',
                  'Process use of network'],
 'permissions_required': ['User']}