Created
April 21, 2024 23:24
-
-
Save aamedina/f0f25ab46ebb775d19a217b787d6c210 to your computer and use it in GitHub Desktop.
Enterprise ATT&CK 14.1 in RDF (WIP)
This file has been truncated, but you can view the full file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
@prefix : <https://github.com/mitre-attack/attack-stix-data/raw/master/enterprise-attack/enterprise-attack-14.1.json#> . | |
@prefix d3f: <http://d3fend.mitre.org/ontologies/d3fend.owl#> . | |
@prefix dcterms: <http://purl.org/dc/terms/> . | |
@prefix owl: <http://www.w3.org/2002/07/owl#> . | |
@prefix rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#> . | |
@prefix rdfs: <http://www.w3.org/2000/01/rdf-schema#> . | |
@prefix skos: <http://www.w3.org/2004/02/skos/core#> . | |
@prefix stix: <http://docs.oasis-open.org/cti/ns/stix#> . | |
@prefix xsd: <http://www.w3.org/2001/XMLSchema#> . | |
:relationship--ae5e7681-f93e-4b5f-80f9-8235a9015e7f | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--4283ae19-69c7-4347-a35e-b56f08eb660b; | |
stix:target_ref :attack-pattern--deb98323-e13f-4b0c-8d94-175379069062; | |
dcterms:created "2021-03-26T13:32:03.358Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[ZIRCONIUM](https://attack.mitre.org/groups/G0128) has used multi-stage packers for exploit code.(Citation: Check Point APT31 February 2021)"; | |
dcterms:modified "2021-03-26T13:32:03.358Z"^^xsd:dateTime . | |
:relationship--adc6b431-0722-4287-8f37-e09ddb5b25fe | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7; | |
stix:target_ref :attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0; | |
dcterms:created "2019-09-24T12:31:43.557Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[APT41](https://attack.mitre.org/groups/G0096) collected MAC addresses from victim machines.(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021) "; | |
dcterms:modified "2023-03-23T15:45:58.867Z"^^xsd:dateTime . | |
:relationship--8a2be44e-6a93-479f-ade9-7d49a1eb692a | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--2a70812b-f1ef-44db-8578-a496a227aef2; | |
stix:target_ref :attack-pattern--53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a; | |
dcterms:created "2021-01-11T19:07:12.147Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[NETWIRE](https://attack.mitre.org/software/S0198) has the ability to compress archived screenshots.(Citation: Red Canary NETWIRE January 2020)"; | |
dcterms:modified "2021-01-11T19:07:12.147Z"^^xsd:dateTime . | |
:relationship--6c0aae73-fe06-4aa3-8216-568d78747c6d | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--fb261c56-b80e-43a9-8351-c84081e7213d; | |
stix:target_ref :attack-pattern--d467bc38-284b-4a00-96ac-125f447799fc; | |
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Newer variants of [BACKSPACE](https://attack.mitre.org/software/S0031) will encode C2 communications with a custom system.(Citation: FireEye APT30)"; | |
dcterms:modified "2020-03-20T22:30:03.938Z"^^xsd:dateTime . | |
:relationship--b71e10b8-e566-470b-8a5c-b634ddfd3965 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--16040b1c-ed28-4850-9d8f-bb8b81c42092; | |
stix:target_ref :attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c; | |
dcterms:created "2021-11-30T16:13:37.396Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[ThreatNeedle](https://attack.mitre.org/software/S0665) can decrypt its payload using RC4, AES, or one-byte XORing.(Citation: Kaspersky ThreatNeedle Feb 2021)"; | |
dcterms:modified "2022-04-13T13:37:30.318Z"^^xsd:dateTime . | |
:relationship--8a03f60e-bb09-4f4d-815e-88d86192042f | |
rdf:type stix:Relationship; | |
stix:source_ref :campaign--df74f7ad-b10d-431c-9f1d-a2bc18dadefa; | |
stix:target_ref :attack-pattern--4bc31b94-045b-4752-8920-aebaebdb6470; | |
dcterms:created "2023-07-12T18:57:23.334Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "During [C0027](https://attack.mitre.org/campaigns/C0027), [Scattered Spider](https://attack.mitre.org/groups/G1015) accessed Azure AD to identify email addresses.(Citation: Crowdstrike TELCO BPO Campaign December 2022)"; | |
dcterms:modified "2023-07-12T18:57:23.334Z"^^xsd:dateTime . | |
:relationship--86a7ffc8-6107-4854-96a7-d39f8bb4069f | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--56aa3c82-ed40-4b5a-84bf-7231356d9e96; | |
stix:target_ref :attack-pattern--e358d692-23c0-4a31-9eb6-ecc13a8d7735; | |
dcterms:created "2022-03-24T11:46:08.667Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[DRATzarus](https://attack.mitre.org/software/S0694) can search for other machines connected to compromised host and attempt to map the network.(Citation: ClearSky Lazarus Aug 2020)"; | |
dcterms:modified "2022-04-17T18:38:15.780Z"^^xsd:dateTime . | |
:relationship--b8d33b58-e0d0-4bf8-a8ec-f6c4c2f1a480 | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--9bb9e696-bff8-4ae1-9454-961fc7d91d5f; | |
stix:target_ref :attack-pattern--dfefe2ed-4389-4318-8762-f0272b350a1b; | |
dcterms:created "2020-01-17T16:49:36.593Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "The creation and modification of systemd service unit files is generally reserved for administrators such as the Linux root user and other users with superuser privileges. "; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--a9f79f14-d160-4be5-8bbe-ad0b52770b9f | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--93e7968a-9074-4eac-8ae9-9f5200ec3317; | |
stix:target_ref :attack-pattern--544b0346-29ad-41e1-a808-501bb4193f47; | |
dcterms:created "2019-07-18T15:36:27.535Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Since browser pivoting requires a high integrity process to launch from, restricting user permissions and addressing Privilege Escalation and [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002) opportunities can limit the exposure to this technique."; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--2b97e16e-8c39-4e5e-ad90-15c10f15d923 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--af2ad3b7-ab6a-4807-91fd-51bcaff9acbb; | |
stix:target_ref :attack-pattern--a3e1e6c5-9c74-4fc0-a16c-a9d228c17829; | |
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[USBStealer](https://attack.mitre.org/software/S0136) exfiltrates collected files via removable media from air-gapped victims.(Citation: ESET Sednit USBStealer 2014)"; | |
dcterms:modified "2020-03-11T17:45:54.143Z"^^xsd:dateTime . | |
:relationship--b49fa23f-285c-4a8d-81c6-995747e4a84b | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--92d5b3fd-3b39-438e-af68-770e447beada; | |
stix:target_ref :malware--e48df773-7c95-4a4c-ba70-ea3d15900148; | |
dcterms:created "2020-07-04T22:20:47.110Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "(Citation: ClearSky Charming Kitten Dec 2017)"; | |
dcterms:modified "2021-04-29T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--238e1f61-36d8-41a9-b480-bb35cb30d21d | |
rdf:type stix:Relationship; | |
stix:source_ref :tool--79dd477a-8226-4b3d-ad15-28623675f221; | |
stix:target_ref :attack-pattern--f005e783-57d4-4837-88ad-dbe7faee1c51; | |
dcterms:created "2022-04-16T22:12:54.124Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Peirates](https://attack.mitre.org/software/S0683) can use stolen service account tokens to perform its operations. It also enables adversaries to switch between valid service accounts.(Citation: Peirates GitHub)"; | |
dcterms:modified "2022-04-16T22:15:23.599Z"^^xsd:dateTime . | |
:relationship--16632684-1ef3-41bb-9ef1-97c6c3294448 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--cad3ba95-8c89-4146-ab10-08daa813f9de; | |
stix:target_ref :attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670; | |
dcterms:created "2021-05-10T23:54:36.034Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Clop](https://attack.mitre.org/software/S0611) has used built-in API functions such as WNetOpenEnumW(), WNetEnumResourceW(), WNetCloseEnum(), GetProcAddress(), and VirtualAlloc().(Citation: Mcafee Clop Aug 2019)(Citation: Cybereason Clop Dec 2020)"; | |
dcterms:modified "2021-05-11T16:29:08.588Z"^^xsd:dateTime . | |
:relationship--81682d49-acb2-4439-a7da-1a28126cea94 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a; | |
stix:target_ref :attack-pattern--04fd5427-79c7-44ea-ae13-11b24778ff1c; | |
dcterms:created "2018-04-18T17:59:24.739Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "A [Lazarus Group](https://attack.mitre.org/groups/G0032) malware sample encodes data with base64.(Citation: McAfee Lazarus Resurfaces Feb 2018)"; | |
dcterms:modified "2020-12-11T17:47:22.639Z"^^xsd:dateTime . | |
:relationship--03cb8f9a-7ad7-4aa8-966f-bf768023eb89 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--c46eb8e6-bf29-4696-8008-3ddb0b4ca470; | |
stix:target_ref :attack-pattern--853c4192-4311-43e1-bfbb-b11b14911852; | |
dcterms:created "2022-12-20T21:22:44.875Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[DEADEYE](https://attack.mitre.org/software/S1052) can ensure it executes only on intended systems by identifying the victim's volume serial number, hostname, and/or DNS domain.(Citation: Mandiant APT41)"; | |
dcterms:modified "2023-01-26T15:13:58.340Z"^^xsd:dateTime . | |
:relationship--42968b37-a9f4-4bd8-b2af-36a04bd2803d | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--21da4fd4-27ad-4e9c-b93d-0b9b14d02c96; | |
stix:target_ref :attack-pattern--d21a2069-23d5-4043-ad6d-64f6b644cb1a; | |
dcterms:created "2019-06-14T17:07:30.311Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Consider blocking download/transfer and execution of potentially uncommon file types known to be used in adversary campaigns, such as CHM files."; | |
dcterms:modified "2023-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:malware--a020a61c-423f-4195-8c46-ba1d21abba37 | |
rdf:type stix:Malware; | |
rdfs:label "Ryuk"; | |
dcterms:created "2020-05-13T20:14:53.171Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Ryuk](https://attack.mitre.org/software/S0446) is a ransomware designed to target enterprise environments that has been used in attacks since at least 2018. [Ryuk](https://attack.mitre.org/software/S0446) shares code similarities with Hermes ransomware.(Citation: CrowdStrike Ryuk January 2019)(Citation: FireEye Ryuk and Trickbot January 2019)(Citation: FireEye FIN6 Apr 2019)"; | |
dcterms:modified "2023-08-09T18:11:35.634Z"^^xsd:dateTime . | |
:relationship--16f64842-8ba8-4827-a47f-e7d665f942ae | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--6b62e336-176f-417b-856a-8552dd8c44e1; | |
stix:target_ref :attack-pattern--f3c544dc-673c-4ef3-accb-53229f1ae077; | |
dcterms:created "2019-01-29T19:55:48.080Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Epic](https://attack.mitre.org/software/S0091) uses the <code>net time</code> command to get the system time from the machine and collect the current date and time zone information.(Citation: Kaspersky Turla)"; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--79958036-a8bf-4808-af4f-f9f7a9cb6e7c | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7; | |
stix:target_ref :attack-pattern--1d24cdee-9ea2-4189-b08e-af110bf2435d; | |
dcterms:created "2019-09-23T22:53:30.129Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[APT41](https://attack.mitre.org/groups/G0096) performed password brute-force attacks on the local admin account.(Citation: FireEye APT41 Aug 2019)"; | |
dcterms:modified "2023-03-23T15:27:10.530Z"^^xsd:dateTime . | |
:relationship--f705286a-3372-4343-b74f-cab6ff672774 | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--eb88d97c-32f1-40be-80f0-d61a4b0b4b31; | |
stix:target_ref :attack-pattern--4a5b7ade-8bb5-4853-84ed-23f262002665; | |
dcterms:created "2023-03-08T20:11:59.732Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Remove unnecessary tools and software from containers."; | |
dcterms:modified "2023-03-08T20:11:59.732Z"^^xsd:dateTime . | |
:relationship--4859e904-e404-4bae-a106-d347c9cc2e18 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--599cd7b5-37b5-4cdd-8174-2811531ce9d0; | |
stix:target_ref :attack-pattern--e3b6daca-e963-4a69-aee6-ed4fd653ad58; | |
dcterms:created "2021-09-21T15:10:56.095Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[SpicyOmelette](https://attack.mitre.org/software/S0646) can enumerate running software on a targeted system.(Citation: Secureworks GOLD KINGSWOOD September 2018)"; | |
dcterms:modified "2021-09-21T15:10:56.095Z"^^xsd:dateTime . | |
:relationship--e61e5dc3-b6ac-4909-b188-eaede02385df | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--1d1fce2f-0db5-402b-9843-4278a0694637; | |
stix:target_ref :attack-pattern--b18eae87-b469-4e14-b454-b171b416bc18; | |
dcterms:created "2020-03-30T20:44:34.666Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[GravityRAT](https://attack.mitre.org/software/S0237) has used HTTP over a non-standard port, such as TCP port 46769.(Citation: Talos GravityRAT)"; | |
dcterms:modified "2020-03-30T20:44:34.666Z"^^xsd:dateTime . | |
:relationship--08f2da07-4e03-46bd-a3d9-c79ef7dd9a45 | |
rdf:type stix:Relationship; | |
stix:source_ref :campaign--df74f7ad-b10d-431c-9f1d-a2bc18dadefa; | |
stix:target_ref :attack-pattern--830c9528-df21-472c-8c14-a036bf17d665; | |
dcterms:created "2023-07-12T20:35:24.120Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "During [C0027](https://attack.mitre.org/campaigns/C0027), [Scattered Spider](https://attack.mitre.org/groups/G1015) downloaded tools from sites including file.io, GitHub, and paste.ee.(Citation: Crowdstrike TELCO BPO Campaign December 2022)"; | |
dcterms:modified "2023-07-12T20:35:24.120Z"^^xsd:dateTime . | |
:relationship--e84df21f-b55f-4b5d-ae7b-0f8fcc4eed95 | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--da85d358-741a-410d-9433-20d6269a6170; | |
stix:target_ref :attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279; | |
dcterms:created "2022-03-30T14:26:51.864Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Monitor Registry for changes to run keys that do not correlate with known software, patch cycles, etc. Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing the run keys' Registry locations. (Citation: TechNet Autoruns)\n\nDetection of the modification of the registry key <code>Common Startup</code> located in HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\ and HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\. When a user logs on, any files located in the Startup Folder are launched. Attackers may modify these folders with other files in order to evade detection set on these default folders. This detection focuses on EventIDs 4688 and 1 for process creation and EventID 4657 for the modification of the Registry Keys.\n\n<h4>Analytic 1 - Modification of Default Startup Folder in the Registry Key ‘Common Startup’</h4>\n<code>logon_reg_processes = filter processes where (command_line CONTAINS(\"*reg*\") AND command_line CONTAINS(\"*add*\") AND command_line CONTAINS(\"*/d*\") OR (command_line CONTAINS(\"*Set-ItemProperty*\") AND command_line CONTAINS(\"*-value*\")) AND command_line CONTAINS(\"*Common Startup*\"))\nreg_keys = search Registry:value_edit\nlogon_reg_keys = filter reg_keys where value=\"Common Startup\"</code>"; | |
dcterms:modified "2023-09-15T17:16:19.133Z"^^xsd:dateTime . | |
:relationship--60269020-6ab2-496a-9649-3b1cd707aced | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--be25c1c0-1590-4219-a3d5-6f31799d1d1b; | |
stix:target_ref :attack-pattern--7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c; | |
dcterms:created "2022-10-13T15:28:44.218Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[FunnyDream](https://attack.mitre.org/software/S1044) has used a service named `WSearch` for execution.(Citation: Bitdefender FunnyDream Campaign November 2020)"; | |
dcterms:modified "2022-10-13T16:10:56.771Z"^^xsd:dateTime . | |
:relationship--8c418cb5-2cff-45f9-ad5d-b8b65cde713c | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--c9ccc4df-1f56-49e7-ad57-b383e1451688; | |
stix:target_ref :attack-pattern--24bfaeba-cb0d-4525-b3dc-507c77ecec41; | |
dcterms:created "2021-03-01T14:07:36.882Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[LookBack](https://attack.mitre.org/software/S0582) uses a modified version of RC4 for data transfer.(Citation: Proofpoint LookBack Malware Aug 2019)"; | |
dcterms:modified "2021-03-02T18:15:56.541Z"^^xsd:dateTime . | |
:malware--b7e9880a-7a7c-4162-bddb-e28e8ef2bf1f | |
rdf:type stix:Malware; | |
rdfs:label "Carbon"; | |
dcterms:created "2019-01-29T19:36:02.103Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Carbon](https://attack.mitre.org/software/S0335) is a sophisticated, second-stage backdoor and framework that can be used to steal sensitive information from victims. [Carbon](https://attack.mitre.org/software/S0335) has been selectively used by [Turla](https://attack.mitre.org/groups/G0010) to target government and foreign affairs-related organizations in Central Asia.(Citation: ESET Carbon Mar 2017)(Citation: Securelist Turla Oct 2018)"; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--10c609ce-f256-436c-8288-3441cb123fc5 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--7bef1b56-4870-4e74-b32a-7dd88c390c44; | |
stix:target_ref :attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2; | |
dcterms:created "2020-07-01T20:27:58.395Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Bundlore](https://attack.mitre.org/software/S0482) has disguised a malicious .app file as a Flash Player update.(Citation: MacKeeper Bundlore Apr 2019)"; | |
dcterms:modified "2020-07-01T21:30:17.251Z"^^xsd:dateTime . | |
:relationship--c4cd9acb-aaea-4b77-890e-f153a58623a4 | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--2f316f6c-ae42-44fe-adf8-150989e0f6d3; | |
stix:target_ref :attack-pattern--f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a; | |
dcterms:created "2019-07-18T15:05:36.677Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Consider technical controls to prevent the disabling of services or deletion of files involved in system recovery. Additionally, ensure that WinRE is enabled using the following command: <code>reagentc /enable</code>.(Citation: reagentc_cmd)"; | |
dcterms:modified "2023-02-20T18:48:15.794Z"^^xsd:dateTime . | |
:relationship--73bcd300-467e-4473-9ba7-772ae1c58610 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265df3258; | |
stix:target_ref :malware--63c4511b-2d6e-4bb2-b582-e2e99a8a467d; | |
dcterms:created "2021-01-14T20:19:39.292Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "(Citation: Microsoft GALLIUM December 2019)"; | |
dcterms:modified "2021-01-14T20:19:39.292Z"^^xsd:dateTime . | |
:relationship--ed821f5e-9527-4fbb-ae76-37a79592dfb6 | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--a6a47a06-08fc-4ec4-bdc3-20373375ebb9; | |
stix:target_ref :attack-pattern--a62a8db3-f23a-4d8f-afd6-9dbc77e7813b; | |
dcterms:created "2020-03-02T18:49:28.109Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Anti-virus can automatically quarantine suspicious files."; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:malware--199463de-d9be-46d6-bb41-07234c1dd5a6 | |
rdf:type stix:Malware; | |
rdfs:label "GeminiDuke"; | |
dcterms:created "2017-05-31T21:32:36.177Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[GeminiDuke](https://attack.mitre.org/software/S0049) is malware that was used by [APT29](https://attack.mitre.org/groups/G0016) from 2009 to 2012. (Citation: F-Secure The Dukes)"; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--04d60222-e8da-4de5-bc58-dcfae65986f5 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--edb24a93-1f7a-4bbf-a738-1397a14662c6; | |
stix:target_ref :attack-pattern--f3c544dc-673c-4ef3-accb-53229f1ae077; | |
dcterms:created "2019-04-17T13:46:38.848Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Astaroth](https://attack.mitre.org/software/S0373) collects the timestamp from the infected machine. (Citation: Cofense Astaroth Sept 2018)"; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--c65d4006-003c-4aff-a8c7-bd5834678b58 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--bfc5ddb3-4dfb-4278-8928-020e1b3feddd; | |
stix:target_ref :attack-pattern--c21d5a77-d422-4a69-acd7-2c53c1faa34b; | |
dcterms:created "2023-04-03T17:31:01.013Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Metador](https://attack.mitre.org/groups/G1013) has used TCP for C2.(Citation: SentinelLabs Metador Sept 2022)"; | |
dcterms:modified "2023-04-03T17:31:01.013Z"^^xsd:dateTime . | |
:relationship--85fda77f-5129-4de7-bc44-f81ccc46f6d9 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--3bc7e862-5610-4c02-9c48-15b2e2dc1ddb; | |
stix:target_ref :attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688; | |
dcterms:created "2023-02-14T18:36:46.095Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Woody RAT](https://attack.mitre.org/software/S1065) has the ability to take a screenshot of the infected host desktop using Windows GDI+.(Citation: MalwareBytes WoodyRAT Aug 2022) "; | |
dcterms:modified "2023-02-23T22:34:17.920Z"^^xsd:dateTime . | |
:relationship--25407fd4-3940-4446-9c17-6eebe902dbdf | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--21da4fd4-27ad-4e9c-b93d-0b9b14d02c96; | |
stix:target_ref :attack-pattern--890c9858-598c-401d-a4d5-c67ebcdd703a; | |
dcterms:created "2019-10-08T19:55:33.752Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Administrators can block end-user consent to OAuth applications, disabling users from authorizing third-party apps through OAuth 2.0 and forcing administrative consent for all requests. They can also block end-user registration of applications by their users, to reduce risk. A Cloud Access Security Broker can also be used to ban applications.\n\nAzure offers a couple of enterprise policy settings in the Azure Management Portal that may help:\n\n\"Users -> User settings -> App registrations: Users can register applications\" can be set to \"no\" to prevent users from registering new applications. \n\"Enterprise applications -> User settings -> Enterprise applications: Users can consent to apps accessing company data on their behalf\" can be set to \"no\" to prevent users from consenting to allow third-party multi-tenant applications"; | |
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--3de1cc89-ee9a-4476-9d93-a034da6a90bf | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--3c18ad16-9eaf-4649-984e-68551bff0d47; | |
stix:target_ref :attack-pattern--ef67e13e-5598-4adc-bdb2-998225874fa9; | |
dcterms:created "2022-08-26T22:08:14.801Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Squirrelwaffle](https://attack.mitre.org/software/S1030) has relied on victims to click on a malicious link send via phishing campaigns.(Citation: ZScaler Squirrelwaffle Sep 2021)"; | |
dcterms:modified "2022-08-26T22:08:14.801Z"^^xsd:dateTime . | |
:relationship--e6c6afdc-a52f-405c-8480-a4b2d2d797bf | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--d3105fb5-c494-4fd1-a7be-414eab9e0c96; | |
stix:target_ref :attack-pattern--2b742742-28c3-4e1b-bab7-8350d6300fa7; | |
dcterms:created "2020-11-10T20:55:27.393Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Melcoz](https://attack.mitre.org/software/S0530) has been spread through malicious links embedded in e-mails.(Citation: Securelist Brazilian Banking Malware July 2020)"; | |
dcterms:modified "2020-11-10T20:55:27.393Z"^^xsd:dateTime . | |
:relationship--3d1ba730-3f10-499c-ada3-47d975d5b7e0 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--dc5e2999-ca1a-47d4-8d12-a6984b138a1b; | |
stix:target_ref :attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18; | |
dcterms:created "2021-01-05T17:45:48.946Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[UNC2452](https://attack.mitre.org/groups/G0118) obtained information about the configured Exchange virtual directory using <code>Get-WebServicesVirtualDirectory</code>.(Citation: Volexity SolarWinds)"; | |
dcterms:modified "2023-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--973e4318-a08c-491c-afa3-d110f9d87758 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--6ba1d7ae-d60b-43e6-9f08-a8b787e9d9cb; | |
stix:target_ref :attack-pattern--d0613359-5781-4fd2-b5be-c269270be1f6; | |
dcterms:created "2019-06-28T16:02:08.208Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[LightNeuron](https://attack.mitre.org/software/S0395) is capable of modifying email content, headers, and attachments during transit.(Citation: ESET LightNeuron May 2019)"; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--81763def-b0ec-4938-832d-cffb382bb4a8 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--088f1d6e-0783-47c6-9923-9c79b2af43d4; | |
stix:target_ref :attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161; | |
dcterms:created "2020-12-14T17:34:58.764Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Stuxnet](https://attack.mitre.org/software/S0603) uses HTTP to communicate with a command and control server. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)"; | |
dcterms:modified "2023-03-17T18:04:50.942Z"^^xsd:dateTime . | |
:malware--ec9e00dd-0313-4d5b-8105-c20aa47abffc | |
rdf:type stix:Malware; | |
rdfs:label "ShadowPad"; | |
dcterms:created "2021-03-23T20:49:39.954Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[ShadowPad](https://attack.mitre.org/software/S0596) is a modular backdoor that was first identified in a supply chain compromise of the NetSarang software in mid-July 2017. The malware was originally thought to be exclusively used by [APT41](https://attack.mitre.org/groups/G0096), but has since been observed to be used by various Chinese threat activity groups. (Citation: Recorded Future RedEcho Feb 2021)(Citation: Securelist ShadowPad Aug 2017)(Citation: Kaspersky ShadowPad Aug 2017) "; | |
dcterms:modified "2023-03-26T20:09:03.093Z"^^xsd:dateTime . | |
:attack-pattern--2e114e45-2c50-404c-804a-3af9564d240e | |
rdf:type d3f:OffensiveTechnique; | |
rdfs:label "Disk Structure Wipe"; | |
dcterms:created "2019-03-19T19:38:27.097Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Adversaries may corrupt or wipe the disk data structures on hard drive necessary to boot systems; targeting specific critical systems as well as a large number of systems in a network to interrupt availability to system and network resources. \n\nAdversaries may attempt to render the system unable to boot by overwriting critical data located in structures such as the master boot record (MBR) or partition table.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018) The data contained in disk structures may include the initial executable code for loading an operating system or the location of the file system partitions on disk. If this information is not present, the computer will not be able to load an operating system during the boot process, leaving the computer unavailable. [Disk Structure Wipe](https://attack.mitre.org/techniques/T1487) may be performed in isolation, or along with [Disk Content Wipe](https://attack.mitre.org/techniques/T1488) if all sectors of a disk are wiped.\n\nTo maximize impact on the target organization, malware designed for destroying disk structures may have worm-like features to propagate across a network by leveraging other techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [Windows Admin Shares](https://attack.mitre.org/techniques/T1077).(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)"; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--2303e878-ce48-459d-a5da-256142e2bfd8 | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--1887a270-576a-4049-84de-ef746b2572d6; | |
stix:target_ref :attack-pattern--10ffac09-e42d-4f56-ab20-db94c67d76ff; | |
dcterms:created "2022-03-30T14:26:51.871Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Monitor for attempts by programs to inject into or dump browser process memory."; | |
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--3a30af61-b9b4-488e-aebc-dee4dfce52b6 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc; | |
stix:target_ref :attack-pattern--01a5a209-b94c-450b-b7f9-946497d91055; | |
dcterms:created "2021-09-22T13:52:51.063Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[FIN7](https://attack.mitre.org/groups/G0046) has used WMI to install malware on targeted systems.(Citation: eSentire FIN7 July 2021)"; | |
dcterms:modified "2021-09-22T13:52:51.063Z"^^xsd:dateTime . | |
:relationship--29f12e79-a73e-4660-aefd-40dee902fefa | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--3551476e-14f5-4e48-a518-e82135329e03; | |
stix:target_ref :attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4; | |
dcterms:created "2022-03-30T14:26:51.853Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Monitor for unusual kernel driver installation activity "; | |
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--3100a612-59cf-4fb0-b5f0-d0e09198a487 | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa; | |
stix:target_ref :attack-pattern--bb5e59c4-abe7-40c7-8196-e373cb1e5974; | |
dcterms:created "2023-09-08T20:26:43.965Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Monitor call logs from corporate devices to identify patterns of potential voice phishing, such as calls to/from known malicious phone numbers. Correlate these records with system events."; | |
dcterms:modified "2023-09-08T20:58:53.173Z"^^xsd:dateTime . | |
:relationship--79c46f52-743a-4a17-bede-aa003c03f6b1 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--d2c7f8ad-3b50-4cfa-bbb1-799eff06fb40; | |
stix:target_ref :attack-pattern--cba37adb-d6fb-4610-b069-dd04c0643384; | |
dcterms:created "2020-06-10T19:31:48.084Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[build_downer](https://attack.mitre.org/software/S0471) has the ability to detect if the infected host is running an anti-virus process.(Citation: Trend Micro Tick November 2019)"; | |
dcterms:modified "2020-06-24T01:27:32.405Z"^^xsd:dateTime . | |
:relationship--2e03c99d-473d-406e-b903-1fc9c9a6a5ec | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--03acae53-9b98-46f6-b204-16b930839055; | |
stix:target_ref :attack-pattern--365be77f-fc0e-42ee-bac8-4faf806d9336; | |
dcterms:created "2021-11-29T16:31:50.618Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[RCSession](https://attack.mitre.org/software/S0662) has the ability to execute inside the msiexec.exe process.(Citation: Profero APT27 December 2020)"; | |
dcterms:modified "2023-03-26T20:05:38.078Z"^^xsd:dateTime . | |
:relationship--f3d30d20-ee51-4976-8611-5667df771567 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--6713ab67-e25b-49cc-808d-2b36d4fbc35c; | |
stix:target_ref :attack-pattern--1ecfdab8-7d59-4c98-95d4-dc41970f57fc; | |
dcterms:created "2020-03-19T23:03:33.778Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Ke3chang](https://attack.mitre.org/groups/G0004) has dumped credentials, including by using gsecdump.(Citation: Mandiant Operation Ke3chang November 2014)(Citation: NCC Group APT15 Alive and Strong)"; | |
dcterms:modified "2021-11-01T21:12:15.488Z"^^xsd:dateTime . | |
:relationship--91bd508e-7f5a-4514-b886-95d97f8eefff | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--65ffc206-d7c1-45b3-b543-f6b726e7840d; | |
stix:target_ref :attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e; | |
dcterms:created "2022-04-13T19:05:51.100Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Bisonal](https://attack.mitre.org/software/S0268) has relied on users to execute malicious file attachments delivered via spearphishing emails.(Citation: Talos Bisonal Mar 2020) "; | |
dcterms:modified "2022-04-18T18:10:36.843Z"^^xsd:dateTime . | |
:relationship--f957f429-c0d1-4b02-aef8-1d8500421225 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--a4f57468-fbd5-49e4-8476-52088220b92d; | |
stix:target_ref :attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9; | |
dcterms:created "2020-12-09T21:53:58.664Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Zebrocy](https://attack.mitre.org/software/S0251) has a command to create a scheduled task for persistence.(Citation: CISA Zebrocy Oct 2020)"; | |
dcterms:modified "2020-12-09T21:53:58.664Z"^^xsd:dateTime . | |
:relationship--952edf61-e906-4ab5-989f-1d6a5dd95dce | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d; | |
stix:target_ref :attack-pattern--ef67e13e-5598-4adc-bdb2-998225874fa9; | |
dcterms:created "2020-03-17T14:52:21.694Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[OilRig](https://attack.mitre.org/groups/G0049) has delivered malicious links to achieve execution on the target system.(Citation: Unit 42 OopsIE! Feb 2018)(Citation: Unit 42 QUADAGENT July 2018)(Citation: Crowdstrike Helix Kitten Nov 2018)"; | |
dcterms:modified "2020-03-17T14:52:21.694Z"^^xsd:dateTime . | |
:relationship--20c01d16-fdd8-4f6b-ba0c-d81b70329440 | |
rdf:type stix:Relationship; | |
stix:source_ref :attack-pattern--37b11151-1776-4f8f-b328-30939fbf2ceb; | |
stix:target_ref :attack-pattern--7385dfaf-6886-4229-9ecd-6fd678040830; | |
dcterms:created "2020-03-09T14:07:54.891Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--6a0f3ebb-c805-402f-bb2e-aac2f8d174fa | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--08d20cd2-f084-45ee-8558-fa6ef5a18519; | |
stix:target_ref :attack-pattern--120d5519-3098-4e1c-9191-2aa61232f073; | |
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Downdelph](https://attack.mitre.org/software/S0134) bypasses UAC to escalate privileges by using a custom “RedirectEXE” shim database.(Citation: ESET Sednit Part 3)"; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--4f1793cb-51f9-47d0-a2a7-374a57f56b82 | |
rdf:type stix:Relationship; | |
stix:source_ref :campaign--4603cf2f-06d0-4970-9c5d-5071b08c817f; | |
stix:target_ref :attack-pattern--40f5caa0-4cb7-4117-89fc-d421bb493df3; | |
dcterms:created "2022-09-30T19:00:48.584Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "For [Operation Dust Storm](https://attack.mitre.org/campaigns/C0016), the threat actors established domains as part of their operational infrastructure.(Citation: Cylance Dust Storm)"; | |
dcterms:modified "2022-09-30T19:00:48.584Z"^^xsd:dateTime . | |
:relationship--2e80a049-220e-4d47-98f7-c0dbfe245cdc | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--ae9d818d-95d0-41da-b045-9cabea1ca164; | |
stix:target_ref :attack-pattern--0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22; | |
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[PinchDuke](https://attack.mitre.org/software/S0048) steals credentials from compromised hosts. [PinchDuke](https://attack.mitre.org/software/S0048)'s credential stealing functionality is believed to be based on the source code of the Pinch credential stealing malware (also known as LdPinch). Credentials targeted by [PinchDuke](https://attack.mitre.org/software/S0048) include ones associated many sources such as WinInet Credential Cache, and Lightweight Directory Access Protocol (LDAP).(Citation: F-Secure The Dukes)"; | |
dcterms:modified "2020-03-19T23:56:41.619Z"^^xsd:dateTime . | |
:relationship--a5848e5c-0a64-44f2-9432-4d503baea628 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--3161d76a-e2b2-4b97-9906-24909b735386; | |
stix:target_ref :attack-pattern--86850eff-2729-40c3-b85e-c4af26da4a2d; | |
dcterms:created "2020-05-27T13:35:36.629Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Aria-body](https://attack.mitre.org/software/S0456) has the ability to duplicate a token from ntprint.exe.(Citation: CheckPoint Naikon May 2020)"; | |
dcterms:modified "2020-06-03T20:11:27.728Z"^^xsd:dateTime . | |
:relationship--c5cf4822-a0bf-442a-9943-1937ac45520b | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--2fb26586-2b53-4b9a-ad4f-2b3bcb9a2421; | |
stix:target_ref :attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2; | |
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "To establish persistence, [SslMM](https://attack.mitre.org/software/S0058) identifies the Start Menu Startup directory and drops a link to its own executable disguised as an “Office Start,” “Yahoo Talk,” “MSN Gaming Z0ne,” or “MSN Talk” shortcut.(Citation: Baumgartner Naikon 2015)"; | |
dcterms:modified "2020-03-18T15:53:57.648Z"^^xsd:dateTime . | |
:relationship--ff5d1433-de7a-4aba-95c4-5d92782589f9 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90; | |
stix:target_ref :malware--36ede314-7db4-4d09-b53d-81bbfbe5f6f8; | |
dcterms:created "2020-06-11T16:19:17.925Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "(Citation: Trend Micro Tick November 2019)"; | |
dcterms:modified "2020-06-24T01:27:32.664Z"^^xsd:dateTime . | |
:relationship--8119ee71-e017-4ba0-9aeb-a14c46f64f1a | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--2a158b0a-7ef8-43cb-9985-bf34d1e12050; | |
stix:target_ref :malware--007b44b6-e4c5-480b-b5b9-56f2081b1b7b; | |
dcterms:created "2017-05-31T21:33:27.054Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "(Citation: Baumgartner Naikon 2015)"; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--2c79282f-5e60-48b9-962a-d61c3d73b334 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d; | |
stix:target_ref :attack-pattern--7385dfaf-6886-4229-9ecd-6fd678040830; | |
dcterms:created "2018-01-16T16:13:52.465Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[OilRig](https://attack.mitre.org/groups/G0049) has used the command-line interface for execution."; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--04558d61-aa04-46b5-a65f-921011ac9621 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--fe8796a4-2a02-41a0-9d27-7aa1e995feb6; | |
stix:target_ref :attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279; | |
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "An [APT19](https://attack.mitre.org/groups/G0073) HTTP malware variant establishes persistence by setting the Registry key <code>HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Windows Debug Tools-%LOCALAPPDATA%\\</code>.(Citation: Unit 42 C0d0so0 Jan 2016)"; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--8ebf7956-a41c-4f3c-b586-a38a107518d6 | |
rdf:type stix:Relationship; | |
stix:source_ref :campaign--0257b35b-93ef-4a70-80dd-ad5258e6045b; | |
stix:target_ref :attack-pattern--c9e0c59e-162e-40a4-b8b1-78fab4329ada; | |
dcterms:created "2023-09-20T15:11:06.448Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "During [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) impersonated HR hiring personnel through LinkedIn messages and conducted interviews with victims in order to deceive them into downloading malware.(Citation: ClearSky Lazarus Aug 2020)(Citation: ESET Lazarus Jun 2020)(Citation: The Hacker News Lazarus Aug 2022)"; | |
dcterms:modified "2023-09-28T22:18:25.164Z"^^xsd:dateTime . | |
:attack-pattern--f8ef3a62-3f44-40a4-abca-761ab235c436 | |
rdf:type d3f:OffensiveTechnique; | |
rdfs:label "Container API"; | |
dcterms:created "2021-03-31T14:01:52.321Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Adversaries may gather credentials via APIs within a containers environment. APIs in these environments, such as the Docker API and Kubernetes APIs, allow a user to remotely manage their container resources and cluster components.(Citation: Docker API)(Citation: Kubernetes API)\n\nAn adversary may access the Docker API to collect logs that contain credentials to cloud, container, and various other resources in the environment.(Citation: Unit 42 Unsecured Docker Daemons) An adversary with sufficient permissions, such as via a pod's service account, may also use the Kubernetes API to retrieve credentials from the Kubernetes API server. These credentials may include those needed for Docker API authentication or secrets from Kubernetes cluster components. "; | |
dcterms:modified "2023-10-31T14:00:00.188Z"^^xsd:dateTime . | |
:malware--4efc3e00-72f2-466a-ab7c-8a7dc6603b19 | |
rdf:type stix:Malware; | |
rdfs:label "Raindrop"; | |
dcterms:created "2021-01-19T19:43:27.828Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Raindrop](https://attack.mitre.org/software/S0565) is a loader used by [APT29](https://attack.mitre.org/groups/G0016) that was discovered on some victim machines during investigations related to the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024). It was discovered in January 2021 and was likely used since at least May 2020.(Citation: Symantec RAINDROP January 2021)(Citation: Microsoft Deep Dive Solorigate January 2021)"; | |
dcterms:modified "2023-03-27T19:53:24.461Z"^^xsd:dateTime . | |
:relationship--e80f97df-4984-4e62-bba6-1333d4c2c977 | |
rdf:type stix:Relationship; | |
stix:source_ref :tool--8f8cd191-902c-4e83-bf20-b57c8c4640e9; | |
stix:target_ref :attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18; | |
dcterms:created "2020-05-05T18:47:47.317Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Imminent Monitor](https://attack.mitre.org/software/S0434) has a dynamic debugging feature to check whether it is located in the %TEMP% directory, otherwise it copies itself there.(Citation: QiAnXin APT-C-36 Feb2019)"; | |
dcterms:modified "2020-10-14T14:40:36.366Z"^^xsd:dateTime . | |
:relationship--ad6cad0b-d827-4182-baf9-826c6788cf4e | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--174279b4-399f-4ddb-966e-5efedd1dd5f2; | |
stix:target_ref :tool--b77b563c-34bb-4fb8-86a3-3694338f7b47; | |
dcterms:created "2023-07-31T19:35:50.201Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "(Citation: Microsoft Volt Typhoon May 2023)"; | |
dcterms:modified "2023-07-31T19:35:50.201Z"^^xsd:dateTime . | |
:relationship--58d0e93e-15d3-476f-9fb9-4c953b072f53 | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0; | |
stix:target_ref :attack-pattern--799ace7f-e227-4411-baa0-8868704f2a69; | |
dcterms:created "2022-03-30T14:26:51.851Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Monitor executed commands and arguments that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware."; | |
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime . | |
:attack-pattern--1c34f7aa-9341-4a48-bfab-af22e51aca6c | |
rdf:type d3f:OffensiveTechnique; | |
rdfs:label "Local Data Staging"; | |
dcterms:created "2020-03-13T21:13:10.467Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Adversaries may stage collected data in a central location or directory on the local system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.\n\nAdversaries may also stage collected data in various available formats/locations of a system, including local storage databases/repositories or the Windows Registry.(Citation: Prevailion DarkWatchman 2021)"; | |
dcterms:modified "2022-05-11T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--4d4c8221-17a9-4e5b-86f9-6a0cffc42424 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--66b1dcde-17a0-4c7b-95fa-b08d430c2131; | |
stix:target_ref :attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161; | |
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[S-Type](https://attack.mitre.org/software/S0085) uses HTTP for C2.(Citation: Cylance Dust Storm)"; | |
dcterms:modified "2022-01-19T21:00:45.681Z"^^xsd:dateTime . | |
:relationship--ef934eda-a3ad-40fb-8923-fc2f72fb8f6e | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--81c57a96-fc8c-4f91-af8e-63e24c2927c2; | |
stix:target_ref :attack-pattern--cbb66055-0325-4111-aca0-40547b6ad5b0; | |
dcterms:created "2020-06-24T19:58:56.888Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Metamorfo](https://attack.mitre.org/software/S0455) has hidden its GUI using the ShowWindow() WINAPI call.(Citation: Medium Metamorfo Apr 2020) "; | |
dcterms:modified "2020-06-24T19:58:56.888Z"^^xsd:dateTime . | |
:relationship--bcedecdf-e98d-4cf7-84a4-d4769a10858d | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--64122557-5940-4271-9123-25bfc0c693db; | |
stix:target_ref :attack-pattern--f7827069-0bf2-4764-af4f-23fae0d181b7; | |
dcterms:created "2020-11-10T19:27:14.615Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Javali](https://attack.mitre.org/software/S0528) can read C2 information from Google Documents and YouTube.(Citation: Securelist Brazilian Banking Malware July 2020)"; | |
dcterms:modified "2020-11-10T19:27:14.615Z"^^xsd:dateTime . | |
:relationship--5e23c694-3f4a-43f7-823b-8ea36558c928 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--4c59cce8-cb48-4141-b9f1-f646edfaadb0; | |
stix:target_ref :attack-pattern--9a60a291-8960-4387-8a4a-2ab5c18bb50b; | |
dcterms:created "2020-03-17T02:25:11.600Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "The [Regin](https://attack.mitre.org/software/S0019) malware platform supports many standard protocols, including SMB.(Citation: Kaspersky Regin)"; | |
dcterms:modified "2023-10-01T02:49:27.909Z"^^xsd:dateTime . | |
:relationship--7a1a5bda-170c-44fd-8094-7f78b7f803c9 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--6b62e336-176f-417b-856a-8552dd8c44e1; | |
stix:target_ref :attack-pattern--0042a9f5-f053-4769-b3ef-9ad018dfa298; | |
dcterms:created "2019-05-07T17:47:25.127Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Epic](https://attack.mitre.org/software/S0091) has overwritten the function pointer in the extra window memory of Explorer's Shell_TrayWnd in order to execute malicious code in the context of the explorer.exe process.(Citation: ESET Recon Snake Nest)"; | |
dcterms:modified "2020-03-18T19:55:30.854Z"^^xsd:dateTime . | |
:relationship--452e340a-df31-4ae9-a801-d26c57d491ea | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--7e0f8b0f-716e-494d-827e-310bd6ed709e; | |
stix:target_ref :attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add; | |
dcterms:created "2021-09-22T21:57:30.206Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[SMOKEDHAM](https://attack.mitre.org/software/S0649) has used Powershell to download UltraVNC and [ngrok](https://attack.mitre.org/software/S0508) from third-party file sharing sites.(Citation: FireEye SMOKEDHAM June 2021)"; | |
dcterms:modified "2023-10-31T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--151da49e-c3ee-4615-b62e-c8a3c93a32a6 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--bdee9574-7479-4073-a7dc-e86d8acd073a; | |
stix:target_ref :attack-pattern--c21d5a77-d422-4a69-acd7-2c53c1faa34b; | |
dcterms:created "2022-06-09T14:47:59.956Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[MacMa](https://attack.mitre.org/software/S1016) has used a custom JSON-based protocol for its C&C communications.(Citation: ESET DazzleSpy Jan 2022)"; | |
dcterms:modified "2022-06-09T14:47:59.956Z"^^xsd:dateTime . | |
:course-of-action--5c49bc54-9929-48ca-b581-7018219b5a97 | |
rdf:type stix:CourseOfAction; | |
rdfs:label "Account Discovery Mitigation"; | |
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Prevent administrator accounts from being enumerated when an application is elevating through UAC since it can lead to the disclosure of account names. The Registry key is located <code>HKLM\\ SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\CredUI\\EnumerateAdministrators</code>. It can be disabled through GPO: Computer Configuration > [Policies] > Administrative Templates > Windows Components > Credential User Interface: E numerate administrator accounts on elevation. (Citation: UCF STIG Elevation Account Enumeration)\n\nIdentify unnecessary system utilities or potentially malicious software that may be used to acquire information about system and domain accounts, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)"; | |
dcterms:modified "2021-08-23T20:25:18.116Z"^^xsd:dateTime . | |
:relationship--178dda13-999c-481f-8a1b-8dc062d7b0ff | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--f8cb7b36-62ef-4488-8a6d-a7033e3271c1; | |
stix:target_ref :attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e; | |
dcterms:created "2022-02-01T15:37:38.932Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[WIRTE](https://attack.mitre.org/groups/G0090) has attempted to lure users into opening malicious MS Word and Excel files to execute malicious payloads.(Citation: Kaspersky WIRTE November 2021)"; | |
dcterms:modified "2022-02-01T15:37:38.932Z"^^xsd:dateTime . | |
:relationship--99cfee83-7db8-44c1-8fd8-75bc1c67d17c | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--269e8108-68c6-4f99-b911-14b2e765dec2; | |
stix:target_ref :attack-pattern--7e150503-88e7-4861-866b-ff1ac82c4475; | |
dcterms:created "2021-03-19T13:38:12.533Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[MuddyWater](https://attack.mitre.org/groups/G0069) has used a PowerShell backdoor to check for Skype connections on the target machine.(Citation: Trend Micro Muddy Water March 2021)"; | |
dcterms:modified "2021-03-19T13:38:12.533Z"^^xsd:dateTime . | |
:relationship--3231ef46-26f9-4711-adfe-cfa68425f848 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--86b92f6c-9c05-4c51-b361-4c7bb13e21a1; | |
stix:target_ref :attack-pattern--93591901-3172-4e94-abf8-6034ab26f44a; | |
dcterms:created "2022-01-06T20:23:01.566Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[KONNI](https://attack.mitre.org/software/S0356) has used parent PID spoofing to spawn a new `cmd` process using `CreateProcessW` and a handle to `Taskmgr.exe`.(Citation: Malwarebytes Konni Aug 2021) "; | |
dcterms:modified "2022-04-18T19:48:24.407Z"^^xsd:dateTime . | |
:relationship--91cea20a-9698-4bec-8fdd-c1eda3ea66e7 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--3be1fb7a-0f7e-415e-8e3a-74a80d596e68; | |
stix:target_ref :attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1; | |
dcterms:created "2023-04-04T21:50:08.665Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Mafalda](https://attack.mitre.org/software/S1060) can collect the computer name and enumerate all drives on a compromised host.(Citation: SentinelLabs Metador Sept 2022)(Citation: SentinelLabs Metador Technical Appendix Sept 2022)"; | |
dcterms:modified "2023-04-04T21:50:08.665Z"^^xsd:dateTime . | |
:relationship--b6fed470-c730-4bac-b347-25d27fae9b7c | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542; | |
stix:target_ref :attack-pattern--438c967d-3996-4870-bfc2-3954752a1927; | |
dcterms:created "2022-07-11T20:34:55.627Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[APT29](https://attack.mitre.org/groups/G0016) removed evidence of email export requests using <code>Remove-MailboxExportRequest</code>.(Citation: Volexity SolarWinds)"; | |
dcterms:modified "2023-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--0390ebec-176f-421a-9823-cce48756aef1 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--8c1f0187-0826-4320-bddc-5f326cfcfe2c; | |
stix:target_ref :attack-pattern--e64c62cf-9cd7-4a14-94ec-cdaac43ab44b; | |
dcterms:created "2021-01-22T16:51:10.393Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Chimera](https://attack.mitre.org/groups/G0114) has used side loading to place malicious DLLs in memory.(Citation: NCC Group Chimera January 2021)"; | |
dcterms:modified "2021-01-22T16:51:10.393Z"^^xsd:dateTime . | |
:relationship--2f081501-0c5c-4662-b7b4-3dc5a8a3b1af | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--fde19a18-e502-467f-be14-58c71b4e7f4b; | |
stix:target_ref :attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add; | |
dcterms:created "2021-12-27T19:19:42.895Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[WarzoneRAT](https://attack.mitre.org/software/S0670) can download and execute additional files.(Citation: Check Point Warzone Feb 2020)"; | |
dcterms:modified "2022-04-07T16:00:36.787Z"^^xsd:dateTime . | |
:relationship--f06c48f0-88de-4850-90dd-9ff4979dde95 | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8; | |
stix:target_ref :attack-pattern--f4c1826f-a322-41cd-9557-562100848c84; | |
dcterms:created "2022-10-17T21:58:20.451Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Review authentication logs to ensure that mechanisms such as enforcement of MFA are functioning as intended.\n\nPeriodically review the hybrid identity solution in use for any discrepancies. For example, review all Pass Through Authentication (PTA) agents in the Azure Management Portal to identify any unwanted or unapproved ones.(Citation: Mandiant Azure AD Backdoors) If ADFS is in use, review DLLs and executable files in the AD FS and Global Assembly Cache directories to ensure that they are signed by Microsoft. Note that in some cases binaries may be catalog-signed, which may cause the file to appear unsigned when viewing file properties.(Citation: MagicWeb)\n\nPeriodically review for new and unknown network provider DLLs within the Registry (`HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\<NetworkProviderName>\\NetworkProvider\\ProviderPath`). Ensure only valid network provider DLLs are registered. The name of these can be found in the Registry key at `HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\NetworkProvider\\Order`, and have corresponding service subkey pointing to a DLL at `HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentC ontrolSet\\Services\\<NetworkProviderName>\\NetworkProvider`."; | |
dcterms:modified "2023-04-11T14:27:42.484Z"^^xsd:dateTime . | |
:attack-pattern--b8cfed42-6a8a-4989-ad72-541af74475ec | |
rdf:type d3f:OffensiveTechnique; | |
rdfs:label "Authentication Package"; | |
dcterms:created "2020-01-24T14:54:42.757Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Adversaries may abuse authentication packages to execute DLLs when the system boots. Windows authentication package DLLs are loaded by the Local Security Authority (LSA) process at system start. They provide support for multiple logon processes and multiple security protocols to the operating system.(Citation: MSDN Authentication Packages)\n\nAdversaries can use the autostart mechanism provided by LSA authentication packages for persistence by placing a reference to a binary in the Windows Registry location <code>HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\</code> with the key value of <code>\"Authentication Packages\"=<target binary></code>. The binary will then be executed by the system when the authentication packages are loaded."; | |
dcterms:modified "2022-05-11T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--cf16ba1d-ea81-4301-a1a4-083e4a8927fe | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--21da4fd4-27ad-4e9c-b93d-0b9b14d02c96; | |
stix:target_ref :attack-pattern--bf1b6176-597c-4600-bfcd-ac989670f96b; | |
dcterms:created "2020-03-09T15:04:32.848Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Web proxies can be used to enforce an external network communication policy that prevents use of unauthorized external services."; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--0d1ae008-8b7f-4b64-8b05-2df3ef55f323 | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a; | |
stix:target_ref :attack-pattern--67073dde-d720-45ae-83da-b12d5e73ca3b; | |
dcterms:created "2022-03-30T14:26:51.833Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious."; | |
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--5e82824d-3548-4ffe-98fd-8e432a36847b | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--ec42d8be-f762-4127-80f4-f079ea6d7135; | |
stix:target_ref :attack-pattern--6a5848a8-6201-4a2c-8a6a-ca5af8c6f3df; | |
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:modified "2023-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:course-of-action--3bd2cf87-1ceb-4317-9aee-3e7dc713261b | |
rdf:type stix:CourseOfAction; | |
rdfs:label "Domain Generation Algorithms Mitigation"; | |
dcterms:created "2019-02-18T17:22:57.941Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "This technique may be difficult to mitigate since the domains can be registered just before they are used, and disposed shortly after. Malware researchers can reverse-engineer malware variants that use DGAs and determine future domains that the malware will attempt to contact, but this is a time and resource intensive effort.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA Brute Force) Malware is also increasingly incorporating seed values that can be unique for each instance, which would then need to be determined to extract future generated domains. In some cases, the seed that a particular sample uses can be extracted from DNS traffic.(Citation: Akamai DGA Mitigation) Even so, there can be thousands of possible domains generated per day; this makes it impractical for defenders to preemptively register all possible C2 domains due to the cost. In some cases a local DNS sinkhole may be used to help prevent DGA-based command and control at a reduced cost.\n\nNetwork intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific protocol used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2)"; | |
dcterms:modified "2019-07-24T19:13:31.378Z"^^xsd:dateTime . | |
:relationship--b1371fd9-1bfd-40b2-90a2-4876d89029bf | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--a8d3d497-2da9-4797-8e0b-ed176be08654; | |
stix:target_ref :attack-pattern--cba37adb-d6fb-4610-b069-dd04c0643384; | |
dcterms:created "2018-01-16T16:13:52.465Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Wingbird](https://attack.mitre.org/software/S0176) checks for the presence of Bitdefender security software.(Citation: Microsoft SIR Vol 21)"; | |
dcterms:modified "2020-02-11T19:39:04.039Z"^^xsd:dateTime . | |
:relationship--3b02e08d-f6fe-4d7b-907d-e8c6534f9a98 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--fd66436e-4d33-450e-ac4c-f7810f1c85f4; | |
stix:target_ref :attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736; | |
dcterms:created "2023-07-27T20:50:01.946Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[FIN13](https://attack.mitre.org/groups/G1016) has used PowerShell commands to obtain DNS data from a compromised network.(Citation: Mandiant FIN13 Aug 2022)"; | |
dcterms:modified "2023-09-29T18:38:18.946Z"^^xsd:dateTime . | |
:relationship--7064e494-5a32-4a40-b0b1-b19b9a145e73 | |
rdf:type stix:Relationship; | |
stix:source_ref :campaign--0257b35b-93ef-4a70-80dd-ad5258e6045b; | |
stix:target_ref :attack-pattern--9e7452df-5144-4b6e-b04a-b66dd4016747; | |
dcterms:created "2023-04-10T15:38:02.911Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "During [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) conducted internal spearphishing from within a compromised organization.(Citation: ClearSky Lazarus Aug 2020)"; | |
dcterms:modified "2023-04-10T15:38:02.911Z"^^xsd:dateTime . | |
:relationship--fc8ef14d-1a07-4f96-85c3-b62ba6bcffc1 | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--2f316f6c-ae42-44fe-adf8-150989e0f6d3; | |
stix:target_ref :attack-pattern--f4c1826f-a322-41cd-9557-562100848c84; | |
dcterms:created "2020-03-16T14:49:02.714Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Ensure only valid password filters are registered. Filter DLLs must be present in Windows installation directory (`C:\\Windows\\System32\\` by default) of a domain controller and/or local computer with a corresponding entry in `HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Notification Packages`. \n\nStarting in Windows 11 22H2, the `EnableMPRNotifications` policy can be disabled through Group Policy or through a configuration service provider to prevent Winlogon from sending credentials to network providers.(Citation: EnableMPRNotifications)"; | |
dcterms:modified "2023-04-11T14:27:30.007Z"^^xsd:dateTime . | |
:relationship--60b36de9-e8ce-4aff-b5aa-5a8c2e7fe197 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542; | |
stix:target_ref :attack-pattern--eb062747-2193-45de-8fa2-e62549c37ddf; | |
dcterms:created "2022-02-07T16:31:15.990Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[APT29](https://attack.mitre.org/groups/G0016) has used RDP sessions from public-facing systems to internal servers.(Citation: CrowdStrike StellarParticle January 2022)"; | |
dcterms:modified "2023-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--4d4db495-6366-414f-aa58-1dbd97032412 | |
rdf:type stix:Relationship; | |
stix:source_ref :attack-pattern--6636bc83-0611-45a6-b74f-1f3daf635b8e; | |
stix:target_ref :attack-pattern--f3d95a1f-bba2-44ce-9af7-37866cd63fd0; | |
dcterms:created "2022-04-16T20:45:01.832Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description ""; | |
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime . | |
:attack-pattern--7bd9c723-2f78-4309-82c5-47cad406572b | |
rdf:type d3f:OffensiveTechnique; | |
rdfs:label "Dynamic Resolution"; | |
dcterms:created "2020-03-10T17:28:11.747Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware's communications. These calculations can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control.\n\nAdversaries may use dynamic resolution for the purpose of [Fallback Channels](https://attack.mitre.org/techniques/T1008). When contact is lost with the primary command and control server malware may employ dynamic resolution as a means to reestablishing command and control.(Citation: Talos CCleanup 2017)(Citation: FireEye POSHSPY April 2017)(Citation: ESET Sednit 2017 Activity)"; | |
dcterms:modified "2022-05-11T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--087c222c-4108-4fbf-ac8f-983cd71548fa | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--e44e0985-bc65-4a8f-b578-211c858128e3; | |
stix:target_ref :attack-pattern--31fe0ba2-62fd-4fd9-9293-4043d84f7fe9; | |
dcterms:created "2021-09-07T13:27:47.515Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Transparent Tribe](https://attack.mitre.org/groups/G0134) has set up websites with malicious hyperlinks and iframes to infect targeted victims with [Crimson](https://attack.mitre.org/software/S0115), [njRAT](https://attack.mitre.org/software/S0385), and other malicious tools.(Citation: Proofpoint Operation Transparent Tribe March 2016)(Citation: Unit 42 ProjectM March 2016)(Citation: Talos Transparent Tribe May 2021)"; | |
dcterms:modified "2021-10-15T19:27:15.824Z"^^xsd:dateTime . | |
:relationship--da4059ab-c858-4df1-94e0-25db2d6ea136 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--35d1b3be-49d4-42f1-aaa6-ef159c880bca; | |
stix:target_ref :attack-pattern--55bb4471-ff1f-43b4-88c1-c9384ec47abf; | |
dcterms:created "2023-03-13T21:10:40.799Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[TeamTNT](https://attack.mitre.org/groups/G0139) has leveraged AWS CLI to enumerate cloud environments with compromised credentials.(Citation: Talos TeamTNT)"; | |
dcterms:modified "2023-04-11T00:17:22.553Z"^^xsd:dateTime . | |
:relationship--3c662aa7-0ee8-4e42-b0b9-de0dc2f02a57 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--958b5d06-8bb0-4c5b-a2e7-0130fe654ac7; | |
stix:target_ref :attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d; | |
dcterms:created "2020-11-13T21:52:00.732Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Grandoreiro](https://attack.mitre.org/software/S0531) can send data it retrieves to the C2 server.(Citation: ESET Grandoreiro April 2020)"; | |
dcterms:modified "2020-11-13T21:52:00.732Z"^^xsd:dateTime . | |
:relationship--bb01eb87-696e-496d-9fb9-5abe60b57b12 | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--20a2baeb-98c2-4901-bad7-dc62d0a03dea; | |
stix:target_ref :attack-pattern--d2c4e5ea-dbdf-4113-805a-b1e2a337fb33; | |
dcterms:created "2022-07-29T19:33:39.802Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Automatically forward events to a log server or data repository to prevent conditions in which the adversary can locate and manipulate data on the local system. When possible, minimize time delay on event reporting to avoid prolonged storage on the local system. "; | |
dcterms:modified "2022-07-29T19:33:39.802Z"^^xsd:dateTime . | |
:course-of-action--7aee8ea0-0baa-4232-b379-5d9ce98352cf | |
rdf:type stix:CourseOfAction; | |
rdfs:label "Hooking Mitigation"; | |
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of operating system design features. For example, mitigating all hooking will likely have unintended side effects, such as preventing legitimate software (i.e., security products) from operating properly. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior."; | |
dcterms:modified "2019-07-24T19:37:27.850Z"^^xsd:dateTime . | |
:relationship--a4106a52-b3e7-4aa9-b2ca-125f206dbf91 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--c5574ca0-d5a4-490a-b207-e4658e5fd1d7; | |
stix:target_ref :malware--cb7bcf6f-085f-41db-81ee-4b68481661b5; | |
dcterms:created "2017-05-31T21:33:27.064Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "(Citation: Scarlet Mimic Jan 2016)"; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--2af126e3-89ef-45b4-b345-45567ef17dfa | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--00806466-754d-44ea-ad6f-0caf59cb8556; | |
stix:target_ref :attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670; | |
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[TrickBot](https://attack.mitre.org/software/S0266) uses the Windows API call, CreateProcessW(), to manage execution flow.(Citation: S2 Grupo TrickBot June 2017) [TrickBot](https://attack.mitre.org/software/S0266) has also used <code>Nt*</code> API functions to perform [Process Injection](https://attack.mitre.org/techniques/T1055).(Citation: Joe Sec Trickbot)"; | |
dcterms:modified "2021-10-01T14:12:53.053Z"^^xsd:dateTime . | |
:relationship--f783c5c8-0620-4fb0-9e8f-55df960cf41c | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--0dcbbf4f-929c-489a-b66b-9b820d3f7f0e; | |
stix:target_ref :attack-pattern--19401639-28d0-4c3c-adcc-bc2ba22f6421; | |
dcterms:created "2022-03-30T14:26:51.842Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Monitor for logged network traffic in response to a scan showing both protocol header and body values that may buy and/or steal SSL/TLS certificates that can be used during targeting. Detection efforts may be focused on related behaviors, such as [Web Protocols](https://attack.mitre.org/techniques/T1071/001), [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002), and/or [Install Root Certificate](https://attack.mitre.org/techniques/T1553/004)."; | |
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--6c303446-f8d1-424c-b1ac-8c10f82d33d7 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--a7881f21-e978-4fe4-af56-92c9416a2616; | |
stix:target_ref :attack-pattern--b200542e-e877-4395-875b-cf1a44537ca4; | |
dcterms:created "2018-01-16T16:13:52.465Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Cobalt Strike](https://attack.mitre.org/software/S0154) can use process hollowing for execution.(Citation: Cobalt Strike TTPs Dec 2017)"; | |
dcterms:modified "2021-04-29T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--22ba966c-e07e-4718-821c-4a57fe3705ad | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0; | |
stix:target_ref :attack-pattern--f3d95a1f-bba2-44ce-9af7-37866cd63fd0; | |
dcterms:created "2022-03-30T14:26:51.835Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Monitor executed commands and arguments for actions that could be taken to create/modify tasks. Tasks may also be created through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001), so additional logging may need to be configured to gather the appropriate data."; | |
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--11f31998-c76f-4433-8e9c-c0ef0b7574d5 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--32066e94-3112-48ca-b9eb-ba2b59d2f023; | |
stix:target_ref :attack-pattern--01a5a209-b94c-450b-b7f9-946497d91055; | |
dcterms:created "2019-06-10T18:55:43.635Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Emotet](https://attack.mitre.org/software/S0367) has used WMI to execute powershell.exe.(Citation: Carbon Black Emotet Apr 2019)"; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--2209a958-9359-4866-80e9-80d0cc660868 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--a5575606-9b85-4e3d-9cd2-40ef30e3672d; | |
stix:target_ref :attack-pattern--cc3502b5-30cc-4473-ad48-42d51a6ef6d1; | |
dcterms:created "2019-04-17T18:43:36.389Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[SpeakUp](https://attack.mitre.org/software/S0374) uses Python scripts.(Citation: CheckPoint SpeakUp Feb 2019)"; | |
dcterms:modified "2020-03-19T17:09:03.651Z"^^xsd:dateTime . | |
:relationship--7bf67f44-6349-4576-8145-44e53a91676a | |
rdf:type stix:Relationship; | |
stix:source_ref :attack-pattern--83a766f8-1501-4b3a-a2de-2e2849e8dfc1; | |
stix:target_ref :attack-pattern--7bd9c723-2f78-4309-82c5-47cad406572b; | |
dcterms:created "2020-03-11T14:58:52.196Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--0fe893d6-a52f-4828-a792-eeb6a3e4f979 | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--12cba7de-0a22-4a56-b51e-c514c67c3b43; | |
stix:target_ref :attack-pattern--ce73ea43-8e77-47ba-9c11-5e9c9c58b9ff; | |
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:modified "2023-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--c253f0c5-1802-4853-b93f-c426d2a48fae | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--6cd07296-14aa-403d-9229-6343d03d4752; | |
stix:target_ref :attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580; | |
dcterms:created "2021-06-21T18:07:57.500Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Cuba](https://attack.mitre.org/software/S0625) can enumerate processes running on a victim's machine.(Citation: McAfee Cuba April 2021)"; | |
dcterms:modified "2021-08-31T21:30:39.509Z"^^xsd:dateTime . | |
:relationship--3d8e97f7-9c58-47e1-b2c9-2cc55cca974f | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--edc5e045-5401-42bb-ad92-52b5b2ee0de9; | |
stix:target_ref :attack-pattern--1e9eb839-294b-48cc-b0d3-c45555a2a004; | |
dcterms:created "2021-09-28T15:46:27.092Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[QakBot](https://attack.mitre.org/software/S0650) can target and steal locally stored emails to support thread hijacking phishing campaigns.(Citation: Kroll Qakbot June 2020)\n(Citation: Kroll Qakbot June 2020)(Citation: Trend Micro Qakbot December 2020)(Citation: Kaspersky QakBot September 2021)"; | |
dcterms:modified "2021-10-13T18:28:38.894Z"^^xsd:dateTime . | |
:relationship--ca56b2a6-39a7-4449-9017-fa8ce4285ed5 | |
rdf:type stix:Relationship; | |
stix:source_ref :tool--2f7f03bb-f367-4a5a-ad9b-310a12a48906; | |
stix:target_ref :attack-pattern--4fe28b27-b13c-453e-a386-c2ef362a573b; | |
dcterms:created "2023-09-14T19:01:00.251Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[ngrok](https://attack.mitre.org/software/S0508) can tunnel RDP and other services securely over internet connections.(Citation: FireEye Maze May 2020)(Citation: Cyware Ngrok May 2019)(Citation: MalwareBytes Ngrok February 2020)(Citation: Trend Micro Ngrok September 2020)"; | |
dcterms:modified "2023-09-14T19:01:00.251Z"^^xsd:dateTime . | |
:relationship--2dcd6644-f1d4-4001-81a5-95701fd29360 | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--2c2ad92a-d710-41ab-a996-1db143bb4808; | |
stix:target_ref :attack-pattern--e624264c-033a-424d-9fd7-fc9c3bbdb03e; | |
dcterms:created "2020-01-30T16:36:51.574Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Enable pass the hash mitigations to apply UAC restrictions to local accounts on network logon. The associated Registry key is located <code>HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\LocalAccountTokenFilterPolicy</code>.\n\nThrough GPO: Computer Configuration > [Policies] > Administrative Templates > SCM: Pass the Hash Mitigations: Apply UAC restrictions to local accounts on network logons.(Citation: GitHub IAD Secure Host Baseline UAC Filtering)"; | |
dcterms:modified "2021-08-31T19:55:02.841Z"^^xsd:dateTime . | |
:relationship--f9283994-d216-4796-989d-a375eb4834a9 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--dc6fe6ee-04c2-49be-ba3d-f38d2463c02a; | |
stix:target_ref :attack-pattern--eb125d40-0b2d-41ac-a71a-3229241c2cd3; | |
dcterms:created "2019-01-30T19:27:46.126Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Cobalt Group](https://attack.mitre.org/groups/G0080) has added persistence by registering the file name for the next stage malware under <code>HKCU\\Environment\\UserInitMprLogonScript</code>.(Citation: Morphisec Cobalt Gang Oct 2018)"; | |
dcterms:modified "2020-01-17T22:28:55.233Z"^^xsd:dateTime . | |
:relationship--618cfee6-a12a-4e17-b66b-cbd965a08357 | |
rdf:type stix:Relationship; | |
stix:source_ref :attack-pattern--39a130e1-6ab7-434a-8bd2-418e7d9d6427; | |
stix:target_ref :attack-pattern--17cc750b-e95b-4d7d-9dde-49e0de24148c; | |
dcterms:created "2020-03-19T15:12:13.292Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--2caa19fb-fe02-4365-b53a-1ff554a13889 | |
rdf:type stix:Relationship; | |
stix:source_ref :campaign--26d9ebae-de59-427f-ae9a-349456bae4b1; | |
stix:target_ref :attack-pattern--774a3188-6ba9-4dc4-879d-d54ee48a5ce9; | |
dcterms:created "2022-09-07T13:51:23.961Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "During [Frankenstein](https://attack.mitre.org/campaigns/C0001), the threat actors collected information via [Empire](https://attack.mitre.org/software/S0363), which was automatically sent back to the adversary's C2.(Citation: Talos Frankenstein June 2019)"; | |
dcterms:modified "2022-09-21T15:05:31.974Z"^^xsd:dateTime . | |
:attack-pattern--7c93aa74-4bc0-4a9e-90ea-f25f86301566 | |
rdf:type d3f:OffensiveTechnique; | |
rdfs:label "Application Shimming"; | |
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10. (Citation: Elastic Process Injection July 2017) Within the framework, shims are created to act as a buffer between the program (or more specifically, the Import Address Table) and the Windows OS. When a program is executed, the shim cache is referenced to determine if the program requires the use of the shim database (.sdb). If so, the shim database uses [Hooking](https://attack.mitre.org/techniques/T1179) to redirect the code as necessary in order to communicate with the OS. \n\nA list of all shims currently installed by the default Windows installer (sdbinst.exe) is kept in:\n\n* <code>%WINDIR%\\AppPatch\\sysmain.sdb</code>\n* <code>hklm\\software\\microsoft\\windows nt\\currentversion\\appcompatflags\\installedsdb</code>\n\nCustom databases are stored in:\n\n* <code>%WINDIR%\\AppPatch\\custom & %WINDIR%\\AppPatch\\AppPatch64\\Custom</code>\n* <code>hklm\\software\\microsoft\\windows nt\\currentversion\\appcompatflags\\custom</code>\n\nTo keep shims secure, Windows designed them to run in user mode so they cannot modify the kernel and you must have administrator privileges to install a shim. However, certain shims can be used to [Bypass User Account Control](https://attack.mitre.org/techniques/T1088) (UAC) (RedirectEXE), inject DLLs into processes (InjectDLL), disable Data Execution Prevention (DisableNX) and Structure Exception Handling (DisableSEH), and intercept memory addresses (GetProcAddress). Similar to [Hooking](https://attack.mitre.org/techniques/T1179), utilizing these shims may allow an adversary to perform several malicious acts such as elevate privileges, install backdoors, disable defenses like Windows Defender, etc."; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--7b5919ce-efab-45d1-855b-f827d7489b2b | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--9e9b9415-a7df-406b-b14d-92bfe6809fbe; | |
stix:target_ref :attack-pattern--4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5; | |
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Nidiran](https://attack.mitre.org/software/S0118) uses RC4 to encrypt C2 traffic.(Citation: Symantec Suckfly May 2016)"; | |
dcterms:modified "2023-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--5ebd97d4-1979-40b2-b38b-b6ed44a2f32f | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--cbf646f1-7db5-4dc6-808b-0094313949df; | |
stix:target_ref :attack-pattern--be055942-6e63-49d7-9fa1-9cb7d8a8f3f4; | |
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "One variant of [CloudDuke](https://attack.mitre.org/software/S0054) uses a Microsoft OneDrive account to exchange commands and stolen data with its operators.(Citation: F-Secure The Dukes)"; | |
dcterms:modified "2020-03-20T21:07:48.537Z"^^xsd:dateTime . | |
:relationship--9d239fc5-5d40-4991-ae41-761686ab43a2 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--420ac20b-f2b9-42b8-aa1a-6d4b72895ca4; | |
stix:target_ref :attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597; | |
dcterms:created "2021-04-13T20:27:51.729Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Mustang Panda](https://attack.mitre.org/groups/G0129) has used spearphishing attachments to deliver initial access payloads.(Citation: Recorded Future REDDELTA July 2020)(Citation: Proofpoint TA416 November 2020)(Citation: Google TAG Ukraine Threat Landscape March 2022)"; | |
dcterms:modified "2022-03-16T18:38:10.452Z"^^xsd:dateTime . | |
:relationship--ce26fb61-137e-489c-8c69-d2ac5a9f59ce | |
rdf:type stix:Relationship; | |
stix:source_ref :tool--2c5281dd-b5fd-4531-8aea-c1bf8a0f8756; | |
stix:target_ref :attack-pattern--8f104855-e5b7-4077-b1f5-bc3103b41abe; | |
dcterms:created "2022-02-01T15:08:45.248Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[AADInternals](https://attack.mitre.org/software/S0677) can enumerate Azure AD users.(Citation: AADInternals Documentation)"; | |
dcterms:modified "2022-04-13T14:22:52.901Z"^^xsd:dateTime . | |
:relationship--aca30dc6-34c2-45f3-87a4-9d9abda01036 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1; | |
stix:target_ref :attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161; | |
dcterms:created "2021-04-09T16:08:58.515Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Windshift](https://attack.mitre.org/groups/G0112) has used tools that communicate with C2 over HTTP.(Citation: BlackBerry Bahamut)"; | |
dcterms:modified "2021-05-24T13:16:56.581Z"^^xsd:dateTime . | |
:relationship--033a5e59-ab65-485b-a9c0-775977e8abd0 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--dcac85c1-6485-4790-84f6-de5e6f6b91dd; | |
stix:target_ref :attack-pattern--be055942-6e63-49d7-9fa1-9cb7d8a8f3f4; | |
dcterms:created "2019-06-21T17:23:28.006Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[PowerStallion](https://attack.mitre.org/software/S0393) uses Microsoft OneDrive as a C2 server via a network drive mapped with <code>net use</code>.(Citation: ESET Turla PowerShell May 2019)"; | |
dcterms:modified "2020-03-20T21:24:24.092Z"^^xsd:dateTime . | |
:relationship--12c14ace-db29-4b08-a052-ba867c9ba534 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--32066e94-3112-48ca-b9eb-ba2b59d2f023; | |
stix:target_ref :attack-pattern--b18eae87-b469-4e14-b454-b171b416bc18; | |
dcterms:created "2020-03-30T19:29:56.297Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Emotet](https://attack.mitre.org/software/S0367) has used HTTP over ports such as 20, 22, 443, 7080, and 50000, in addition to using ports commonly associated with HTTP/S.(Citation: Talos Emotet Jan 2019)(Citation: Binary Defense Emotes Wi-Fi Spreader)"; | |
dcterms:modified "2023-09-29T20:25:07.828Z"^^xsd:dateTime . | |
:relationship--8bba06f3-fac2-4484-a177-53d5716f80a6 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--7eda3dd8-b09b-4705-8090-c2ad9fb8c14d; | |
stix:target_ref :attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c; | |
dcterms:created "2022-07-14T17:22:54.577Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[TA505](https://attack.mitre.org/groups/G0092) has decrypted packed DLLs with an XOR key.(Citation: NCC Group TA505)"; | |
dcterms:modified "2022-07-14T18:26:34.872Z"^^xsd:dateTime . | |
:relationship--8492aff7-1171-4805-9052-3decdd677c94 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--29231689-5837-4a7a-aafc-1b65b3f50cc7; | |
stix:target_ref :attack-pattern--f24faf46-3b26-4dbb-98f2-63460498e433; | |
dcterms:created "2021-06-29T15:21:28.785Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[RainyDay](https://attack.mitre.org/software/S0629) has the ability to switch between TCP and HTTP for C2 if one method is not working.(Citation: Bitdefender Naikon April 2021)"; | |
dcterms:modified "2021-06-29T15:21:28.785Z"^^xsd:dateTime . | |
:relationship--3f27ef2a-48e8-4d37-8618-fe61dfcafd3e | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7; | |
stix:target_ref :tool--4664b683-f578-434f-919b-1c1aad2a1111; | |
dcterms:created "2019-09-23T23:14:16.750Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "(Citation: FireEye APT41 Aug 2019)"; | |
dcterms:modified "2023-03-23T15:27:10.510Z"^^xsd:dateTime . | |
:relationship--f5e2c4ef-fe56-416e-8d74-733272c7310b | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542; | |
stix:target_ref :malware--a8839c95-029f-44cf-8f3d-a3cf2039e927; | |
dcterms:created "2021-04-16T19:04:13.689Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "(Citation: FireEye SUNBURST Backdoor December 2020)(Citation: MSTIC NOBELIUM May 2021)(Citation: Secureworks IRON RITUAL Profile)"; | |
dcterms:modified "2022-02-24T20:32:44.499Z"^^xsd:dateTime . | |
:relationship--d6dcaa34-12d9-45f3-8f7b-397c2da0995a | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--a19c1197-9414-46e3-986f-0f609ff4a46b; | |
stix:target_ref :attack-pattern--f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a; | |
dcterms:created "2021-03-02T16:42:09.492Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Pysa](https://attack.mitre.org/software/S0583) has the functionality to delete shadow copies.(Citation: CERT-FR PYSA April 2020) "; | |
dcterms:modified "2021-03-02T16:42:09.492Z"^^xsd:dateTime . | |
:relationship--847752f4-59a2-46e9-ae28-befe0142b223 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--199463de-d9be-46d6-bb41-07234c1dd5a6; | |
stix:target_ref :attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0; | |
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[GeminiDuke](https://attack.mitre.org/software/S0049) collects information on network settings and Internet proxy settings from the victim.(Citation: F-Secure The Dukes)"; | |
dcterms:modified "2020-03-17T01:22:53.941Z"^^xsd:dateTime . | |
:relationship--be7f2951-ce33-4d48-ad9c-69071e54ae18 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--925a6c52-5cf0-4fec-99de-b0d6917d8593; | |
stix:target_ref :attack-pattern--774a3188-6ba9-4dc4-879d-d54ee48a5ce9; | |
dcterms:created "2020-12-07T21:06:57.852Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Crutch](https://attack.mitre.org/software/S0538) has automatically exfiltrated stolen files to Dropbox.(Citation: ESET Crutch December 2020)"; | |
dcterms:modified "2020-12-07T21:06:57.852Z"^^xsd:dateTime . | |
:relationship--dd48cdb6-ab24-410b-ac3e-624b1ed8cf92 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--e2d34c63-6f5a-41f5-86a2-e2380f27f858; | |
stix:target_ref :attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e; | |
dcterms:created "2021-03-01T21:23:22.799Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[AppleJeus](https://attack.mitre.org/software/S0584) has required user execution of a malicious MSI installer.(Citation: CISA AppleJeus Feb 2021)"; | |
dcterms:modified "2021-03-01T21:23:22.799Z"^^xsd:dateTime . | |
:relationship--cd10cc85-ccc4-4683-9421-9254a0d1259a | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--cc150ad8-ecfa-4340-9aaa-d21165873bd4; | |
stix:target_ref :attack-pattern--c2f59d25-87fe-44aa-8f83-e8e59d077bf5; | |
dcterms:created "2022-03-30T14:26:51.841Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Monitor for logged domain name system (DNS) registry data that may compromise third-party DNS servers that can be used during targeting. Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control."; | |
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--9de77d26-6424-4ee8-bd7d-1ae705020c55 | |
rdf:type stix:Relationship; | |
stix:source_ref :campaign--f9cc545e-b0ef-4b92-8884-a3a4427609f6; | |
stix:target_ref :attack-pattern--40f5caa0-4cb7-4117-89fc-d421bb493df3; | |
dcterms:created "2022-10-05T16:02:55.768Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "For [CostaRicto](https://attack.mitre.org/campaigns/C0004), the threat actors established domains, some of which appeared to spoof legitimate domains.(Citation: BlackBerry CostaRicto November 2020)"; | |
dcterms:modified "2022-10-05T16:02:55.768Z"^^xsd:dateTime . | |
:relationship--9e07c247-c778-496d-9972-6581f2d10c93 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--00806466-754d-44ea-ad6f-0caf59cb8556; | |
stix:target_ref :attack-pattern--4bed873f-0b7d-41d4-b93a-b6905d1f90b0; | |
dcterms:created "2021-10-01T14:12:52.920Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[TrickBot](https://attack.mitre.org/software/S0266) has used <code>printf</code> and file I/O loops to delay process execution as part of API hammering.(Citation: Joe Sec Trickbot)"; | |
dcterms:modified "2021-10-01T14:12:52.920Z"^^xsd:dateTime . | |
:relationship--a33d759f-6106-4e67-9452-72b684ab209a | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--8c1f0187-0826-4320-bddc-5f326cfcfe2c; | |
stix:target_ref :attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c; | |
dcterms:created "2021-03-04T22:05:10.085Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Chimera](https://attack.mitre.org/groups/G0114) has performed file deletion to evade detection.(Citation: Cycraft Chimera April 2020) "; | |
dcterms:modified "2023-02-06T18:11:56.976Z"^^xsd:dateTime . | |
:intrusion-set--e5603ea8-4c36-40e7-b7af-a077d24fedc1 | |
rdf:type stix:IntrusionSet; | |
rdfs:label "IndigoZebra"; | |
dcterms:created "2021-09-24T21:41:34.797Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[IndigoZebra](https://attack.mitre.org/groups/G0136) is a suspected Chinese cyber espionage group that has been targeting Central Asian governments since at least 2014.(Citation: HackerNews IndigoZebra July 2021)(Citation: Checkpoint IndigoZebra July 2021)(Citation: Securelist APT Trends Q2 2017)"; | |
dcterms:modified "2021-10-16T02:06:06.404Z"^^xsd:dateTime . | |
:relationship--34ff9bfb-0b3a-4b83-af85-60700ed052f4 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f; | |
stix:target_ref :attack-pattern--a2fdce72-04b2-409a-ac10-cc1695f4fce0; | |
dcterms:created "2021-05-26T20:19:44.143Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[menuPass](https://attack.mitre.org/groups/G0045) has used and modified open-source tools like [Impacket](https://attack.mitre.org/software/S0357), [Mimikatz](https://attack.mitre.org/software/S0002), and [pwdump](https://attack.mitre.org/software/S0006).(Citation: PWC Cloud Hopper Technical Annex April 2017)"; | |
dcterms:modified "2023-03-23T15:14:18.615Z"^^xsd:dateTime . | |
:relationship--b0f355cc-e11f-4027-9db3-59ec64cd367f | |
rdf:type stix:Relationship; | |
stix:source_ref :tool--b76b2d94-60e4-4107-a903-4a3a7622fb3b; | |
stix:target_ref :attack-pattern--3fc9b85a-2862-4363-a64d-d692e3ffbee0; | |
dcterms:created "2019-01-30T16:45:00.072Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[LaZagne](https://attack.mitre.org/software/S0349) can obtain credentials from databases, mail, and WiFi across multiple platforms.(Citation: GitHub LaZagne Dec 2018)"; | |
dcterms:modified "2020-03-25T15:46:35.771Z"^^xsd:dateTime . | |
:relationship--90ae4d92-9278-4cdd-a71c-b217a8bbb86a | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--295721d2-ee20-4fa3-ade3-37f4146b4570; | |
stix:target_ref :attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670; | |
dcterms:created "2021-06-10T15:41:34.691Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[AppleSeed](https://attack.mitre.org/software/S0622) has the ability to use multiple dynamically resolved API calls.(Citation: Malwarebytes Kimsuky June 2021)"; | |
dcterms:modified "2021-06-10T15:41:34.691Z"^^xsd:dateTime . | |
:relationship--9ee8a8fb-798e-4fa0-9ae0-ab96e75c9f4e | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--abc5a1d4-f0dc-49d1-88a1-4a80e478bb03; | |
stix:target_ref :attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736; | |
dcterms:created "2021-11-24T20:17:35.504Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[LazyScripter](https://attack.mitre.org/groups/G0140) has used PowerShell scripts to execute malicious code.(Citation: MalwareBytes LazyScripter Feb 2021)"; | |
dcterms:modified "2022-04-06T19:13:54.278Z"^^xsd:dateTime . | |
:relationship--c92d9edc-e2a9-44e4-95ef-81632eaf14f9 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--d18cb958-f4ad-4fb3-bb4f-e8994d206550; | |
stix:target_ref :attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d; | |
dcterms:created "2021-03-11T18:06:46.876Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Penquin](https://attack.mitre.org/software/S0587) can execute the command code <code>do_upload</code> to send files to C2.(Citation: Leonardo Turla Penquin May 2020)"; | |
dcterms:modified "2022-09-28T21:27:07.144Z"^^xsd:dateTime . | |
:relationship--8b12a0c5-9e30-47ef-a786-5c5eeaf52240 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5; | |
stix:target_ref :attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a; | |
dcterms:created "2020-08-04T15:35:30.364Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[REvil](https://attack.mitre.org/software/S0496) has used encrypted strings and configuration files.(Citation: G Data Sodinokibi June 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: McAfee Sodinokibi October 2019)(Citation: Intel 471 REvil March 2020)(Citation: Group IB Ransomware May 2020)(Citation: Picus Sodinokibi January 2020)(Citation: Secureworks REvil September 2019)"; | |
dcterms:modified "2021-04-06T14:42:52.400Z"^^xsd:dateTime . | |
:relationship--570da7ec-2d72-4e1b-9f30-f0e1a10085bf | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--e85cae1a-bce3-4ac4-b36b-b00acac0567b; | |
stix:target_ref :attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736; | |
dcterms:created "2019-04-16T17:43:42.929Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[POWERTON](https://attack.mitre.org/software/S0371) is written in PowerShell.(Citation: FireEye APT33 Guardrail)"; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:attack-pattern--59ff91cd-1430-4075-8563-e6f15f4f9ff5 | |
rdf:type d3f:OffensiveTechnique; | |
rdfs:label "DHCP Spoofing"; | |
dcterms:created "2022-03-24T19:30:56.727Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Adversaries may redirect network traffic to adversary-owned systems by spoofing Dynamic Host Configuration Protocol (DHCP) traffic and acting as a malicious DHCP server on the victim network. By achieving the adversary-in-the-middle (AiTM) position, adversaries may collect network communications, including passed credentials, especially those sent over insecure, unencrypted protocols. This may also enable follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040) or [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002).\n\nDHCP is based on a client-server model and has two functionalities: a protocol for providing network configuration settings from a DHCP server to a client and a mechanism for allocating network addresses to clients.(Citation: rfc2131) The typical server-client interaction is as follows: \n\n1. The client broadcasts a `DISCOVER` message.\n\n2. The server responds with an `OFFER` message, which includes an available network address. \n\n3. The client broadcasts a `REQUEST` message, which includes the network address offered. \n\n4. The server acknowledges with an `ACK` message and the client receives the network configuration parameters.\n\nAdversaries may spoof as a rogue DHCP server on the victim network, from which legitimate hosts may receive malicious network configurations. For example, malware can act as a DHCP server and provide adversary-owned DNS servers to the victimized computers.(Citation: new_rogue_DHCP_serv_malware)(Citation: w32.tidserv.g) Through the malicious network configurations, an adversary may achieve the AiTM position, route client traffic through adversary-controlled systems, and collect information from the client network.\n\nDHCPv6 clients can receive network configuration information without being assigned an IP address by sending a <code>INFORMATION-REQUEST (code 11)</code> message to the <code>All_DHCP_Relay_Agents_and_Servers</code> multicast address.(Citation: rfc3315) Adversaries may use their rogue DHCP server to respond to this request message with malicious network configurations.\n\nRather than establishing an AiTM position, adversaries may also abuse DHCP spoofing to perform a DHCP exhaustion attack (i.e, [Service Exhaustion Flood](https://attack.mitre.org/techniques/T1499/002)) by generating many broadcast DISCOVER messages to exhaust a network’s DHCP allocation pool. "; | |
dcterms:modified "2022-11-08T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--df1b67d2-8a37-4803-a05d-9bbdb0f30819 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--269e8108-68c6-4f99-b911-14b2e765dec2; | |
stix:target_ref :attack-pattern--4061e78c-1284-44b4-9116-73e4ac3912f7; | |
dcterms:created "2021-04-08T15:41:46.444Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[MuddyWater](https://attack.mitre.org/groups/G0069) has used a legitimate application, ScreenConnect, to manage systems remotely and move laterally.(Citation: Trend Micro Muddy Water March 2021)(Citation: Anomali Static Kitten February 2021) "; | |
dcterms:modified "2021-04-08T19:31:30.904Z"^^xsd:dateTime . | |
:relationship--afa84fd1-e910-4bc7-8270-1e9f9b02b53f | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--536be338-e2ef-4a6b-afb6-8d5568b91eb2; | |
stix:target_ref :attack-pattern--4ae4f953-fe58-4cc8-a327-33257e30a830; | |
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Kazuar](https://attack.mitre.org/software/S0265) gathers information about opened windows.(Citation: Unit 42 Kazuar May 2017)"; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--891a97f1-d3e2-45ff-a079-43dcad21a175 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--17862c7d-9e60-48a0-b48e-da4dc4c3f6b0; | |
stix:target_ref :attack-pattern--deb98323-e13f-4b0c-8d94-175379069062; | |
dcterms:created "2017-05-31T21:33:27.077Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "A [Patchwork](https://attack.mitre.org/groups/G0040) payload was packed with UPX.(Citation: Securelist Dropping Elephant)"; | |
dcterms:modified "2020-03-19T19:58:58.101Z"^^xsd:dateTime . | |
:relationship--d013882b-1092-46e4-8c07-f74e5ca2df97 | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8; | |
stix:target_ref :attack-pattern--246fd3c7-f5e3-466d-8787-4c13d9e3b61c; | |
dcterms:created "2022-03-30T14:26:51.872Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Monitor for files that write or overwrite many files to a network shared directory may be suspicious."; | |
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--c92047b8-50d6-4fde-8acd-98132dcdc32f | |
rdf:type stix:Relationship; | |
stix:source_ref :tool--afc079f3-c0ea-4096-b75d-3f05338b7f60; | |
stix:target_ref :attack-pattern--d336b553-5da9-46ca-98a8-0b23f49fb447; | |
dcterms:created "2020-11-23T17:38:03.062Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Mimikatz](https://attack.mitre.org/software/S0002) contains functionality to acquire credentials from the Windows Credential Manager.(Citation: Delpy Mimikatz Crendential Manager)"; | |
dcterms:modified "2020-11-23T17:38:03.062Z"^^xsd:dateTime . | |
:relationship--51cc7dff-7fb4-41bc-a67d-39598f14f1d8 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--0c824410-58ff-49b2-9cf2-1c96b182bdf0; | |
stix:target_ref :attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279; | |
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Smoke Loader](https://attack.mitre.org/software/S0226) adds a Registry Run key for persistence and adds a script in the Startup folder to deploy the payload.(Citation: Malwarebytes SmokeLoader 2016)"; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--c8f79da7-cfd6-41fd-89d4-c015e7289b64 | |
rdf:type stix:Relationship; | |
stix:source_ref :tool--4b57c098-f043-4da2-83ef-7588a6d426bc; | |
stix:target_ref :attack-pattern--767dbf9e-df3f-45cb-8998-4903ab5f80c0; | |
dcterms:created "2019-04-23T12:38:37.637Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[PoshC2](https://attack.mitre.org/software/S0378) has modules for enumerating domain trusts.(Citation: GitHub PoshC2)"; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--16952ba0-4fae-450b-990c-2b771efbd60f | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f; | |
stix:target_ref :attack-pattern--837f9164-50af-4ac0-8219-379d8a74cefc; | |
dcterms:created "2020-03-19T22:16:54.814Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[APT33](https://attack.mitre.org/groups/G0064) has used a variety of publicly available tools like [LaZagne](https://attack.mitre.org/software/S0349) to gather credentials.(Citation: Symantec Elfin Mar 2019)(Citation: FireEye APT33 Guardrail)"; | |
dcterms:modified "2020-03-19T22:16:54.814Z"^^xsd:dateTime . | |
:relationship--49f3c807-a801-4cfe-ad1c-6966bea2fc8a | |
rdf:type stix:Relationship; | |
stix:source_ref :tool--cb69b20d-56d0-41ab-8440-4a4b251614d4; | |
stix:target_ref :attack-pattern--1035cdf2-3e5f-446f-a7a7-e8f6d7925967; | |
dcterms:created "2018-04-18T17:59:24.739Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Pupy](https://attack.mitre.org/software/S0192) can record sound with the microphone.(Citation: GitHub Pupy)"; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--7b5178ce-a9bc-405e-b062-22b4276fbf99 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--7e6c2a9d-9dc1-4eb0-b27c-91e8076a9d77; | |
stix:target_ref :attack-pattern--d511a6f6-4a33-41d5-bc95-c343875d1377; | |
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[QUADAGENT](https://attack.mitre.org/software/S0269) was likely obfuscated using `Invoke-Obfuscation`.(Citation: Unit 42 QUADAGENT July 2018)(Citation: GitHub Invoke-Obfuscation)"; | |
dcterms:modified "2023-03-22T05:20:42.687Z"^^xsd:dateTime . | |
:relationship--0bb4fb8a-0b0f-46c6-820b-d46c5f98fa12 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--4b68b5ea-2e1b-4225-845b-8632f702b9a0; | |
stix:target_ref :attack-pattern--cd25c1b4-935c-4f0e-ba8d-552f28bc4783; | |
dcterms:created "2020-06-09T21:23:39.119Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Skidmap](https://attack.mitre.org/software/S0468) is a kernel-mode rootkit used for cryptocurrency mining.(Citation: Trend Micro Skidmap)"; | |
dcterms:modified "2020-06-25T13:32:00.131Z"^^xsd:dateTime . | |
:relationship--bc592166-c29c-4913-b8a0-ec266321a325 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--9735c036-8ebe-47e9-9c77-b0ae656dab93; | |
stix:target_ref :tool--da04ac30-27da-4959-a67d-450ce47d9470; | |
dcterms:created "2021-09-21T14:52:49.732Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "(Citation: ESET BackdoorDiplomacy Jun 2021)"; | |
dcterms:modified "2021-09-21T17:11:52.855Z"^^xsd:dateTime . | |
:relationship--5a72e713-c8fb-4438-9a08-0ded824381dd | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--eb88d97c-32f1-40be-80f0-d61a4b0b4b31; | |
stix:target_ref :attack-pattern--6e3bd510-6b33-41a4-af80-2d80f3ee0071; | |
dcterms:created "2020-01-24T15:01:33.185Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Odbcconf.exe may not be necessary within a given environment."; | |
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--45310a29-78b6-4863-ab0b-49fd53ef1809 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--aad11e34-02ca-4220-91cd-2ed420af4db3; | |
stix:target_ref :attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c; | |
dcterms:created "2020-05-04T19:13:35.449Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[HotCroissant](https://attack.mitre.org/software/S0431) has the ability to clean up installed files, delete files, and delete itself from the victim’s machine.(Citation: Carbon Black HotCroissant April 2020)"; | |
dcterms:modified "2020-05-06T19:28:22.178Z"^^xsd:dateTime . | |
:relationship--c9a1bcec-9a4d-4693-accb-5a6f67b857f6 | |
rdf:type stix:Relationship; | |
stix:source_ref :attack-pattern--1eaebf46-e361-4437-bc23-d5d65a3b92e3; | |
stix:target_ref :attack-pattern--3fc9b85a-2862-4363-a64d-d692e3ffbee0; | |
dcterms:created "2020-02-12T18:55:24.841Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--331f7990-d817-49ec-9d55-c4c64da7f4a6 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--7e0f8b0f-716e-494d-827e-310bd6ed709e; | |
stix:target_ref :attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4; | |
dcterms:created "2021-09-22T21:57:30.229Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[SMOKEDHAM](https://attack.mitre.org/software/S0649) has modified registry keys for persistence, to enable credential caching for credential access, and to facilitate lateral movement via RDP.(Citation: FireEye SMOKEDHAM June 2021)"; | |
dcterms:modified "2021-10-14T18:34:24.287Z"^^xsd:dateTime . | |
:relationship--bd5fd2c2-a9a3-401e-8723-92df94f9c482 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--835a79f1-842d-472d-b8f4-d54b545c341b; | |
stix:target_ref :attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670; | |
dcterms:created "2021-10-11T17:54:11.520Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Bandook](https://attack.mitre.org/software/S0234) has used the ShellExecuteW() function call.(Citation: CheckPoint Bandook Nov 2020) "; | |
dcterms:modified "2021-10-11T17:54:11.520Z"^^xsd:dateTime . | |
:relationship--c81c6d91-00f3-4c8b-bf34-929972685aa3 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--b4d80f8b-d2b9-4448-8844-4bef777ed676; | |
stix:target_ref :attack-pattern--ac08589e-ee59-4935-8667-d845e38fe579; | |
dcterms:created "2019-01-29T20:05:36.454Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[NanoCore](https://attack.mitre.org/software/S0336) can modify the victim's anti-virus.(Citation: DigiTrust NanoCore Jan 2017)(Citation: PaloAlto NanoCore Feb 2016)"; | |
dcterms:modified "2020-03-28T00:59:59.461Z"^^xsd:dateTime . | |
:relationship--6d8b1f40-48a0-484b-8eea-48195a8bfff2 | |
rdf:type stix:Relationship; | |
stix:source_ref :attack-pattern--ac08589e-ee59-4935-8667-d845e38fe579; | |
stix:target_ref :attack-pattern--3d333250-30e4-4a82-9edc-756c68afc529; | |
dcterms:created "2020-02-21T20:32:21.128Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--8b1d88b8-7990-4fef-9dd0-1a422a81d62c | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6; | |
stix:target_ref :attack-pattern--c675646d-e204-4aa8-978d-e3d6d65885c4; | |
dcterms:created "2022-03-30T14:26:51.846Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Detection of Endpoint DoS can sometimes be achieved before the effect is sufficient to cause significant impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness. Monitor for logging, messaging, and other artifacts highlighting the health of host sensors (ex: metrics, errors, and/or exceptions from logging applications)"; | |
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--3d6e0a95-3265-4a0c-aee1-feff2807489b | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--fb366179-766c-4a4a-afa1-52bff1fd601c; | |
stix:target_ref :attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e; | |
dcterms:created "2021-11-12T20:43:05.878Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Threat Group-3390](https://attack.mitre.org/groups/G0027) has lured victims into opening malicious files containing malware.(Citation: Trend Micro DRBControl February 2020)"; | |
dcterms:modified "2021-11-12T20:43:05.878Z"^^xsd:dateTime . | |
:course-of-action--47e0e9fe-96ce-4f65-8bb1-8be1feacb5db | |
rdf:type stix:CourseOfAction; | |
rdfs:label "Execution Prevention"; | |
dcterms:created "2019-06-11T16:35:25.488Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Block execution of code on a system through application control, and/or script blocking."; | |
dcterms:modified "2022-02-28T19:50:41.210Z"^^xsd:dateTime . | |
:relationship--c0a10dc5-51e4-4ec3-a827-4999bde3ed58 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--1f0f9a14-11aa-49aa-9174-bcd0eaa979de; | |
stix:target_ref :tool--b76b2d94-60e4-4107-a903-4a3a7622fb3b; | |
dcterms:created "2021-01-27T19:37:49.570Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "(Citation: ESET EvilNum July 2020)"; | |
dcterms:modified "2021-01-27T19:37:49.570Z"^^xsd:dateTime . | |
:relationship--9d28bf78-0fde-4efd-85b2-fc1960f1b386 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--dff90475-9f72-41a6-84ed-1fbefd3874c0; | |
stix:target_ref :attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18; | |
dcterms:created "2022-07-25T18:36:59.018Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Heyoka Backdoor](https://attack.mitre.org/software/S1027) has the ability to search the compromised host for files.(Citation: SentinelOne Aoqin Dragon June 2022)"; | |
dcterms:modified "2022-07-25T18:36:59.018Z"^^xsd:dateTime . | |
:attack-pattern--0a5231ec-41af-4a35-83d0-6bdf11f28c65 | |
rdf:type d3f:OffensiveTechnique; | |
rdfs:label "Shared Modules"; | |
dcterms:created "2017-05-31T21:31:40.542Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., [Native API](https://attack.mitre.org/techniques/T1106)).\n\nAdversaries may use this functionality as a way to execute arbitrary payloads on a victim system. For example, adversaries can modularize functionality of their malware into shared objects that perform various functions such as managing C2 network communications or execution of specific actions on objective.\n\nThe Linux & macOS module loader can load and execute shared objects from arbitrary local paths. This functionality resides in `dlfcn.h` in functions such as `dlopen` and `dlsym`. Although macOS can execute `.so` files, common practice uses `.dylib` files.(Citation: Apple Dev Dynamic Libraries)(Citation: Linux Shared Libraries)(Citation: RotaJakiro 2021 netlab360 analysis)(Citation: Unit42 OceanLotus 2017)\n\nThe Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in `NTDLL.dll` and is part of the Windows [Native API](https://attack.mitre.org/techniques/T1106) which is called from functions like `LoadLibrary` at run time.(Citation: Microsoft DLL)"; | |
dcterms:modified "2023-10-12T21:17:14.868Z"^^xsd:dateTime . | |
:relationship--09c10778-19ad-441a-8a75-a3cf1288f960 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--6a0ef5d4-fc7c-4dda-85d7-592e4dbdc5d9; | |
stix:target_ref :attack-pattern--322bad5a-1c49-4d23-ab79-76d641794afa; | |
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Sykipot](https://attack.mitre.org/software/S0018) may use <code>net start</code> to display running services.(Citation: AlienVault Sykipot 2011)"; | |
dcterms:modified "2020-03-16T17:50:28.664Z"^^xsd:dateTime . | |
:relationship--9c98640e-0307-48bb-aafc-af14a774fd5b | |
rdf:type stix:Relationship; | |
stix:source_ref :tool--3433a9e8-1c47-4320-b9bf-ed449061d1c3; | |
stix:target_ref :attack-pattern--1e9eb839-294b-48cc-b0d3-c45555a2a004; | |
dcterms:created "2019-03-11T19:24:08.172Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Empire](https://attack.mitre.org/software/S0363) has the ability to collect emails on a target system.(Citation: Github PowerShell Empire)"; | |
dcterms:modified "2022-05-11T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--2398e409-24d3-4dd9-9353-8b6cf9eee81d | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--d6e55656-e43f-411f-a7af-45df650471c5; | |
stix:target_ref :attack-pattern--a9d4b653-6915-42af-98b2-5758c4ceee56; | |
dcterms:created "2021-04-08T18:09:43.112Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Kinsing](https://attack.mitre.org/software/S0599) has used Unix shell scripts to execute commands in the victim environment.(Citation: Aqua Kinsing April 2020)"; | |
dcterms:modified "2021-04-08T18:09:43.112Z"^^xsd:dateTime . | |
:relationship--1a849525-ee44-4c28-86b2-fe883c45dc79 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265df3258; | |
stix:target_ref :attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81; | |
dcterms:created "2019-07-18T21:12:51.535Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[GALLIUM](https://attack.mitre.org/groups/G0093) leveraged valid accounts to maintain access to a victim network.(Citation: Cybereason Soft Cell June 2019)"; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--1bccb381-1d71-4c9a-8785-2ada562234f2 | |
rdf:type stix:Relationship; | |
stix:source_ref :attack-pattern--f232fa7a-025c-4d43-abc7-318e81a73d65; | |
stix:target_ref :attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81; | |
dcterms:created "2020-03-13T20:36:57.505Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--6512ebc3-cc9f-48e1-9a57-a5deb062f123 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924; | |
stix:target_ref :attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0; | |
dcterms:created "2020-05-21T14:55:00.293Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Tropic Trooper](https://attack.mitre.org/groups/G0081) has used scripts to collect the host's network topology.(Citation: TrendMicro Tropic Trooper May 2020)\t"; | |
dcterms:modified "2020-05-21T14:55:00.293Z"^^xsd:dateTime . | |
:relationship--865fe9a3-35e7-4c5f-9292-fcf65f255615 | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--987988f0-cf86-4680-a875-2f6456ab2448; | |
stix:target_ref :attack-pattern--6a5848a8-6201-4a2c-8a6a-ca5af8c6f3df; | |
dcterms:created "2019-06-25T14:14:54.409Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Ensure event tracers/forwarders (Citation: Microsoft ETW May 2018), firewall policies, and other associated mechanisms are secured with appropriate permissions and access controls."; | |
dcterms:modified "2023-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--a8b93875-6ad4-492e-afa1-0549ada7d7ca | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7; | |
stix:target_ref :attack-pattern--a9d4b653-6915-42af-98b2-5758c4ceee56; | |
dcterms:created "2020-04-30T20:31:38.012Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[APT41](https://attack.mitre.org/groups/G0096) executed <code>file /bin/pwd</code> in activity exploiting CVE-2019-19781 against Citrix devices.(Citation: FireEye APT41 March 2020)"; | |
dcterms:modified "2020-04-30T20:31:38.012Z"^^xsd:dateTime . | |
:relationship--64a40a9a-ddea-430d-ab08-77c350d83497 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--295721d2-ee20-4fa3-ade3-37f4146b4570; | |
stix:target_ref :attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5; | |
dcterms:created "2021-06-11T19:29:44.680Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[AppleSeed](https://attack.mitre.org/software/S0622) can collect data on a compromised host.(Citation: Malwarebytes Kimsuky June 2021)(Citation: KISA Operation Muzabi)"; | |
dcterms:modified "2022-04-12T18:37:03.594Z"^^xsd:dateTime . | |
:relationship--a31ed7a5-8ed3-46e7-8e3b-32935023e19b | |
rdf:type stix:Relationship; | |
stix:source_ref :attack-pattern--005cc321-08ce-4d17-b1ea-cb5275926520; | |
stix:target_ref :attack-pattern--451a9977-d255-43c9-b431-66de80130c8c; | |
dcterms:created "2022-09-30T21:18:42.043Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description ""; | |
dcterms:modified "2022-09-30T21:18:42.043Z"^^xsd:dateTime . | |
:relationship--670efee1-b854-4d39-85b1-b6038e3580e3 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--edc5e045-5401-42bb-ad92-52b5b2ee0de9; | |
stix:target_ref :attack-pattern--9db0cf3a-a3c9-4012-8268-123b9db6fd82; | |
dcterms:created "2021-09-28T19:49:13.903Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[QakBot](https://attack.mitre.org/software/S0650) can move laterally using worm-like functionality through exploitation of SMB.(Citation: Crowdstrike Qakbot October 2020)"; | |
dcterms:modified "2021-09-28T19:49:13.903Z"^^xsd:dateTime . | |
:relationship--cd8c30eb-063a-4ee9-b67b-3668fae4df38 | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--3bd2cf87-1ceb-4317-9aee-3e7dc713261b; | |
stix:target_ref :attack-pattern--118f61a5-eb3e-4fb6-931f-2096647f4ecd; | |
dcterms:created "2020-03-10T17:45:00.302Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Malware researchers can reverse engineer malware variants that use DGAs and determine future domains that the malware will attempt to contact, but this is a time and resource intensive effort.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA Brute Force) Malware is also increasingly incorporating seed values that can be unique for each instance, which would then need to be determined to extract future generated domains. In some cases, the seed that a particular sample uses can be extracted from DNS traffic.(Citation: Akamai DGA Mitigation) Even so, there can be thousands of possible domains generated per day; this makes it impractical for defenders to preemptively register all possible C2 domains due to the cost."; | |
dcterms:modified "2023-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--d101870c-304e-4597-a292-7d5e8c870f95 | |
rdf:type stix:Relationship; | |
stix:source_ref :tool--2c5281dd-b5fd-4531-8aea-c1bf8a0f8756; | |
stix:target_ref :attack-pattern--1ecfdab8-7d59-4c98-95d4-dc41970f57fc; | |
dcterms:created "2022-02-01T15:08:45.251Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[AADInternals](https://attack.mitre.org/software/S0677) can dump secrets from the Local Security Authority.(Citation: AADInternals Documentation)"; | |
dcterms:modified "2022-04-13T14:23:09.136Z"^^xsd:dateTime . | |
:relationship--b842af96-8422-4b23-bd17-35d123c5a9b5 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--fb366179-766c-4a4a-afa1-52bff1fd601c; | |
stix:target_ref :attack-pattern--bd369cd9-abb8-41ce-b5bb-fff23ee86c00; | |
dcterms:created "2021-11-29T21:18:40.003Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Threat Group-3390](https://attack.mitre.org/groups/G0027) has compromised the Able Desktop installer to gain access to victim's environments.(Citation: Trend Micro Iron Tiger April 2021)"; | |
dcterms:modified "2021-11-29T21:18:40.003Z"^^xsd:dateTime . | |
:relationship--19161920-e6b5-481f-a240-62f05c624010 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--b42378e0-f147-496f-992a-26a49705395b; | |
stix:target_ref :attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4; | |
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[PoisonIvy](https://attack.mitre.org/software/S0012) creates a Registry subkey that registers a new system device.(Citation: Symantec Darkmoon Aug 2005)"; | |
dcterms:modified "2020-03-16T16:57:13.393Z"^^xsd:dateTime . | |
:relationship--9ffc8525-79a5-40a2-b371-46052daf66c5 | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--9bb9e696-bff8-4ae1-9454-961fc7d91d5f; | |
stix:target_ref :attack-pattern--a10641f4-87b4-45a3-a906-92a149cb2c27; | |
dcterms:created "2019-06-13T16:04:04.082Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Do not allow domain administrator accounts to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems."; | |
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--c7602a92-d2d5-488d-b0b7-986ec1ef594d | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542; | |
stix:target_ref :attack-pattern--7e7c2fba-7cca-486c-9582-4c1bb2851961; | |
dcterms:created "2022-02-10T16:46:33.851Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[APT29](https://attack.mitre.org/groups/G0016) has embedded ISO images and VHDX files in HTML to evade Mark-of-the-Web.(Citation: ESET T3 Threat Report 2021)"; | |
dcterms:modified "2022-02-10T16:46:33.851Z"^^xsd:dateTime . | |
:relationship--e1f948d0-7627-408c-a2c9-669e30e43782 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7; | |
stix:target_ref :tool--38952eac-cb1b-4a71-bad2-ee8223a1c8fe; | |
dcterms:created "2023-01-04T18:57:43.336Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "(Citation: Mandiant APT41)"; | |
dcterms:modified "2023-01-04T18:57:43.336Z"^^xsd:dateTime . | |
:relationship--3f010259-666c-403b-b5c7-603b319583da | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--c4d50cdf-87ce-407d-86d8-862883485842; | |
stix:target_ref :tool--8f8cd191-902c-4e83-bf20-b57c8c4640e9; | |
dcterms:created "2020-05-05T19:37:33.785Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "(Citation: QiAnXin APT-C-36 Feb2019)"; | |
dcterms:modified "2020-10-14T14:40:36.542Z"^^xsd:dateTime . | |
:relationship--978d8c12-bf39-440f-ac17-b66970451152 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d; | |
stix:target_ref :malware--d5268dfb-ae2b-4e0e-ac07-02a460613d8a; | |
dcterms:created "2019-02-18T20:17:17.641Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "(Citation: FireEye APT34 Dec 2017) (Citation: Palo Alto OilRig Sep 2018)"; | |
dcterms:modified "2020-03-18T20:18:02.875Z"^^xsd:dateTime . | |
:relationship--a68d8191-b374-4741-a249-1db3515d581b | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265df3258; | |
stix:target_ref :attack-pattern--1c34f7aa-9341-4a48-bfab-af22e51aca6c; | |
dcterms:created "2019-07-19T17:14:24.029Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[GALLIUM](https://attack.mitre.org/groups/G0093) compressed and staged files in multi-part archives in the Recycle Bin prior to exfiltration.(Citation: Cybereason Soft Cell June 2019)"; | |
dcterms:modified "2021-04-29T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--062f7bee-8b54-4edd-aca9-11437b7cbc8b | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--0ec2f388-bf0f-4b5c-97b1-fc736d26c25f; | |
stix:target_ref :attack-pattern--212306d8-efa4-44c9-8c2d-ed3d2e224aa0; | |
dcterms:created "2022-03-15T19:56:31.062Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Kimsuky](https://attack.mitre.org/groups/G0094) has developed its own unique malware such as MailFetch.py for use in operations.(Citation: KISA Operation Muzabi)(Citation: Talos Kimsuky Nov 2021)"; | |
dcterms:modified "2022-04-18T19:49:12.056Z"^^xsd:dateTime . | |
:relationship--b001d78a-afd6-47bb-bdb5-73e967e35a13 | |
rdf:type stix:Relationship; | |
stix:source_ref :attack-pattern--2f41939b-54c3-41d6-8f8b-35f1ec18ed97; | |
stix:target_ref :attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a; | |
dcterms:created "2022-09-29T18:30:12.366Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description ""; | |
dcterms:modified "2022-09-29T18:30:12.366Z"^^xsd:dateTime . | |
:relationship--229150e3-5c4b-475e-8981-27fb472ad119 | |
rdf:type stix:Relationship; | |
stix:source_ref :tool--b76b2d94-60e4-4107-a903-4a3a7622fb3b; | |
stix:target_ref :attack-pattern--837f9164-50af-4ac0-8219-379d8a74cefc; | |
dcterms:created "2020-03-19T23:11:54.931Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[LaZagne](https://attack.mitre.org/software/S0349) can obtain credentials from chats, databases, mail, and WiFi.(Citation: GitHub LaZagne Dec 2018)"; | |
dcterms:modified "2020-03-19T23:11:54.931Z"^^xsd:dateTime . | |
:relationship--e09c37a3-ae23-403e-93d5-aef4953bd43c | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--5636b7b3-d99b-4edd-aa05-ee649c1d4ef1; | |
stix:target_ref :attack-pattern--4f9ca633-15c5-463c-9724-bdcd54fde541; | |
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Orangeworm](https://attack.mitre.org/groups/G0071) has copied its backdoor across open network shares, including ADMIN$, C$WINDOWS, D$WINDOWS, and E$WINDOWS.(Citation: Symantec Orangeworm April 2018)"; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--6ee04a90-7158-43a6-8133-9b498f1fef2c | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--72911fe3-f085-40f7-b4f2-f25a4221fe44; | |
stix:target_ref :attack-pattern--51a14c76-dd3b-440b-9c20-2bf91d25a814; | |
dcterms:created "2022-04-15T17:19:18.492Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[FoggyWeb](https://attack.mitre.org/software/S0661) can allow abuse of a compromised AD FS server's SAML token.(Citation: MSTIC FoggyWeb September 2021)"; | |
dcterms:modified "2022-04-15T17:19:18.492Z"^^xsd:dateTime . | |
:relationship--ef318b23-1b8c-4c24-ad20-09c0977a73b3 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--e48df773-7c95-4a4c-ba70-ea3d15900148; | |
stix:target_ref :attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62; | |
dcterms:created "2018-01-16T16:13:52.465Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[DownPaper](https://attack.mitre.org/software/S0186) uses the command line.(Citation: ClearSky Charming Kitten Dec 2017)"; | |
dcterms:modified "2020-03-20T17:05:40.089Z"^^xsd:dateTime . | |
:relationship--f7120568-70db-4111-985c-9970775206c1 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--8c1f0187-0826-4320-bddc-5f326cfcfe2c; | |
stix:target_ref :malware--a7881f21-e978-4fe4-af56-92c9416a2616; | |
dcterms:created "2020-11-06T18:40:38.498Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "(Citation: Cycraft Chimera April 2020)(Citation: NCC Group Chimera January 2021)"; | |
dcterms:modified "2023-02-06T18:11:56.982Z"^^xsd:dateTime . | |
:relationship--a77f2c84-7538-48f5-8809-df2fa47ab6df | |
rdf:type stix:Relationship; | |
stix:source_ref :campaign--8d2bc130-89fe-466e-a4f9-6bce6129c2b8; | |
stix:target_ref :tool--2e45723a-31da-4a7e-aaa6-e01998a6788f; | |
dcterms:created "2022-09-21T14:48:46.354Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "(Citation: Bitdefender FunnyDream Campaign November 2020)"; | |
dcterms:modified "2022-09-23T20:55:50.611Z"^^xsd:dateTime . | |
:relationship--78e4027f-b5ff-4cb3-8b27-ab931baf3476 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--58eddbaf-7416-419a-ad7b-e65b9d4c3b55; | |
stix:target_ref :attack-pattern--4f9ca633-15c5-463c-9724-bdcd54fde541; | |
dcterms:created "2021-02-23T20:50:33.341Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Conficker](https://attack.mitre.org/software/S0608) variants spread through NetBIOS share propagation.(Citation: SANS Conficker)"; | |
dcterms:modified "2021-10-14T16:53:14.448Z"^^xsd:dateTime . | |
:relationship--cf36b530-36fa-40f5-b11c-94b5f5cfaf76 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--295721d2-ee20-4fa3-ade3-37f4146b4570; | |
stix:target_ref :attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c; | |
dcterms:created "2021-06-11T17:02:07.723Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[AppleSeed](https://attack.mitre.org/software/S0622) can delete files from a compromised host after they are exfiltrated.(Citation: Malwarebytes Kimsuky June 2021)"; | |
dcterms:modified "2021-06-11T17:02:07.723Z"^^xsd:dateTime . | |
:relationship--7fe2431d-30b9-45ef-8857-ecef17e428a9 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--4a2ce82e-1a74-468a-a6fb-bbead541383c; | |
stix:target_ref :attack-pattern--232a7e42-cd6e-4902-8fe9-2960f529dd4d; | |
dcterms:created "2018-04-18T17:59:24.739Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[APT37](https://attack.mitre.org/groups/G0067) has used Windows DDE for execution of commands and a malicious VBS.(Citation: Securelist ScarCruft Jun 2016)"; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--5bfd02aa-acc6-47a0-8867-d7962ce775f6 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7; | |
stix:target_ref :tool--b77b563c-34bb-4fb8-86a3-3694338f7b47; | |
dcterms:created "2019-09-24T12:31:43.884Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)"; | |
dcterms:modified "2023-03-23T15:45:58.852Z"^^xsd:dateTime . | |
:relationship--380db9ad-f6ad-4988-8a28-b773313f07b7 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--e066bf86-9cfb-407a-9d25-26fd5d91e360; | |
stix:target_ref :attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62; | |
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[HTTPBrowser](https://attack.mitre.org/software/S0070) is capable of spawning a reverse shell on a victim.(Citation: Dell TG-3390)"; | |
dcterms:modified "2020-03-20T02:22:13.351Z"^^xsd:dateTime . | |
:relationship--686d91dc-692b-48a0-829b-2556c6415f59 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6; | |
stix:target_ref :malware--925a6c52-5cf0-4fec-99de-b0d6917d8593; | |
dcterms:created "2020-12-06T23:49:08.052Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "(Citation: ESET Crutch December 2020)(Citation: Talos TinyTurla September 2021)"; | |
dcterms:modified "2021-12-02T15:45:11.521Z"^^xsd:dateTime . | |
:relationship--dab25d1d-e38b-491d-9842-8de94999744f | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--93a6e38c-02a5-44d8-9035-b2e08459f31f; | |
stix:target_ref :attack-pattern--34b3f738-bd64-40e5-a112-29b0542bc8bf; | |
dcterms:created "2022-03-30T14:26:51.838Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Consider analyzing self-signed code signing certificates for features that may be associated with the adversary and/or their developers, such as the thumbprint, algorithm used, validity period, and common name. Malware repositories can also be used to identify additional samples associated with the adversary and identify patterns an adversary has used in crafting self-signed code signing certificates.\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related follow-on behavior, such as [Code Signing](https://attack.mitre.org/techniques/T1553/002) or [Install Root Certificate](https://attack.mitre.org/techniques/T1553/004)."; | |
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--bfdffc50-dba0-41d1-a332-0a02a0a8de07 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--247cb30b-955f-42eb-97a5-a89fef69341e; | |
stix:target_ref :attack-pattern--4f9ca633-15c5-463c-9724-bdcd54fde541; | |
dcterms:created "2019-01-31T01:07:58.487Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[APT32](https://attack.mitre.org/groups/G0050) used [Net](https://attack.mitre.org/software/S0039) to use Windows' hidden network shares to copy their tools to remote machines for execution.(Citation: Cybereason Cobalt Kitty 2017)"; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:attack-pattern--633a100c-b2c9-41bf-9be5-905c1b16c825 | |
rdf:type d3f:OffensiveTechnique; | |
rdfs:label "Dynamic Linker Hijacking"; | |
dcterms:created "2020-03-13T20:09:59.569Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Adversaries may execute their own malicious payloads by hijacking environment variables the dynamic linker uses to load shared libraries. During the execution preparation phase of a program, the dynamic linker loads specified absolute paths of shared libraries from environment variables and files, such as <code>LD_PRELOAD</code> on Linux or <code>DYLD_INSERT_LIBRARIES</code> on macOS. Libraries specified in environment variables are loaded first, taking precedence over system libraries with the same function name.(Citation: Man LD.SO)(Citation: TLDP Shared Libraries)(Citation: Apple Doco Archive Dynamic Libraries) These variables are often used by developers to debug binaries without needing to recompile, deconflict mapped symbols, and implement custom functions without changing the original library.(Citation: Baeldung LD_PRELOAD)\n\nOn Linux and macOS, hijacking dynamic linker variables may grant access to the victim process's memory, system/network resources, and possibly elevated privileges. This method may also evade detection from security products since the execution is masked under a legitimate process. Adversaries can set environment variables via the command line using the <code>export</code> command, <code>setenv</code> function, or <code>putenv</code> function. Adversaries can also leverage [Dynamic Linker Hijacking](https://attack.mitre.org/techniques/T1574/006) to export variables in a shell or set variables programmatically using higher level syntax such Python’s <code>os.environ</code>.\n\nOn Linux, adversaries may set <code>LD_PRELOAD</code> to point to malicious libraries that match the name of legitimate libraries which are requested by a victim program, causing the operating system to load the adversary's malicious code upon execution of the victim program. <code>LD_PRELOAD</code> can be set via the environment variable or <code>/etc/ld.so.preload</code> file.(Citation: Man LD.SO)(Citation: TLDP Shared Libraries) Libraries specified by <code>LD_PRELOAD</code> are loaded and mapped into memory by <code>dlopen()</code> and <code>mmap()</code> respectively.(Citation: Code Injection on Linux and macOS)(Citation: Uninformed Needle) (Citation: Phrack halfdead 1997)(Citation: Brown Exploiting Linkers) \n\nOn macOS this behavior is conceptually the same as on Linux, differing only in how the macOS dynamic libraries (dyld) is implemented at a lower level. Adversaries can set the <code>DYLD_INSERT_LIBRARIES</code> environment variable to point to malicious libraries containing names of legitimate libraries or functions requested by a victim program.(Citation: TheEvilBit DYLD_INSERT_LIBRARIES)(Citation: Timac DYLD_INSERT_LIBRARIES)(Citation: Gabilondo DYLD_INSERT_LIBRARIES Catalina Bypass) "; | |
dcterms:modified "2023-05-09T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--51551fb5-48df-4143-9163-9b7ffe35bf8f | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--35d1b3be-49d4-42f1-aaa6-ef159c880bca; | |
stix:target_ref :attack-pattern--19bf235b-8620-4997-b5b4-94e0659ed7c3; | |
dcterms:created "2021-10-01T01:57:31.785Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[TeamTNT](https://attack.mitre.org/groups/G0139) has queried the AWS instance metadata service for credentials.(Citation: Trend Micro TeamTNT)(Citation: Cisco Talos Intelligence Group)"; | |
dcterms:modified "2022-12-01T17:31:07.707Z"^^xsd:dateTime . | |
:relationship--ed113911-e21a-4b1b-a082-42313d5aa887 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--3161d76a-e2b2-4b97-9906-24909b735386; | |
stix:target_ref :attack-pattern--f4599aa0-4f85-4a32-80ea-fc39dc965945; | |
dcterms:created "2020-05-26T19:43:49.658Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Aria-body](https://attack.mitre.org/software/S0456) has the ability to inject itself into another process such as rundll32.exe and dllhost.exe.(Citation: CheckPoint Naikon May 2020)"; | |
dcterms:modified "2020-06-03T13:40:15.300Z"^^xsd:dateTime . | |
:relationship--3f824a1b-70d5-4859-bd55-6b084f602a52 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--751b77e6-af1f-483b-93fe-eddf17f92a64; | |
stix:target_ref :attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18; | |
dcterms:created "2021-02-10T18:20:51.667Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Caterpillar WebShell](https://attack.mitre.org/software/S0572) can search for files in directories.(Citation: ClearSky Lebanese Cedar Jan 2021) "; | |
dcterms:modified "2021-02-10T18:20:51.667Z"^^xsd:dateTime . | |
:relationship--2b89f806-5b78-4599-9536-13b47c35d26d | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--687c23e4-4e25-4ee7-a870-c5e002511f54; | |
stix:target_ref :attack-pattern--e3b6daca-e963-4a69-aee6-ed4fd653ad58; | |
dcterms:created "2020-05-14T15:14:33.527Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[DustySky](https://attack.mitre.org/software/S0062) lists all installed software for the infected machine.(Citation: Kaspersky MoleRATs April 2019)"; | |
dcterms:modified "2020-05-14T15:14:33.527Z"^^xsd:dateTime . | |
:relationship--24013fde-5ce7-4995-9d9f-d2ced31b9d9a | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c; | |
stix:target_ref :malware--ccd61dfc-b03f-4689-8c18-7c97eab08472; | |
dcterms:created "2017-05-31T21:33:27.040Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "(Citation: FireEye APT28)(Citation: Kaspersky Sofacy)(Citation: Securelist Sofacy Feb 2018)(Citation: Secureworks IRON TWILIGHT Active Measures March 2017)"; | |
dcterms:modified "2023-03-26T17:51:20.407Z"^^xsd:dateTime . | |
:relationship--2db515e9-4e44-4a49-917a-3108395b8590 | |
rdf:type stix:Relationship; | |
stix:source_ref :tool--066b057c-944e-4cfc-b654-e3dfba04b926; | |
stix:target_ref :attack-pattern--b6075259-dba3-44e9-87c7-e954f37ec0d5; | |
dcterms:created "2020-11-20T14:11:33.320Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[BloodHound](https://attack.mitre.org/software/S0521) can collect password policy information on the target environment.(Citation: CrowdStrike BloodHound April 2018)"; | |
dcterms:modified "2020-11-20T14:11:33.320Z"^^xsd:dateTime . | |
:relationship--c1c2c530-a2d2-4c2f-bcff-ceda0277de59 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--6a2e693f-24e5-451a-9f88-b36a108e5662; | |
stix:target_ref :attack-pattern--f9cc4d06-775f-4ee1-b401-4e2cc0da30ba; | |
dcterms:created "2020-10-13T01:26:50.637Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[APT1](https://attack.mitre.org/groups/G0006) hijacked FQDNs associated with legitimate websites hosted by hop points.(Citation: Mandiant APT1)"; | |
dcterms:modified "2020-10-13T01:26:50.637Z"^^xsd:dateTime . | |
:relationship--b3e28a85-784f-4adb-9398-3bbdaf9275fc | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--350f12cf-fd3b-4dad-b323-14b943090df4; | |
stix:target_ref :attack-pattern--f7c0689c-4dbd-489b-81be-7cb7c7079ade; | |
dcterms:created "2021-09-21T15:45:10.178Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Turian](https://attack.mitre.org/software/S0647) can insert pseudo-random characters into its network encryption setup.(Citation: ESET BackdoorDiplomacy Jun 2021)"; | |
dcterms:modified "2021-10-18T13:19:48.355Z"^^xsd:dateTime . | |
:campaign--8d2bc130-89fe-466e-a4f9-6bce6129c2b8 | |
rdf:type stix:Campaign; | |
rdfs:label "FunnyDream"; | |
dcterms:created "2022-09-20T17:29:09.547Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[FunnyDream](https://attack.mitre.org/campaigns/C0007) was a suspected Chinese cyber espionage campaign that targeted government and foreign organizations in Malaysia, the Philippines, Taiwan, Vietnam, and other parts of Southeast Asia. Security researchers linked the [FunnyDream](https://attack.mitre.org/campaigns/C0007) campaign to possible Chinese-speaking threat actors through the use of the [Chinoxy](https://attack.mitre.org/software/S1041) backdoor and noted infrastructure overlap with the TAG-16 threat group.(Citation: Bitdefender FunnyDream Campaign November 2020)(Citation: Kaspersky APT Trends Q1 2020)(Citation: Recorded Future Chinese Activity in Southeast Asia December 2021)"; | |
dcterms:modified "2022-10-10T16:19:33.560Z"^^xsd:dateTime . | |
:relationship--acfadf9a-afa5-413e-8855-a96947c5ab26 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--e14085cb-0e8d-4be6-92ba-e3b93ee5978f; | |
stix:target_ref :attack-pattern--10ffac09-e42d-4f56-ab20-db94c67d76ff; | |
dcterms:created "2021-10-07T21:28:23.908Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[XCSSET](https://attack.mitre.org/software/S0658) uses <code>scp</code> to access the <code>~/Library/Cookies/Cookies.binarycookies</code> file.(Citation: trendmicro xcsset xcode project 2020)"; | |
dcterms:modified "2021-10-14T22:58:54.604Z"^^xsd:dateTime . | |
:relationship--2365c9aa-96df-47d8-8601-1acdf66737ba | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0; | |
stix:target_ref :attack-pattern--a1b52199-c8c5-438a-9ded-656f1d0888c6; | |
dcterms:created "2022-03-30T14:26:51.853Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Loading, unloading, and manipulating modules on Linux systems can be detected by monitoring for the following commands: <code>modprobe</code>, <code>insmod</code>, <code>lsmod</code>, <code>rmmod</code>, or <code>modinfo</code> (Citation: Linux Loadable Kernel Module Insert and Remove LKMs) Adversaries may run commands on the target system before loading a malicious module in order to ensure that it is properly compiled. (Citation: iDefense Rootkit Overview) Adversaries may also execute commands to identify the exact version of the running Linux kernel and/or download multiple versions of the same .ko (kernel object) files to use the one appropriate for the running system.(Citation: Trend Micro Skidmap) Many LKMs require Linux headers (specific to the target kernel) in order to compile properly. These are typically obtained through the operating systems package manager and installed like a normal package.\n\nOn macOS, monitor for execution of <code>kextload</code> commands and user installed kernel extensions performing abnormal and/or potentially malicious activity (such as creating network connections). Monitor for new rows added in the <code>kext_policy</code> table. KextPolicy stores a list of user approved (non Apple) kernel extensions and a partial history of loaded kernel modules in a SQLite database, <code>/var/db/SystemPolicyConfiguration/KextPolicy</code>.(Citation: User Approved Kernel Extension Pike’s)(Citation: Purves Kextpocalypse 2)(Citation: Apple Developer Configuration Profile)"; | |
dcterms:modified "2022-04-16T02:27:10.160Z"^^xsd:dateTime . | |
:relationship--0882cca9-ed77-4c71-85e4-78988d79236f | |
rdf:type stix:Relationship; | |
stix:source_ref :campaign--93c23946-49af-41f4-ac03-40f9ffc7419b; | |
stix:target_ref :attack-pattern--348f1eef-964b-4eb6-bb53-69b3dcb0c643; | |
dcterms:created "2022-10-06T21:19:39.963Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "During [Operation CuckooBees](https://attack.mitre.org/campaigns/C0012), the threat actors used the `fsutil fsinfo drives` command as part of their advanced reconnaissance.(Citation: Cybereason OperationCuckooBees May 2022)"; | |
dcterms:modified "2022-10-06T21:19:39.963Z"^^xsd:dateTime . | |
:relationship--aff9bcd9-34b9-4c94-9ce0-dd4852118f91 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--eedc01d5-95e6-4d21-bcd4-1121b1df4586; | |
stix:target_ref :attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5; | |
dcterms:created "2020-10-21T02:14:05.535Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[CookieMiner](https://attack.mitre.org/software/S0492) has retrieved iPhone text messages from iTunes phone backup files.(Citation: Unit42 CookieMiner Jan 2019)"; | |
dcterms:modified "2020-10-21T02:14:05.535Z"^^xsd:dateTime . | |
:relationship--5c56206f-8ae3-4296-ab89-bc2036b74896 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--75ecdbf1-c2bb-4afc-a3f9-c8da4de8c661; | |
stix:target_ref :attack-pattern--b80d107d-fa0d-4b60-9684-b0433e8bdba0; | |
dcterms:created "2019-03-26T13:38:24.567Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[WannaCry](https://attack.mitre.org/software/S0366) encrypts user files and demands that a ransom be paid in Bitcoin to decrypt those files.(Citation: LogRhythm WannaCry)(Citation: FireEye WannaCry 2017)(Citation: SecureWorks WannaCry Analysis)"; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--d2f19ee3-8e1c-46e4-b803-e8b3fa36f62e | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1; | |
stix:target_ref :attack-pattern--3489cfc5-640f-4bb3-a103-9137b97de79f; | |
dcterms:created "2021-12-06T19:48:35.268Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Dragonfly](https://attack.mitre.org/groups/G0035) has identified and browsed file servers in the victim network, sometimes , viewing files pertaining to ICS or Supervisory Control and Data Acquisition (SCADA) systems.(Citation: US-CERT TA18-074A)"; | |
dcterms:modified "2021-12-06T20:45:13.824Z"^^xsd:dateTime . | |
:relationship--2e5931ef-cc28-49e8-b0c1-7705227ee5cf | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--23bff3ce-021c-4e7a-9aee-60fd40bc7c6c; | |
stix:target_ref :attack-pattern--9e80ddfb-ce32-4961-a778-ca6a10cfae72; | |
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:modified "2023-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--12daddcc-b964-485e-8c2d-10f554d78bcc | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d; | |
stix:target_ref :attack-pattern--f24faf46-3b26-4dbb-98f2-63460498e433; | |
dcterms:created "2018-01-16T16:13:52.465Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[OilRig](https://attack.mitre.org/groups/G0049) malware ISMAgent falls back to its DNS tunneling mechanism if it is unable to reach the C2 server over HTTP.(Citation: OilRig ISMAgent July 2017)"; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--d4962990-8bb3-46b9-9ca3-c946fd6ce07e | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--b9704a7d-feef-4af9-8898-5280f1686326; | |
stix:target_ref :attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a; | |
dcterms:created "2020-07-23T14:29:04.744Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[GoldenSpy](https://attack.mitre.org/software/S0493)'s uninstaller has base64-encoded its variables. (Citation: Trustwave GoldenSpy2 June 2020)"; | |
dcterms:modified "2020-07-23T14:29:04.744Z"^^xsd:dateTime . | |
:relationship--db393f5e-8029-423c-bfbc-da48fc932cb0 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--129f2f77-1ab2-4c35-bd5e-21260cee92af; | |
stix:target_ref :attack-pattern--3ee16395-03f0-4690-a32e-69ce9ada0f9e; | |
dcterms:created "2022-08-18T19:13:34.306Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[EXOTIC LILY](https://attack.mitre.org/groups/G1011) has uploaded malicious payloads to file-sharing services including TransferNow, TransferXL, WeTransfer, and OneDrive.(Citation: Google EXOTIC LILY March 2022)"; | |
dcterms:modified "2022-08-19T19:40:51.937Z"^^xsd:dateTime . | |
:relationship--5b69fc3c-1bf7-4092-be94-755790ccf41f | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--eff1a885-6f90-42a1-901f-eef6e7a1905e; | |
stix:target_ref :attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736; | |
dcterms:created "2018-01-16T16:13:52.465Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "One version of [Helminth](https://attack.mitre.org/software/S0170) uses a PowerShell script.(Citation: Palo Alto OilRig May 2016)"; | |
dcterms:modified "2020-03-16T16:55:40.070Z"^^xsd:dateTime . | |
:relationship--ab11615f-a0d9-43c9-b71e-6ae83155bf3b | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--051eaca1-958f-4091-9e5f-a9acd8f820b5; | |
stix:target_ref :attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4; | |
dcterms:created "2019-01-30T15:10:04.241Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Exaramel for Windows](https://attack.mitre.org/software/S0343) adds the configuration to the Registry in XML format.(Citation: ESET TeleBots Oct 2018)"; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--3afd226c-934f-44fd-8194-9a6dee5cba59 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a; | |
stix:target_ref :attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a; | |
dcterms:created "2017-05-31T21:33:27.065Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Lazarus Group](https://attack.mitre.org/groups/G0032) has used multiple types of encryption and encoding for their payloads, including AES, Caracachs, RC4, XOR, Base64, and other tricks such as creating aliases in code for [Native API](https://attack.mitre.org/techniques/T1106) function names.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Loaders)(Citation: Novetta Blockbuster RATs)(Citation: McAfee Lazarus Resurfaces Feb 2018)(Citation: TrendMicro macOS Dacls May 2020)(Citation: Lazarus APT January 2022)(Citation: Qualys LolZarus)"; | |
dcterms:modified "2023-03-14T16:18:50.582Z"^^xsd:dateTime . | |
:relationship--73e382dc-5808-42b6-b796-e4ca35a198f4 | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e; | |
stix:target_ref :attack-pattern--c877e33f-1df6-40d6-b1e7-ce70f16f4979; | |
dcterms:created "2022-03-30T14:26:51.872Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Remote access tools with built-in features may interact directly with the Windows API, such as calling <code> GetLocaleInfoW</code> to gather information.(Citation: FBI Ragnar Locker 2020)"; | |
dcterms:modified "2022-03-30T14:26:51.872Z"^^xsd:dateTime . | |
:relationship--8eed7d01-46dc-4b25-a42d-bd9afcb84963 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--454fe82d-6fd2-4ac6-91ab-28a33fe01369; | |
stix:target_ref :attack-pattern--f1951e8a-500e-4a26-8803-76d95c4554b4; | |
dcterms:created "2019-04-19T15:30:36.746Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[HOPLIGHT](https://attack.mitre.org/software/S0376) has used svchost.exe to execute a malicious DLL .(Citation: US-CERT HOPLIGHT Apr 2019)"; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:attack-pattern--a0a189c8-d3bd-4991-bf6f-153d185ee373 | |
rdf:type d3f:OffensiveTechnique; | |
rdfs:label "LC_MAIN Hijacking"; | |
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "**This technique has been deprecated and should no longer be used.**\n\nAs of OS X 10.8, mach-O binaries introduced a new header called LC_MAIN that points to the binary’s entry point for execution. Previously, there were two headers to achieve this same effect: LC_THREAD and LC_UNIXTHREAD (Citation: Prolific OSX Malware History). The entry point for a binary can be hijacked so that initial execution flows to a malicious addition (either another section or a code cave) and then goes back to the initial entry point so that the victim doesn’t know anything was different (Citation: Methods of Mac Malware Persistence). By modifying a binary in this way, application whitelisting can be bypassed because the file name or application path is still the same."; | |
dcterms:modified "2021-04-29T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--a358f0a9-b5b9-4a84-8c83-dc0a1325d63e | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c; | |
stix:target_ref :attack-pattern--9db0cf3a-a3c9-4012-8268-123b9db6fd82; | |
dcterms:created "2018-04-18T17:59:24.739Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[APT28](https://attack.mitre.org/groups/G0007) exploited a Windows SMB Remote Code Execution Vulnerability to conduct lateral movement.(Citation: FireEye APT28)(Citation: FireEye APT28 Hospitality Aug 2017)(Citation: MS17-010 March 2017)"; | |
dcterms:modified "2023-03-26T17:51:20.416Z"^^xsd:dateTime . | |
:relationship--e50b6d7a-8c22-45f3-9d60-383064cc58d4 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--76565741-3452-4069-ab08-80c0ea95bbeb; | |
stix:target_ref :malware--53ab35c2-d00e-491a-8753-41d35ae7e547; | |
dcterms:created "2019-01-29T21:37:00.018Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "(Citation: Unit42 SilverTerrier 2018)"; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--f25505f6-dbd0-4d7b-8e8c-b3885f206cbf | |
rdf:type stix:Relationship; | |
stix:source_ref :tool--c8655260-9f4b-44e3-85e1-6538a5f6e4f4; | |
stix:target_ref :attack-pattern--3489cfc5-640f-4bb3-a103-9137b97de79f; | |
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Koadic](https://attack.mitre.org/software/S0250) can scan local network for open SMB.(Citation: Github Koadic)"; | |
dcterms:modified "2020-03-16T16:55:04.386Z"^^xsd:dateTime . | |
:relationship--4ab6ada3-0129-4f34-ba29-b793c6d98fff | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--269e8108-68c6-4f99-b911-14b2e765dec2; | |
stix:target_ref :attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0; | |
dcterms:created "2019-01-30T17:33:41.156Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[MuddyWater](https://attack.mitre.org/groups/G0069) has used malware to collect the victim’s IP address and domain name.(Citation: Securelist MuddyWater Oct 2018)"; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--ecd6c482-51ae-402c-8482-4feb9cda9b05 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--c9b99d03-ff11-4a48-95f0-82660d582c25; | |
stix:target_ref :attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a; | |
dcterms:created "2021-07-16T19:42:59.611Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[GrimAgent](https://attack.mitre.org/software/S0632) has used Rotate on Right (RoR) and Rotate on Left (RoL) functionality to encrypt strings.(Citation: Group IB GrimAgent July 2021)"; | |
dcterms:modified "2021-07-16T19:42:59.611Z"^^xsd:dateTime . | |
:relationship--9505cb0b-a9b6-4680-94ed-ae74916444f0 | |
rdf:type stix:Relationship; | |
stix:source_ref :campaign--808d6b30-df4e-4341-8248-724da4bac650; | |
stix:target_ref :attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c; | |
dcterms:created "2023-03-26T16:38:22.644Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "During the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024), [APT29](https://attack.mitre.org/groups/G0016) routinely removed their tools, including custom backdoors, once remote access was achieved.(Citation: FireEye SUNBURST Backdoor December 2020)"; | |
dcterms:modified "2023-03-26T16:38:22.644Z"^^xsd:dateTime . | |
:relationship--5181727e-706d-4e57-8a41-628a27e03c6c | |
rdf:type stix:Relationship; | |
stix:source_ref :tool--c256da91-6dd5-40b2-beeb-ee3b22ab3d27; | |
stix:target_ref :attack-pattern--f2857333-11d4-45bf-b064-2c28d8525be5; | |
dcterms:created "2019-09-03T18:32:49.397Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[esentutl](https://attack.mitre.org/software/S0404) can be used to read and write alternate data streams.(Citation: LOLBAS Esentutl)"; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--c8a0012e-9b2c-4fef-8aeb-7bc77d1b16c3 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--11194d8b-fdce-45d2-8047-df15bb8f16bd; | |
stix:target_ref :attack-pattern--6831414d-bb70-42b7-8030-d4e06b2660c9; | |
dcterms:created "2021-04-01T16:05:11.061Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Exaramel for Linux](https://attack.mitre.org/software/S0401) can execute commands with high privileges via a specific binary with setuid functionality.(Citation: ANSSI Sandworm January 2021)"; | |
dcterms:modified "2021-04-13T00:50:31.596Z"^^xsd:dateTime . | |
:course-of-action--d9f4b5fa-2a39-4bdf-b40a-ea998933cd6d | |
rdf:type stix:CourseOfAction; | |
rdfs:label "Video Capture Mitigation"; | |
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Mitigating this technique specifically may be difficult as it requires fine-grained API control. Efforts should be focused on preventing unwanted or unknown code from executing on a system.\n\nIdentify and block potentially malicious software that may be used to capture video and images by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)"; | |
dcterms:modified "2021-08-23T20:25:20.925Z"^^xsd:dateTime . | |
:relationship--52e9ca8d-a778-46d1-9521-743a8e47c503 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--72911fe3-f085-40f7-b4f2-f25a4221fe44; | |
stix:target_ref :attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5; | |
dcterms:created "2021-11-16T15:32:34.252Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[FoggyWeb](https://attack.mitre.org/software/S0661) can retrieve configuration data from a compromised AD FS server.(Citation: MSTIC FoggyWeb September 2021)"; | |
dcterms:modified "2022-04-15T17:05:10.474Z"^^xsd:dateTime . | |
:relationship--7b458295-8e67-4f1f-acde-3316ae2e061e | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--32066e94-3112-48ca-b9eb-ba2b59d2f023; | |
stix:target_ref :attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736; | |
dcterms:created "2019-03-26T17:48:52.143Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Emotet](https://attack.mitre.org/software/S0367) has used Powershell to retrieve the malicious payload and download additional resources like [Mimikatz](https://attack.mitre.org/software/S0002). (Citation: Symantec Emotet Jul 2018)(Citation: Trend Micro Emotet Jan 2019)(Citation: Picus Emotet Dec 2018)(Citation: Red Canary Emotet Feb 2019)(Citation: Carbon Black Emotet Apr 2019)"; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--10c6cc56-a028-4c2a-b24e-38d97fb4ebb7 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--cafd0bf8-2b9c-46c7-ae3c-3e0f42c5062e; | |
stix:target_ref :attack-pattern--4ae4f953-fe58-4cc8-a327-33257e30a830; | |
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[NetTraveler](https://attack.mitre.org/software/S0033) reports window names along with keylogger information to provide application context.(Citation: Kaspersky NetTraveler)"; | |
dcterms:modified "2020-03-16T17:20:39.755Z"^^xsd:dateTime . | |
:relationship--b28f8635-6a79-4be1-b05a-b4356a04e7c2 | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--2995bc22-2851-4345-ad19-4e7e295be264; | |
stix:target_ref :attack-pattern--d40239b3-05ff-46d8-9bdd-b46d13463ef9; | |
dcterms:created "2019-06-25T14:33:33.684Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Block unknown devices and accessories by endpoint security configuration and monitoring agent."; | |
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime . | |
:intrusion-set--4283ae19-69c7-4347-a35e-b56f08eb660b | |
rdf:type stix:IntrusionSet; | |
rdfs:label "ZIRCONIUM"; | |
dcterms:created "2021-03-24T15:48:17.731Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[ZIRCONIUM](https://attack.mitre.org/groups/G0128) is a threat group operating out of China, active since at least 2017, that has targeted individuals associated with the 2020 US presidential election and prominent leaders in the international affairs community.(Citation: Microsoft Targeting Elections September 2020)(Citation: Check Point APT31 February 2021)"; | |
dcterms:modified "2023-03-22T22:10:43.732Z"^^xsd:dateTime . | |
:relationship--690d1b72-9fb0-426a-9db4-075abf045688 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--bd7a9e13-69fa-4243-a5e5-04326a63f9f2; | |
stix:target_ref :attack-pattern--02c5abff-30bf-4703-ab92-1f6072fae939; | |
dcterms:created "2023-03-26T19:37:12.922Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Pillowmint](https://attack.mitre.org/software/S0517) has stored a compressed payload in the Registry key <code>HKLM\\SOFTWARE\\Microsoft\\DRM</code>.(Citation: Trustwave Pillowmint June 2020)"; | |
dcterms:modified "2023-03-26T19:37:58.169Z"^^xsd:dateTime . | |
:relationship--7696d163-7556-47e2-9ade-25924311fba6 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--3e4e2c79-2b27-4245-a5c1-5586a3cbd8f5; | |
stix:target_ref :attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5; | |
dcterms:created "2022-08-07T15:36:18.985Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[AuTo Stealer](https://attack.mitre.org/software/S1029) can collect data such as PowerPoint files, Word documents, Excel files, PDF files, text files, database files, and image files from an infected machine.(Citation: MalwareBytes SideCopy Dec 2021)"; | |
dcterms:modified "2022-08-24T16:52:51.000Z"^^xsd:dateTime . | |
:relationship--00e99176-c74e-4f49-a498-c66a71612a5b | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--a7881f21-e978-4fe4-af56-92c9416a2616; | |
stix:target_ref :attack-pattern--32901740-b42c-4fdd-bc02-345b5dc57082; | |
dcterms:created "2021-04-07T13:57:06.538Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Cobalt Strike](https://attack.mitre.org/software/S0154) can use self signed Java applets to execute signed applet attacks.(Citation: Talos Cobalt Strike September 2020)(Citation: Cobalt Strike Manual 4.3 November 2020)"; | |
dcterms:modified "2022-11-30T22:37:12.371Z"^^xsd:dateTime . | |
:attack-pattern--16ab6452-c3c1-497c-a47d-206018ca1ada | |
rdf:type d3f:OffensiveTechnique; | |
rdfs:label "System Firmware"; | |
dcterms:created "2019-12-19T19:43:34.507Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer. (Citation: Wikipedia BIOS) (Citation: Wikipedia UEFI) (Citation: About UEFI)\n\nSystem firmware like BIOS and (U)EFI underly the functionality of a computer and may be modified by an adversary to perform or assist in malicious activity. Capabilities exist to overwrite the system firmware, which may give sophisticated adversaries a means to install malicious firmware updates as a means of persistence on a system that may be difficult to detect."; | |
dcterms:modified "2023-03-30T21:01:49.493Z"^^xsd:dateTime . | |
:attack-pattern--0cfe31a7-81fc-472c-bc45-e2808d1066a3 | |
rdf:type d3f:OffensiveTechnique; | |
rdfs:label "External Defacement"; | |
dcterms:created "2020-02-20T14:34:08.496Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "An adversary may deface systems external to an organization in an attempt to deliver messaging, intimidate, or otherwise mislead an organization or users. [External Defacement](https://attack.mitre.org/techniques/T1491/002) may ultimately cause users to distrust the systems and to question/discredit the system’s integrity. Externally-facing websites are a common victim of defacement; often targeted by adversary and hacktivist groups in order to push a political message or spread propaganda.(Citation: FireEye Cyber Threats to Media Industries)(Citation: Kevin Mandia Statement to US Senate Committee on Intelligence)(Citation: Anonymous Hackers Deface Russian Govt Site) [External Defacement](https://attack.mitre.org/techniques/T1491/002) may be used as a catalyst to trigger events, or as a response to actions taken by an organization or government. Similarly, website defacement may also be used as setup, or a precursor, for future attacks such as [Drive-by Compromise](https://attack.mitre.org/techniques/T1189).(Citation: Trend Micro Deep Dive Into Defacement)"; | |
dcterms:modified "2022-05-11T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--f60b8223-eea6-422e-99c6-7f9b70e8ea53 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--9b19d6b4-cfcb-492f-8ca8-8449e7331573; | |
stix:target_ref :attack-pattern--30208d3e-0d6b-43c8-883e-44462a514619; | |
dcterms:created "2020-05-11T22:12:28.689Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[MESSAGETAP](https://attack.mitre.org/software/S0443) checks two files, keyword_parm.txt and parm.txt, for instructions on how to target and save data parsed and extracted from SMS message data from the network traffic. If an SMS message contained either a phone number, IMSI number, or keyword that matched the predefined list, it is saved to a CSV file for later theft by the threat actor.(Citation: FireEye MESSAGETAP October 2019)"; | |
dcterms:modified "2020-06-24T01:43:11.357Z"^^xsd:dateTime . | |
:relationship--9af6241d-355a-4673-b772-8384a718ed64 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--d6b3fcd0-1c86-4350-96f0-965ed02fcc51; | |
stix:target_ref :attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a; | |
dcterms:created "2019-04-26T20:07:36.100Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Ebury](https://attack.mitre.org/software/S0377) has obfuscated its strings with a simple XOR encryption with a static key.(Citation: ESET Ebury Feb 2014)"; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--16e0be5b-93bb-4db2-b6ed-02e34a6ce3cb | |
rdf:type stix:Relationship; | |
stix:source_ref :tool--3433a9e8-1c47-4320-b9bf-ed449061d1c3; | |
stix:target_ref :attack-pattern--d511a6f6-4a33-41d5-bc95-c343875d1377; | |
dcterms:created "2019-03-13T14:38:31.345Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Empire](https://attack.mitre.org/software/S0363) has the ability to obfuscate commands using <code>Invoke-Obfuscation</code>.(Citation: Github PowerShell Empire)"; | |
dcterms:modified "2023-03-22T03:43:28.823Z"^^xsd:dateTime . | |
:relationship--1c7e778c-4193-44e5-85b4-ba7e7668455f | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--93a6e38c-02a5-44d8-9035-b2e08459f31f; | |
stix:target_ref :attack-pattern--edadea33-549c-4ed1-9783-8f5a5853cbdf; | |
dcterms:created "2022-03-30T14:26:51.842Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Monitor for contextual data about a malicious payload, such as compilation times, file hashes, as well as watermarks or other identifiable configuration information. Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Defense Evasion or Command and Control."; | |
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--a7ec0d1d-462b-4909-acee-f2aa1f9199b1 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--04378e79-4387-468a-a8f7-f974b8254e44; | |
stix:target_ref :attack-pattern--0a5231ec-41af-4a35-83d0-6bdf11f28c65; | |
dcterms:created "2022-09-02T20:10:18.795Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description " [Bumblebee](https://attack.mitre.org/software/S1039) can use `LoadLibrary` to attempt to execute GdiPlus.dll.(Citation: Medium Ali Salem Bumblebee April 2022)"; | |
dcterms:modified "2022-09-02T20:10:18.795Z"^^xsd:dateTime . | |
:relationship--a291d185-31c8-4458-a3fc-9af617af28d9 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1; | |
stix:target_ref :attack-pattern--edf91964-b26e-4b4a-9600-ccacd7d7df24; | |
dcterms:created "2021-12-06T19:48:35.203Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Dragonfly](https://attack.mitre.org/groups/G0035) has dropped and executed SecretsDump to dump password hashes. They also obtained ntds.dit from domain controllers.(Citation: US-CERT TA18-074A)(Citation: Core Security Impacket)"; | |
dcterms:modified "2023-02-06T22:09:34.693Z"^^xsd:dateTime . | |
:relationship--431ec495-5f92-40e9-9955-58ca334ea3c8 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d; | |
stix:target_ref :tool--0a68f1f1-da74-4d28-8d9a-696c082706cc; | |
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "(Citation: FireEye APT34 Dec 2017)"; | |
dcterms:modified "2020-03-18T20:18:02.878Z"^^xsd:dateTime . | |
:relationship--0559aa0e-31c2-478b-afce-00d0939066c3 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--35d1b3be-49d4-42f1-aaa6-ef159c880bca; | |
stix:target_ref :attack-pattern--d157f9d2-d09a-4efa-bb2a-64963f94e253; | |
dcterms:created "2022-08-18T19:19:20.765Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[TeamTNT](https://attack.mitre.org/groups/G0139) has created system services to execute cryptocurrency mining software.(Citation: Cisco Talos Intelligence Group)"; | |
dcterms:modified "2022-12-01T17:31:07.698Z"^^xsd:dateTime . | |
:attack-pattern--613d08bc-e8f4-4791-80b0-c8b974340dfd | |
rdf:type d3f:OffensiveTechnique; | |
rdfs:label "Exfiltration Over Bluetooth"; | |
dcterms:created "2020-03-09T17:07:57.392Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Adversaries may attempt to exfiltrate data over Bluetooth rather than the command and control channel. If the command and control network is a wired Internet connection, an adversary may opt to exfiltrate data using a Bluetooth communication channel.\n\nAdversaries may choose to do this if they have sufficient access and proximity. Bluetooth connections might not be secured or defended as well as the primary Internet-connected channel because it is not routed through the same enterprise network."; | |
dcterms:modified "2022-05-11T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--ab3fe31a-051e-4db5-bcf0-20a93b4bae9b | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--47afe41c-4c08-485e-b062-c3bd209a1cce; | |
stix:target_ref :attack-pattern--25659dd6-ea12-45c4-97e6-381e3e4b593e; | |
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[InvisiMole](https://attack.mitre.org/software/S0260) has a command to list account information on the victim’s machine.(Citation: ESET InvisiMole June 2018)"; | |
dcterms:modified "2020-03-18T20:01:05.712Z"^^xsd:dateTime . | |
:relationship--7b510a6f-3e11-49b3-bf97-a1ca24bca663 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--8393dac0-0583-456a-9372-fd81691bca20; | |
stix:target_ref :attack-pattern--c21d5a77-d422-4a69-acd7-2c53c1faa34b; | |
dcterms:created "2020-08-24T14:27:37.560Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "The [PipeMon](https://attack.mitre.org/software/S0501) communication module can use a custom protocol based on TLS over TCP.(Citation: ESET PipeMon May 2020)"; | |
dcterms:modified "2020-08-24T14:27:37.560Z"^^xsd:dateTime . | |
:relationship--8f925090-4063-429f-a0a4-ccaf4825ef78 | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0; | |
stix:target_ref :attack-pattern--63220765-d418-44de-8fae-694b3912317d; | |
dcterms:created "2022-03-30T14:26:51.873Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Monitor executed commands and arguments that may establish persistence by executing malicious content triggered by an interrupt signal."; | |
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--dcafed44-9d31-4d75-915f-660f5fd62fed | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--01e28736-2ffc-455b-9880-ed4d1407ae07; | |
stix:target_ref :malware--fa766a65-5136-4ff3-8429-36d08eaa0100; | |
dcterms:created "2021-03-05T18:09:35.145Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "(Citation: Crowdstrike Indrik November 2018)(Citation: Crowdstrike EvilCorp March 2021)"; | |
dcterms:modified "2021-10-01T20:31:32.461Z"^^xsd:dateTime . | |
:relationship--a3a7d091-49bb-4fd1-9442-d02e83a48ea1 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--269e8108-68c6-4f99-b911-14b2e765dec2; | |
stix:target_ref :attack-pattern--84e02621-8fdf-470f-bd58-993bb6a89d91; | |
dcterms:created "2019-06-05T13:50:11.204Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[MuddyWater](https://attack.mitre.org/groups/G0069) has used one C2 to obtain enumeration scripts and monitor web logs, but a different C2 to send data back.(Citation: Talos MuddyWater May 2019) "; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--927e8d82-d094-4170-bc76-10717ffd8d7f | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--e8545794-b98c-492b-a5b3-4b5a02682e37; | |
stix:target_ref :attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0; | |
dcterms:created "2018-04-18T17:59:24.739Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[POWERSTATS](https://attack.mitre.org/software/S0223) can retrieve IP, network adapter configuration information, and domain from compromised hosts.(Citation: FireEye MuddyWater Mar 2018)(Citation: TrendMicro POWERSTATS V3 June 2019)"; | |
dcterms:modified "2020-05-18T19:37:52.427Z"^^xsd:dateTime . | |
:relationship--2315fa7f-2161-45c1-9f23-d47a96488465 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--fb78294a-7d7a-4d38-8ad0-92e67fddc9f0; | |
stix:target_ref :attack-pattern--24bfaeba-cb0d-4525-b3dc-507c77ecec41; | |
dcterms:created "2022-08-15T17:07:19.295Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[StrifeWater](https://attack.mitre.org/software/S1034) can encrypt C2 traffic using XOR with a hard coded key.(Citation: Cybereason StrifeWater Feb 2022)"; | |
dcterms:modified "2022-10-11T18:43:42.498Z"^^xsd:dateTime . | |
:relationship--8df1a464-9623-46bf-b23b-0430aa0a8c44 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--88c621a7-aef9-4ae0-94e3-1fc87123eb24; | |
stix:target_ref :attack-pattern--24bfaeba-cb0d-4525-b3dc-507c77ecec41; | |
dcterms:created "2019-01-29T14:51:06.828Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[gh0st RAT](https://attack.mitre.org/software/S0032) uses RC4 and XOR to encrypt C2 traffic.(Citation: Nccgroup Gh0st April 2018)"; | |
dcterms:modified "2021-03-29T19:49:11.282Z"^^xsd:dateTime . | |
:relationship--aa4038e3-451f-4ad7-acc7-5c971825967b | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--df71bb3b-813c-45eb-a8bc-f2a419837411; | |
stix:target_ref :attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279; | |
dcterms:created "2020-05-13T19:39:41.704Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Molerats](https://attack.mitre.org/groups/G0021) saved malicious files within the AppData and Startup folders to maintain persistence.(Citation: Kaspersky MoleRATs April 2019)"; | |
dcterms:modified "2020-05-14T14:30:09.500Z"^^xsd:dateTime . | |
:relationship--c128b821-b39b-481a-91a1-a2bad7d6dda2 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--d6b3fcd0-1c86-4350-96f0-965ed02fcc51; | |
stix:target_ref :attack-pattern--04fd5427-79c7-44ea-ae13-11b24778ff1c; | |
dcterms:created "2019-04-23T15:49:35.541Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Ebury](https://attack.mitre.org/software/S0377) has encoded C2 traffic in hexadecimal format.(Citation: ESET Ebury Feb 2014)\t"; | |
dcterms:modified "2020-03-20T18:11:07.913Z"^^xsd:dateTime . | |
:relationship--651fab10-d53c-47ca-bd1d-a40b47d0af41 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--28f04ed3-8e91-4805-b1f6-869020517871; | |
stix:target_ref :attack-pattern--a782ebe2-daba-42c7-bc82-e8e9d923162d; | |
dcterms:created "2020-11-17T21:06:05.077Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Operation Wocao](https://attack.mitre.org/groups/G0116) has executed commands through the installed web shell via Tor exit nodes.(Citation: FoxIT Wocao December 2019)"; | |
dcterms:modified "2022-10-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--33390e6e-f262-48fb-a74a-084c310b3aa2 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--f9d6633a-55e6-4adc-9263-6ae080421a13; | |
stix:target_ref :attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9; | |
dcterms:created "2022-05-25T18:56:20.248Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Magic Hound](https://attack.mitre.org/groups/G0059) has used scheduled tasks to establish persistence and execution.(Citation: DFIR Report APT35 ProxyShell March 2022)(Citation: DFIR Phosphorus November 2021)"; | |
dcterms:modified "2023-01-09T19:49:22.026Z"^^xsd:dateTime . | |
:relationship--2c93a27a-c6f0-46b9-857b-b746e2204670 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--72911fe3-f085-40f7-b4f2-f25a4221fe44; | |
stix:target_ref :attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d; | |
dcterms:created "2021-11-16T15:32:34.263Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[FoggyWeb](https://attack.mitre.org/software/S0661) can remotely exfiltrate sensitive information from a compromised AD FS server.(Citation: MSTIC FoggyWeb September 2021)"; | |
dcterms:modified "2022-04-15T20:01:10.774Z"^^xsd:dateTime . | |
:relationship--519c4c7f-8495-4b8a-b58e-551a78e469cc | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6; | |
stix:target_ref :attack-pattern--c32f7008-9fea-41f7-8366-5eb9b74bd896; | |
dcterms:created "2017-05-31T21:33:27.045Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Turla](https://attack.mitre.org/groups/G0010) surveys a system upon check-in to discover information in the Windows Registry with the <code>reg query</code> command.(Citation: Kaspersky Turla) [Turla](https://attack.mitre.org/groups/G0010) has also retrieved PowerShell payloads hidden in Registry keys as well as checking keys associated with null session named pipes .(Citation: ESET Turla PowerShell May 2019)"; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:malware--7724581b-06ff-4d2b-b77c-80dc8d53070b | |
rdf:type stix:Malware; | |
rdfs:label "Saint Bot"; | |
dcterms:created "2022-06-09T18:50:58.722Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Saint Bot](https://attack.mitre.org/software/S1018) is a .NET downloader that has been used by [Ember Bear](https://attack.mitre.org/groups/G1003) since at least March 2021.(Citation: Malwarebytes Saint Bot April 2021)(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )"; | |
dcterms:modified "2022-06-09T19:56:56.809Z"^^xsd:dateTime . | |
:relationship--289e01df-60e6-4eee-830e-9d742ac10c86 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--d519164e-f5fa-4b8c-a1fb-cf0172ad0983; | |
stix:target_ref :attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62; | |
dcterms:created "2017-05-31T21:33:27.064Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Threat Group-1314](https://attack.mitre.org/groups/G0028) actors spawned shells on remote systems on a victim network to execute commands.(Citation: Dell TG-1314)"; | |
dcterms:modified "2020-03-19T21:58:20.958Z"^^xsd:dateTime . | |
:relationship--52b6181e-881e-4b96-93a3-1292bc2f1352 | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--9378f139-10ef-4e4b-b679-2255a0818902; | |
stix:target_ref :attack-pattern--39a130e1-6ab7-434a-8bd2-418e7d9d6427; | |
dcterms:created "2017-05-31T21:33:27.023Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:modified "2023-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--c7c2e904-7797-4d67-a0bf-dae4abf53689 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--5864e59f-eb4c-43ad-83b2-b5e4fae056c9; | |
stix:target_ref :attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104; | |
dcterms:created "2021-09-09T13:53:16.364Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[ObliqueRAT](https://attack.mitre.org/software/S0644) can check for blocklisted usernames on infected endpoints.(Citation: Talos Oblique RAT March 2021)"; | |
dcterms:modified "2021-10-15T14:43:12.266Z"^^xsd:dateTime . | |
:course-of-action--23bff3ce-021c-4e7a-9aee-60fd40bc7c6c | |
rdf:type stix:CourseOfAction; | |
rdfs:label "Sudo Mitigation"; | |
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "The sudoers file should be strictly edited such that passwords are always required and that users can’t spawn risky processes as users with higher privilege. By requiring a password, even if an adversary can get terminal access, they must know the password to run anything in the sudoers file."; | |
dcterms:modified "2019-07-25T12:03:12.876Z"^^xsd:dateTime . | |
:relationship--24d5ba1b-dbce-4c25-8180-1ee40b8c827f | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--5e78ae92-3ffd-4b16-bf62-e798529d73f1; | |
stix:target_ref :attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e; | |
dcterms:created "2020-05-14T21:40:31.265Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Sharpshooter](https://attack.mitre.org/groups/G0104) has sent malicious DOC and PDF files to targets so that they can be opened by a user.(Citation: McAfee Sharpshooter December 2018)"; | |
dcterms:modified "2022-10-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--87cf80be-bae1-4a12-a754-38cad36724ac | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--23843cff-f7b9-4659-a7b7-713ef347f547; | |
stix:target_ref :attack-pattern--92a78814-b191-47ca-909c-1ccfe3777414; | |
dcterms:created "2023-07-10T15:23:12.206Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Restrict the use of third-party software suites installed within an enterprise network. "; | |
dcterms:modified "2023-07-10T15:23:12.206Z"^^xsd:dateTime . | |
:relationship--d3e06c85-ec0b-4e6d-b1f0-f65ff9bc5e3a | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--f36b2598-515f-4345-84e5-5ccde253edbe; | |
stix:target_ref :attack-pattern--84601337-6a55-4ad7-9c35-79e0d1ea2ab3; | |
dcterms:created "2021-10-06T02:04:09.765Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Dok](https://attack.mitre.org/software/S0281) uses AppleScript to install a login Item by sending Apple events to the <code>System Events</code> process.(Citation: hexed osx.dok analysis 2019)"; | |
dcterms:modified "2021-10-06T02:04:09.765Z"^^xsd:dateTime . | |
:relationship--52ed39dd-0f4c-4e30-8b3b-7eb75b5c87e3 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--64b52e7d-b2c4-4a02-9372-08a463f5dc11; | |
stix:target_ref :attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add; | |
dcterms:created "2022-01-18T18:15:50.985Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Aquatic Panda](https://attack.mitre.org/groups/G0143) has downloaded additional malware onto compromised hosts.(Citation: CrowdStrike AQUATIC PANDA December 2021)"; | |
dcterms:modified "2022-04-10T18:32:55.533Z"^^xsd:dateTime . | |
:relationship--f8b6eae9-cf2b-4b16-8c44-03d989533dd6 | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--90f39ee1-d5a3-4aaa-9f28-3b42815b0d46; | |
stix:target_ref :attack-pattern--f4599aa0-4f85-4a32-80ea-fc39dc965945; | |
dcterms:created "2020-02-21T18:52:23.547Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process. "; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--78ca7fcf-95b9-485c-a87b-2ac083312885 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a; | |
stix:target_ref :attack-pattern--fb640c43-aa6b-431e-a961-a279010424ac; | |
dcterms:created "2019-04-12T16:59:08.044Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Lazarus Group](https://attack.mitre.org/groups/G0032) has used malware like WhiskeyAlfa to overwrite the first 64MB of every drive with a mix of static and random buffers. A similar process is then used to wipe content in logical drives and, finally, attempt to wipe every byte of every sector on every drive. WhiskeyBravo can be used to overwrite the first 4.9MB of physical drives. WhiskeyDelta can overwrite the first 132MB or 1.5MB of each drive with random data from heap memory.(Citation: Novetta Blockbuster Destructive Malware)"; | |
dcterms:modified "2022-07-28T18:55:36.008Z"^^xsd:dateTime . | |
:relationship--529360d5-172a-4326-b993-e3af75d3e7af | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90; | |
stix:target_ref :attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67; | |
dcterms:created "2020-03-17T18:23:51.085Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[BRONZE BUTLER](https://attack.mitre.org/groups/G0060) has used VBS and VBE scripts for execution.(Citation: Secureworks BRONZE BUTLER Oct 2017)(Citation: Trend Micro Tick November 2019)"; | |
dcterms:modified "2020-06-24T01:27:32.169Z"^^xsd:dateTime . | |
:relationship--eda23a3d-a1d0-4e98-85fc-5ac083f53f5c | |
rdf:type stix:Relationship; | |
stix:source_ref :attack-pattern--3d1b9d7e-3921-4d25-845a-7d9f15c0da44; | |
stix:target_ref :attack-pattern--2c4d4e92-0ccf-4a97-b54c-86d662988a53; | |
dcterms:created "2020-01-13T16:33:20.771Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--e4fa961c-e72b-47b3-b0fb-8051f9ca4d63 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--df350889-4de9-44e5-8cb3-888b8343e97c; | |
stix:target_ref :attack-pattern--24bfaeba-cb0d-4525-b3dc-507c77ecec41; | |
dcterms:created "2023-02-08T00:26:56.918Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[metaMain](https://attack.mitre.org/software/S1059) can encrypt the data that it sends and receives from the C2 server using an RC4 encryption algorithm.(Citation: SentinelLabs Metador Sept 2022)(Citation: SentinelLabs Metador Technical Appendix Sept 2022)"; | |
dcterms:modified "2023-04-05T15:01:59.556Z"^^xsd:dateTime . | |
:relationship--03256e99-70fb-4d2d-ac8e-79294aef87dc | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--b9a1578e-8653-4103-be23-cb52e0b1816e; | |
stix:target_ref :attack-pattern--bf90d72c-c00b-45e3-b3aa-68560560d4c5; | |
dcterms:created "2022-03-30T14:26:51.854Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Monitor for contextual data about named pipes on the system."; | |
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--7ec9fb4c-0adb-477e-b8ef-3a7973d40e99 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--28f04ed3-8e91-4805-b1f6-869020517871; | |
stix:target_ref :attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4; | |
dcterms:created "2020-11-18T17:17:06.515Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Operation Wocao](https://attack.mitre.org/groups/G0116) has enabled Wdigest by changing the registry value from 0 to 1.(Citation: FoxIT Wocao December 2019)"; | |
dcterms:modified "2022-10-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--43c68bb8-28e2-4ee0-91aa-ffc16dcc45bc | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--6c575670-d14c-4c7f-9b9d-fd1b363e255d; | |
stix:target_ref :attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c; | |
dcterms:created "2023-01-03T21:06:00.496Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[KEYPLUG](https://attack.mitre.org/software/S1051) can decode its configuration file to determine C2 protocols.(Citation: Mandiant APT41)"; | |
dcterms:modified "2023-01-03T21:06:00.496Z"^^xsd:dateTime . | |
:relationship--37b7ba1e-5093-4a0d-920b-c86d3c9c766b | |
rdf:type stix:Relationship; | |
stix:source_ref :tool--4b57c098-f043-4da2-83ef-7588a6d426bc; | |
stix:target_ref :attack-pattern--f1951e8a-500e-4a26-8803-76d95c4554b4; | |
dcterms:created "2019-04-23T15:06:52.791Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[PoshC2](https://attack.mitre.org/software/S0378) contains an implementation of [PsExec](https://attack.mitre.org/software/S0029) for remote execution.(Citation: GitHub PoshC2)"; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--fcd3bc09-f88b-43d7-989d-10f7058e655e | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--4b6ec280-7bbb-48ff-ae59-b189520ebe83; | |
stix:target_ref :attack-pattern--c325b232-d5bc-4dde-a3ec-71f3db9e8adc; | |
dcterms:created "2020-05-06T21:31:07.327Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Okrum](https://attack.mitre.org/software/S0439) mimics HTTP protocol for C2 communication, while hiding the actual messages in the Cookie and Set-Cookie headers of the HTTP requests.(Citation: ESET Okrum July 2019)"; | |
dcterms:modified "2020-05-06T21:31:07.327Z"^^xsd:dateTime . | |
:relationship--7ee6890f-748e-419e-a442-7dd44e29958a | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--f4c80d39-ce10-4f74-9b50-a7e3f5df1f2e; | |
stix:target_ref :attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161; | |
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Comnie](https://attack.mitre.org/software/S0244) uses HTTP for C2 communication.(Citation: Palo Alto Comnie)"; | |
dcterms:modified "2020-03-17T00:43:32.094Z"^^xsd:dateTime . | |
:relationship--49d40f3b-33b4-424c-a645-82d2a84e5c28 | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--987988f0-cf86-4680-a875-2f6456ab2448; | |
stix:target_ref :attack-pattern--d201d4cc-214d-4a74-a1ba-b3fa09fd4591; | |
dcterms:created "2020-02-21T22:16:10.099Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Restrict the permissions on sensitive files such as <code>/proc/[pid]/maps</code> or <code>/proc/[pid]/mem</code>. "; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--7ae9b8ce-5675-4a39-822c-b603f7ad816b | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c; | |
stix:target_ref :attack-pattern--f0589bc3-a6ae-425a-a3d5-5659bfee07f4; | |
dcterms:created "2022-03-30T14:26:51.853Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Monitor newly constructed files that may modify or add LSASS drivers to obtain persistence on compromised systems."; | |
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--026a63ae-dd3d-4ea6-8a32-c40c9b37b893 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--4ab44516-ad75-4e43-a280-705dc0420e2f; | |
stix:target_ref :attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c; | |
dcterms:created "2018-04-18T17:59:24.739Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[ZeroT](https://attack.mitre.org/software/S0230) shellcode decrypts and decompresses its RC4-encrypted payload.(Citation: Proofpoint ZeroT Feb 2017)"; | |
dcterms:modified "2020-03-17T02:54:39.798Z"^^xsd:dateTime . | |
:relationship--38be247c-74b0-42f3-964e-5f23ef42a353 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265df3258; | |
stix:target_ref :attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5; | |
dcterms:created "2019-07-22T15:35:24.351Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[GALLIUM](https://attack.mitre.org/groups/G0093) collected data from the victim's local system, including password hashes from the SAM hive in the Registry.(Citation: Cybereason Soft Cell June 2019)"; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:x-mitre-data-component--d6257b8e-869c-41c0-8731-fdca40858a91 | |
rdf:type :MitreDataComponent; | |
rdfs:label "User Account Deletion"; | |
dcterms:created "2021-10-20T15:05:19.271Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Removal of an account (ex: Windows EID 4726 or /var/log access/authentication logs)"; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--328e9746-4bb6-47e1-8e71-6418ca04c5fa | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--73a80fab-2aa3-48e0-a4d0-3a4828200aee; | |
stix:target_ref :attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32; | |
dcterms:created "2020-05-27T15:31:09.539Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Blue Mockingbird](https://attack.mitre.org/groups/G0108) has made their XMRIG payloads persistent as a Windows Service.(Citation: RedCanary Mockingbird May 2020)"; | |
dcterms:modified "2020-06-25T13:59:09.943Z"^^xsd:dateTime . | |
:relationship--ac72c3da-6b58-4f66-8476-8d3cc9ccf6bd | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--fbb470da-1d44-4f29-bbb3-9efbe20f94a3; | |
stix:target_ref :attack-pattern--1644e709-12d2-41e5-a60f-3470991f5011; | |
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Mivast](https://attack.mitre.org/software/S0080) has the capability to gather NTLM password information.(Citation: Symantec Backdoor.Mivast)"; | |
dcterms:modified "2020-03-25T16:03:27.015Z"^^xsd:dateTime . | |
:relationship--e6b509c8-0e00-48ac-b76d-f42d18a0ae51 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--fe8796a4-2a02-41a0-9d27-7aa1e995feb6; | |
stix:target_ref :attack-pattern--a2fdce72-04b2-409a-ac10-cc1695f4fce0; | |
dcterms:created "2021-05-26T12:38:01.263Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[APT19](https://attack.mitre.org/groups/G0073) has obtained and used publicly-available tools like [Empire](https://attack.mitre.org/software/S0363).(Citation: NCSC Joint Report Public Tools)(Citation: FireEye APT19)"; | |
dcterms:modified "2021-05-26T12:38:01.263Z"^^xsd:dateTime . | |
:relationship--40ed9be1-9c97-46fc-a967-9468888576a8 | |
rdf:type stix:Relationship; | |
stix:source_ref :campaign--4603cf2f-06d0-4970-9c5d-5071b08c817f; | |
stix:target_ref :malware--e1161124-f22e-487f-9d5f-ed8efc8dcd61; | |
dcterms:created "2022-09-29T20:25:16.869Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "(Citation: Cylance Dust Storm)"; | |
dcterms:modified "2022-09-29T20:25:16.869Z"^^xsd:dateTime . | |
:relationship--c8f99c96-d4f7-49dc-9ee9-0bcae28ab045 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--425771c5-48b4-4ecd-9f95-74ed3fc9da59; | |
stix:target_ref :attack-pattern--322bad5a-1c49-4d23-ab79-76d641794afa; | |
dcterms:created "2021-10-15T13:47:16.400Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[SombRAT](https://attack.mitre.org/software/S0615) can enumerate services on a victim machine.(Citation: BlackBerry CostaRicto November 2020)"; | |
dcterms:modified "2021-10-15T13:47:16.400Z"^^xsd:dateTime . | |
:relationship--dddaffe1-4d47-4ffd-93e4-3827dc9abb50 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--d6b3fcd0-1c86-4350-96f0-965ed02fcc51; | |
stix:target_ref :attack-pattern--32901740-b42c-4fdd-bc02-345b5dc57082; | |
dcterms:created "2019-04-23T15:49:35.554Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Ebury](https://attack.mitre.org/software/S0377) has installed a self-signed RPM package mimicking the original system package on RPM based systems.(Citation: ESET Ebury Feb 2014)"; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--48cff69b-577c-4837-b894-95b19f255134 | |
rdf:type stix:Relationship; | |
stix:source_ref :campaign--4c840263-bbda-440d-a22b-674679ddebf1; | |
stix:target_ref :attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e; | |
dcterms:created "2022-09-16T15:56:47.769Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "During [Operation Spalax](https://attack.mitre.org/campaigns/C0005), the threat actors relied on a victim to open a PDF document and click on an embedded malicious link to download malware.(Citation: ESET Operation Spalax Jan 2021) "; | |
dcterms:modified "2022-09-16T15:56:47.769Z"^^xsd:dateTime . | |
:relationship--a868dec8-2bfc-449e-b720-d4e6c7e37d13 | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c; | |
stix:target_ref :attack-pattern--f870408c-b1cd-49c7-a5c7-0ef0fc496cc6; | |
dcterms:created "2022-03-30T14:26:51.870Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s))."; | |
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--d2a8729f-6271-46a0-8a40-a8567c9e5092 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--32bca8ff-d900-4877-aa65-d70baa041b74; | |
stix:target_ref :tool--ff6caf67-ea1f-4895-b80e-4bb0fc31c6db; | |
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "(Citation: Symantec Leafminer July 2018)"; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--c5e3e18d-124e-4ae2-a95c-9db8f6d53000 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--5147ef15-1cae-4707-8ea1-bee8d98b7f1d; | |
stix:target_ref :attack-pattern--544b0346-29ad-41e1-a808-501bb4193f47; | |
dcterms:created "2020-07-15T19:02:25.131Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[IcedID](https://attack.mitre.org/software/S0483) has used web injection attacks to redirect victims to spoofed sites designed to harvest banking and other credentials. [IcedID](https://attack.mitre.org/software/S0483) can use a self signed TLS certificate in connection with the spoofed site and simultaneously maintains a live connection with the legitimate site to display the correct URL and certificates in the browser.(Citation: IBM IcedID November 2017)(Citation: Juniper IcedID June 2020)"; | |
dcterms:modified "2020-08-14T14:25:54.036Z"^^xsd:dateTime . | |
:relationship--37da9e7e-f366-4211-84bd-34fd9c43d681 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--47afe41c-4c08-485e-b062-c3bd209a1cce; | |
stix:target_ref :attack-pattern--7c0f17c9-1af6-4628-9cbd-9e45482dd605; | |
dcterms:created "2020-08-17T14:37:43.670Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[InvisiMole](https://attack.mitre.org/software/S0260) can inject its code into a trusted process via the APC queue.(Citation: ESET InvisiMole June 2020)"; | |
dcterms:modified "2020-08-17T14:37:43.670Z"^^xsd:dateTime . | |
:relationship--1c935a6d-dd69-4be3-bfed-56c01d0f9413 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--04378e79-4387-468a-a8f7-f974b8254e44; | |
stix:target_ref :attack-pattern--01a5a209-b94c-450b-b7f9-946497d91055; | |
dcterms:created "2022-08-19T20:53:00.366Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Bumblebee](https://attack.mitre.org/software/S1039) can use WMI to gather system information and to spawn processes for code injection.(Citation: Google EXOTIC LILY March 2022)(Citation: Proofpoint Bumblebee April 2022)(Citation: Cybereason Bumblebee August 2022)"; | |
dcterms:modified "2022-10-12T21:50:55.250Z"^^xsd:dateTime . | |
:relationship--f8127cf5-e2b6-41a3-b18f-ba250e2c01f9 | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0; | |
stix:target_ref :attack-pattern--0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d; | |
dcterms:created "2022-03-30T14:26:51.853Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Scripting execution is likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for execution and subsequent behavior. Actions may be related to network and system information [Discovery](https://attack.mitre.org/tactics/TA0007), [Collection](https://attack.mitre.org/tactics/TA0009), or other programmable post-compromise behaviors and could be used as indicators of detection leading back to the source. Monitor for execution of JXA through <code>osascript</code> and usage of <code>OSAScript</code> API that may be related to other suspicious behavior occurring on the system. "; | |
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--699979b0-6a9a-4482-9656-82c8fb210676 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--2f8229dc-da94-41c6-89ba-b5b6c32f6b7d; | |
stix:target_ref :attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a; | |
dcterms:created "2021-08-03T14:06:06.942Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[EnvyScout](https://attack.mitre.org/software/S0634) can Base64 encode payloads.(Citation: MSTIC Nobelium Toolset May 2021)"; | |
dcterms:modified "2021-08-04T13:54:53.439Z"^^xsd:dateTime . | |
:relationship--6eb97f82-c49f-465d-b788-15a789f928b5 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--3be1fb7a-0f7e-415e-8e3a-74a80d596e68; | |
stix:target_ref :attack-pattern--bb5a00de-e086-4859-a231-fa793f6797e2; | |
dcterms:created "2023-04-04T22:02:38.620Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Mafalda](https://attack.mitre.org/software/S1060) can conduct mouse event logging.(Citation: SentinelLabs Metador Technical Appendix Sept 2022)"; | |
dcterms:modified "2023-04-04T22:02:38.620Z"^^xsd:dateTime . | |
:relationship--35aac341-5371-42e8-ad93-3ab94a11b51a | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--7ecc3b4f-5cdb-457e-b55a-df376b359446; | |
stix:target_ref :attack-pattern--0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22; | |
dcterms:created "2017-05-31T21:33:27.070Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Poseidon Group](https://attack.mitre.org/groups/G0033) conducts credential dumping on victims, with a focus on obtaining credentials belonging to domain and database servers.(Citation: Kaspersky Poseidon Group)"; | |
dcterms:modified "2020-03-18T15:34:54.805Z"^^xsd:dateTime . | |
:relationship--c298538c-bab6-4982-9b83-17f752358932 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--1f21da59-6a13-455b-afd0-d58d0a5a7d27; | |
stix:target_ref :attack-pattern--a2fdce72-04b2-409a-ac10-cc1695f4fce0; | |
dcterms:created "2021-10-12T21:57:25.960Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Gorgon Group](https://attack.mitre.org/groups/G0078) has obtained and used tools such as [QuasarRAT](https://attack.mitre.org/software/S0262) and [Remcos](https://attack.mitre.org/software/S0332).(Citation: Unit 42 Gorgon Group Aug 2018)"; | |
dcterms:modified "2021-10-12T21:57:25.960Z"^^xsd:dateTime . | |
:relationship--d08b9cb8-0f97-4933-b0de-40e4626dd13e | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--ecc2f65a-b452-4eaf-9689-7e181f17f7a5; | |
stix:target_ref :attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67; | |
dcterms:created "2019-04-17T19:18:00.433Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Remexi](https://attack.mitre.org/software/S0375) uses AutoIt and VBS scripts throughout its execution process.(Citation: Securelist Remexi Jan 2019)"; | |
dcterms:modified "2020-03-17T19:24:27.802Z"^^xsd:dateTime . | |
:relationship--64c83ccd-f074-4ff2-80c9-05d03f8fc9d3 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--d8bc9788-4f7d-41a9-9e9d-ee1ea18a8cf7; | |
stix:target_ref :attack-pattern--8c32eb4d-805f-4fc5-bf60-c4d476c131b5; | |
dcterms:created "2022-06-10T16:43:53.015Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[LAPSUS$](https://attack.mitre.org/groups/G1004) has recruited target organization employees or contractors who provide credentials and approve an associated MFA prompt, or install remote management software onto a corporate workstation, allowing [LAPSUS$](https://attack.mitre.org/groups/G1004) to take control of an authenticated system.(Citation: MSTIC DEV-0537 Mar 2022)"; | |
dcterms:modified "2022-10-12T13:03:14.255Z"^^xsd:dateTime . | |
:relationship--f8c320cc-97f5-4b3a-8847-92c42b6a48b7 | |
rdf:type stix:Relationship; | |
stix:source_ref :attack-pattern--2db31dcd-54da-405d-acef-b9129b816ed6; | |
stix:target_ref :attack-pattern--54a649ff-439a-41a4-9856-8d144a2551ba; | |
dcterms:created "2020-02-11T18:27:15.862Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--2fdc9078-0737-4b2c-bb6c-f046b63c368b | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--99fdf3b4-96ef-4ab9-b191-fc683441cad0; | |
stix:target_ref :attack-pattern--cba37adb-d6fb-4610-b069-dd04c0643384; | |
dcterms:created "2020-11-19T17:01:57.288Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Bazar](https://attack.mitre.org/software/S0534) can identify the installed antivirus engine.(Citation: Cybereason Bazar July 2020)"; | |
dcterms:modified "2020-11-19T17:01:57.288Z"^^xsd:dateTime . | |
:relationship--09505cc8-8e0f-4283-9329-df2bea12867c | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--29231689-5837-4a7a-aafc-1b65b3f50cc7; | |
stix:target_ref :attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670; | |
dcterms:created "2021-07-02T14:39:07.851Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "The file collection tool used by [RainyDay](https://attack.mitre.org/software/S0629) can utilize native API including <code>ReadDirectoryChangeW</code> for folder monitoring.(Citation: Bitdefender Naikon April 2021)"; | |
dcterms:modified "2021-07-02T14:40:30.230Z"^^xsd:dateTime . | |
:relationship--b09075c8-6a45-4fd1-bdaf-c48a193bdd23 | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--9f387817-df83-432a-b56b-a8fb7f71eedd; | |
stix:target_ref :attack-pattern--53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a; | |
dcterms:created "2022-03-30T14:26:51.834Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Monitor for any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent. "; | |
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime . | |
:x-mitre-data-component--b5b0e8ae-7436-4951-950a-7b83c4dd3f2c | |
rdf:type :MitreDataComponent; | |
rdfs:label "Instance Creation"; | |
dcterms:created "2021-10-20T15:05:19.274Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Initial construction of a new instance (ex: instance.insert within GCP Audit Logs)"; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--52eba50c-4ebb-4e61-8065-4f6483f55321 | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c; | |
stix:target_ref :attack-pattern--9e8b28c9-35fe-48ac-a14d-e6cc032dcbcd; | |
dcterms:created "2022-03-30T14:26:51.869Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Monitor for creation of binaries and service executables that do not occur during a regular software update or an update scheduled by the organization. This behavior also considers files that are overwritten."; | |
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--3b947696-f88a-4e6b-b408-b9f91c3cecdf | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--7e100ca4-e639-48d9-9a9d-8ad84aa7b448; | |
stix:target_ref :attack-pattern--b97f1d35-4249-4486-a6b5-ee60ccf24fab; | |
dcterms:created "2022-09-30T15:34:41.298Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Mori](https://attack.mitre.org/software/S1047) can use `regsvr32.exe` for DLL execution.(Citation: DHS CISA AA22-055A MuddyWater February 2022)"; | |
dcterms:modified "2022-10-12T18:43:03.146Z"^^xsd:dateTime . | |
:relationship--514a384a-2b09-4b4f-9def-8e4007b49734 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--174279b4-399f-4ddb-966e-5efedd1dd5f2; | |
stix:target_ref :attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1; | |
dcterms:created "2023-07-31T18:18:33.737Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Volt Typhoon](https://attack.mitre.org/groups/G1017) has discovered file system types, drive names, size, and free space on compromised systems.(Citation: Microsoft Volt Typhoon May 2023)(Citation: Joint Cybersecurity Advisory Volt Typhoon June 2023)(Citation: Secureworks BRONZE SILHOUETTE May 2023)"; | |
dcterms:modified "2023-09-08T17:13:44.825Z"^^xsd:dateTime . | |
:relationship--e57ffe68-7c4c-42dc-9192-78040606ec58 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--dcac85c1-6485-4790-84f6-de5e6f6b91dd; | |
stix:target_ref :attack-pattern--7fd87010-3a00-4da3-b905-410525e8ec44; | |
dcterms:created "2019-06-21T17:23:28.017Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[PowerStallion](https://attack.mitre.org/software/S0393) uses [PowerShell](https://attack.mitre.org/techniques/T1086) loops to iteratively check for available commands in its OneDrive C2 server."; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:intrusion-set--f29b7c5e-2439-42ad-a86f-9f8984fafae3 | |
rdf:type stix:IntrusionSet; | |
rdfs:label "HEXANE"; | |
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[HEXANE](https://attack.mitre.org/groups/G1001) is a cyber espionage threat group that has targeted oil & gas, telecommunications, aviation, and internet service provider organizations since at least 2017. Targeted companies have been located in the Middle East and Africa, including Israel, Saudi Arabia, Kuwait, Morocco, and Tunisia. [HEXANE](https://attack.mitre.org/groups/G1001)'s TTPs appear similar to [APT33](https://attack.mitre.org/groups/G0064) and [OilRig](https://attack.mitre.org/groups/G0049) but due to differences in victims and tools it is tracked as a separate entity.(Citation: Dragos Hexane)(Citation: Kaspersky Lyceum October 2021)(Citation: ClearSky Siamesekitten August 2021)(Citation: Accenture Lyceum Targets November 2021)"; | |
dcterms:modified "2023-03-22T04:43:59.082Z"^^xsd:dateTime . | |
:relationship--03f288cd-a189-4de9-abd4-6b10bda138a4 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--327b3a25-9e60-4431-b3b6-93b9c64eacbc; | |
stix:target_ref :attack-pattern--7bd9c723-2f78-4309-82c5-47cad406572b; | |
dcterms:created "2022-03-09T21:09:11.109Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Tomiris](https://attack.mitre.org/software/S0671) has connected to a signalization server that provides a URL and port, and then [Tomiris](https://attack.mitre.org/software/S0671) sends a GET request to that URL to establish C2.(Citation: Kaspersky Tomiris Sep 2021)"; | |
dcterms:modified "2022-05-11T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--9e0a19f8-e970-49a1-9952-ae7380247ace | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--23843cff-f7b9-4659-a7b7-713ef347f547; | |
stix:target_ref :attack-pattern--cc3502b5-30cc-4473-ad48-42d51a6ef6d1; | |
dcterms:created "2020-03-09T14:38:24.604Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Prevent users from installing Python where not required."; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--6988bc63-8020-44c2-9e38-03370f97e96a | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa; | |
stix:target_ref :attack-pattern--9e7452df-5144-4b6e-b04a-b66dd4016747; | |
dcterms:created "2022-03-30T14:26:51.852Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Monitor email gateways usually do not scan internal email, but an organization can leverage the journaling-based solution which sends a copy of emails to a security service for offline analysis or incorporate service-integrated solutions using on-premise or API-based integrations to help detect internal spearphishing attacks.(Citation: Trend Micro When Phishing Starts from the Inside 2017)"; | |
dcterms:modified "2022-04-20T14:27:01.264Z"^^xsd:dateTime . | |
:relationship--618d4835-6022-46df-bee1-38fcb97ffb91 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--cb444a16-3ea5-4a91-88c6-f329adcb8af3; | |
stix:target_ref :attack-pattern--cba37adb-d6fb-4610-b069-dd04c0643384; | |
dcterms:created "2019-06-17T18:49:30.445Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[YAHOYAH](https://attack.mitre.org/software/S0388) checks for antimalware solution processes on the system.(Citation: TrendMicro TropicTrooper 2015)"; | |
dcterms:modified "2023-03-23T15:24:22.263Z"^^xsd:dateTime . | |
:relationship--93b62fc4-f024-4482-9ea1-041bc3d29bfd | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--44102191-3a31-45f8-acbe-34bdb441d5ad; | |
stix:target_ref :attack-pattern--2bce5b30-7014-4a5d-ade7-12913fe6ac36; | |
dcterms:created "2020-06-11T19:52:07.230Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Rocke](https://attack.mitre.org/groups/G0106) has cleared log files within the /var/log/ folder.(Citation: Anomali Rocke March 2019)"; | |
dcterms:modified "2020-06-11T19:52:07.230Z"^^xsd:dateTime . | |
:relationship--ddbbd283-6874-4348-82c7-98df6d59ac41 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--4a98e44a-bd52-461e-af1e-a4457de87a36; | |
stix:target_ref :attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18; | |
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[FruitFly](https://attack.mitre.org/software/S0277) looks for specific files and file types.(Citation: objsee mac malware 2017)"; | |
dcterms:modified "2020-01-17T19:43:39.447Z"^^xsd:dateTime . | |
:attack-pattern--04ef4356-8926-45e2-9441-634b6f3dcecb | |
rdf:type d3f:OffensiveTechnique; | |
rdfs:label "LC_LOAD_DYLIB Addition"; | |
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. The LC_LOAD_DYLIB header in a Mach-O binary tells macOS and OS X which dynamic libraries (dylibs) to load during execution time. These can be added ad-hoc to the compiled binary as long adjustments are made to the rest of the fields and dependencies (Citation: Writing Bad Malware for OSX). There are tools available to perform these changes. Any changes will invalidate digital signatures on binaries because the binary is being modified. Adversaries can remediate this issue by simply removing the LC_CODE_SIGNATURE command from the binary so that the signature isn’t checked at load time (Citation: Malware Persistence on OS X)."; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--17e5edb8-fcdf-4581-a428-5a3a75fc675a | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--e2031fd5-02c2-43d4-85e2-b64f474530c2; | |
stix:target_ref :attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5; | |
dcterms:created "2021-10-13T23:51:59.970Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Octopus](https://attack.mitre.org/software/S0340) can exfiltrate files from the system using a documents collector tool.(Citation: ESET Nomadic Octopus 2018)"; | |
dcterms:modified "2021-10-14T14:09:00.920Z"^^xsd:dateTime . | |
:relationship--a8fd0806-56eb-4438-bcce-18f7851a07c6 | |
rdf:type stix:Relationship; | |
stix:source_ref :campaign--c89fa3ff-4773-4daf-8aec-d8f43f10116e; | |
stix:target_ref :attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add; | |
dcterms:created "2023-07-25T20:23:35.966Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "During [C0026](https://attack.mitre.org/campaigns/C0026), the threat actors downloaded malicious payloads onto select compromised hosts.(Citation: Mandiant Suspected Turla Campaign February 2023)"; | |
dcterms:modified "2023-07-25T20:23:35.967Z"^^xsd:dateTime . | |
:relationship--f02fafab-e905-48a4-953d-6238f740cc77 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--1fefb062-feda-484a-8f10-0cebf65e20e3; | |
stix:target_ref :attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add; | |
dcterms:created "2023-10-04T18:06:27.622Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[SharpDisco](https://attack.mitre.org/software/S1089) has been used to download a Python interpreter to `C:\\Users\\Public\\WinTN\\WinTN.exe` as well as other plugins from external sources.(Citation: MoustachedBouncer ESET August 2023)"; | |
dcterms:modified "2023-10-04T18:07:34.751Z"^^xsd:dateTime . | |
:relationship--23d16034-a2eb-40ef-857b-63708e63bf9a | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--06d735e7-1db1-4dbe-ab4b-acbe419f902b; | |
stix:target_ref :attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1; | |
dcterms:created "2018-04-18T17:59:24.739Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Orz](https://attack.mitre.org/software/S0229) can gather the victim OS version and whether it is 64 or 32 bit.(Citation: Proofpoint Leviathan Oct 2017)"; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--9ee064f9-05bc-4b9e-ad95-d1ae4f1c048a | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--a5528622-3a8a-4633-86ce-8cdaf8423858; | |
stix:target_ref :attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32; | |
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[FinFisher](https://attack.mitre.org/software/S0182) creates a new Windows service with the malicious executable for persistence.(Citation: FinFisher Citation)(Citation: Microsoft FinFisher March 2018)"; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--d53305c1-45c5-4a3c-9c9d-c5d324161402 | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--da85d358-741a-410d-9433-20d6269a6170; | |
stix:target_ref :attack-pattern--67720091-eee3-4d2d-ae16-8264567f6f5b; | |
dcterms:created "2022-03-30T14:26:51.832Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "There are many ways to perform UAC bypasses when a user is in the local administrator group on a system, so it may be difficult to target detection on all variations. Efforts should likely be placed on mitigation and collecting enough information on process launches and actions that could be performed before and after a UAC bypass is performed. Some UAC bypass methods rely on modifying specific, user-accessible Registry settings. Analysts should monitor Registry settings for unauthorized changes."; | |
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime . | |
:attack-pattern--24bfaeba-cb0d-4525-b3dc-507c77ecec41 | |
rdf:type d3f:OffensiveTechnique; | |
rdfs:label "Symmetric Cryptography"; | |
dcterms:created "2020-03-16T15:45:17.032Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Adversaries may employ a known symmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Symmetric encryption algorithms use the same key for plaintext encryption and ciphertext decryption. Common symmetric encryption algorithms include AES, DES, 3DES, Blowfish, and RC4."; | |
dcterms:modified "2021-04-29T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--e525352e-0d7e-41e4-bb35-9c50f9ef39c6 | |
rdf:type stix:Relationship; | |
stix:source_ref :attack-pattern--70e52b04-2a0c-4cea-9d18-7149f1df9dc5; | |
stix:target_ref :attack-pattern--b6301b64-ef57-4cce-bb0b-77026f14a8db; | |
dcterms:created "2020-01-24T14:32:40.533Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:attack-pattern--101c3a64-9ba5-46c9-b573-5c501053cbca | |
rdf:type d3f:OffensiveTechnique; | |
rdfs:label "Elevated Execution with Prompt"; | |
dcterms:created "2019-08-08T14:29:37.108Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Adversaries may leverage the AuthorizationExecuteWithPrivileges API to escalate privileges by prompting the user for credentials.(Citation: AppleDocs AuthorizationExecuteWithPrivileges) The purpose of this API is to give application developers an easy way to perform operations with root privileges, such as for application installation or updating. This API does not validate that the program requesting root privileges comes from a reputable source or has been maliciously modified. Although this API is deprecated, it still fully functions in the latest releases of macOS. When calling this API, the user will be prompted to enter their credentials but no checks on the origin or integrity of the program are made. The program calling the API may also load world writable files which can be modified to perform malicious behavior with elevated privileges.\n\nAdversaries may abuse AuthorizationExecuteWithPrivileges to obtain root privileges in order to install malicious software on victims and install persistence mechanisms.(Citation: Death by 1000 installers; it's all broken!)(Citation: Carbon Black Shlayer Feb 2019)(Citation: OSX Coldroot RAT) This technique may be combined with [Masquerading](https://attack.mitre.org/techniques/T1036) to trick the user into granting escalated privileges to malicious code.(Citation: Death by 1000 installers; it's all broken!)(Citation: Carbon Black Shlayer Feb 2019) This technique has also been shown to work by modifying legitimate programs present on the machine that make use of this API.(Citation: Death by 1000 installers; it's all broken!)"; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--e94dc1ba-678b-4c09-9c29-515a5d277ec4 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--532c6004-b1e8-415b-9516-f7c14ba783b1; | |
stix:target_ref :attack-pattern--30973a08-aed9-4edf-8604-9084ce1b5c4f; | |
dcterms:created "2021-09-28T17:59:40.603Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[MarkiRAT](https://attack.mitre.org/software/S0652) can capture clipboard content.(Citation: Kaspersky Ferocious Kitten Jun 2021)"; | |
dcterms:modified "2021-10-15T15:03:46.221Z"^^xsd:dateTime . | |
:relationship--1555866c-1eca-4de3-aded-d745fdd47d1c | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--be25c1c0-1590-4219-a3d5-6f31799d1d1b; | |
stix:target_ref :attack-pattern--348f1eef-964b-4eb6-bb53-69b3dcb0c643; | |
dcterms:created "2022-09-26T18:00:22.254Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "The [FunnyDream](https://attack.mitre.org/software/S1044) FilepakMonitor component can detect removable drive insertion.(Citation: Bitdefender FunnyDream Campaign November 2020)"; | |
dcterms:modified "2022-09-26T18:00:22.254Z"^^xsd:dateTime . | |
:relationship--f4ea1985-0e88-488d-b7ed-ac294719738a | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--2a70812b-f1ef-44db-8578-a496a227aef2; | |
stix:target_ref :attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add; | |
dcterms:created "2021-01-07T20:53:11.172Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[NETWIRE](https://attack.mitre.org/software/S0198) can downloaded payloads from C2 to the compromised host.(Citation: FireEye NETWIRE March 2019)(Citation: Proofpoint NETWIRE December 2020)"; | |
dcterms:modified "2023-09-13T18:16:43.590Z"^^xsd:dateTime . | |
:relationship--2db67ddf-b414-4dc7-87ab-0846a8bd1e8e | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--987988f0-cf86-4680-a875-2f6456ab2448; | |
stix:target_ref :attack-pattern--4ff5d6a8-c062-4c68-a778-36fc5edd564f; | |
dcterms:created "2020-01-23T19:59:52.898Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Restrict storage and execution of Control Panel items to protected directories, such as <code>C:\\Windows</code>, rather than user directories."; | |
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--e8edf0d8-3c24-4082-9177-1bfb6e7d95c6 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--eac3d77f-2b7b-4599-ba74-948dc16633ad; | |
stix:target_ref :attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2; | |
dcterms:created "2020-06-26T16:17:18.217Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Goopy](https://attack.mitre.org/software/S0477) has impersonated the legitimate goopdate.dll, which was dropped on the target system with a legitimate GoogleUpdate.exe.(Citation: Cybereason Cobalt Kitty 2017)"; | |
dcterms:modified "2020-06-29T21:37:56.053Z"^^xsd:dateTime . | |
:relationship--2843ccc2-4869-48a0-8967-b9856a778a2c | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--196f1f32-e0c2-4d46-99cd-234d4b6befe1; | |
stix:target_ref :attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2; | |
dcterms:created "2018-01-16T16:13:52.465Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Felismus](https://attack.mitre.org/software/S0171) has masqueraded as legitimate Adobe Content Management System files.(Citation: Forcepoint Felismus Mar 2017)"; | |
dcterms:modified "2020-03-17T23:48:42.867Z"^^xsd:dateTime . | |
:relationship--9eeb0de3-2010-4f77-949d-501299902a63 | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077; | |
stix:target_ref :attack-pattern--37b11151-1776-4f8f-b328-30939fbf2ceb; | |
dcterms:created "2022-03-30T14:26:51.834Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Monitor for newly executed processes that may abuse AppleScript for execution. Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Actions may be related to network and system information [Discovery](https://attack.mitre.org/tactics/TA0007), [Collection](https://attack.mitre.org/tactics/TA0009), or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script."; | |
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--e711d51c-94d3-4a20-ae11-d3584bae36d9 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--727afb95-3d0f-4451-b297-362a43909923; | |
stix:target_ref :attack-pattern--e4dc8c01-417f-458d-9ee0-bb0617c1b391; | |
dcterms:created "2021-03-22T21:57:48.752Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[ThiefQuest](https://attack.mitre.org/software/S0595) uses a function named <code>is_debugging</code> to perform anti-debugging logic. The function invokes <code>sysctl</code> checking the returned value of <code>P_TRACED</code>. [ThiefQuest](https://attack.mitre.org/software/S0595) also calls <code>ptrace</code> with the <code>PTRACE_DENY_ATTACH</code> flag to prevent debugging.(Citation: wardle evilquest partii)"; | |
dcterms:modified "2022-04-16T15:01:18.203Z"^^xsd:dateTime . | |
:attack-pattern--1988cc35-ced8-4dad-b2d1-7628488fa967 | |
rdf:type d3f:OffensiveTechnique; | |
rdfs:label "Disk Wipe"; | |
dcterms:created "2020-02-20T22:02:20.372Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Adversaries may wipe or corrupt raw disk data on specific systems or in large numbers in a network to interrupt availability to system and network resources. With direct write access to a disk, adversaries may attempt to overwrite portions of disk data. Adversaries may opt to wipe arbitrary portions of disk data and/or wipe disk structures like the master boot record (MBR). A complete wipe of all disk sectors may be attempted.\n\nTo maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware used for wiping disks may have worm-like features to propagate across a network by leveraging additional techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Novetta Blockbuster Destructive Malware)\n\nOn network devices, adversaries may wipe configuration files and other data from the device using [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `erase`.(Citation: erase_cmd_cisco)"; | |
dcterms:modified "2023-05-09T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--3f0d3b07-9996-40bc-a2c3-6ed7eb39e5fc | |
rdf:type stix:Relationship; | |
stix:source_ref :tool--d505fc8b-2e64-46eb-96d6-9ef7ffca5b66; | |
stix:target_ref :attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161; | |
dcterms:created "2022-03-26T03:47:59.041Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Mythic](https://attack.mitre.org/software/S0699) supports HTTP-based C2 profiles.(Citation: Mythc Documentation)\t"; | |
dcterms:modified "2022-03-26T03:47:59.041Z"^^xsd:dateTime . | |
:relationship--6a1d90c0-f103-4e7f-b462-73749407dceb | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--90c218c3-fbf8-4830-98a7-e8cfb7eaa485; | |
stix:target_ref :attack-pattern--f4c1826f-a322-41cd-9557-562100848c84; | |
dcterms:created "2022-02-09T19:46:57.209Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Ensure that <code>AllowReversiblePasswordEncryption</code> property is set to disabled unless there are application requirements.(Citation: store_pwd_rev_enc)"; | |
dcterms:modified "2022-02-10T22:26:34.270Z"^^xsd:dateTime . | |
:relationship--00c0e096-f023-4ccc-8567-d1e8c8494cb5 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--6b1b551c-d770-4f95-8cfc-3cd253c4c04e; | |
stix:target_ref :attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5; | |
dcterms:created "2020-05-11T21:30:27.895Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Frankenstein](https://attack.mitre.org/groups/G0101) has enumerated hosts via [Empire](https://attack.mitre.org/software/S0363), gathering various local system information.(Citation: Talos Frankenstein June 2019)"; | |
dcterms:modified "2022-10-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--1770cc28-c49c-4b70-b4d0-6976efaede16 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--17862c7d-9e60-48a0-b48e-da4dc4c3f6b0; | |
stix:target_ref :attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4; | |
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "A [Patchwork](https://attack.mitre.org/groups/G0040) payload deletes Resiliency Registry keys created by Microsoft Office applications in an apparent effort to trick users into thinking there were no issues during application runs.(Citation: TrendMicro Patchwork Dec 2017)"; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--4f6975b8-e16e-47ba-b241-b2267c5da4ef | |
rdf:type stix:Relationship; | |
stix:source_ref :campaign--b03d5112-e23a-4ac8-add0-be7502d24eff; | |
stix:target_ref :attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5; | |
dcterms:created "2022-09-27T16:21:58.161Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "During [Operation Wocao](https://attack.mitre.org/campaigns/C0014), threat actors exfiltrated files and directories of interest from the targeted system.(Citation: FoxIT Wocao December 2019)"; | |
dcterms:modified "2022-09-27T16:21:58.161Z"^^xsd:dateTime . | |
:relationship--5508061c-abeb-4c96-8daf-cb0d612bce08 | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--8e44412e-3238-4d64-8878-4f11e27784fe; | |
stix:target_ref :attack-pattern--25659dd6-ea12-45c4-97e6-381e3e4b593e; | |
dcterms:created "2022-06-16T13:09:57.102Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Monitor for logging that may suggest a list of available groups and/or their associated settings has been extracted, ex. Windows EID 4798 and 4799."; | |
dcterms:modified "2022-06-16T13:09:57.102Z"^^xsd:dateTime . | |
:relationship--e04e9e57-90e8-44f7-8596-0fc5365360e1 | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1; | |
stix:target_ref :attack-pattern--70d81154-b187-45f9-8ec5-295d01255979; | |
dcterms:created "2022-03-30T14:26:51.847Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Monitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process."; | |
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--616bf309-ed87-4573-8640-416e6f05285d | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542; | |
stix:target_ref :attack-pattern--ef67e13e-5598-4adc-bdb2-998225874fa9; | |
dcterms:created "2021-04-16T21:44:38.728Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[APT29](https://attack.mitre.org/groups/G0016) has used various forms of spearphishing attempting to get a user to click on a malicous link.(Citation: MSTIC NOBELIUM May 2021)(Citation: Secureworks IRON RITUAL USAID Phish May 2021)"; | |
dcterms:modified "2023-03-23T19:33:58.651Z"^^xsd:dateTime . | |
:attack-pattern--09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119 | |
rdf:type d3f:OffensiveTechnique; | |
rdfs:label "Password Guessing"; | |
dcterms:created "2020-02-11T18:38:22.617Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism. An adversary may guess login credentials without prior knowledge of system or environment passwords during an operation by using a list of common passwords. Password guessing may or may not take into account the target's policies on password complexity or use policies that may lock accounts out after a number of failed attempts.\n\nGuessing passwords can be a risky option because it could cause numerous authentication failures and account lockouts, depending on the organization's login failure policies. (Citation: Cylance Cleaver)\n\nTypically, management services over commonly used ports are used when guessing passwords. Commonly targeted services include the following:\n\n* SSH (22/TCP)\n* Telnet (23/TCP)\n* FTP (21/TCP)\n* NetBIOS / SMB / Samba (139/TCP & 445/TCP)\n* LDAP (389/TCP)\n* Kerberos (88/TCP)\n* RDP / Terminal Services (3389/TCP)\n* HTTP/HTTP Management Services (80/TCP & 443/TCP)\n* MSSQL (1433/TCP)\n* Oracle (1521/TCP)\n* MySQL (3306/TCP)\n* VNC (5900/TCP)\n* SNMP (161/UDP and 162/TCP/UDP)\n\nIn addition to management services, adversaries may \"target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols,\" as well as externally facing email applications, such as Office 365.(Citation: US-CERT TA18-068A 2018). Further, adversaries may abuse network device interfaces (such as `wlanAPI`) to brute force accessible wifi-router(s) via wireless authentication protocols.(Citation: Trend Micro Emotet 2020)\n\nIn default environments, LDAP and Kerberos connection attempts are less likely to trigger events over SMB, which creates Windows \"logon failure\" event ID 4625."; | |
dcterms:modified "2023-10-16T16:57:41.743Z"^^xsd:dateTime . | |
:relationship--4d90fd9d-9f9b-45f8-986d-3db43b679905 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--26fed817-e7bf-41f9-829a-9075ffac45c2; | |
stix:target_ref :attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580; | |
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Kasidet](https://attack.mitre.org/software/S0088) has the ability to search for a given process name in processes currently running in the system.(Citation: Zscaler Kasidet)"; | |
dcterms:modified "2020-03-16T17:02:26.253Z"^^xsd:dateTime . | |
:relationship--e0e492ef-c67d-4a02-be8d-2e9a650ea6f0 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6; | |
stix:target_ref :attack-pattern--830c9528-df21-472c-8c14-a036bf17d665; | |
dcterms:created "2020-12-03T20:47:09.694Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Turla](https://attack.mitre.org/groups/G0010) has used legitimate web services including Pastebin, Dropbox, and GitHub for C2 communications.(Citation: Accenture HyperStack October 2020)(Citation: ESET Crutch December 2020)"; | |
dcterms:modified "2020-12-04T21:04:06.898Z"^^xsd:dateTime . | |
:relationship--a3ee84d8-139e-4703-97c9-53cdeea94f66 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c; | |
stix:target_ref :attack-pattern--7385dfaf-6886-4229-9ecd-6fd678040830; | |
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[APT28](https://attack.mitre.org/groups/G0007) uses cmd.exe to execute commands and custom backdoors."; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:malware--ff7ed9c1-dca3-4e62-9da6-72c5d388b8fa | |
rdf:type stix:Malware; | |
rdfs:label "HermeticWizard"; | |
dcterms:created "2022-03-25T20:47:06.942Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[HermeticWizard](https://attack.mitre.org/software/S0698) is a worm that has been used to spread [HermeticWiper](https://attack.mitre.org/software/S0697) in attacks against organizations in Ukraine since at least 2022.(Citation: ESET Hermetic Wizard March 2022)"; | |
dcterms:modified "2022-05-11T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--6f3caebf-2c07-45de-b2f3-622dc8fcf59e | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--86598de0-b347-4928-9eb0-0acbfc21908c; | |
stix:target_ref :attack-pattern--56e0d8b8-3e25-49dd-9050-3aa252f5aa92; | |
dcterms:created "2021-03-29T16:51:26.182Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Deny direct remote access to internal systems through the use of network proxies, gateways, and firewalls."; | |
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--8b86fa49-6d13-42b4-bd48-814abfd6793f | |
rdf:type stix:Relationship; | |
stix:source_ref :attack-pattern--6b57dc31-b814-4a03-8706-28bc20d739c4; | |
stix:target_ref :attack-pattern--a10641f4-87b4-45a3-a906-92a149cb2c27; | |
dcterms:created "2020-06-24T12:42:35.464Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:attack-pattern--799ace7f-e227-4411-baa0-8868704f2a69 | |
rdf:type d3f:OffensiveTechnique; | |
rdfs:label "Indicator Removal"; | |
dcterms:created "2017-05-31T21:30:55.892Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform.\n\nRemoval of these indicators may interfere with event collection, reporting, or other processes used to detect intrusion activity. This may compromise the integrity of security solutions by causing notable events to go unreported. This activity may also impede forensic analysis and incident response, due to lack of sufficient data to determine what occurred."; | |
dcterms:modified "2023-05-09T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--86c16ccf-cd37-4c5a-822b-034448056066 | |
rdf:type stix:Relationship; | |
stix:source_ref :attack-pattern--f63fe421-b1d1-45c0-b8a7-02cd16ff2bed; | |
stix:target_ref :attack-pattern--b6301b64-ef57-4cce-bb0b-77026f14a8db; | |
dcterms:created "2020-01-24T14:26:51.389Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--24892996-c220-4d25-92d8-7db597873090 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--4c4a7846-45d5-4761-8eea-725fa989914c; | |
stix:target_ref :attack-pattern--25659dd6-ea12-45c4-97e6-381e3e4b593e; | |
dcterms:created "2022-10-11T19:18:15.522Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Moses Staff](https://attack.mitre.org/groups/G1009) has collected the administrator username from a compromised host.(Citation: Checkpoint MosesStaff Nov 2021)"; | |
dcterms:modified "2022-10-11T19:18:15.522Z"^^xsd:dateTime . | |
:relationship--ba215171-4b5b-407f-931e-0d97ddb64909 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--64b52e7d-b2c4-4a02-9372-08a463f5dc11; | |
stix:target_ref :malware--a7881f21-e978-4fe4-af56-92c9416a2616; | |
dcterms:created "2022-01-18T18:56:49.708Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "(Citation: CrowdStrike AQUATIC PANDA December 2021)"; | |
dcterms:modified "2022-01-18T18:56:49.708Z"^^xsd:dateTime . | |
:relationship--699d04f6-bace-4bf8-af2a-c80c62fcdd23 | |
rdf:type stix:Relationship; | |
stix:source_ref :campaign--ba6dfa37-f401-4140-88b0-8938f2895e61; | |
stix:target_ref :attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d; | |
dcterms:created "2023-01-04T18:35:19.697Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "During [C0017](https://attack.mitre.org/campaigns/C0017), [APT41](https://attack.mitre.org/groups/G0096) used its Cloudflare services C2 channels for data exfiltration.(Citation: Mandiant APT41)"; | |
dcterms:modified "2023-01-26T16:43:29.430Z"^^xsd:dateTime . | |
:relationship--d670ddce-d32a-4165-a56e-5bb183f4c904 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--ade37ada-14af-4b44-b36c-210eec255d53; | |
stix:target_ref :attack-pattern--25659dd6-ea12-45c4-97e6-381e3e4b593e; | |
dcterms:created "2020-06-19T19:08:40.400Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Valak](https://attack.mitre.org/software/S0476) has the ability to enumerate local admin accounts.(Citation: Cybereason Valak May 2020)"; | |
dcterms:modified "2020-06-22T23:46:45.354Z"^^xsd:dateTime . | |
:relationship--da69efe7-e99e-4d79-a455-c59f4c087b22 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--198db886-47af-4f4c-bff5-11b891f85946; | |
stix:target_ref :attack-pattern--806a49c4-970d-43f9-9acc-ac0ee11e6662; | |
dcterms:created "2019-01-29T17:59:44.519Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Zeus Panda](https://attack.mitre.org/software/S0330) checks processes on the system and if they meet the necessary requirements, it injects into that process.(Citation: GDATA Zeus Panda June 2017)"; | |
dcterms:modified "2020-03-16T19:32:51.125Z"^^xsd:dateTime . | |
:relationship--61929ceb-3933-46f1-a11b-4d67482b1d59 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--f8774023-8021-4ece-9aca-383ac89d2759; | |
stix:target_ref :attack-pattern--7e150503-88e7-4861-866b-ff1ac82c4475; | |
dcterms:created "2021-01-25T13:58:25.281Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Dtrack](https://attack.mitre.org/software/S0567) can collect network and active connection information.(Citation: Securelist Dtrack)"; | |
dcterms:modified "2021-04-26T14:23:04.020Z"^^xsd:dateTime . | |
:relationship--129d828d-a84b-43dc-afc1-f46d8a25de0a | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--083bb47b-02c8-4423-81a2-f9ef58572974; | |
stix:target_ref :attack-pattern--e3a12395-188d-4051-9a16-ea8e14d07b88; | |
dcterms:created "2021-12-08T18:24:25.594Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Backdoor.Oldrea](https://attack.mitre.org/software/S0093) can use a network scanning module to identify ICS-related ports.(Citation: Gigamon Berserk Bear October 2021)"; | |
dcterms:modified "2021-12-08T18:24:25.594Z"^^xsd:dateTime . | |
:malware--5763217a-05b6-4edd-9bca-057e47b5e403 | |
rdf:type stix:Malware; | |
rdfs:label "ShimRat"; | |
dcterms:created "2020-05-12T21:28:20.934Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[ShimRat](https://attack.mitre.org/software/S0444) has been used by the suspected China-based adversary [Mofang](https://attack.mitre.org/groups/G0103) in campaigns targeting multiple countries and sectors including government, military, critical infrastructure, automobile, and weapons development. The name \"[ShimRat](https://attack.mitre.org/software/S0444)\" comes from the malware's extensive use of Windows Application Shimming to maintain persistence. (Citation: FOX-IT May 2016 Mofang)"; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--98c5b069-4550-4e12-98b9-701761c4a39a | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0; | |
stix:target_ref :attack-pattern--208884f1-7b83-4473-ac22-4e1cf6c41471; | |
dcterms:created "2023-03-08T22:41:29.185Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Monitor for abnormal command execution from otherwise non-executable file types (such as `.txt` and `.jpg`). "; | |
dcterms:modified "2023-04-11T22:43:44.996Z"^^xsd:dateTime . | |
:relationship--4cc39e53-3498-4ecc-a316-603f3a47dbf6 | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077; | |
stix:target_ref :attack-pattern--ffe59ad3-ad9b-4b9f-b74f-5beb3c309dc1; | |
dcterms:created "2022-05-06T14:49:39.254Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Analyze process behavior to determine if a process is performing actions it usually does not and/or do no align with its logged command-line arguments.\n\nDetection of process argument spoofing may be difficult as adversaries may momentarily modify stored arguments used for malicious execution. These changes may bypass process creation detection and/or later process memory analysis. Consider monitoring for [Process Hollowing](https://attack.mitre.org/techniques/T1055/012), which includes monitoring for process creation (especially those in a suspended state) as well as access and/or modifications of these processes (especially by the parent process) via Windows API calls.(Citation: Nviso Spoof Command Line 2020)(Citation: Mandiant Endpoint Evading 2019)"; | |
dcterms:modified "2022-05-06T14:49:39.254Z"^^xsd:dateTime . | |
:relationship--f47a9039-b5c0-49e5-9998-2820b075643f | |
rdf:type stix:Relationship; | |
stix:source_ref :tool--115f88dd-0618-4389-83cb-98d33ae81848; | |
stix:target_ref :attack-pattern--30208d3e-0d6b-43c8-883e-44462a514619; | |
dcterms:created "2020-05-12T21:44:41.005Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[ShimRatReporter](https://attack.mitre.org/software/S0445) gathered information automatically, without instruction from a C2, related to the user and host machine that is compiled into a report and sent to the operators.(Citation: FOX-IT May 2016 Mofang)"; | |
dcterms:modified "2020-05-15T18:47:04.386Z"^^xsd:dateTime . | |
:relationship--cca195e2-b748-4881-b2bf-e6b3b993b460 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--f8cb7b36-62ef-4488-8a6d-a7033e3271c1; | |
stix:target_ref :attack-pattern--b97f1d35-4249-4486-a6b5-ee60ccf24fab; | |
dcterms:created "2019-05-24T17:02:44.393Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[WIRTE](https://attack.mitre.org/groups/G0090) has used `regsvr32.exe` to trigger the execution of a malicious script.(Citation: Lab52 WIRTE Apr 2019)"; | |
dcterms:modified "2022-04-15T17:04:28.702Z"^^xsd:dateTime . | |
:relationship--f813e8ab-96d7-4880-a3c2-50e164d4bd66 | |
rdf:type stix:Relationship; | |
stix:source_ref :campaign--4553292d-12c6-4a93-934d-12160370d4e0; | |
stix:target_ref :attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c; | |
dcterms:created "2022-09-16T21:36:39.578Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "During [Operation Honeybee](https://attack.mitre.org/campaigns/C0006), malicious files were decoded prior to execution.(Citation: McAfee Honeybee)"; | |
dcterms:modified "2022-09-16T21:36:39.578Z"^^xsd:dateTime . | |
:relationship--4b314d34-1e53-46a4-a3b8-131a19b256d6 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--d906e6f7-434c-44c0-b51a-ed50af8f7945; | |
stix:target_ref :attack-pattern--e358d692-23c0-4a31-9eb6-ecc13a8d7735; | |
dcterms:created "2019-06-05T17:05:57.768Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[njRAT](https://attack.mitre.org/software/S0385) can identify remote hosts on connected networks.(Citation: Fidelis njRAT June 2013)"; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--ccdab928-86cd-4e6d-b477-0ec156f6105a | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--2e290bfe-93b5-48ce-97d6-edcd6d32b7cf; | |
stix:target_ref :attack-pattern--40f5caa0-4cb7-4117-89fc-d421bb493df3; | |
dcterms:created "2022-02-18T15:21:51.169Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Gamaredon Group](https://attack.mitre.org/groups/G0047) has registered multiple domains to facilitate payload staging and C2.(Citation: Microsoft Actinium February 2022)(Citation: Unit 42 Gamaredon February 2022)"; | |
dcterms:modified "2022-02-21T15:11:39.858Z"^^xsd:dateTime . | |
:relationship--c9fa803b-3d37-49bc-b0b3-ec409ad372fa | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--94d6d788-07bb-4dcc-b62f-e02626b00108; | |
stix:target_ref :attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580; | |
dcterms:created "2021-10-11T15:50:26.291Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[SodaMaster](https://attack.mitre.org/software/S0627) can search a list of running processes.(Citation: Securelist APT10 March 2021)"; | |
dcterms:modified "2021-10-11T15:50:26.291Z"^^xsd:dateTime . | |
:relationship--201802a3-afae-4c10-a125-0fc4fd62f1d2 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--fd19bd82-1b14-49a1-a176-6cdc46b8a826; | |
stix:target_ref :tool--b77b563c-34bb-4fb8-86a3-3694338f7b47; | |
dcterms:created "2023-09-06T15:06:34.897Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "(Citation: Bitdefender Sardonic Aug 2021)"; | |
dcterms:modified "2023-09-19T13:34:13.634Z"^^xsd:dateTime . | |
:relationship--ea71022e-7f2a-4065-9cb1-304f85dbaf6d | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265df3258; | |
stix:target_ref :attack-pattern--e358d692-23c0-4a31-9eb6-ecc13a8d7735; | |
dcterms:created "2019-07-19T17:27:02.530Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[GALLIUM](https://attack.mitre.org/groups/G0093) used a modified version of [NBTscan](https://attack.mitre.org/software/S0590) to identify available NetBIOS name servers over the network as well as <code>ping</code> to identify remote systems.(Citation: Cybereason Soft Cell June 2019)"; | |
dcterms:modified "2021-03-17T16:14:44.277Z"^^xsd:dateTime . | |
:relationship--d75dcb5a-4997-4d2f-b1ba-815ebae54478 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--a7f57cc1-4540-4429-823f-f4e56b8473c9; | |
stix:target_ref :attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62; | |
dcterms:created "2022-06-09T15:40:26.451Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Ember Bear](https://attack.mitre.org/groups/G1003) had used `cmd.exe` and Windows Script Host (wscript) to execute malicious code.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )"; | |
dcterms:modified "2022-06-09T15:40:26.451Z"^^xsd:dateTime . | |
:relationship--f2dfe70c-701e-4cda-997f-12b91f7eb288 | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5; | |
stix:target_ref :attack-pattern--7de1f7ac-5d0c-4c9c-8873-627202205331; | |
dcterms:created "2022-08-03T03:24:18.036Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Monitor certificate-based authentication events, such as EID 4768 when an AD CS certificate is used for Kerberos authentication (especially those that don’t correspond to legitimately issued certificates) or when Secure Channel (`Schannel`, associated with SSL/TLS) is highlighted as the `Logon Process` associated with an EID 4624 logon event.(Citation: SpecterOps Certified Pre Owned)"; | |
dcterms:modified "2022-10-21T20:32:29.699Z"^^xsd:dateTime . | |
:relationship--535e3fbe-e6d9-4608-9689-f8f1f8c1ddc9 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--083bb47b-02c8-4423-81a2-f9ef58572974; | |
stix:target_ref :attack-pattern--43e7dc91-05b2-474c-b9ac-2ed4fe101f4d; | |
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Backdoor.Oldrea](https://attack.mitre.org/software/S0093) injects itself into explorer.exe.(Citation: Symantec Dragonfly)(Citation: Gigamon Berserk Bear October 2021)"; | |
dcterms:modified "2022-05-11T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--a8b39fac-bfe0-49c0-957f-8b8ebe2088c1 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--532c6004-b1e8-415b-9516-f7c14ba783b1; | |
stix:target_ref :attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2; | |
dcterms:created "2021-09-28T18:53:02.507Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[MarkiRAT](https://attack.mitre.org/software/S0652) can masquerade as <code>update.exe</code> and <code>svehost.exe</code>; it has also mimicked legitimate Telegram and Chrome files.(Citation: Kaspersky Ferocious Kitten Jun 2021)"; | |
dcterms:modified "2021-10-15T15:03:46.308Z"^^xsd:dateTime . | |
:relationship--e58cc6e6-cc6c-4a31-9056-e24c8071c736 | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--78bb71be-92b4-46de-acd6-5f998fedf1cc; | |
stix:target_ref :attack-pattern--55fc4df0-b42c-479a-b860-7a6761bcaad0; | |
dcterms:created "2020-10-20T03:34:45.501Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties."; | |
dcterms:modified "2022-10-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--98fd9ed1-abf3-4e2f-b071-8aea2dc44a64 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--aad11e34-02ca-4220-91cd-2ed420af4db3; | |
stix:target_ref :attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62; | |
dcterms:created "2020-05-04T19:13:35.457Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[HotCroissant](https://attack.mitre.org/software/S0431) can remotely open applications on the infected host with the <code>ShellExecuteA</code> command.(Citation: Carbon Black HotCroissant April 2020)"; | |
dcterms:modified "2020-05-04T19:13:35.457Z"^^xsd:dateTime . | |
:relationship--21d94923-38bb-489d-bc6a-23e03fef7b91 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--44e43fad-ffcb-4210-abcf-eaaed9735f80; | |
stix:target_ref :malware--dfa03c7d-79ed-4ce2-b9d1-ddc9dbf56ad2; | |
dcterms:created "2020-05-28T14:00:25.604Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "(Citation: Unit 42 MechaFlounder March 2019)"; | |
dcterms:modified "2020-05-28T14:00:25.604Z"^^xsd:dateTime . | |
:attack-pattern--f5bb433e-bdf6-4781-84bc-35e97e43be89 | |
rdf:type d3f:OffensiveTechnique; | |
rdfs:label "Firmware Corruption"; | |
dcterms:created "2019-04-12T18:28:15.451Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Adversaries may overwrite or corrupt the flash memory contents of system BIOS or other firmware in devices attached to a system in order to render them inoperable or unable to boot, thus denying the availability to use the devices and/or the system.(Citation: Symantec Chernobyl W95.CIH) Firmware is software that is loaded and executed from non-volatile memory on hardware devices in order to initialize and manage device functionality. These devices may include the motherboard, hard drive, or video cards.\n\nIn general, adversaries may manipulate, overwrite, or corrupt firmware in order to deny the use of the system or devices. For example, corruption of firmware responsible for loading the operating system for network devices may render the network devices inoperable.(Citation: dhs_threat_to_net_devices)(Citation: cisa_malware_orgs_ukraine) Depending on the device, this attack may also result in [Data Destruction](https://attack.mitre.org/techniques/T1485). "; | |
dcterms:modified "2022-08-31T17:30:05.440Z"^^xsd:dateTime . | |
:relationship--44cc2a12-21bd-405d-b3d4-ebbf03e28722 | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--86598de0-b347-4928-9eb0-0acbfc21908c; | |
stix:target_ref :attack-pattern--ca205a36-c1ad-488b-aa6c-ab34bdd3a36b; | |
dcterms:created "2019-07-18T17:56:46.196Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Identify critical business and system processes that may be targeted by adversaries and work to isolate and secure those systems against unauthorized access and tampering. "; | |
dcterms:modified "2023-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--a1c62ce5-2f11-415f-bca1-c9021530c090 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--44e43fad-ffcb-4210-abcf-eaaed9735f80; | |
stix:target_ref :attack-pattern--7385dfaf-6886-4229-9ecd-6fd678040830; | |
dcterms:created "2019-02-21T21:17:37.986Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[APT39](https://attack.mitre.org/groups/G0087) has utilized AutoIt and custom scripts to perform internal reconnaissance.(Citation: FireEye APT39 Jan 2019)(Citation: FBI FLASH APT39 September 2020)"; | |
dcterms:modified "2021-10-12T23:00:49.645Z"^^xsd:dateTime . | |
:relationship--48e3f4e2-0506-4b5c-b40c-2c6edc92b0a5 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--ade37ada-14af-4b44-b36c-210eec255d53; | |
stix:target_ref :attack-pattern--84e02621-8fdf-470f-bd58-993bb6a89d91; | |
dcterms:created "2020-09-25T17:35:36.444Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Valak](https://attack.mitre.org/software/S0476) can download additional modules and malware capable of using separate C2 channels.(Citation: Unit 42 Valak July 2020)"; | |
dcterms:modified "2020-09-25T17:35:36.444Z"^^xsd:dateTime . | |
:relationship--29e9bfd8-e2d3-4e25-8683-6605d99538de | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--2e290bfe-93b5-48ce-97d6-edcd6d32b7cf; | |
stix:target_ref :attack-pattern--045d0922-2310-4e60-b5e4-3302302cb3c5; | |
dcterms:created "2020-08-31T15:06:48.172Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Gamaredon Group](https://attack.mitre.org/groups/G0047) malware has used rundll32 to launch additional malicious components.(Citation: ESET Gamaredon June 2020)"; | |
dcterms:modified "2020-08-31T15:06:48.172Z"^^xsd:dateTime . | |
:relationship--18ba352d-274c-4cb5-8916-d95035a2423c | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--b7f627e2-0817-4cd5-8d50-e75f8aa85cc6; | |
stix:target_ref :attack-pattern--3ee16395-03f0-4690-a32e-69ce9ada0f9e; | |
dcterms:created "2023-04-10T17:14:00.713Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[LuminousMoth](https://attack.mitre.org/groups/G1014) has hosted malicious payloads on Dropbox.(Citation: Kaspersky LuminousMoth July 2021)"; | |
dcterms:modified "2023-04-10T17:14:00.713Z"^^xsd:dateTime . | |
:relationship--e41eea8b-20d6-4050-96e6-6b59670f6e65 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--979adb5a-dc30-48f0-9e3d-9a26d866928c; | |
stix:target_ref :attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4; | |
dcterms:created "2021-03-12T18:46:47.265Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Sibot](https://attack.mitre.org/software/S0589) has modified the Registry to install a second-stage script in the <code>HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\sibot</code>.(Citation: MSTIC NOBELIUM Mar 2021)"; | |
dcterms:modified "2023-03-26T20:12:57.204Z"^^xsd:dateTime . | |
:relationship--f3b8a97f-4e9c-4190-be08-467d136fc943 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--ccd61dfc-b03f-4689-8c18-7c97eab08472; | |
stix:target_ref :attack-pattern--bf176076-b789-408e-8cba-7275e81c0ada; | |
dcterms:created "2020-03-20T23:11:09.649Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[CHOPSTICK](https://attack.mitre.org/software/S0023) encrypts C2 communications with TLS.(Citation: ESET Sednit Part 2)"; | |
dcterms:modified "2020-03-20T23:11:09.649Z"^^xsd:dateTime . | |
:relationship--0927eb00-4a08-4ed1-8678-84d6e1e87b98 | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--20f6a9df-37c4-4e20-9e47-025983b1b39d; | |
stix:target_ref :attack-pattern--4fe28b27-b13c-453e-a386-c2ef362a573b; | |
dcterms:created "2020-03-15T16:03:39.245Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Consider filtering network traffic to untrusted or known bad domains and resources. "; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--6d8147e4-fca3-4348-9376-dd96cc7b9e30 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--4b6ec280-7bbb-48ff-ae59-b189520ebe83; | |
stix:target_ref :attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104; | |
dcterms:created "2020-05-06T21:31:07.554Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Okrum](https://attack.mitre.org/software/S0439) can collect the victim username.(Citation: ESET Okrum July 2019)"; | |
dcterms:modified "2020-05-06T21:31:07.554Z"^^xsd:dateTime . | |
:malware--f1314e75-ada8-49f4-b281-b1fb8b48f2a7 | |
rdf:type stix:Malware; | |
rdfs:label "OSX/Shlayer"; | |
dcterms:created "2019-08-29T18:52:20.879Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[OSX/Shlayer](https://attack.mitre.org/software/S0402) is a Trojan designed to install adware on macOS that was first discovered in 2018.(Citation: Carbon Black Shlayer Feb 2019)(Citation: Intego Shlayer Feb 2018)"; | |
dcterms:modified "2023-08-30T16:28:36.699Z"^^xsd:dateTime . | |
:relationship--ede8d04b-ac86-4210-af8c-52bb75fef6f3 | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--47e0e9fe-96ce-4f65-8bb1-8be1feacb5db; | |
stix:target_ref :attack-pattern--215190a9-9f02-4e83-bb5f-e0589965a302; | |
dcterms:created "2019-07-18T17:31:27.470Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Block execution of Regsvcs.exe and Regasm.exe if they are not required for a given system or network to prevent potential misuse by adversaries."; | |
dcterms:modified "2023-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--8996ab0b-8bc5-4c17-9bd5-a29b6c771f62 | |
rdf:type stix:Relationship; | |
stix:source_ref :campaign--ba6dfa37-f401-4140-88b0-8938f2895e61; | |
stix:target_ref :attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2; | |
dcterms:created "2022-12-20T19:51:29.692Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "During [C0017](https://attack.mitre.org/campaigns/C0017), [APT41](https://attack.mitre.org/groups/G0096) used file names beginning with USERS, SYSUSER, and SYSLOG for [DEADEYE](https://attack.mitre.org/software/S1052), and changed [KEYPLUG](https://attack.mitre.org/software/S1051) file extensions from .vmp to .upx likely to avoid hunting detections.(Citation: Mandiant APT41)"; | |
dcterms:modified "2023-01-25T21:09:14.791Z"^^xsd:dateTime . | |
:relationship--ba7fad22-26af-43f1-a120-6a4d4269d9ab | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--c77c5576-ca19-42ed-a36f-4b4486a84133; | |
stix:target_ref :attack-pattern--d511a6f6-4a33-41d5-bc95-c343875d1377; | |
dcterms:created "2020-12-18T16:54:50.273Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) has executed base64 encoded PowerShell scripts on compromised hosts.(Citation: Tetra Defense Sodinokibi March 2020)"; | |
dcterms:modified "2023-03-22T04:40:20.070Z"^^xsd:dateTime . | |
:relationship--502d4200-719b-4b42-8221-0ecd0ed0d6e7 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--04378e79-4387-468a-a8f7-f974b8254e44; | |
stix:target_ref :attack-pattern--cba37adb-d6fb-4610-b069-dd04c0643384; | |
dcterms:created "2022-08-24T19:57:43.105Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Bumblebee](https://attack.mitre.org/software/S1039) can identify specific analytical tools based on running processes.(Citation: Proofpoint Bumblebee April 2022)(Citation: Symantec Bumblebee June 2022)(Citation: Medium Ali Salem Bumblebee April 2022)"; | |
dcterms:modified "2022-09-06T13:43:26.336Z"^^xsd:dateTime . | |
:relationship--2fb450c6-e236-4b81-b5ac-a9d4be0cf167 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--76abb3ef-dafd-4762-97cb-a35379429db4; | |
stix:target_ref :attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279; | |
dcterms:created "2018-01-16T16:13:52.465Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Gazer](https://attack.mitre.org/software/S0168) can establish persistence by creating a .lnk file in the Start menu.(Citation: ESET Gazer Aug 2017)(Citation: Securelist WhiteBear Aug 2017)"; | |
dcterms:modified "2020-03-17T01:22:43.612Z"^^xsd:dateTime . | |
:relationship--833c9993-3551-45af-9bbd-413de2d4dac3 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--64b52e7d-b2c4-4a02-9372-08a463f5dc11; | |
stix:target_ref :attack-pattern--cba37adb-d6fb-4610-b069-dd04c0643384; | |
dcterms:created "2022-01-18T18:04:47.164Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Aquatic Panda](https://attack.mitre.org/groups/G0143) has attempted to discover third party endpoint detection and response (EDR) tools on compromised systems.(Citation: CrowdStrike AQUATIC PANDA December 2021)"; | |
dcterms:modified "2022-01-18T18:04:47.164Z"^^xsd:dateTime . | |
:relationship--e40a416e-ca15-4c15-b469-20549b81e6bd | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--8c1f0187-0826-4320-bddc-5f326cfcfe2c; | |
stix:target_ref :attack-pattern--01a5a209-b94c-450b-b7f9-946497d91055; | |
dcterms:created "2020-08-27T17:29:05.225Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Chimera](https://attack.mitre.org/groups/G0114) has used WMIC to execute remote commands.(Citation: Cycraft Chimera April 2020)(Citation: NCC Group Chimera January 2021)"; | |
dcterms:modified "2023-02-06T18:11:56.981Z"^^xsd:dateTime . | |
:relationship--77b9cc09-ebbe-44cc-86dc-452a9648caef | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0; | |
stix:target_ref :attack-pattern--22905430-4901-4c2a-84f6-98243cb173f8; | |
dcterms:created "2022-03-30T14:26:51.850Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Monitor executed commands and arguments that may attempt to hide artifacts associated with their behaviors to evade detection."; | |
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--dfeef37f-a2da-4e85-addb-2bace5fd2de5 | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--da85d358-741a-410d-9433-20d6269a6170; | |
stix:target_ref :attack-pattern--650c784b-7504-4df7-ab2c-4ea882384d1e; | |
dcterms:created "2022-03-30T14:26:51.853Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Monitor HKLM\\Software\\Policies\\Microsoft\\Windows NT\\DNSClient for changes to the \"EnableMulticast\" DWORD value. A value of \"0\" indicates LLMNR is disabled."; | |
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--1525d82a-05a7-4027-9d2d-02f8039d68b5 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--6713ab67-e25b-49cc-808d-2b36d4fbc35c; | |
stix:target_ref :attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add; | |
dcterms:created "2022-03-22T15:32:50.210Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Ke3chang](https://attack.mitre.org/groups/G0004) has used tools to download files to compromised machines.(Citation: Microsoft NICKEL December 2021)"; | |
dcterms:modified "2022-04-15T17:25:01.727Z"^^xsd:dateTime . | |
:relationship--03aece39-d7a2-47a4-be1a-b1d6f1d72654 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--b7f627e2-0817-4cd5-8d50-e75f8aa85cc6; | |
stix:target_ref :attack-pattern--bf1b6176-597c-4600-bfcd-ac989670f96b; | |
dcterms:created "2023-02-23T18:19:34.153Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[LuminousMoth](https://attack.mitre.org/groups/G1014) has exfiltrated data to Google Drive.(Citation: Bitdefender LuminousMoth July 2021)"; | |
dcterms:modified "2023-04-10T16:01:14.160Z"^^xsd:dateTime . | |
:relationship--26c10016-0df4-4dc0-a74b-4b0d51876965 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--4f1c389e-a80e-4a3e-9b0e-9be8c91df64f; | |
stix:target_ref :attack-pattern--118f61a5-eb3e-4fb6-931f-2096647f4ecd; | |
dcterms:created "2021-04-06T15:53:34.982Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Doki](https://attack.mitre.org/software/S0600) has used the DynDNS service and a DGA based on the Dogecoin blockchain to generate C2 domains.(Citation: Intezer Doki July 20)"; | |
dcterms:modified "2021-04-09T13:34:40.215Z"^^xsd:dateTime . | |
:relationship--cbf9284f-2f47-4d1f-b708-861b0e1e85b5 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--eac3d77f-2b7b-4599-ba74-948dc16633ad; | |
stix:target_ref :attack-pattern--e64c62cf-9cd7-4a14-94ec-cdaac43ab44b; | |
dcterms:created "2020-06-19T21:25:43.678Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Goopy](https://attack.mitre.org/software/S0477) has the ability to side-load malicious DLLs with legitimate applications from Kaspersky, Microsoft, and Google.(Citation: Cybereason Cobalt Kitty 2017)"; | |
dcterms:modified "2020-06-29T21:37:55.984Z"^^xsd:dateTime . | |
:relationship--81a6a1c2-a834-47ed-ba5e-3048c62115ff | |
rdf:type stix:Relationship; | |
stix:source_ref :attack-pattern--7decb26c-715c-40cf-b7e0-026f7d7cc215; | |
stix:target_ref :attack-pattern--a10641f4-87b4-45a3-a906-92a149cb2c27; | |
dcterms:created "2022-03-04T18:30:39.100Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--f04dbb1e-bf75-4eee-9222-374c704bc07b | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--bdee9574-7479-4073-a7dc-e86d8acd073a; | |
stix:target_ref :attack-pattern--b8902400-e6c5-4ba2-95aa-2d35b442b118; | |
dcterms:created "2022-06-09T14:48:40.963Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[MacMa](https://attack.mitre.org/software/S1016) has used TLS encryption to initialize a custom protocol for C2 communications.(Citation: ESET DazzleSpy Jan 2022)"; | |
dcterms:modified "2022-06-09T14:48:40.963Z"^^xsd:dateTime . | |
:relationship--2c7ff110-3d42-4e1c-b53f-449fa6cc6ab9 | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--21da4fd4-27ad-4e9c-b93d-0b9b14d02c96; | |
stix:target_ref :attack-pattern--27960489-4e7f-461d-a62a-f5c0cb521e4a; | |
dcterms:created "2019-08-30T12:55:58.775Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Update corporate policies to restrict what types of third-party applications may be added to any online service or tool that is linked to the company's information, accounts or network (example: Google, Microsoft, Dropbox, Basecamp, GitHub). However, rather than providing high-level guidance on this, be extremely specific—include a list of pre-approved applications and deny all others not on the list. Administrators may also block end-user consent through administrative portals, such as the Azure Portal, disabling users from authorizing third-party apps through OAuth and forcing administrative consent.(Citation: Microsoft Azure AD Admin Consent)"; | |
dcterms:modified "2023-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--0bb1573c-f30f-449c-931e-c5de024e96f8 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--5c747acd-47f0-4c5a-b9e5-213541fc01e0; | |
stix:target_ref :attack-pattern--deb98323-e13f-4b0c-8d94-175379069062; | |
dcterms:created "2021-04-25T21:45:21.073Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[GoldMax](https://attack.mitre.org/software/S0588) has been packed for obfuscation.(Citation: FireEye SUNSHUTTLE Mar 2021)"; | |
dcterms:modified "2021-04-25T21:45:21.073Z"^^xsd:dateTime . | |
:relationship--8e2b7383-c6dc-40c1-bb88-3176ff98c9dc | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--3ae6097d-d700-46c6-8b21-42fc0bcb48fa; | |
stix:target_ref :attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c; | |
dcterms:created "2020-12-23T13:37:53.541Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[DropBook](https://attack.mitre.org/software/S0547) can unarchive data downloaded from the C2 to obtain the payload and persistence modules.(Citation: Cybereason Molerats Dec 2020) "; | |
dcterms:modified "2020-12-23T13:37:53.541Z"^^xsd:dateTime . | |
:relationship--747c6b21-0916-43ee-9655-937cc9e9f0ab | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--90f39ee1-d5a3-4aaa-9f28-3b42815b0d46; | |
stix:target_ref :attack-pattern--2c4d4e92-0ccf-4a97-b54c-86d662988a53; | |
dcterms:created "2021-07-07T01:57:06.451Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Office applications from creating child processes and from writing potentially malicious executable content to disk. (Citation: win10_asr)"; | |
dcterms:modified "2021-09-20T17:42:18.690Z"^^xsd:dateTime . | |
:relationship--c0792868-a5da-4486-9b3b-cefbc2667e54 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--54dfec3e-6464-4f74-9d69-b7c817b7e5a3; | |
stix:target_ref :attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279; | |
dcterms:created "2021-03-05T18:54:56.747Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Higaisa](https://attack.mitre.org/groups/G0126) added a spoofed binary to the start-up folder for persistence.(Citation: Malwarebytes Higaisa 2020)(Citation: Zscaler Higaisa 2020)"; | |
dcterms:modified "2021-03-05T18:54:56.747Z"^^xsd:dateTime . | |
:relationship--44858dc2-c869-42a0-8f67-3ddd9660b538 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--6a2e693f-24e5-451a-9f88-b36a108e5662; | |
stix:target_ref :tool--2fab555f-7664-4623-b4e0-1675ae38190b; | |
dcterms:created "2017-05-31T21:33:27.037Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "(Citation: Mandiant APT1)"; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--147cd553-fd25-46ea-83ed-594cdb82c440 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--3bc7e862-5610-4c02-9c48-15b2e2dc1ddb; | |
stix:target_ref :attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104; | |
dcterms:created "2023-02-14T18:29:52.943Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Woody RAT](https://attack.mitre.org/software/S1065) can retrieve a list of user accounts and usernames from an infected machine.(Citation: MalwareBytes WoodyRAT Aug 2022)"; | |
dcterms:modified "2023-02-14T18:29:52.943Z"^^xsd:dateTime . | |
:intrusion-set--94873029-f950-4268-9cfd-5032e15cb182 | |
rdf:type stix:IntrusionSet; | |
rdfs:label "TA551"; | |
dcterms:created "2021-03-19T21:04:00.692Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[TA551](https://attack.mitre.org/groups/G0127) is a financially-motivated threat group that has been active since at least 2018. (Citation: Secureworks GOLD CABIN) The group has primarily targeted English, German, Italian, and Japanese speakers through email-based malware distribution campaigns. (Citation: Unit 42 TA551 Jan 2021)"; | |
dcterms:modified "2023-03-22T05:40:21.255Z"^^xsd:dateTime . | |
:relationship--9774fd36-2d85-4570-9f63-97f2d6c1ca6c | |
rdf:type stix:Relationship; | |
stix:source_ref :attack-pattern--4cbc6a62-9e34-4f94-8a19-5c1a11392a49; | |
stix:target_ref :attack-pattern--457c7820-d331-465a-915e-42f85500ccc4; | |
dcterms:created "2020-03-27T21:08:25.409Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--591c9a90-95e5-44cc-8a16-2d972c7174e9 | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0; | |
stix:target_ref :attack-pattern--4d2a5b3e-340d-4600-9123-309dd63c9bf8; | |
dcterms:created "2022-03-30T14:26:51.867Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Monitor executed commands and arguments that may hijack a legitimate user's SSH session to move laterally within an environment."; | |
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--ecb0d858-dd15-4181-b15b-76459db1d294 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--5967cc93-57c9-404a-8ffd-097edfa7bdfc; | |
stix:target_ref :attack-pattern--b97f1d35-4249-4486-a6b5-ee60ccf24fab; | |
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Hi-Zor](https://attack.mitre.org/software/S0087) executes using regsvr32.exe called from the [Registry Run Keys / Startup Folder](https://attack.mitre.org/techniques/T1547/001) persistence mechanism.(Citation: Fidelis INOCNATION)"; | |
dcterms:modified "2021-02-09T14:57:16.183Z"^^xsd:dateTime . | |
:relationship--e6884060-8245-46ff-b71f-025c6a82eb3f | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--f72251cb-2be5-421f-a081-99c29a1209e7; | |
stix:target_ref :attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4; | |
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[MacSpy](https://attack.mitre.org/software/S0282) captures keystrokes.(Citation: objsee mac malware 2017)"; | |
dcterms:modified "2020-03-16T17:10:02.084Z"^^xsd:dateTime . | |
:malware--251fbae2-78f6-4de7-84f6-194c727a64ad | |
rdf:type stix:Malware; | |
rdfs:label "Lurid"; | |
dcterms:created "2017-05-31T21:32:14.527Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Lurid](https://attack.mitre.org/software/S0010) is a malware family that has been used by several groups, including [PittyTiger](https://attack.mitre.org/groups/G0011), in targeted attacks as far back as 2006. (Citation: Villeneuve 2014) (Citation: Villeneuve 2011)"; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--e465cb38-ba50-4d2d-b2cd-659742815317 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--295721d2-ee20-4fa3-ade3-37f4146b4570; | |
stix:target_ref :attack-pattern--1b7ba276-eedc-4951-a762-0ceea2c030ec; | |
dcterms:created "2021-06-11T19:27:09.116Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[AppleSeed](https://attack.mitre.org/software/S0622) can find and collect data from removable media devices.(Citation: Malwarebytes Kimsuky June 2021)(Citation: KISA Operation Muzabi)"; | |
dcterms:modified "2022-04-18T17:53:22.381Z"^^xsd:dateTime . | |
:relationship--2df6acb7-87cc-49be-9cd6-6adbdfdd773f | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--d46272ce-a0fe-4256-855e-738de7bb63ee; | |
stix:target_ref :attack-pattern--144e007b-e638-431d-a894-45d90c54ab90; | |
dcterms:created "2022-03-30T14:26:51.856Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Monitor for the unexpected changes to cloud block storage volumes . To reduce false positives, valid change management procedures could introduce a known identifier that is logged with the change (e.g., tag or header) if supported by the cloud provider, to help distinguish valid, expected actions from malicious ones."; | |
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--4269e5cb-b2ad-4757-b0b0-bfd5e8b7dc38 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--129f2f77-1ab2-4c35-bd5e-21260cee92af; | |
stix:target_ref :attack-pattern--b1ccd744-3f78-4a0e-9bb2-2002057f7928; | |
dcterms:created "2022-08-19T19:21:57.754Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[EXOTIC LILY](https://attack.mitre.org/groups/G1011) has established social media profiles to mimic employees of targeted companies.(Citation: Google EXOTIC LILY March 2022)"; | |
dcterms:modified "2022-08-19T19:21:57.754Z"^^xsd:dateTime . | |
:relationship--1be18787-844d-4135-9781-e5b6a8e76d14 | |
rdf:type stix:Relationship; | |
stix:source_ref :tool--7cd0bc75-055b-4098-a00e-83dc8beaff14; | |
stix:target_ref :attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279; | |
dcterms:created "2019-01-29T18:55:20.763Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Remcos](https://attack.mitre.org/software/S0332) can add itself to the Registry key <code>HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run</code> for persistence.(Citation: Fortinet Remcos Feb 2017)"; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--a4346806-c7aa-4fa4-896d-a279ceeaf487 | |
rdf:type stix:Relationship; | |
stix:source_ref :campaign--808d6b30-df4e-4341-8248-724da4bac650; | |
stix:target_ref :attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62; | |
dcterms:created "2023-03-26T15:11:14.242Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "During the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024), [APT29](https://attack.mitre.org/groups/G0016) used `cmd.exe` to execute commands on remote machines.(Citation: Volexity SolarWinds)(Citation: Microsoft Analyzing Solorigate Dec 2020)"; | |
dcterms:modified "2023-03-26T15:11:14.242Z"^^xsd:dateTime . | |
:relationship--55ec954d-e553-4055-bc56-56b9dd0c433f | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--0c52f5bc-557d-4083-bd27-66d7cdb794bb; | |
stix:target_ref :attack-pattern--3489cfc5-640f-4bb3-a103-9137b97de79f; | |
dcterms:created "2023-09-06T14:21:40.920Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Sardonic](https://attack.mitre.org/software/S1085) has the ability to execute the `net view` command.(Citation: Bitdefender Sardonic Aug 2021)"; | |
dcterms:modified "2023-09-19T13:34:13.639Z"^^xsd:dateTime . | |
:relationship--f837c70e-984e-4681-ab3a-0ad4ad1a512f | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--c009560a-f097-45a3-8f9f-78ec1440a783; | |
stix:target_ref :attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32; | |
dcterms:created "2021-11-29T19:16:55.963Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[SysUpdate](https://attack.mitre.org/software/S0663) can create a service to establish persistence.(Citation: Trend Micro Iron Tiger April 2021)"; | |
dcterms:modified "2021-11-29T19:16:55.963Z"^^xsd:dateTime . | |
:relationship--56d023cf-4390-40d9-afc6-cb0d40b4cdd1 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c; | |
stix:target_ref :attack-pattern--348f1eef-964b-4eb6-bb53-69b3dcb0c643; | |
dcterms:created "2017-05-31T21:33:27.040Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[APT28](https://attack.mitre.org/groups/G0007) uses a module to receive a notification every time a USB mass storage device is inserted into a victim.(Citation: Microsoft SIR Vol 19)"; | |
dcterms:modified "2019-12-20T14:26:00.564Z"^^xsd:dateTime . | |
:relationship--1f1de0ea-581b-4b41-953f-1b8f552f84e7 | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--d2a24649-9694-4c97-9c62-ce7b270bf6a3; | |
stix:target_ref :attack-pattern--457c7820-d331-465a-915e-42f85500ccc4; | |
dcterms:created "2020-03-29T17:17:31.571Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Microsoft's Enhanced Mitigation Experience Toolkit (EMET) Attack Surface Reduction (ASR) feature can be used to block methods of using using trusted binaries to bypass application control."; | |
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--80d612e4-8d4a-45f7-8c29-d44a1aae794c | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--269e8108-68c6-4f99-b911-14b2e765dec2; | |
stix:target_ref :attack-pattern--120d5519-3098-4e1c-9191-2aa61232f073; | |
dcterms:created "2019-01-30T17:33:40.871Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[MuddyWater](https://attack.mitre.org/groups/G0069) uses various techniques to bypass UAC.(Citation: ClearSky MuddyWater Nov 2018)"; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--8b0e9de1-a7b0-479e-aee7-76f2549508c6 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--d69c8146-ab35-4d50-8382-6fc80e641d43; | |
stix:target_ref :attack-pattern--f7827069-0bf2-4764-af4f-23fae0d181b7; | |
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[BLACKCOFFEE](https://attack.mitre.org/software/S0069) uses Microsoft’s TechNet Web portal to obtain a dead drop resolver containing an encoded tag with the IP address of a command and control server.(Citation: FireEye APT17)(Citation: FireEye Periscope March 2018)"; | |
dcterms:modified "2020-03-20T21:04:48.996Z"^^xsd:dateTime . | |
:relationship--391c4e76-2560-4a05-9024-1e16b4cdd3ae | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c; | |
stix:target_ref :attack-pattern--5d0d3609-d06d-49e1-b9c9-b544e0c618cb; | |
dcterms:created "2022-03-30T14:26:51.876Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "File monitoring may be used to detect changes to files in the Web directory of a Web server that do not match with updates to the Web server's content and may indicate implantation of a Web shell script.(Citation: NSA Cyber Mitigating Web Shells)"; | |
dcterms:modified "2022-03-30T14:26:51.876Z"^^xsd:dateTime . | |
:attack-pattern--2339cf19-8f1e-48f7-8a91-0262ba547b6f | |
rdf:type d3f:OffensiveTechnique; | |
rdfs:label "Identify Business Tempo"; | |
dcterms:created "2020-10-02T16:34:32.435Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Adversaries may gather information about the victim's business tempo that can be used during targeting. Information about an organization’s business tempo may include a variety of details, including operational hours/days of the week. This information may also reveal times/dates of purchases and shipments of the victim’s hardware and software resources.\n\nAdversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about business tempo may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: ThreatPost Broadvoice Leak) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199))"; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--926f0751-679b-474e-acd0-06e485afd9f5 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--e355fc84-6f3c-4888-8e0a-d7fa9c378532; | |
stix:target_ref :attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67; | |
dcterms:created "2022-08-18T15:34:15.069Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[STARWHALE](https://attack.mitre.org/software/S1037) can use the VBScript function `GetRef` as part of its persistence mechanism.(Citation: Mandiant UNC3313 Feb 2022)"; | |
dcterms:modified "2022-10-14T15:23:17.972Z"^^xsd:dateTime . | |
:relationship--9453d60b-4f3f-494f-985d-e29094ef8945 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--fde50aaa-f5de-4cb8-989a-babb57d6a704; | |
stix:target_ref :attack-pattern--f1951e8a-500e-4a26-8803-76d95c4554b4; | |
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Net Crawler](https://attack.mitre.org/software/S0056) uses [PsExec](https://attack.mitre.org/software/S0029) to perform remote service manipulation to execute a copy of itself as part of lateral movement.(Citation: Cylance Cleaver)"; | |
dcterms:modified "2022-07-22T18:37:22.200Z"^^xsd:dateTime . | |
:relationship--ed91791b-8e5a-4e0c-b77c-6fad78be7378 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--9b325b06-35a1-457d-be46-a4ecc0b7ff0c; | |
stix:target_ref :attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736; | |
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "There is a variant of [RATANKBA](https://attack.mitre.org/software/S0241) that uses a PowerShell script instead of the traditional PE form.(Citation: Lazarus RATANKBA)(Citation: RATANKBA)"; | |
dcterms:modified "2020-09-02T18:46:33.031Z"^^xsd:dateTime . | |
:relationship--180f0c7c-c7bb-4131-b831-f406ee0516e2 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--65ffc206-d7c1-45b3-b543-f6b726e7840d; | |
stix:target_ref :attack-pattern--24bfaeba-cb0d-4525-b3dc-507c77ecec41; | |
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Bisonal](https://attack.mitre.org/software/S0268) variants reported on in 2014 and 2015 used a simple XOR cipher for C2. Some [Bisonal](https://attack.mitre.org/software/S0268) samples encrypt C2 communications with RC4.(Citation: Unit 42 Bisonal July 2018)(Citation: Kaspersky CactusPete Aug 2020)(Citation: Talos Bisonal Mar 2020) "; | |
dcterms:modified "2022-04-18T18:11:05.542Z"^^xsd:dateTime . | |
:relationship--277532f0-8f01-4b9d-b59a-3c993f5e528d | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--7251b44b-6072-476c-b8d9-a6e32c355b28; | |
stix:target_ref :attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736; | |
dcterms:created "2023-09-26T18:38:56.338Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[MoustachedBouncer](https://attack.mitre.org/groups/G1019) has used plugins to execute PowerShell scripts.(Citation: MoustachedBouncer ESET August 2023)"; | |
dcterms:modified "2023-09-26T18:38:56.338Z"^^xsd:dateTime . | |
:tool--c8655260-9f4b-44e3-85e1-6538a5f6e4f4 | |
rdf:type stix:Tool; | |
rdfs:label "Koadic"; | |
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Koadic](https://attack.mitre.org/software/S0250) is a Windows post-exploitation framework and penetration testing tool that is publicly available on GitHub. [Koadic](https://attack.mitre.org/software/S0250) has several options for staging payloads and creating implants, and performs most of its operations using Windows Script Host.(Citation: Github Koadic)(Citation: Palo Alto Sofacy 06-2018)(Citation: MalwareBytes LazyScripter Feb 2021)"; | |
dcterms:modified "2022-05-11T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--6157e239-92a8-427f-ba9b-2f06f5b03f12 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--5719af9d-6b16-46f9-9b28-fb019541ddbb; | |
stix:target_ref :attack-pattern--cba37adb-d6fb-4610-b069-dd04c0643384; | |
dcterms:created "2020-11-30T17:38:40.968Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[NotPetya](https://attack.mitre.org/software/S0368) determines if specific antivirus programs are running on an infected host machine.(Citation: US District Court Indictment GRU Unit 74455 October 2020)"; | |
dcterms:modified "2020-11-30T17:38:40.968Z"^^xsd:dateTime . | |
:relationship--4c42863f-8f57-4948-afe3-922a30f193fa | |
rdf:type stix:Relationship; | |
stix:source_ref :attack-pattern--c2f59d25-87fe-44aa-8f83-e8e59d077bf5; | |
stix:target_ref :attack-pattern--7e3beebd-8bfe-4e7b-a892-e44ab06a75f9; | |
dcterms:created "2020-10-01T00:54:30.974Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--b335924f-4bf8-4e47-824d-2010add95615 | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--5297a638-1382-4f0c-8472-0d21830bf705; | |
stix:target_ref :attack-pattern--dfefe2ed-4389-4318-8762-f0272b350a1b; | |
dcterms:created "2022-03-30T14:26:51.872Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Monitor for new constructed systemd services to repeatedly execute malicious payloads as part of persistence."; | |
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--d4e351be-ccdc-4c51-a52a-b4d6a55cbeca | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--a7881f21-e978-4fe4-af56-92c9416a2616; | |
stix:target_ref :attack-pattern--045d0922-2310-4e60-b5e4-3302302cb3c5; | |
dcterms:created "2021-05-18T18:19:23.351Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Cobalt Strike](https://attack.mitre.org/software/S0154) can use `rundll32.exe` to load DLL from the command line.(Citation: Cobalt Strike Manual 4.3 November 2020)(Citation: DFIR Conti Bazar Nov 2021)(Citation: Trend Micro Black Basta October 2022)"; | |
dcterms:modified "2023-02-16T18:58:14.848Z"^^xsd:dateTime . | |
:relationship--5514c844-4f4b-4a07-a98b-60715a1c587f | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71; | |
stix:target_ref :attack-pattern--e358d692-23c0-4a31-9eb6-ecc13a8d7735; | |
dcterms:created "2022-03-30T14:26:51.865Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Monitor for files (such as <code>/etc/hosts</code>) being accessed that may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system.\n\nFor Windows, Event ID 4663 (An Attempt Was Made to Access An Object) can be used to alert on access attempts of local files that store host data, including C:\\Windows\\System32\\Drivers\\etc\\hosts.\n\nFor Linux, auditing frameworks such as the audit daemon (auditd) can be used to alert on access attempts of local files that store host data, including /etc/hosts."; | |
dcterms:modified "2023-08-14T19:07:51.788Z"^^xsd:dateTime . | |
:x-mitre-data-source--3bef4799-906c-409c-ac00-3fb7a1e352e6 | |
rdf:type :MitreDataSource; | |
rdfs:label "Persona"; | |
dcterms:created "2021-10-20T15:05:19.273Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "A malicious online profile representing a user commonly used by adversaries to social engineer or otherwise target victims"; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--e5fea1b8-e72c-4d5a-84a7-5545bc2f5dc3 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--4dea7d8e-af94-4bfb-afe4-7ff54f59308b; | |
stix:target_ref :attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62; | |
dcterms:created "2021-02-17T19:22:30.946Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Conti](https://attack.mitre.org/software/S0575) can utilize command line options to allow an attacker control over how it scans and encrypts files.(Citation: CarbonBlack Conti July 2020)(Citation: DFIR Conti Bazar Nov 2021)"; | |
dcterms:modified "2022-09-30T12:59:47.057Z"^^xsd:dateTime . | |
:relationship--911d412e-9dd7-49ae-ab6a-a078b44a1791 | |
rdf:type stix:Relationship; | |
stix:source_ref :attack-pattern--18d4ab39-12ed-4a16-9fdb-ae311bba4a0f; | |
stix:target_ref :attack-pattern--dca670cf-eeec-438f-8185-fd959d9ef211; | |
dcterms:created "2020-01-15T16:27:32.733Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--adffe817-2460-49c7-be30-44afea58d7f8 | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--9bb9e696-bff8-4ae1-9454-961fc7d91d5f; | |
stix:target_ref :attack-pattern--69e5226d-05dc-4f15-95d7-44f5ed78d06e; | |
dcterms:created "2020-03-24T21:16:16.730Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Do not allow administrator accounts that have permissions to modify the Web content of organization login portals to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems."; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:course-of-action--cba5667e-e3c6-44a4-811c-266dbc00e440 | |
rdf:type stix:CourseOfAction; | |
rdfs:label "Extra Window Memory Injection Mitigation"; | |
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of operating system design features. For example, mitigating specific API calls will likely have unintended side effects, such as preventing legitimate software (i.e., security products) from operating properly. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior.\n\nAlthough EWM injection may be used to evade certain types of defenses, it is still good practice to identify potentially malicious software that may be used to perform adversarial actions and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)"; | |
dcterms:modified "2021-08-23T20:25:19.367Z"^^xsd:dateTime . | |
:relationship--851b5150-ad44-4af5-915a-845b3239168d | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--a020a61c-423f-4195-8c46-ba1d21abba37; | |
stix:target_ref :attack-pattern--34e793de-0274-4982-9c1a-246ed1c19dee; | |
dcterms:created "2021-03-29T13:01:52.172Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Ryuk](https://attack.mitre.org/software/S0446) can launch <code>icacls <path> /grant Everyone:F /T /C /Q</code> to delete every access-based restrictions on files and directories.(Citation: ANSSI RYUK RANSOMWARE)"; | |
dcterms:modified "2021-03-29T13:01:52.172Z"^^xsd:dateTime . | |
:relationship--fbb82f95-94fd-4faf-a106-8c7a7191446e | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--78bb71be-92b4-46de-acd6-5f998fedf1cc; | |
stix:target_ref :attack-pattern--ec4be82f-940c-4dcb-87fe-2bbdd17c692f; | |
dcterms:created "2020-10-20T03:37:05.106Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties."; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--b91e06c1-9546-4184-9552-ba501bf9182e | |
rdf:type stix:Relationship; | |
stix:source_ref :tool--294e2560-bd48-44b2-9da2-833b5588ad11; | |
stix:target_ref :attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0; | |
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[ipconfig](https://attack.mitre.org/software/S0100) can be used to display adapter configuration on Windows systems, including information for TCP/IP, DNS, and DHCP."; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--9c203488-e4e0-4e41-8a92-e350eabf6e65 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a; | |
stix:target_ref :tool--afc079f3-c0ea-4096-b75d-3f05338b7f60; | |
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "(Citation: Lazarus KillDisk)"; | |
dcterms:modified "2021-10-21T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--7a64941e-c585-4ded-b0d7-2d7f3d71eaa8 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--cad3ba95-8c89-4146-ab10-08daa813f9de; | |
stix:target_ref :attack-pattern--c1b68a96-3c48-49ea-a6c0-9b27359f9c19; | |
dcterms:created "2021-07-30T21:03:08.929Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Clop](https://attack.mitre.org/software/S0611) has checked the keyboard language using the GetKeyboardLayout() function to avoid installation on Russian-language or other Commonwealth of Independent States-language machines; it will also check the <code>GetTextCharset</code> function.(Citation: Mcafee Clop Aug 2019) "; | |
dcterms:modified "2021-10-14T20:22:46.968Z"^^xsd:dateTime . | |
:relationship--58996a9f-ab17-4942-9afd-bb336af9a15b | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--0ec2f388-bf0f-4b5c-97b1-fc736d26c25f; | |
stix:target_ref :attack-pattern--dd43c543-bb85-4a6f-aa6e-160d90d06a49; | |
dcterms:created "2022-03-15T20:02:43.799Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Kimsuky](https://attack.mitre.org/groups/G0094) has used a proprietary tool to intercept one time passwords required for two-factor authentication.(Citation: KISA Operation Muzabi)"; | |
dcterms:modified "2022-04-12T18:26:56.015Z"^^xsd:dateTime . | |
:relationship--ec5259f2-5a6c-4d42-bf21-f91c2df64f61 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--0d1f9f5b-11ea-42c3-b5f4-63cce0122541; | |
stix:target_ref :attack-pattern--cbb66055-0325-4111-aca0-40547b6ad5b0; | |
dcterms:created "2020-06-25T18:24:00.644Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[WindTail](https://attack.mitre.org/software/S0466) can instruct the OS to execute an application without a dock icon or menu.(Citation: objective-see windtail1 dec 2018)"; | |
dcterms:modified "2020-06-25T18:24:00.644Z"^^xsd:dateTime . | |
:relationship--ba31b51b-d55c-4047-a3f5-1455bca4caa1 | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--93e7968a-9074-4eac-8ae9-9f5200ec3317; | |
stix:target_ref :attack-pattern--e99ec083-abdd-48de-ad87-4dbf6f8ba2a4; | |
dcterms:created "2019-07-18T15:26:40.751Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create new Launch Daemons."; | |
dcterms:modified "2023-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--fe1c5e06-ea4b-4286-af2d-984a095f7924 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--7ba0fc46-197d-466d-8b9f-f1c64d5d81e5; | |
stix:target_ref :attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18; | |
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[TYPEFRAME](https://attack.mitre.org/software/S0263) can search directories for files on the victim’s machine.(Citation: US-CERT TYPEFRAME June 2018)"; | |
dcterms:modified "2020-03-17T13:49:31.232Z"^^xsd:dateTime . | |
:relationship--2c78a913-5b17-4942-a6e9-8bfa4c24149b | |
rdf:type stix:Relationship; | |
stix:source_ref :attack-pattern--a782ebe2-daba-42c7-bc82-e8e9d923162d; | |
stix:target_ref :attack-pattern--731f4f55-b6d0-41d1-a7a9-072a66389aea; | |
dcterms:created "2020-03-14T23:23:41.917Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--fe1cd6bf-abca-4032-8c94-15168005e96d | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--a953ca55-921a-44f7-9b8d-3d40141aa17e; | |
stix:target_ref :attack-pattern--fdc47f44-dd32-4b99-af5f-209f556f63c2; | |
dcterms:created "2022-03-30T14:26:51.854Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Monitor for an attempt by a user to gain access to a network or computing resource, often by the use of domain authentication services, such as the System Security Services Daemon (sssd) on Linux.\n\nNotes: For Linux, auditing frameworks such as the audit daemon (auditd) can be used to alert on changes to log files that track authentication attempts, including <code>/var/log/secure</code>."; | |
dcterms:modified "2023-08-23T21:24:09.270Z"^^xsd:dateTime . | |
:relationship--00490a17-1032-461b-8085-500d56bb80f5 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--1492d0f8-7e14-4af3-9239-bc3fe10d3407; | |
stix:target_ref :attack-pattern--322bad5a-1c49-4d23-ab79-76d641794afa; | |
dcterms:created "2019-06-05T17:31:22.436Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Ursnif](https://attack.mitre.org/software/S0386) has gathered information about running services.(Citation: TrendMicro Ursnif Mar 2015)"; | |
dcterms:modified "2019-10-23T14:19:37.289Z"^^xsd:dateTime . | |
:relationship--9ebc2d8a-a945-4b5d-805f-56e16bcc6676 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7; | |
stix:target_ref :attack-pattern--cd25c1b4-935c-4f0e-ba8d-552f28bc4783; | |
dcterms:created "2019-09-23T23:08:25.395Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[APT41](https://attack.mitre.org/groups/G0096) deployed a Monero cryptocurrency mining tool in a victim’s environment.(Citation: FireEye APT41 Aug 2019)"; | |
dcterms:modified "2023-03-23T15:27:10.535Z"^^xsd:dateTime . | |
:relationship--22301618-a676-4d94-975a-2a56e5a7f919 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--e6ef745b-077f-42e1-a37d-29eecff9c754; | |
stix:target_ref :attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161; | |
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[CozyCar](https://attack.mitre.org/software/S0046)'s main method of communicating with its C2 servers is using HTTP or HTTPS.(Citation: F-Secure CozyDuke)"; | |
dcterms:modified "2022-05-11T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--8f40c44c-80c5-4f9d-a467-6b71f646cdf7 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--16040b1c-ed28-4850-9d8f-bb8b81c42092; | |
stix:target_ref :attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5; | |
dcterms:created "2022-04-13T13:17:13.025Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[ThreatNeedle](https://attack.mitre.org/software/S0665) can collect data and files from a compromised host.(Citation: Kaspersky ThreatNeedle Feb 2021)"; | |
dcterms:modified "2022-04-13T13:17:13.025Z"^^xsd:dateTime . | |
:relationship--4d7add6f-ebd5-477f-9958-a5176835da2e | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--2eb9b131-d333-4a48-9eb4-d8dec46c19ee; | |
stix:target_ref :attack-pattern--3fc9b85a-2862-4363-a64d-d692e3ffbee0; | |
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[CosmicDuke](https://attack.mitre.org/software/S0050) collects user credentials, including passwords, for various programs including popular instant messaging applications and email clients as well as WLAN keys.(Citation: F-Secure The Dukes)"; | |
dcterms:modified "2020-03-19T22:38:12.985Z"^^xsd:dateTime . | |
:relationship--dbccbeab-26c9-476e-b529-c193f9796cbc | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--a8d3d497-2da9-4797-8e0b-ed176be08654; | |
stix:target_ref :attack-pattern--b21c3b2d-02e6-45b1-980b-e69051040839; | |
dcterms:created "2018-01-16T16:13:52.465Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Wingbird](https://attack.mitre.org/software/S0176) exploits CVE-2016-4117 to allow an executable to gain escalated privileges.(Citation: Microsoft SIR Vol 21)"; | |
dcterms:modified "2020-02-11T19:39:04.054Z"^^xsd:dateTime . | |
:malware--21583311-6321-4891-8a37-3eb4e57b0fb1 | |
rdf:type stix:Malware; | |
rdfs:label "xCaon"; | |
dcterms:created "2021-09-29T00:04:26.906Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[xCaon](https://attack.mitre.org/software/S0653) is an HTTP variant of the [BoxCaon](https://attack.mitre.org/software/S0651) malware family that has used by [IndigoZebra](https://attack.mitre.org/groups/G0136) since at least 2014. [xCaon](https://attack.mitre.org/software/S0653) has been used to target political entities in Central Asia, including Kyrgyzstan and Uzbekistan.(Citation: Checkpoint IndigoZebra July 2021)(Citation: Securelist APT Trends Q2 2017)"; | |
dcterms:modified "2021-10-16T02:20:16.562Z"^^xsd:dateTime . | |
:relationship--d7836be5-6c99-4a14-90ca-e342455516ab | |
rdf:type stix:Relationship; | |
stix:source_ref :campaign--37764c78-2a99-46d1-a7ea-6454b9bf93a0; | |
stix:target_ref :attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e; | |
dcterms:created "2022-09-26T21:48:13.506Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "During [Operation Sharpshooter](https://attack.mitre.org/campaigns/C0013), the threat actors relied on victims executing malicious Microsoft Word or PDF files.(Citation: McAfee Sharpshooter December 2018) "; | |
dcterms:modified "2022-09-26T21:48:13.506Z"^^xsd:dateTime . | |
:relationship--f528d6d4-7118-48f4-a875-310a2f511900 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--467271fd-47c0-4e90-a3f9-d84f5cf790d0; | |
stix:target_ref :malware--d906e6f7-434c-44c0-b51a-ed50af8f7945; | |
dcterms:created "2023-09-15T20:13:08.233Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "(Citation: Proofpoint TA2541 February 2022)(Citation: Cisco Operation Layover September 2021)"; | |
dcterms:modified "2023-09-15T20:14:41.009Z"^^xsd:dateTime . | |
:relationship--6de233bc-efe2-4dbd-b0a6-994d45f6bc23 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--7113eaa5-ba79-4fb3-b68a-398ee9cd698e; | |
stix:target_ref :attack-pattern--b1ccd744-3f78-4a0e-9bb2-2002057f7928; | |
dcterms:created "2021-08-18T18:22:07.864Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Leviathan](https://attack.mitre.org/groups/G0065) has created new social media accounts for targeting efforts.(Citation: CISA AA21-200A APT40 July 2021)"; | |
dcterms:modified "2022-05-11T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--b9ed3f57-0331-431a-96ff-b536c966aa6d | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--7ba0fc46-197d-466d-8b9f-f1c64d5d81e5; | |
stix:target_ref :attack-pattern--478aa214-2ca7-4ec0-9978-18798e514790; | |
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[TYPEFRAME](https://attack.mitre.org/software/S0263) variants can add malicious DLL modules as new services."; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:attack-pattern--0c4b4fda-9062-47da-98b9-ceae2dcf052a | |
rdf:type d3f:OffensiveTechnique; | |
rdfs:label "Sharepoint"; | |
dcterms:created "2020-02-14T13:35:32.938Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Adversaries may leverage the SharePoint repository as a source to mine valuable information. SharePoint will often contain useful information for an adversary to learn about the structure and functionality of the internal network and systems. For example, the following is a list of example information that may hold potential value to an adversary and may also be found on SharePoint:\n\n* Policies, procedures, and standards\n* Physical / logical network diagrams\n* System architecture diagrams\n* Technical system documentation\n* Testing / development credentials\n* Work / project schedules\n* Source code snippets\n* Links to network shares and other internal resources\n"; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--331da7a8-d1ad-4feb-892a-c440aa5eb810 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--35d1b3be-49d4-42f1-aaa6-ef159c880bca; | |
stix:target_ref :attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32; | |
dcterms:created "2021-10-01T01:57:31.713Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[TeamTNT](https://attack.mitre.org/groups/G0139) has used malware that adds cryptocurrency miners as a service.(Citation: ATT TeamTNT Chimaera September 2020)"; | |
dcterms:modified "2022-10-19T19:39:12.869Z"^^xsd:dateTime . | |
:relationship--8d7957af-a314-4e12-bde6-6148e234ff58 | |
rdf:type stix:Relationship; | |
stix:source_ref :attack-pattern--0dbf5f1b-a560-4d51-ac1b-d70caab3e1f0; | |
stix:target_ref :attack-pattern--650c784b-7504-4df7-ab2c-4ea882384d1e; | |
dcterms:created "2020-02-11T19:09:48.749Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--75fcbeab-4f32-4e6d-a02a-9d5509fd4c4f | |
rdf:type stix:Relationship; | |
stix:source_ref :tool--4b57c098-f043-4da2-83ef-7588a6d426bc; | |
stix:target_ref :attack-pattern--a01bf75f-00b2-4568-a58f-565ff9bf202b; | |
dcterms:created "2019-04-23T16:12:37.610Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[PoshC2](https://attack.mitre.org/software/S0378) contains modules, such as <code>Get-LocAdm</code> for enumerating permission groups.(Citation: GitHub PoshC2)"; | |
dcterms:modified "2020-03-18T22:54:27.969Z"^^xsd:dateTime . | |
:relationship--4ca73e82-4e56-4044-a21a-d613a80f171c | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--b00f90b6-c75c-4bfd-b813-ca9e6c9ebf29; | |
stix:target_ref :attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c; | |
dcterms:created "2023-09-21T22:50:57.499Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352) uses a decode routine combining bit shifting and XOR operations with a variable key that depends on the length of the string that was encoded. If the computation for the variable XOR key turns out to be 0, the default XOR key of 0x1B is used. This routine is also referenced as the `rotate` function in reporting.(Citation: Unit42 OceanLotus 2017)"; | |
dcterms:modified "2023-09-21T22:50:57.499Z"^^xsd:dateTime . | |
:relationship--5221fc94-cddd-416a-b027-67bc7a68ced1 | |
rdf:type stix:Relationship; | |
stix:source_ref :attack-pattern--60c4b628-4807-4b0b-bbf5-fdac8643c337; | |
stix:target_ref :attack-pattern--0458aab9-ad42-4eac-9e22-706a95bafee2; | |
dcterms:created "2020-10-01T00:48:09.642Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--6d887394-6007-451e-beb9-0ce76b58ebc3 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--35d1b3be-49d4-42f1-aaa6-ef159c880bca; | |
stix:target_ref :tool--79dd477a-8226-4b3d-ad15-28623675f221; | |
dcterms:created "2022-02-08T16:13:42.116Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "(Citation: TeamTNT Cloud Enumeration)"; | |
dcterms:modified "2022-02-08T16:13:42.116Z"^^xsd:dateTime . | |
:relationship--8ecc61b0-c0b9-4f3a-a6b4-53c88e1d9bb7 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--751b77e6-af1f-483b-93fe-eddf17f92a64; | |
stix:target_ref :attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4; | |
dcterms:created "2021-02-10T19:41:52.619Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Caterpillar WebShell](https://attack.mitre.org/software/S0572) has a command to modify a Registry key.(Citation: ClearSky Lebanese Cedar Jan 2021)"; | |
dcterms:modified "2021-02-10T19:41:52.619Z"^^xsd:dateTime . | |
:relationship--7aea964a-cd9b-471e-bc7b-2a270c974289 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--4a2ce82e-1a74-468a-a6fb-bbead541383c; | |
stix:target_ref :malware--60a9c2f0-b7a5-4e8e-959c-e1a3ff314a5f; | |
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "(Citation: Talos Group123)(Citation: Securelist ScarCruft May 2019)"; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--f8aff281-c6e4-47fd-8111-d1720126b49b | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--7da0387c-ba92-4553-b291-b636ee42b2eb; | |
stix:target_ref :attack-pattern--28abec6c-4443-4b03-8206-07f2e264a6b4; | |
dcterms:created "2020-10-20T17:59:21.323Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Enable secure boot features to validate the digital signature of the boot environment and system image using a special purpose hardware device. If the validation check fails, the device will fail to boot preventing loading of unauthorized software. (Citation: Cisco IOS Software Integrity Assurance - Secure Boot) "; | |
dcterms:modified "2020-10-22T16:35:54.421Z"^^xsd:dateTime . | |
:relationship--50f39180-6e5a-476b-b18f-d4e09e83c9d9 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--5f9f7648-04ba-4a9f-bb4c-2a13e74572bd; | |
stix:target_ref :attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161; | |
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Pteranodon](https://attack.mitre.org/software/S0147) can use HTTP for C2.(Citation: Palo Alto Gamaredon Feb 2017)"; | |
dcterms:modified "2020-06-22T17:54:15.482Z"^^xsd:dateTime . | |
:relationship--e68684df-28b4-4f06-b553-cacf14866605 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--dc5d1a33-62aa-4a0c-aa8c-589b87beb11e; | |
stix:target_ref :attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2; | |
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[ChChes](https://attack.mitre.org/software/S0144) copies itself to an .exe file with a filename that is likely intended to imitate Norton Antivirus but has several letters reversed (e.g. notron.exe).(Citation: PWC Cloud Hopper Technical Annex April 2017)"; | |
dcterms:modified "2023-03-23T15:14:18.650Z"^^xsd:dateTime . | |
:relationship--e46d31bf-23d8-4464-96e8-aee04f745921 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--efa7c4d6-8e30-41d9-a8fd-26dc337f4a1b; | |
stix:target_ref :attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a; | |
dcterms:created "2021-11-30T19:26:17.245Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Gelsemium](https://attack.mitre.org/software/S0666) has the ability to compress its components.(Citation: ESET Gelsemium June 2021)"; | |
dcterms:modified "2021-11-30T19:26:17.245Z"^^xsd:dateTime . | |
:malware--bdee9574-7479-4073-a7dc-e86d8acd073a | |
rdf:type stix:Malware; | |
rdfs:label "MacMa"; | |
dcterms:created "2022-05-06T01:29:34.860Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[MacMa](https://attack.mitre.org/software/S1016) is a macOS-based backdoor with a large set of functionalities to control and exfiltrate files from a compromised computer. [MacMa](https://attack.mitre.org/software/S1016) has been observed in the wild since November 2021.(Citation: ESET DazzleSpy Jan 2022)"; | |
dcterms:modified "2022-10-24T18:52:29.002Z"^^xsd:dateTime . | |
:relationship--e91c647e-7076-4290-b7c4-017822fdfd59 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--7e0f8b0f-716e-494d-827e-310bd6ed709e; | |
stix:target_ref :attack-pattern--25659dd6-ea12-45c4-97e6-381e3e4b593e; | |
dcterms:created "2021-09-22T21:17:31.982Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[SMOKEDHAM](https://attack.mitre.org/software/S0649) has used <code>net.exe user</code> and <code>net.exe users</code> to enumerate local accounts on a compromised host.(Citation: FireEye SMOKEDHAM June 2021)"; | |
dcterms:modified "2021-09-23T13:29:34.251Z"^^xsd:dateTime . | |
:relationship--8d5a5b8c-48a3-4d1c-bb39-89fd4a03bd15 | |
rdf:type stix:Relationship; | |
stix:source_ref :attack-pattern--98034fef-d9fb-4667-8dc4-2eab6231724c; | |
stix:target_ref :attack-pattern--b6301b64-ef57-4cce-bb0b-77026f14a8db; | |
dcterms:created "2020-01-24T13:40:47.476Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--b033e131-e448-46c6-815b-b86e4bd6d638 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--fe8796a4-2a02-41a0-9d27-7aa1e995feb6; | |
stix:target_ref :attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e; | |
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[APT19](https://attack.mitre.org/groups/G0073) attempted to get users to launch malicious attachments delivered via spearphishing emails.(Citation: FireEye APT19)"; | |
dcterms:modified "2020-03-12T00:28:05.750Z"^^xsd:dateTime . | |
:relationship--97aea4a9-1016-40d0-8869-9b4c4d4eec72 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--64b52e7d-b2c4-4a02-9372-08a463f5dc11; | |
stix:target_ref :attack-pattern--ac08589e-ee59-4935-8667-d845e38fe579; | |
dcterms:created "2022-01-18T18:07:56.219Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Aquatic Panda](https://attack.mitre.org/groups/G0143) has attempted to stop endpoint detection and response (EDR) tools on compromised systems.(Citation: CrowdStrike AQUATIC PANDA December 2021)"; | |
dcterms:modified "2022-01-18T18:07:56.219Z"^^xsd:dateTime . | |
:tool--115f88dd-0618-4389-83cb-98d33ae81848 | |
rdf:type stix:Tool; | |
rdfs:label "ShimRatReporter"; | |
dcterms:created "2020-05-12T21:29:48.294Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[ShimRatReporter](https://attack.mitre.org/software/S0445) is a tool used by suspected Chinese adversary [Mofang](https://attack.mitre.org/groups/G0103) to automatically conduct initial discovery. The details from this discovery are used to customize follow-on payloads (such as [ShimRat](https://attack.mitre.org/software/S0444)) as well as set up faux infrastructure which mimics the adversary's targets. [ShimRatReporter](https://attack.mitre.org/software/S0445) has been used in campaigns targeting multiple countries and sectors including government, military, critical infrastructure, automobile, and weapons development.(Citation: FOX-IT May 2016 Mofang)"; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--0d2a66c5-fb8e-4cbb-9526-579b5c9c881c | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--876f6a77-fbc5-4e13-ab1a-5611986730a3; | |
stix:target_ref :attack-pattern--f3c544dc-673c-4ef3-accb-53229f1ae077; | |
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[T9000](https://attack.mitre.org/software/S0098) gathers and beacons the system time during installation.(Citation: Palo Alto T9000 Feb 2016)"; | |
dcterms:modified "2020-03-30T03:07:37.770Z"^^xsd:dateTime . | |
:relationship--feb4ca91-caee-41ae-a955-3c435cc058e0 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--dc5e2999-ca1a-47d4-8d12-a6984b138a1b; | |
stix:target_ref :attack-pattern--f2877f7f-9a4c-4251-879f-1224e3006bee; | |
dcterms:created "2021-01-25T14:25:12.679Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[UNC2452](https://attack.mitre.org/groups/G0118) obtained Ticket Granting Service (TGS) tickets for Active Directory Service Principle Names to crack offline.(Citation: Microsoft Deep Dive Solorigate January 2021)"; | |
dcterms:modified "2023-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--02e4c930-ffc1-4bcb-a989-12db90671f90 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--4b072c90-bc7a-432b-940e-016fc1c01761; | |
stix:target_ref :attack-pattern--a782ebe2-daba-42c7-bc82-e8e9d923162d; | |
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Keydnap](https://attack.mitre.org/software/S0276) uses a copy of tor2web proxy for HTTPS communications.(Citation: synack 2016 review)"; | |
dcterms:modified "2020-01-17T19:44:36.672Z"^^xsd:dateTime . | |
:relationship--8720f2bc-c099-4d2c-a9b4-faf019bf55a4 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--86b92f6c-9c05-4c51-b361-4c7bb13e21a1; | |
stix:target_ref :attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add; | |
dcterms:created "2019-01-31T00:36:41.003Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[KONNI](https://attack.mitre.org/software/S0356) can download files and execute them on the victim’s machine.(Citation: Talos Konni May 2017)(Citation: Malwarebytes Konni Aug 2021) "; | |
dcterms:modified "2022-01-06T19:47:22.700Z"^^xsd:dateTime . | |
:relationship--5d0c84c6-1f4b-4adf-924a-7b5489bd0933 | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--2f316f6c-ae42-44fe-adf8-150989e0f6d3; | |
stix:target_ref :attack-pattern--e0033c16-a07e-48aa-8204-7c3ca669998c; | |
dcterms:created "2020-02-25T19:19:09.960Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Change GPOs to define shorter timeouts sessions and maximum amount of time any single session can be active. Change GPOs to specify the maximum amount of time that a disconnected session stays active on the RD session host server.(Citation: Windows RDP Sessions)"; | |
dcterms:modified "2020-05-20T13:33:51.038Z"^^xsd:dateTime . | |
:relationship--b32b4e03-1469-4a70-8d0b-cd3344e92b3f | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--8dbadf80-468c-4a62-b817-4e4d8b606887; | |
stix:target_ref :attack-pattern--0af0ca99-357d-4ba1-805f-674fdfb7bef9; | |
dcterms:created "2019-05-14T17:08:39.345Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[StoneDrill](https://attack.mitre.org/software/S0380) can wipe the master boot record of an infected computer.(Citation: Symantec Elfin Mar 2019)"; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--ded85906-e996-45cd-ae64-82adc22397e3 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--9559ecaf-2e75-48a7-aee8-9974020bc772; | |
stix:target_ref :malware--f5352566-1a64-49ac-8f7f-97e1d1a03300; | |
dcterms:created "2017-05-31T21:33:27.078Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:modified "2018-04-18T17:59:24.739Z"^^xsd:dateTime . | |
:relationship--cbbaed8a-28ce-4cea-bbb9-ea200dcf9e66 | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--0dcbbf4f-929c-489a-b66b-9b820d3f7f0e; | |
stix:target_ref :attack-pattern--84771bc3-f6a0-403e-b144-01af70e5fda0; | |
dcterms:created "2022-03-30T14:26:51.870Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "If infrastructure or patterns in malware, tooling, certificates, or malicious web content have been previously identified, internet scanning may uncover when an adversary has staged their capabilities.\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as initial access and post-compromise behaviors."; | |
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--5047ac79-8ed7-4f22-bfa2-fad8195f72b8 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--835a79f1-842d-472d-b8f4-d54b545c341b; | |
stix:target_ref :attack-pattern--348f1eef-964b-4eb6-bb53-69b3dcb0c643; | |
dcterms:created "2021-06-04T16:28:59.507Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Bandook](https://attack.mitre.org/software/S0234) can detect USB devices.(Citation: EFF Manul Aug 2016)"; | |
dcterms:modified "2021-06-04T16:28:59.507Z"^^xsd:dateTime . | |
:relationship--8e824b6e-a0b7-4a57-9a7e-89b2c390beec | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--64fa0de0-6240-41f4-8638-f4ca7ed528fd; | |
stix:target_ref :attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2; | |
dcterms:created "2022-04-14T20:02:28.417Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[PlugX](https://attack.mitre.org/software/S0013) has been disguised as legitimate Adobe and PotPlayer files.(Citation: Proofpoint TA416 Europe March 2022)"; | |
dcterms:modified "2022-04-14T20:02:28.417Z"^^xsd:dateTime . | |
:relationship--4f41a697-db81-4df8-8b46-a59d294112fa | |
rdf:type stix:Relationship; | |
stix:source_ref :campaign--aa73efef-1418-4dbe-b43c-87a498e97234; | |
stix:target_ref :attack-pattern--e01be9c5-e763-4caf-aeb7-000b416aef67; | |
dcterms:created "2023-03-31T17:37:21.531Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "During the [2016 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0025), [Sandworm Team](https://attack.mitre.org/groups/G0034) added a login to a SQL Server with `sp_addlinkedsrvlogin`.(Citation: Dragos Crashoverride 2018)"; | |
dcterms:modified "2023-04-07T19:50:30.910Z"^^xsd:dateTime . | |
:relationship--0afa86ee-1253-4f15-87a8-abb46422313b | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--fd66436e-4d33-450e-ac4c-f7810f1c85f4; | |
stix:target_ref :attack-pattern--6151cbea-819b-455a-9fa6-99a1cc58797d; | |
dcterms:created "2023-07-28T16:48:29.357Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[FIN13](https://attack.mitre.org/groups/G1016) has leveraged default credentials for authenticating myWebMethods (WMS) and QLogic web management interface to gain initial access.(Citation: Sygnia Elephant Beetle Jan 2022)"; | |
dcterms:modified "2023-07-28T16:48:29.357Z"^^xsd:dateTime . | |
:relationship--6ea6ad5d-28f1-425c-a2e9-c51a12b14d87 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--ebb73863-fa44-4617-b4cb-b9ed3414eb87; | |
stix:target_ref :attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18; | |
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Honeybee](https://attack.mitre.org/groups/G0072)'s service-based DLL implant traverses the FTP server’s directories looking for files with keyword matches for computer names or certain keywords.(Citation: McAfee Honeybee)"; | |
dcterms:modified "2022-10-25T14:00:00.188Z"^^xsd:dateTime . | |
:attack-pattern--8c32eb4d-805f-4fc5-bf60-c4d476c131b5 | |
rdf:type d3f:OffensiveTechnique; | |
rdfs:label "User Execution"; | |
dcterms:created "2018-04-18T17:59:24.739Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of [Phishing](https://attack.mitre.org/techniques/T1566).\n\nWhile [User Execution](https://attack.mitre.org/techniques/T1204) frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after [Internal Spearphishing](https://attack.mitre.org/techniques/T1534).\n\nAdversaries may also deceive users into performing actions such as enabling [Remote Access Software](https://attack.mitre.org/techniques/T1219), allowing direct control of the system to the adversary, or downloading and executing malware for [User Execution](https://attack.mitre.org/techniques/T1204). For example, tech support scams can be facilitated through [Phishing](https://attack.mitre.org/techniques/T1566), vishing, or various forms of user interaction. Adversaries can use a combination of these methods, such as spoofing and promoting toll-free numbers or call centers that are used to direct victims to malicious websites, to deliver and execute payloads containing malware or [Remote Access Software](https://attack.mitre.org/techniques/T1219).(Citation: Telephone Attack Delivery)"; | |
dcterms:modified "2022-05-11T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--b1ef4ee2-30bc-4f25-9e77-cf9d6cc576a8 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--835a79f1-842d-472d-b8f4-d54b545c341b; | |
stix:target_ref :attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0; | |
dcterms:created "2021-05-31T16:31:47.812Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Bandook](https://attack.mitre.org/software/S0234) has a command to get the public IP address from a system.(Citation: CheckPoint Bandook Nov 2020) "; | |
dcterms:modified "2021-05-31T16:31:47.812Z"^^xsd:dateTime . | |
:relationship--19198d4f-e858-4288-a7cb-e2ec03134de7 | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8; | |
stix:target_ref :attack-pattern--9e8b28c9-35fe-48ac-a14d-e6cc032dcbcd; | |
dcterms:created "2022-03-30T14:26:51.869Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Monitor for modification of binaries and service executables that do not occur during a regular software update or an update scheduled by the organization. Modification of files considers actions such as renaming and directory moving."; | |
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--7ac04e64-a09e-4a66-b6ce-047030400045 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--32066e94-3112-48ca-b9eb-ba2b59d2f023; | |
stix:target_ref :attack-pattern--58a3e6aa-4453-4cc8-a51f-4befe80b31a8; | |
dcterms:created "2020-03-19T22:47:20.671Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Emotet](https://attack.mitre.org/software/S0367) has been observed dropping browser password grabber modules. (Citation: Trend Micro Emotet Jan 2019)(Citation: IBM IcedID November 2017)"; | |
dcterms:modified "2020-07-15T18:05:15.624Z"^^xsd:dateTime . | |
:relationship--ab4d7a1b-2b5a-44b6-a363-363d3f3f6e05 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--95e2cbae-d82c-4f7b-b63c-16462015d35d; | |
stix:target_ref :attack-pattern--4bed873f-0b7d-41d4-b93a-b6905d1f90b0; | |
dcterms:created "2021-05-05T13:48:03.687Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[LiteDuke](https://attack.mitre.org/software/S0513) can wait 30 seconds before executing additional code if security software is detected.(Citation: ESET Dukes October 2019)"; | |
dcterms:modified "2021-05-05T13:48:03.687Z"^^xsd:dateTime . | |
:x-mitre-data-component--ff9b665a-598b-4bcb-8b2a-a87566aa1256 | |
rdf:type :MitreDataComponent; | |
rdfs:label "Domain Registration"; | |
dcterms:created "2021-10-20T15:05:19.275Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Information about domain name assignments and other domain metadata (ex: WHOIS)"; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--736a676f-7a27-4459-9dab-22d214a4db9e | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--7eda3dd8-b09b-4705-8090-c2ad9fb8c14d; | |
stix:target_ref :attack-pattern--ac08589e-ee59-4935-8667-d845e38fe579; | |
dcterms:created "2022-10-17T16:10:10.001Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[TA505](https://attack.mitre.org/groups/G0092) has used malware to disable Windows Defender.(Citation: Korean FSI TA505 2020)"; | |
dcterms:modified "2022-10-17T16:10:10.001Z"^^xsd:dateTime . | |
:relationship--9ea7df8f-3720-4153-8090-4f1a18ecefac | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--22b17791-45bf-45c0-9322-ff1a0af5cf2b; | |
stix:target_ref :attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32; | |
dcterms:created "2021-07-02T15:57:45.256Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Nebulae](https://attack.mitre.org/software/S0630) can create a service to establish persistence.(Citation: Bitdefender Naikon April 2021)"; | |
dcterms:modified "2021-07-02T15:57:45.256Z"^^xsd:dateTime . | |
:relationship--33823f15-f43f-41ef-bc14-7dea2ab21acf | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--8393dac0-0583-456a-9372-fd81691bca20; | |
stix:target_ref :attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4; | |
dcterms:created "2020-08-24T13:40:23.074Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[PipeMon](https://attack.mitre.org/software/S0501) has modified the Registry to store its encrypted payload.(Citation: ESET PipeMon May 2020)"; | |
dcterms:modified "2023-03-26T19:39:13.881Z"^^xsd:dateTime . | |
:relationship--d22af09f-5536-4416-827c-e401cfae3002 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f; | |
stix:target_ref :tool--03342581-f790-4f03-ba41-e82e67392e23; | |
dcterms:created "2019-04-10T15:21:29.533Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "(Citation: Symantec Elfin Mar 2019)"; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--6765828a-168f-4dd7-8c1b-00f7d98daef5 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--bdb27a1d-1844-42f1-a0c0-826027ae0326; | |
stix:target_ref :attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1; | |
dcterms:created "2019-05-02T01:07:37.020Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Revenge RAT](https://attack.mitre.org/software/S0379) collects the CPU information, OS information, and system language.(Citation: Cylance Shaheen Nov 2018)"; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--70b511c9-5a2c-4810-87b6-73dfc648ec29 | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--a6a47a06-08fc-4ec4-bdc3-20373375ebb9; | |
stix:target_ref :attack-pattern--cc3502b5-30cc-4473-ad48-42d51a6ef6d1; | |
dcterms:created "2020-06-23T19:03:15.337Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Anti-virus can be used to automatically quarantine suspicious files. "; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--a581fb2c-604a-4417-b782-cafd76b11c37 | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a; | |
stix:target_ref :attack-pattern--8982a661-d84c-48c0-b4ec-1db29c6cf3bc; | |
dcterms:created "2020-10-19T04:16:36.949Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Users can be trained to identify social engineering techniques and spearphishing attempts."; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:attack-pattern--cf1c2504-433f-4c4e-a1f8-91de45a0318c | |
rdf:type d3f:OffensiveTechnique; | |
rdfs:label "Create Cloud Instance"; | |
dcterms:created "2020-05-14T14:45:15.978Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "An adversary may create a new instance or virtual machine (VM) within the compute service of a cloud account to evade defenses. Creating a new instance may allow an adversary to bypass firewall rules and permissions that exist on instances currently residing within an account. An adversary may [Create Snapshot](https://attack.mitre.org/techniques/T1578/001) of one or more volumes in an account, create a new instance, mount the snapshots, and then apply a less restrictive security policy to collect [Data from Local System](https://attack.mitre.org/techniques/T1005) or for [Remote Data Staging](https://attack.mitre.org/techniques/T1074/002).(Citation: Mandiant M-Trends 2020)\n\nCreating a new instance may also allow an adversary to carry out malicious activity within an environment without affecting the execution of current running instances."; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--a6ef1c3f-291a-4ccb-961b-45a8b92effbe | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--47e0e9fe-96ce-4f65-8bb1-8be1feacb5db; | |
stix:target_ref :attack-pattern--04ef4356-8926-45e2-9441-634b6f3dcecb; | |
dcterms:created "2019-07-18T15:28:31.824Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Whitelist applications via known hashes."; | |
dcterms:modified "2023-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--7c817fbc-5dff-4059-8230-b8040dabde61 | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--78bb71be-92b4-46de-acd6-5f998fedf1cc; | |
stix:target_ref :attack-pattern--31fe0ba2-62fd-4fd9-9293-4043d84f7fe9; | |
dcterms:created "2021-04-16T03:01:55.663Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls."; | |
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--f0a36615-b3eb-47d5-8a2a-9d7429643a0a | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--802a874d-7463-4f2a-99e3-6a1f5a919a21; | |
stix:target_ref :attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580; | |
dcterms:created "2023-03-31T20:31:09.627Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Royal](https://attack.mitre.org/software/S1073) can use `GetCurrentProcess` to enumerate processes.(Citation: Cybereason Royal December 2022)"; | |
dcterms:modified "2023-03-31T20:31:09.627Z"^^xsd:dateTime . | |
:relationship--e7740e58-d87c-44c4-907c-f66b88851ffc | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--fb366179-766c-4a4a-afa1-52bff1fd601c; | |
stix:target_ref :tool--b63970b7-ddfb-4aee-97b1-80d335e033a8; | |
dcterms:created "2021-03-17T16:21:47.087Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "(Citation: Dell TG-3390)(Citation: Trend Micro DRBControl February 2020)"; | |
dcterms:modified "2022-04-11T16:21:36.766Z"^^xsd:dateTime . | |
:relationship--24caab23-239c-4012-bb62-5b843f1ff767 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--c113230f-f044-423b-af63-9b63c802f5ae; | |
stix:target_ref :attack-pattern--ef67e13e-5598-4adc-bdb2-998225874fa9; | |
dcterms:created "2022-06-09T19:51:06.415Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[OutSteel](https://attack.mitre.org/software/S1017) has relied on a user to click a malicious link within a spearphishing email.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )"; | |
dcterms:modified "2022-06-09T19:51:06.415Z"^^xsd:dateTime . | |
:relationship--2e165a8a-928e-488e-ad16-afb77a94b460 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--2fd2be6a-d3a2-4a65-b499-05ea2693abee; | |
stix:target_ref :attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a; | |
dcterms:created "2019-01-30T14:26:43.110Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Gallmaker](https://attack.mitre.org/groups/G0084) obfuscated shellcode used during execution.(Citation: Symantec Gallmaker Oct 2018)"; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--baa9bb45-b4d2-4eea-803f-d2d1126330d4 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--4a2ce82e-1a74-468a-a6fb-bbead541383c; | |
stix:target_ref :malware--211cfe9f-2676-4e1c-a5f5-2c8091da2a68; | |
dcterms:created "2018-04-18T17:59:24.739Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "(Citation: FireEye APT37 Feb 2018)"; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--8e7ff07b-7a32-4ced-ac22-b523586dbde3 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8; | |
stix:target_ref :attack-pattern--1b7ba276-eedc-4951-a762-0ceea2c030ec; | |
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Remsec](https://attack.mitre.org/software/S0125) has a package that collects documents from any inserted USB sticks.(Citation: Kaspersky ProjectSauron Technical Analysis)"; | |
dcterms:modified "2020-03-11T17:45:33.708Z"^^xsd:dateTime . | |
:course-of-action--96150c35-466f-4f0a-97a9-ae87ee27f751 | |
rdf:type stix:CourseOfAction; | |
rdfs:label "Bootkit Mitigation"; | |
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Ensure proper permissions are in place to help prevent adversary access to privileged accounts necessary to perform this action. Use Trusted Platform Module technology and a secure or trusted boot process to prevent system integrity from being compromised. (Citation: TCG Trusted Platform Module) (Citation: TechNet Secure Boot Process)"; | |
dcterms:modified "2020-04-23T19:10:28.284Z"^^xsd:dateTime . | |
:relationship--76ca2629-da20-42ce-95e1-b9f93406a87c | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--e9e9bfe2-76f4-4870-a2a1-b7af89808613; | |
stix:target_ref :attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62; | |
dcterms:created "2018-04-18T17:59:24.739Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Linfo](https://attack.mitre.org/software/S0211) creates a backdoor through which remote attackers can start a remote shell.(Citation: Symantec Linfo May 2012)"; | |
dcterms:modified "2020-03-20T02:11:07.211Z"^^xsd:dateTime . | |
:relationship--7ce75658-c5ea-484d-ab1d-2dca045a244b | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--59c8a28c-200c-4565-9af1-cbdb24870ba0; | |
stix:target_ref :attack-pattern--1996eef1-ced3-4d7f-bf94-33298cabbf72; | |
dcterms:created "2022-03-21T22:57:40.656Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Green Lambert](https://attack.mitre.org/software/S0690) can use DNS for C2 communications.(Citation: Objective See Green Lambert for OSX Oct 2021)(Citation: Glitch-Cat Green Lambert ATTCK Oct 2021)"; | |
dcterms:modified "2022-03-21T22:57:40.656Z"^^xsd:dateTime . | |
:relationship--74fd87b9-3aff-4278-a408-11ae470082e5 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced744dd12; | |
stix:target_ref :attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279; | |
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Dark Caracal](https://attack.mitre.org/groups/G0070)'s version of [Bandook](https://attack.mitre.org/software/S0234) adds a registry key to <code>HKEY_USERS\\Software\\Microsoft\\Windows\\CurrentVersion\\Run</code> for persistence.(Citation: Lookout Dark Caracal Jan 2018)"; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--6c42fa31-80df-4d67-92d2-4273c22a4d5b | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--6ba1d7ae-d60b-43e6-9f08-a8b787e9d9cb; | |
stix:target_ref :attack-pattern--b4694861-542c-48ea-9eb1-10d356e7140a; | |
dcterms:created "2019-06-28T13:52:51.413Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[LightNeuron](https://attack.mitre.org/software/S0395) collects Exchange emails matching rules specified in its configuration.(Citation: ESET LightNeuron May 2019)"; | |
dcterms:modified "2020-03-17T16:29:51.887Z"^^xsd:dateTime . | |
:relationship--7a75d200-29f5-4f8a-b052-bcbe4e5ca236 | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--12241367-a8b7-49b4-b86e-2236901ba50c; | |
stix:target_ref :attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597; | |
dcterms:created "2020-03-02T19:05:18.271Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Network intrusion prevention systems and systems designed to scan and remove malicious email attachments can be used to block activity."; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--5c039dbf-c443-4f9b-b036-fcabaed74a3b | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--feb2d7bb-aacb-48df-ad04-ccf41a30cd90; | |
stix:target_ref :attack-pattern--7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c; | |
dcterms:created "2020-11-17T18:39:06.904Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[SLOTHFULMEDIA](https://attack.mitre.org/software/S0533) has named a service it establishes on victim machines as \"TaskFrame\" to hide its malicious purpose.(Citation: CISA MAR SLOTHFULMEDIA October 2020) "; | |
dcterms:modified "2020-11-17T18:39:06.904Z"^^xsd:dateTime . | |
:relationship--97e31242-661f-4aae-866d-26d32fbb88c4 | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1; | |
stix:target_ref :attack-pattern--3731fbcd-0e43-47ae-ae6c-d15e510f0d42; | |
dcterms:created "2022-03-30T14:26:51.860Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Monitor for new, unfamiliar DLL files written to a domain controller and/or local computer. Password filters will also show up as an autorun and loaded DLL in lsass.exe.(Citation: Clymb3r Function Hook Passwords Sept 2013)"; | |
dcterms:modified "2022-03-30T14:26:51.860Z"^^xsd:dateTime . | |
:relationship--1477187e-7bd8-4622-8c2d-e5978c1fd29f | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--e8545794-b98c-492b-a5b3-4b5a02682e37; | |
stix:target_ref :attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c; | |
dcterms:created "2019-01-30T17:13:11.897Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[POWERSTATS](https://attack.mitre.org/software/S0223) can deobfuscate the main backdoor code.(Citation: ClearSky MuddyWater Nov 2018)"; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--5e4ec089-c86d-4684-9783-af348d4aaa14 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1; | |
stix:target_ref :attack-pattern--10d51417-ee35-4589-b1ff-b6df1c334e8d; | |
dcterms:created "2018-01-16T16:13:52.465Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Dragonfly used remote access services, including VPN and Outlook Web Access (OWA)."; | |
dcterms:modified "2018-10-23T00:14:20.652Z"^^xsd:dateTime . | |
:attack-pattern--22905430-4901-4c2a-84f6-98243cb173f8 | |
rdf:type d3f:OffensiveTechnique; | |
rdfs:label "Hide Artifacts"; | |
dcterms:created "2020-02-26T17:41:25.933Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection.(Citation: Sofacy Komplex Trojan)(Citation: Cybereason OSX Pirrit)(Citation: MalwareBytes ADS July 2015)\n\nAdversaries may also attempt to hide artifacts associated with malicious behavior by creating computing regions that are isolated from common security instrumentation, such as through the use of virtualization technology.(Citation: Sophos Ragnar May 2020)"; | |
dcterms:modified "2022-05-11T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--22af1cbd-a7fd-4d9f-ba15-d640c217603e | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7; | |
stix:target_ref :malware--64fa0de0-6240-41f4-8638-f4ca7ed528fd; | |
dcterms:created "2019-09-23T23:18:23.730Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "(Citation: FireEye APT41 Aug 2019)"; | |
dcterms:modified "2023-03-23T15:27:10.504Z"^^xsd:dateTime . | |
:relationship--8303719d-b2ed-4860-9af4-57b636c4f865 | |
rdf:type stix:Relationship; | |
stix:source_ref :tool--4b57c098-f043-4da2-83ef-7588a6d426bc; | |
stix:target_ref :attack-pattern--a93494bb-4b80-4ea1-8695-3236a49916fd; | |
dcterms:created "2019-04-23T12:38:37.626Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[PoshC2](https://attack.mitre.org/software/S0378) has modules for brute forcing local administrator and AD user accounts.(Citation: GitHub PoshC2)"; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--05a3d203-4b38-4f38-a015-dcfe3bdf9c07 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--d6b3fcd0-1c86-4350-96f0-965ed02fcc51; | |
stix:target_ref :attack-pattern--0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b; | |
dcterms:created "2021-02-10T18:41:29.203Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Ebury](https://attack.mitre.org/software/S0377) has used user mode rootkit techniques to remain hidden on the system.(Citation: ESET Ebury Oct 2017)"; | |
dcterms:modified "2021-02-10T18:41:29.204Z"^^xsd:dateTime . | |
:relationship--e79c9756-9b81-4711-8e35-6ea330f152a1 | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--b9d031bb-d150-4fc6-8025-688201bf3ffd; | |
stix:target_ref :attack-pattern--7f0ca133-88c4-40c6-a62f-b3083a7fbc2e; | |
dcterms:created "2022-03-30T14:26:51.863Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Monitor for changes made on pre-OS boot mechanisms that can be manipulated for malicious purposes. Take snapshots of boot records and firmware and compare against known good images. Log changes to boot records, BIOS, and EFI"; | |
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--3a9117f6-9244-4d09-a69b-43afbb4d2998 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--2e290bfe-93b5-48ce-97d6-edcd6d32b7cf; | |
stix:target_ref :attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688; | |
dcterms:created "2020-06-16T17:53:18.390Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Gamaredon Group](https://attack.mitre.org/groups/G0047)'s malware can take screenshots of the compromised computer every minute.(Citation: ESET Gamaredon June 2020)\t"; | |
dcterms:modified "2020-06-16T17:53:18.390Z"^^xsd:dateTime . | |
:relationship--3d78512d-1a97-4132-8d8f-cd9ceaf03246 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--0ec2f388-bf0f-4b5c-97b1-fc736d26c25f; | |
stix:target_ref :attack-pattern--bbe5b322-e2af-4a5e-9625-a4e62bf84ed3; | |
dcterms:created "2021-06-10T14:42:56.938Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Kimsuky](https://attack.mitre.org/groups/G0094) has used Twitter to monitor potential victims and to prepare targeted phishing e-mails.(Citation: Malwarebytes Kimsuky June 2021)"; | |
dcterms:modified "2021-06-10T14:42:56.938Z"^^xsd:dateTime . | |
:relationship--62192379-d052-4618-be33-8511d636c67c | |
rdf:type stix:Relationship; | |
stix:source_ref :campaign--0257b35b-93ef-4a70-80dd-ad5258e6045b; | |
stix:target_ref :attack-pattern--a93494bb-4b80-4ea1-8695-3236a49916fd; | |
dcterms:created "2023-03-17T14:56:40.450Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "During [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) performed brute force attacks against administrator accounts.(Citation: ESET Lazarus Jun 2020) "; | |
dcterms:modified "2023-04-07T16:40:27.254Z"^^xsd:dateTime . | |
:relationship--03a2f02b-ca0c-4366-8880-6cb6015fd722 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--d23de441-f9cf-4802-b1ff-f588a11a896b; | |
stix:target_ref :attack-pattern--c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f; | |
dcterms:created "2022-07-08T14:14:43.779Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[CreepySnail](https://attack.mitre.org/software/S1024) can use stolen credentials to authenticate on target networks.(Citation: Microsoft POLONIUM June 2022)"; | |
dcterms:modified "2022-07-25T16:18:35.128Z"^^xsd:dateTime . | |
:relationship--c5a8316e-f45c-432d-beb3-d8de4785dba3 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--03acae53-9b98-46f6-b204-16b930839055; | |
stix:target_ref :attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5; | |
dcterms:created "2022-04-11T17:18:45.080Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[RCSession](https://attack.mitre.org/software/S0662) can collect data from a compromised host.(Citation: Profero APT27 December 2020)(Citation: Trend Micro DRBControl February 2020)"; | |
dcterms:modified "2023-03-26T20:05:38.086Z"^^xsd:dateTime . | |
:malware--308b3d68-a084-4dfb-885a-3125e1a9c1e8 | |
rdf:type stix:Malware; | |
rdfs:label "GreyEnergy"; | |
dcterms:created "2019-01-30T13:53:14.264Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[GreyEnergy](https://attack.mitre.org/software/S0342) is a backdoor written in C and compiled in Visual Studio. [GreyEnergy](https://attack.mitre.org/software/S0342) shares similarities with the [BlackEnergy](https://attack.mitre.org/software/S0089) malware and is thought to be the successor of it.(Citation: ESET GreyEnergy Oct 2018)"; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--4a419b18-5fb2-43a0-8c0a-6521b8d9de63 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--f8dfbc54-b070-4224-b560-79aaa5f835bd; | |
stix:target_ref :attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62; | |
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[H1N1](https://attack.mitre.org/software/S0132) kills and disables services by using cmd.exe.(Citation: Cisco H1N1 Part 2)"; | |
dcterms:modified "2020-03-20T02:27:41.213Z"^^xsd:dateTime . | |
:relationship--b6a22f6c-e7a4-499e-9732-afb37a4e5254 | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077; | |
stix:target_ref :attack-pattern--c63a348e-ffc2-486a-b9d9-d7f11ec54d99; | |
dcterms:created "2022-03-30T14:26:51.858Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Monitor for newly constructed processes and/or command-lines that execute logon scripts"; | |
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--7e7c0aa8-a17e-4079-b1fd-188977cf1a6e | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--687c23e4-4e25-4ee7-a870-c5e002511f54; | |
stix:target_ref :attack-pattern--1c34f7aa-9341-4a48-bfab-af22e51aca6c; | |
dcterms:created "2020-05-13T19:59:39.312Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[DustySky](https://attack.mitre.org/software/S0062) created folders in temp directories to host collected files before exfiltration.(Citation: Kaspersky MoleRATs April 2019)"; | |
dcterms:modified "2020-05-13T19:59:39.312Z"^^xsd:dateTime . | |
:relationship--ad4a2d0b-a268-4334-903c-153858088138 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--7113eaa5-ba79-4fb3-b68a-398ee9cd698e; | |
stix:target_ref :attack-pattern--232a7e42-cd6e-4902-8fe9-2960f529dd4d; | |
dcterms:created "2021-08-31T15:25:13.471Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Leviathan](https://attack.mitre.org/groups/G0065) has utilized OLE as a method to insert malicious content inside various phishing documents. (Citation: Accenture MUDCARP March 2019)"; | |
dcterms:modified "2021-08-31T15:25:13.471Z"^^xsd:dateTime . | |
:x-mitre-data-component--2e521444-7295-4dec-96c1-7595b2df7811 | |
rdf:type :MitreDataComponent; | |
rdfs:label "Active DNS"; | |
dcterms:created "2021-10-20T15:05:19.275Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Queried domain name system (DNS) registry data highlighting current domain to IP address resolutions (ex: dig/nslookup queries)"; | |
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--c08ebacd-b5e4-48c3-8ee6-389c635801da | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--bdee9574-7479-4073-a7dc-e86d8acd073a; | |
stix:target_ref :attack-pattern--a9d4b653-6915-42af-98b2-5758c4ceee56; | |
dcterms:created "2022-06-09T14:44:16.021Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[MacMa](https://attack.mitre.org/software/S1016) can execute supplied shell commands and uses bash scripts to perform additional actions.(Citation: ESET DazzleSpy Jan 2022)(Citation: Objective-See MacMa Nov 2021)"; | |
dcterms:modified "2022-06-30T21:25:02.663Z"^^xsd:dateTime . | |
:relationship--aee0bd8a-1900-448b-bd88-5493f9ed8d28 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--5e78ae92-3ffd-4b16-bf62-e798529d73f1; | |
stix:target_ref :attack-pattern--43e7dc91-05b2-474c-b9ac-2ed4fe101f4d; | |
dcterms:created "2020-05-14T21:40:31.248Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Sharpshooter](https://attack.mitre.org/groups/G0104) has leveraged embedded shellcode to inject a downloader into the memory of Word.(Citation: McAfee Sharpshooter December 2018)"; | |
dcterms:modified "2022-10-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--fe8a320f-e5e5-4503-8c3a-5c21b628a61d | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--fb366179-766c-4a4a-afa1-52bff1fd601c; | |
stix:target_ref :attack-pattern--7e150503-88e7-4861-866b-ff1ac82c4475; | |
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Threat Group-3390](https://attack.mitre.org/groups/G0027) has used `net use` and `netstat` to conduct internal discovery of systems. The group has also used `quser.exe` to identify existing RDP sessions on a victim.(Citation: SecureWorks BRONZE UNION June 2017)"; | |
dcterms:modified "2022-04-11T16:27:36.517Z"^^xsd:dateTime . | |
:relationship--b94e707d-b2f8-4b68-acac-44d3777dd93f | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--17b40f60-729f-4fe8-8aea-cc9ee44a95d5; | |
stix:target_ref :attack-pattern--24bfaeba-cb0d-4525-b3dc-507c77ecec41; | |
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[RedLeaves](https://attack.mitre.org/software/S0153) has encrypted C2 traffic with RC4, previously using keys of 88888888 and babybear.(Citation: PWC Cloud Hopper Technical Annex April 2017)"; | |
dcterms:modified "2023-03-23T15:14:18.638Z"^^xsd:dateTime . | |
:attack-pattern--d742a578-d70e-4d0e-96a6-02a9c30204e6 | |
rdf:type d3f:OffensiveTechnique; | |
rdfs:label "Drive-by Compromise"; | |
dcterms:created "2018-04-18T17:59:24.739Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation, but adversaries may also use compromised websites for non-exploitation behavior such as acquiring [Application Access Token](https://attack.mitre.org/techniques/T1550/001).\n\nMultiple ways of delivering exploit code to a browser exist (i.e., [Drive-by Target](https://attack.mitre.org/techniques/T1608/004)), including:\n\n* A legitimate website is compromised where adversaries have injected some form of malicious code such as JavaScript, iFrames, and cross-site scripting\n* Script files served to a legitimate website from a publicly writeable cloud storage bucket are modified by an adversary\n* Malicious ads are paid for and served through legitimate ad providers (i.e., [Malvertising](https://attack.mitre.org/techniques/T1583/008))\n* Built-in web application interfaces are leveraged for the insertion of any other kind of object that can be used to display web content or contain a script that executes on the visiting client (e.g. forum posts, comments, and other user controllable web content).\n\nOften the website used by an adversary is one visited by a specific community, such as government, a particular industry, or region, where the goal is to compromise a specific user or set of users based on a shared interest. This kind of targeted campaign is often referred to a strategic web compromise or watering hole attack. There are several known examples of this occurring.(Citation: Shadowserver Strategic Web Compromise)\n\nTypical drive-by compromise process:\n\n1. A user visits a website that is used to host the adversary controlled content.\n2. Scripts automatically execute, typically searching versions of the browser and plugins for a potentially vulnerable version. \n * The user may be required to assist in this process by enabling scripting or active website components and ignoring warning dialog boxes.\n3. Upon finding a vulnerable version, exploit code is delivered to the browser.\n4. If exploitation is successful, then it will give the adversary code execution on the user's system unless other protections are in place.\n * In some cases a second visit to the website after the initial scan is required before exploit code is delivered.\n\nUnlike [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190), the focus of this technique is to exploit software on a client endpoint upon visiting a website. This will commonly give an adversary access to systems on the internal network instead of external systems that may be in a DMZ.\n\nAdversaries may also use compromised websites to deliver a user to a malicious application designed to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s, like OAuth tokens, to gain access to protected applications and information. These malicious applications have been delivered through popups on legitimate websites.(Citation: Volexity OceanLotus Nov 2017)"; | |
dcterms:modified "2023-05-09T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--728dce0a-125c-4d66-8622-36d4d909352b | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--7113eaa5-ba79-4fb3-b68a-398ee9cd698e; | |
stix:target_ref :attack-pattern--4ab929c6-ee2d-4fb5-aab4-b14be2ed7179; | |
dcterms:created "2018-04-18T17:59:24.739Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Leviathan](https://attack.mitre.org/groups/G0065) has used JavaScript to create a shortcut file in the Startup folder that points to its main backdoor.(Citation: Proofpoint Leviathan Oct 2017)(Citation: FireEye Periscope March 2018)"; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--eed81627-aed7-477a-91e2-7be09c3d68e6 | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077; | |
stix:target_ref :attack-pattern--2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64; | |
dcterms:created "2022-03-30T14:26:51.839Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Monitor for newly executed processes that are associated with COM objects, especially those invoked by a user different than the one currently logged on."; | |
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--1e27ff4a-fa86-46b1-8aea-748ec398b47e | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--4a2ce82e-1a74-468a-a6fb-bbead541383c; | |
stix:target_ref :malware--8ab98e25-1672-4b5f-a2fb-e60f08a5ea9e; | |
dcterms:created "2018-04-18T17:59:24.739Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "(Citation: FireEye APT37 Feb 2018)"; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--43ab17df-742f-4bc5-815a-7da2feed73f0 | |
rdf:type stix:Relationship; | |
stix:source_ref :tool--6a5947f3-1a36-4653-8734-526df3e1d28d; | |
stix:target_ref :attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1; | |
dcterms:created "2023-09-20T18:15:42.222Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[AsyncRAT](https://attack.mitre.org/software/S1087) can check the disk size through the values obtained with `DeviceInfo.`(Citation: Telefonica Snip3 December 2021)"; | |
dcterms:modified "2023-09-20T18:36:12.828Z"^^xsd:dateTime . | |
:relationship--ec456b9e-db3e-44df-8288-adf086a0c0bb | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--987988f0-cf86-4680-a875-2f6456ab2448; | |
stix:target_ref :attack-pattern--c1b11bf7-c68e-4fbf-a95b-28efbe7953bb; | |
dcterms:created "2019-06-24T11:01:58.826Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Ensure proper file permissions are set and harden system to prevent root privilege escalation opportunities."; | |
dcterms:modified "2023-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--c87a4238-eaec-4df1-b8b4-3f69aded080a | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--7f70fae7-a68d-4730-a83a-f260b9606129; | |
stix:target_ref :attack-pattern--34f1d81d-fe88-4f97-bd3b-a3164536255d; | |
dcterms:created "2022-03-30T14:26:51.833Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Audit the Registry entries relevant for enabling add-ins.(Citation: GlobalDotName Jun 2019)(Citation: MRWLabs Office Persistence Add-ins)"; | |
dcterms:modified "2022-03-30T14:26:51.833Z"^^xsd:dateTime . | |
:relationship--72b03734-7e03-4cfe-8f0f-2d366febfb79 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--1492d0f8-7e14-4af3-9239-bc3fe10d3407; | |
stix:target_ref :attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2; | |
dcterms:created "2019-06-05T17:31:22.358Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Ursnif](https://attack.mitre.org/software/S0386) has used strings from legitimate system files and existing folders for its file, folder, and Registry entry names.(Citation: TrendMicro Ursnif Mar 2015)"; | |
dcterms:modified "2020-03-18T16:10:39.776Z"^^xsd:dateTime . | |
:relationship--1955e188-265f-41db-aebd-4a7cab2e515b | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--5297a638-1382-4f0c-8472-0d21830bf705; | |
stix:target_ref :attack-pattern--6747daa2-3533-4e78-8fb8-446ebb86448a; | |
dcterms:created "2021-11-10T09:30:48.736232Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--c257d040-c058-42db-ad75-1abb7b06e616 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--0ec2f388-bf0f-4b5c-97b1-fc736d26c25f; | |
stix:target_ref :malware--8bdfe255-e658-4ddd-a11c-b854762e451d; | |
dcterms:created "2020-11-06T19:01:02.254Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "(Citation: Cybereason Kimsuky November 2020)"; | |
dcterms:modified "2020-11-06T19:01:02.254Z"^^xsd:dateTime . | |
:relationship--bd315928-0b74-491c-b526-ee5e1841842b | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--94379dec-5c87-49db-b36e-66abc0b81344; | |
stix:target_ref :attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e; | |
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Derusbi](https://attack.mitre.org/software/S0021) beacons to destination port 443.(Citation: Fidelis Turbo)"; | |
dcterms:modified "2022-10-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--dc0cf30b-ec44-4b5a-8c45-f93e48974a05 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--47afe41c-4c08-485e-b062-c3bd209a1cce; | |
stix:target_ref :attack-pattern--2fee9321-3e71-4cf4-af24-d4d40d355b34; | |
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[InvisiMole](https://attack.mitre.org/software/S0260) can be launched by using DLL search order hijacking in which the wrapper DLL is placed in the same folder as explorer.exe and loaded during startup into the Windows Explorer process instead of the legitimate library.(Citation: ESET InvisiMole June 2018)"; | |
dcterms:modified "2020-03-17T00:09:26.264Z"^^xsd:dateTime . | |
:relationship--9a8ca137-d0ec-4861-ad1b-0686bf6ac4c9 | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--a98be93b-a75b-4dd4-8a72-4dfd0b5e25bb; | |
stix:target_ref :attack-pattern--51ea26b1-ff1e-4faa-b1a0-1114cd298c87; | |
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:modified "2023-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--0b4cd78b-e0af-4123-b2aa-02ad66cca419 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--79499993-a8d6-45eb-b343-bf58dea5bdde; | |
stix:target_ref :attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32; | |
dcterms:created "2018-04-18T17:59:24.739Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Briba](https://attack.mitre.org/software/S0204) installs a service pointing to a malicious DLL dropped to disk.(Citation: Symantec Briba May 2012)"; | |
dcterms:modified "2021-02-09T14:56:14.783Z"^^xsd:dateTime . | |
:relationship--4053d6f5-e594-4b52-96a2-2b7c0fa7d332 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--f4c80d39-ce10-4f74-9b50-a7e3f5df1f2e; | |
stix:target_ref :attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0; | |
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Comnie](https://attack.mitre.org/software/S0244) uses <code>ipconfig /all</code> and <code>route PRINT</code> to identify network adapter and interface information.(Citation: Palo Alto Comnie)"; | |
dcterms:modified "2020-03-17T00:43:32.010Z"^^xsd:dateTime . | |
:relationship--cdd38074-895f-40e8-85fb-acc1aa4ecb69 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--6713ab67-e25b-49cc-808d-2b36d4fbc35c; | |
stix:target_ref :attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62; | |
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Ke3chang](https://attack.mitre.org/groups/G0004) has used batch scripts in its malware to install persistence mechanisms.(Citation: NCC Group APT15 Alive and Strong)"; | |
dcterms:modified "2021-03-29T19:54:46.285Z"^^xsd:dateTime . | |
:relationship--f5cc5037-067a-4e29-90c4-775152d76a8f | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--0715560d-4299-4e84-9e20-6e80ab57e4f2; | |
stix:target_ref :attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0; | |
dcterms:created "2022-02-02T13:03:25.614Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Torisma](https://attack.mitre.org/software/S0678) can collect the local MAC address using `GetAdaptersInfo` as well as the system's IP address.(Citation: McAfee Lazarus Nov 2020)"; | |
dcterms:modified "2022-04-13T20:21:52.383Z"^^xsd:dateTime . | |
:relationship--0ef0077e-ee87-4e67-a466-2085a9148fc9 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--d0b3393b-3bec-4ba3-bda9-199d30db47b6; | |
stix:target_ref :attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67; | |
dcterms:created "2019-01-31T02:01:45.707Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[FIN4](https://attack.mitre.org/groups/G0085) has used VBA macros to display a dialog box and collect victim credentials.(Citation: FireEye Hacking FIN4 Dec 2014)(Citation: FireEye Hacking FIN4 Video Dec 2014)"; | |
dcterms:modified "2023-02-01T21:27:44.785Z"^^xsd:dateTime . | |
:malware--8bdfe255-e658-4ddd-a11c-b854762e451d | |
rdf:type stix:Malware; | |
rdfs:label "KGH_SPY"; | |
dcterms:created "2020-11-06T18:58:35.456Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[KGH_SPY](https://attack.mitre.org/software/S0526) is a modular suite of tools used by [Kimsuky](https://attack.mitre.org/groups/G0094) for reconnaissance, information stealing, and backdoor capabilities. [KGH_SPY](https://attack.mitre.org/software/S0526) derived its name from PDB paths and internal names found in samples containing \"KGH\".(Citation: Cybereason Kimsuky November 2020)"; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--0a507d28-ef6b-417b-a968-e82608e8b6a8 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--f9d6633a-55e6-4adc-9263-6ae080421a13; | |
stix:target_ref :attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279; | |
dcterms:created "2018-01-16T16:13:52.465Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Magic Hound](https://attack.mitre.org/groups/G0059) malware has used Registry Run keys to establish persistence.(Citation: Unit 42 Magic Hound Feb 2017)(Citation: DFIR Phosphorus November 2021)(Citation: Microsoft Iranian Threat Actor Trends November 2021)"; | |
dcterms:modified "2023-01-12T20:29:53.513Z"^^xsd:dateTime . | |
:relationship--53d7fdab-05fb-4427-b0e0-11463e05b3f3 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--16040b1c-ed28-4850-9d8f-bb8b81c42092; | |
stix:target_ref :attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1; | |
dcterms:created "2021-11-30T16:13:37.290Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[ThreatNeedle](https://attack.mitre.org/software/S0665) can collect system profile information from a compromised host.(Citation: Kaspersky ThreatNeedle Feb 2021)"; | |
dcterms:modified "2022-04-13T13:20:08.961Z"^^xsd:dateTime . | |
:relationship--23c6c48b-f602-43f9-9c23-d4e46fba9194 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced744dd12; | |
stix:target_ref :attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161; | |
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Dark Caracal](https://attack.mitre.org/groups/G0070)'s version of [Bandook](https://attack.mitre.org/software/S0234) communicates with their server over a TCP port using HTTP payloads Base64 encoded and suffixed with the string “&&&”.(Citation: Lookout Dark Caracal Jan 2018)"; | |
dcterms:modified "2020-03-17T00:51:35.118Z"^^xsd:dateTime . | |
:relationship--cc89825f-1180-40df-8353-ce8b42a848a5 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--d6b3fcd0-1c86-4350-96f0-965ed02fcc51; | |
stix:target_ref :attack-pattern--c1b11bf7-c68e-4fbf-a95b-28efbe7953bb; | |
dcterms:created "2019-04-23T15:49:35.557Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Ebury](https://attack.mitre.org/software/S0377) has hijacked the OpenSSH process by injecting into the existing session as opposed to creating a new session."; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--c1884e62-7b2e-45a1-89fd-c76b1b717f50 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--a60657fa-e2e7-4f8f-8128-a882534ae8c5; | |
stix:target_ref :attack-pattern--b46a801b-fd98-491c-a25a-bca25d6e3001; | |
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[OwaAuth](https://attack.mitre.org/software/S0072) has been loaded onto Exchange servers and disguised as an ISAPI filter (owaauth.dll). The IIS w3wp.exe process then loads the malicious DLL.(Citation: Dell TG-3390)"; | |
dcterms:modified "2021-06-17T19:03:17.474Z"^^xsd:dateTime . | |
:relationship--283bdd5f-f356-43a2-864c-6f8211073d45 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--96566860-9f11-4b6f-964d-1c924e4f24a4; | |
stix:target_ref :attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c; | |
dcterms:created "2018-01-16T16:13:52.465Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Starloader](https://attack.mitre.org/software/S0188) decrypts and executes shellcode from a file called Stars.jps.(Citation: Symantec Sowbug Nov 2017)"; | |
dcterms:modified "2020-03-18T16:01:37.932Z"^^xsd:dateTime . | |
:relationship--90974f03-7f61-479e-bceb-6f26872d4812 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--47afe41c-4c08-485e-b062-c3bd209a1cce; | |
stix:target_ref :attack-pattern--f6dacc85-b37d-458e-b58d-74fc4bbf5755; | |
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[InvisiMole](https://attack.mitre.org/software/S0260) can function as a proxy to create a server that relays communication between the client and C&C server, or between two clients.(Citation: ESET InvisiMole June 2018)"; | |
dcterms:modified "2020-03-23T16:40:20.061Z"^^xsd:dateTime . | |
:relationship--924b50b9-7de3-4036-b732-c87d08971122 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--326af1cd-78e7-45b7-a326-125d2f7ef8f2; | |
stix:target_ref :attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4; | |
dcterms:created "2021-09-07T14:18:54.884Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Crimson](https://attack.mitre.org/software/S0115) can set a Registry key to determine how long it has been installed and possibly to indicate the version number.(Citation: Proofpoint Operation Transparent Tribe March 2016)"; | |
dcterms:modified "2021-10-15T14:37:09.926Z"^^xsd:dateTime . | |
:relationship--d37d5ca7-59f1-4938-83a6-64d30675a386 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--64122557-5940-4271-9123-25bfc0c693db; | |
stix:target_ref :attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597; | |
dcterms:created "2020-11-10T19:09:21.275Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Javali](https://attack.mitre.org/software/S0528) has been delivered as malicious e-mail attachments.(Citation: Securelist Brazilian Banking Malware July 2020)"; | |
dcterms:modified "2020-11-10T19:09:21.275Z"^^xsd:dateTime . | |
:relationship--8bfac9d6-8d6d-4a2f-9718-4015f231fdae | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--0ec2f388-bf0f-4b5c-97b1-fc736d26c25f; | |
stix:target_ref :attack-pattern--cba37adb-d6fb-4610-b069-dd04c0643384; | |
dcterms:created "2022-03-15T20:02:43.828Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Kimsuky](https://attack.mitre.org/groups/G0094) has checked for the presence of antivirus software with <code>powershell Get-CimInstance -Namespace root/securityCenter2 – classname antivirusproduct</code>.(Citation: KISA Operation Muzabi)"; | |
dcterms:modified "2022-03-15T20:02:43.828Z"^^xsd:dateTime . | |
:relationship--fed23938-8fbc-4b67-8452-f2f413eed291 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192; | |
stix:target_ref :attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2; | |
dcterms:created "2020-06-10T21:56:40.151Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Sandworm Team](https://attack.mitre.org/groups/G0034) has avoided detection by naming a malicious binary explorer.exe.(Citation: ESET Telebots Dec 2016)(Citation: US District Court Indictment GRU Unit 74455 October 2020)"; | |
dcterms:modified "2020-11-25T21:00:57.830Z"^^xsd:dateTime . | |
:relationship--40356b61-2279-47ef-b7bd-4b355e2fb98a | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--174279b4-399f-4ddb-966e-5efedd1dd5f2; | |
stix:target_ref :attack-pattern--e358d692-23c0-4a31-9eb6-ecc13a8d7735; | |
dcterms:created "2023-07-31T18:41:12.452Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Volt Typhoon](https://attack.mitre.org/groups/G1017) has used multiple methods, including [Ping](https://attack.mitre.org/software/S0097), to enumerate systems on compromised networks.(Citation: Microsoft Volt Typhoon May 2023)(Citation: Secureworks BRONZE SILHOUETTE May 2023)"; | |
dcterms:modified "2023-08-03T20:19:25.596Z"^^xsd:dateTime . | |
:relationship--d9416afb-0aeb-4ee3-bd96-dc331f40f37d | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7; | |
stix:target_ref :attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18; | |
dcterms:created "2020-04-30T20:31:37.999Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[APT41](https://attack.mitre.org/groups/G0096) has executed <code>file /bin/pwd</code> on exploited victims, perhaps to return architecture related information.(Citation: FireEye APT41 March 2020)"; | |
dcterms:modified "2020-05-01T15:05:46.940Z"^^xsd:dateTime . | |
:relationship--e342ee2b-d7b6-4a48-a689-06a68efe589e | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--edc5e045-5401-42bb-ad92-52b5b2ee0de9; | |
stix:target_ref :attack-pattern--e3b6daca-e963-4a69-aee6-ed4fd653ad58; | |
dcterms:created "2021-09-30T15:45:56.571Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[QakBot](https://attack.mitre.org/software/S0650) can enumerate a list of installed programs.(Citation: Group IB Ransomware September 2020)"; | |
dcterms:modified "2021-09-30T15:45:56.571Z"^^xsd:dateTime . | |
:relationship--774302ff-3ab9-4328-a434-6188efe0928a | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--f99f3dcc-683f-4936-8791-075ac5e58f10; | |
stix:target_ref :attack-pattern--cd25c1b4-935c-4f0e-ba8d-552f28bc4783; | |
dcterms:created "2020-05-18T21:01:51.374Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[LoudMiner](https://attack.mitre.org/software/S0451) harvested system resources to mine cryptocurrency, using XMRig to mine Monero.(Citation: ESET LoudMiner June 2019)\t"; | |
dcterms:modified "2020-06-29T23:06:26.175Z"^^xsd:dateTime . | |
:relationship--3fbe7146-c706-446c-a3ea-6a0704812835 | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8; | |
stix:target_ref :attack-pattern--bf96a5a3-3bce-43b7-8597-88545984c07b; | |
dcterms:created "2022-03-30T14:26:51.861Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Monitor for changes made to files that may execute their own malicious payloads by hijacking vulnerable file path references."; | |
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--7b59aa8f-d9d6-4bb5-b2ca-6fc1d36c1550 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f; | |
stix:target_ref :attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670; | |
dcterms:created "2020-12-17T19:40:29.547Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[menuPass](https://attack.mitre.org/groups/G0045) has used native APIs including <code>GetModuleFileName</code>, <code>lstrcat</code>, <code>CreateFile</code>, and <code>ReadFile</code>.(Citation: Symantec Cicada November 2020)"; | |
dcterms:modified "2020-12-29T16:51:25.615Z"^^xsd:dateTime . | |
:relationship--ec5caf8f-0fb8-4c3b-bd31-08804ff2214e | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--d8bc9788-4f7d-41a9-9e9d-ee1ea18a8cf7; | |
stix:target_ref :attack-pattern--f232fa7a-025c-4d43-abc7-318e81a73d65; | |
dcterms:created "2022-06-10T17:10:42.165Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[LAPSUS$](https://attack.mitre.org/groups/G1004) has used compromised credentials to access cloud assets within a target organization.(Citation: MSTIC DEV-0537 Mar 2022)"; | |
dcterms:modified "2022-10-12T12:57:31.067Z"^^xsd:dateTime . | |
:relationship--4467fb1b-60fe-4e13-a32a-8c1f60a66782 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--cc4c1287-9c86-4447-810c-744f3880ec37; | |
stix:target_ref :attack-pattern--f3c544dc-673c-4ef3-accb-53229f1ae077; | |
dcterms:created "2021-01-07T20:28:30.072Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Egregor](https://attack.mitre.org/software/S0554) contains functionality to query the local/system time.(Citation: JoeSecurity Egregor 2020)"; | |
dcterms:modified "2021-01-07T20:28:30.072Z"^^xsd:dateTime . | |
:relationship--6eac5e98-29dd-4dae-8375-b459b87f28c8 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--54dfec3e-6464-4f74-9d69-b7c817b7e5a3; | |
stix:target_ref :tool--0a68f1f1-da74-4d28-8d9a-696c082706cc; | |
dcterms:created "2021-03-30T20:16:51.220Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "(Citation: Malwarebytes Higaisa 2020)(Citation: PTSecurity Higaisa 2020)"; | |
dcterms:modified "2021-03-30T20:16:51.220Z"^^xsd:dateTime . | |
:relationship--9d7c40f1-44ad-47ec-9a07-bc3b8f2d2cd1 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--925a6c52-5cf0-4fec-99de-b0d6917d8593; | |
stix:target_ref :attack-pattern--7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c; | |
dcterms:created "2020-12-07T20:17:08.002Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Crutch](https://attack.mitre.org/software/S0538) has established persistence with a scheduled task impersonating the Outlook item finder.(Citation: ESET Crutch December 2020)"; | |
dcterms:modified "2020-12-07T20:17:08.002Z"^^xsd:dateTime . | |
:relationship--12853add-45f8-4dfb-9d64-af39b1575dcf | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192; | |
stix:target_ref :attack-pattern--b1ccd744-3f78-4a0e-9bb2-2002057f7928; | |
dcterms:created "2020-11-25T20:37:53.605Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Sandworm Team](https://attack.mitre.org/groups/G0034) has established social media accounts to disseminate victim internal-only documents and other sensitive data.(Citation: US District Court Indictment GRU Unit 74455 October 2020)"; | |
dcterms:modified "2020-11-25T20:37:53.606Z"^^xsd:dateTime . | |
:course-of-action--15437c6d-b998-4a36-be41-4ace3d54d266 | |
rdf:type stix:CourseOfAction; | |
rdfs:label "Vulnerability Scanning"; | |
dcterms:created "2019-06-06T16:47:30.700Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them."; | |
dcterms:modified "2020-07-14T22:22:06.356Z"^^xsd:dateTime . | |
:relationship--85129fbd-3b2f-4cc5-af3d-1d9c1dd8cdab | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--0dcbbf4f-929c-489a-b66b-9b820d3f7f0e; | |
stix:target_ref :attack-pattern--04a5a8ab-3bc8-4c83-95c9-55274a89786d; | |
dcterms:created "2022-07-08T12:42:47.567Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Once adversaries leverage serverless functions as infrastructure (ex: for command and control), it may be possible to look for unique characteristics associated with adversary software, if known.(Citation: ThreatConnect Infrastructure Dec 2020) Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle. "; | |
dcterms:modified "2022-07-08T12:42:47.567Z"^^xsd:dateTime . | |
:relationship--50cc59f8-6d62-4140-b5c6-40da528a5e13 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--03506554-5f37-4f8f-9ce4-0e9f01a1b484; | |
stix:target_ref :malware--e9e9bfe2-76f4-4870-a2a1-b7af89808613; | |
dcterms:created "2018-04-18T17:59:24.739Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "(Citation: Symantec Elderwood Sept 2012)"; | |
dcterms:modified "2021-01-06T19:32:28.397Z"^^xsd:dateTime . | |
:relationship--ed40dd97-0ad0-4501-8f1e-a4bd4625432d | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--cfc75b0d-e579-40ae-ad07-a1ce00d49a6c; | |
stix:target_ref :attack-pattern--f1951e8a-500e-4a26-8803-76d95c4554b4; | |
dcterms:created "2022-01-05T16:57:22.723Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[ZxShell](https://attack.mitre.org/software/S0412) can create a new service for execution.(Citation: Talos ZxShell Oct 2014)"; | |
dcterms:modified "2022-01-05T16:57:22.723Z"^^xsd:dateTime . | |
:relationship--bc70728d-9f56-43df-8580-1d22c829bd14 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--be25c1c0-1590-4219-a3d5-6f31799d1d1b; | |
stix:target_ref :attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670; | |
dcterms:created "2022-09-26T15:21:53.140Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[FunnyDream](https://attack.mitre.org/software/S1044) can use Native API for defense evasion, discovery, and collection.(Citation: Bitdefender FunnyDream Campaign November 2020)"; | |
dcterms:modified "2022-09-26T17:46:21.390Z"^^xsd:dateTime . | |
:relationship--7744eff7-6f61-4e1d-a3be-069a417a9ff6 | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077; | |
stix:target_ref :attack-pattern--4061e78c-1284-44b4-9116-73e4ac3912f7; | |
dcterms:created "2022-03-30T14:26:51.865Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Monitor for applications and processes related to remote admin software. Correlate activity with other suspicious behavior that may reduce false positives if this type of software is used by legitimate users and administrators. [Domain Fronting](https://attack.mitre.org/techniques/T1090/004) may be used in conjunction to avoid defenses. Adversaries will likely need to deploy and/or install these remote software to compromised systems. It may be possible to detect or prevent the installation of this type of software with host-based solutions."; | |
dcterms:modified "2023-08-28T15:00:07.079Z"^^xsd:dateTime . | |
:relationship--35928199-0073-4000-b2f8-726ab2d41a06 | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--2f316f6c-ae42-44fe-adf8-150989e0f6d3; | |
stix:target_ref :attack-pattern--8f504411-cb96-4dac-a537-8d2bb7679c59; | |
dcterms:created "2020-02-21T20:56:06.721Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Make sure that the <code>HISTCONTROL</code> environment variable is set to “ignoredups” instead of “ignoreboth” or “ignorespace”."; | |
dcterms:modified "2020-10-27T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--7ccf3e90-8099-4445-b39f-956d2807189b | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--60a9c2f0-b7a5-4e8e-959c-e1a3ff314a5f; | |
stix:target_ref :attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d; | |
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[ROKRAT](https://attack.mitre.org/software/S0240) can send collected files back over same C2 channel.(Citation: Talos ROKRAT)"; | |
dcterms:modified "2022-03-22T17:21:33.393Z"^^xsd:dateTime . | |
:relationship--14039b88-3e1f-4d21-a0a0-968a15451db1 | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--e3388c78-2a8d-47c2-8422-c1398b324462; | |
stix:target_ref :attack-pattern--f232fa7a-025c-4d43-abc7-318e81a73d65; | |
dcterms:created "2023-02-21T20:48:13.657Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Disable legacy authentication, which does not support MFA, and require the use of modern authentication protocols instead. "; | |
dcterms:modified "2023-02-22T14:25:00.238Z"^^xsd:dateTime . | |
:relationship--3b81ee4f-c583-477f-b2e4-d1801da7bac8 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--54a01db0-9fab-4d5f-8209-53cef8425f4a; | |
stix:target_ref :attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0; | |
dcterms:created "2020-09-24T14:35:41.637Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[FatDuke](https://attack.mitre.org/software/S0512) can identify the MAC address on the target computer.(Citation: ESET Dukes October 2019)"; | |
dcterms:modified "2020-10-09T16:08:00.601Z"^^xsd:dateTime . | |
:relationship--496378e6-ab36-4d3b-9ae3-c493a5b56877 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--7551188b-8f91-4d34-8350-0d0c57b2b913; | |
stix:target_ref :attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580; | |
dcterms:created "2019-01-29T21:57:39.556Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Elise](https://attack.mitre.org/software/S0081) enumerates processes via the <code>tasklist</code> command.(Citation: Accenture Dragonfish Jan 2018)"; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--155554a0-2a5b-44e3-9942-562b8b0e30c0 | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8; | |
stix:target_ref :attack-pattern--3d333250-30e4-4a82-9edc-756c68afc529; | |
dcterms:created "2023-10-03T03:36:18.645Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Monitor changes made to configuration files that contain settings for logging and defensive tools."; | |
dcterms:modified "2023-10-03T03:36:18.645Z"^^xsd:dateTime . | |
:relationship--9d4aa0d4-b460-4320-8c46-2d6ffbe675af | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f; | |
stix:target_ref :tool--b76b2d94-60e4-4107-a903-4a3a7622fb3b; | |
dcterms:created "2019-04-10T16:16:23.918Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "(Citation: Symantec Elfin Mar 2019)"; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--bda95df4-bf1d-4a49-b847-cf4f3fd5f51c | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--5e814485-012d-423d-b769-026bfed0f451; | |
stix:target_ref :attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a; | |
dcterms:created "2021-11-22T17:54:11.265Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[HyperBro](https://attack.mitre.org/software/S0398) can be delivered encrypted to a compromised host.(Citation: Trend Micro DRBControl February 2020)"; | |
dcterms:modified "2021-11-22T17:54:11.265Z"^^xsd:dateTime . | |
:attack-pattern--3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d | |
rdf:type d3f:OffensiveTechnique; | |
rdfs:label "Custom Cryptographic Protocol"; | |
dcterms:created "2017-05-31T21:30:31.197Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Adversaries may use a custom cryptographic protocol or algorithm to hide command and control traffic. A simple scheme, such as XOR-ing the plaintext with a fixed key, will produce a very weak ciphertext.\n\nCustom encryption schemes may vary in sophistication. Analysis and reverse engineering of malware samples may be enough to discover the algorithm and encryption key used.\n\nSome adversaries may also attempt to implement their own version of a well-known cryptographic algorithm instead of using a known implementation library, which may lead to unintentional errors. (Citation: F-Secure Cosmicduke)"; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--ab27d055-77bb-4a3d-89b2-771e532f7384 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--e811ff6a-4cef-4856-a6ae-a7daf9ed39ae; | |
stix:target_ref :attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18; | |
dcterms:created "2018-04-18T17:59:24.739Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Pasam](https://attack.mitre.org/software/S0208) creates a backdoor through which remote attackers can retrieve lists of files.(Citation: Symantec Pasam May 2012)"; | |
dcterms:modified "2020-02-11T19:38:06.237Z"^^xsd:dateTime . | |
:relationship--630e409c-c874-465c-bbb1-6b7778e2939b | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--a7f57cc1-4540-4429-823f-f4e56b8473c9; | |
stix:target_ref :attack-pattern--32901740-b42c-4fdd-bc02-345b5dc57082; | |
dcterms:created "2022-08-03T15:23:27.686Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Ember Bear](https://attack.mitre.org/groups/G1003) has used stolen certificates from Electrum Technologies GmbH to sign payloads.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )"; | |
dcterms:modified "2022-10-14T16:10:37.172Z"^^xsd:dateTime . | |
:relationship--0a1b48b9-2063-449d-a316-c6760267720f | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--be25c1c0-1590-4219-a3d5-6f31799d1d1b; | |
stix:target_ref :attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32; | |
dcterms:created "2022-09-26T13:53:16.527Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[FunnyDream](https://attack.mitre.org/software/S1044) has established persistence by running `sc.exe` and by setting the `WSearch` service to run automatically.(Citation: Bitdefender FunnyDream Campaign November 2020)"; | |
dcterms:modified "2022-10-11T12:38:27.953Z"^^xsd:dateTime . | |
:relationship--396edbf6-41b5-4377-90b6-4967c24de7fb | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--e48df773-7c95-4a4c-ba70-ea3d15900148; | |
stix:target_ref :attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1; | |
dcterms:created "2018-01-16T16:13:52.465Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[DownPaper](https://attack.mitre.org/software/S0186) collects the victim host name and serial number, and then sends the information to the C2 server.(Citation: ClearSky Charming Kitten Dec 2017)"; | |
dcterms:modified "2020-03-17T00:54:56.983Z"^^xsd:dateTime . | |
:relationship--3318f441-6593-4a7b-bb7f-53ab15a1a672 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--9b19d6b4-cfcb-492f-8ca8-8449e7331573; | |
stix:target_ref :attack-pattern--3257eb21-f9a7-4430-8de1-d8b6e288f529; | |
dcterms:created "2020-05-11T22:12:28.674Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[MESSAGETAP](https://attack.mitre.org/software/S0443) uses the libpcap library to listen to all traffic and parses network protocols starting with Ethernet and IP layers. It continues parsing protocol layers including SCTP, SCCP, and TCAP and finally extracts SMS message data and routing metadata. (Citation: FireEye MESSAGETAP October 2019)"; | |
dcterms:modified "2020-06-24T01:43:11.274Z"^^xsd:dateTime . | |
:relationship--27e91ac8-9463-4a7a-8f1f-89abeba1b02d | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c; | |
stix:target_ref :attack-pattern--cbb66055-0325-4111-aca0-40547b6ad5b0; | |
dcterms:created "2019-10-10T21:54:00.462Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[APT28](https://attack.mitre.org/groups/G0007) has used the WindowStyle parameter to conceal [PowerShell](https://attack.mitre.org/techniques/T1059/001) windows.(Citation: Palo Alto Sofacy 06-2018) (Citation: McAfee APT28 DDE1 Nov 2017)"; | |
dcterms:modified "2021-02-09T13:46:50.756Z"^^xsd:dateTime . | |
:relationship--ec30b3a9-69b4-4604-9def-db9e904df309 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--76abb3ef-dafd-4762-97cb-a35379429db4; | |
stix:target_ref :attack-pattern--3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d; | |
dcterms:created "2018-01-16T16:13:52.465Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Gazer](https://attack.mitre.org/software/S0168) uses custom encryption for C2 using 3DES and RSA."; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--42ab2855-fe9b-4ed2-bef7-db3a9dcf5a89 | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--383caaa3-c46a-4f61-b2e3-653eb132f0e7; | |
stix:target_ref :attack-pattern--1608f3e1-598a-42f4-a01a-2e252e81728f; | |
dcterms:created "2017-05-31T21:33:27.029Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:modified "2023-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--4806e7c3-c8df-477f-ac3b-819248878a79 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--65ffc206-d7c1-45b3-b543-f6b726e7840d; | |
stix:target_ref :attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67; | |
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Bisonal](https://attack.mitre.org/software/S0268)'s dropper creates VBS scripts on the victim’s machine.(Citation: Unit 42 Bisonal July 2018)(Citation: Talos Bisonal Mar 2020) "; | |
dcterms:modified "2022-01-27T18:04:46.654Z"^^xsd:dateTime . | |
:relationship--0cf04ae0-bc60-46e8-8cc7-9311e291dc20 | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077; | |
stix:target_ref :attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c; | |
dcterms:created "2022-03-30T14:26:51.842Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Monitor for newly executed processes that attempt to hide artifacts of an intrusion, such as common archive file applications and extensions (ex: Zip and RAR archive tools), and correlate with other suspicious behavior to reduce false positives from normal user and administrator behavior.\n\nCertUtil.exe may be used to encode and decode a file, including PE and script code. Encoding will convert a file to base64 with -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- tags. Malicious usage will include decoding an encoded file that was downloaded. Once decoded, it will be loaded by a parallel process. Note that there are two additional command switches that may be used - encodehex and decodehex. Similarly, the file will be encoded in HEX and later decoded for further execution. During triage, identify the source of the file being decoded. Review its contents or execution behavior for further analysis.\n\nAnalytic Event IDs are for Sysmon (Event ID 1 - process create) and Windows Security Log (Event ID 4688 - a new process has been created). The analytic is oriented around the creation of CertUtil.exe processes, which may be used to encode and decode files, including PE and script code. Malicious usage will include decoding a encoded file that was downloaded. Once decoded, it will be loaded by a parallel process.\n\n<h4> Analytic 1 - CertUtil with Decode Argument </h4>\n<code> processes = filter processes where (\n (event_id == \"1\" OR event_id == \"4688\") AND\n exe =”C:\\Windows\\System32\\certutil.exe” AND\n command_line = *decode* )</code>"; | |
dcterms:modified "2023-08-14T19:27:35.862Z"^^xsd:dateTime . | |
:relationship--a3fc552f-e16d-4db7-8bca-d1c273b401f9 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--50c44c34-3abb-48ae-9433-a2337de5b0bc; | |
stix:target_ref :attack-pattern--34e793de-0274-4982-9c1a-246ed1c19dee; | |
dcterms:created "2023-03-02T18:55:25.411Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[BlackCat](https://attack.mitre.org/software/S1068) can use Windows commands such as `fsutil behavior set SymLinkEvaluation R2L:1` to redirect file system access to a different location after gaining access into compromised networks.(Citation: Microsoft BlackCat Jun 2022)"; | |
dcterms:modified "2023-03-02T18:56:42.276Z"^^xsd:dateTime . | |
:relationship--cb727277-5491-422f-ab40-1bd1be973d1e | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--6713ab67-e25b-49cc-808d-2b36d4fbc35c; | |
stix:target_ref :attack-pattern--212306d8-efa4-44c9-8c2d-ed3d2e224aa0; | |
dcterms:created "2022-03-21T16:07:22.479Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Ke3chang](https://attack.mitre.org/groups/G0004) has developed custom malware that allowed them to maintain persistence on victim networks.(Citation: Microsoft NICKEL December 2021)"; | |
dcterms:modified "2022-03-21T16:07:22.479Z"^^xsd:dateTime . | |
:attack-pattern--b5327dd1-6bf9-4785-a199-25bcbd1f4a9d | |
rdf:type d3f:OffensiveTechnique; | |
rdfs:label "Run Virtual Instance"; | |
dcterms:created "2020-06-29T15:36:41.535Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Adversaries may carry out malicious operations using a virtual instance to avoid detection. A wide variety of virtualization technologies exist that allow for the emulation of a computer or computing environment. By running malicious code inside of a virtual instance, adversaries can hide artifacts associated with their behavior from security tools that are unable to monitor activity inside the virtual instance. Additionally, depending on the virtual networking implementation (ex: bridged adapter), network traffic generated by the virtual instance can be difficult to trace back to the compromised host as the IP address and hostname might not match known values.(Citation: SingHealth Breach Jan 2019)\n\nAdversaries may utilize native support for virtualization (ex: Hyper-V) or drop the necessary files to run a virtual instance (ex: VirtualBox binaries). After running a virtual instance, adversaries may create a shared folder between the guest and host with permissions that enable the virtual instance to interact with the host file system.(Citation: Sophos Ragnar May 2020)"; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--3029d06e-7a13-4d17-bad5-ce3198bce2ef | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--50d6688b-0985-4f3d-8cbe-0c796b30703b; | |
stix:target_ref :attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580; | |
dcterms:created "2019-09-27T13:27:07.065Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Fysbis](https://attack.mitre.org/software/S0410) can collect information about running processes.(Citation: Fysbis Dr Web Analysis) "; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--9a66e38c-ea79-4b7b-bf74-555da87d58c3 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--44e43fad-ffcb-4210-abcf-eaaed9735f80; | |
stix:target_ref :attack-pattern--1996eef1-ced3-4d7f-bf94-33298cabbf72; | |
dcterms:created "2020-05-22T18:00:52.264Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[APT39](https://attack.mitre.org/groups/G0087) has used remote access tools that leverage DNS in communications with C2.(Citation: BitDefender Chafer May 2020)"; | |
dcterms:modified "2023-10-18T16:19:53.784Z"^^xsd:dateTime . | |
:relationship--ff876fa3-e156-4696-91a8-ad8996ace076 | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--b5b0e8ae-7436-4951-950a-7b83c4dd3f2c; | |
stix:target_ref :attack-pattern--cf1c2504-433f-4c4e-a1f8-91de45a0318c; | |
dcterms:created "2022-03-30T14:26:51.840Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "The creation of a new instance or VM is a common part of operations within many cloud environments. Events should then not be viewed in isolation, but as part of a chain of behavior that could lead to other activities. For example, the creation of an instance by a new user account or the unexpected creation of one or more snapshots followed by the creation of an instance may indicate suspicious activity.\nIn AWS, CloudTrail logs capture the creation of an instance in the RunInstances event, and in Azure the creation of a VM may be captured in Azure activity logs.(Citation: AWS CloudTrail Search) (Citation: Azure Activity Logs) Google's Admin Activity audit logs within their Cloud Audit logs can be used to detect the usage of gcloud compute instances create to create a VM.(Citation: Cloud Audit Logs)"; | |
dcterms:modified "2022-03-30T14:26:51.840Z"^^xsd:dateTime . | |
:attack-pattern--0ad7bc5c-235a-4048-944b-3b286676cb74 | |
rdf:type d3f:OffensiveTechnique; | |
rdfs:label "Data from Configuration Repository"; | |
dcterms:created "2020-10-19T23:46:13.931Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Adversaries may collect data related to managed devices from configuration repositories. Configuration repositories are used by management systems in order to configure, manage, and control data on remote systems. Configuration repositories may also facilitate remote access and administration of devices.\n\nAdversaries may target these repositories in order to collect large quantities of sensitive system administration data. Data from configuration repositories may be exposed by various protocols and software and can store a wide variety of data, much of which may align with adversary Discovery objectives.(Citation: US-CERT-TA18-106A)(Citation: US-CERT TA17-156A SNMP Abuse 2017)"; | |
dcterms:modified "2022-05-11T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--26372fd8-6298-4da6-b412-5fb155f55786 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--77e0ecf7-ca91-4c06-8012-8e728986a87a; | |
stix:target_ref :attack-pattern--2cd950a6-16c4-404a-aa01-044322395107; | |
dcterms:created "2021-06-30T17:12:55.034Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Chaes](https://attack.mitre.org/software/S0631) has used Installutill to download content.(Citation: Cybereason Chaes Nov 2020)"; | |
dcterms:modified "2021-06-30T17:12:55.034Z"^^xsd:dateTime . | |
:relationship--720ca7ba-f9c7-48fd-92c3-e65e187fcce4 | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa; | |
stix:target_ref :attack-pattern--c9e0c59e-162e-40a4-b8b1-78fab4329ada; | |
dcterms:created "2023-08-19T01:58:31.645Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Review and monitor email and other user communication logs for signs of impersonation, such as suspicious emails (e.g., from known malicious or compromised accounts) or content associated with an adversary's actions on objective (e.g., abnormal monetary transactions)."; | |
dcterms:modified "2023-09-30T19:48:59.637Z"^^xsd:dateTime . | |
:relationship--109c7cc7-fec6-4d86-ae27-087cddb2670c | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265df3258; | |
stix:target_ref :malware--5a3a31fe-5a8f-48e1-bff0-a753e5b1be70; | |
dcterms:created "2019-07-19T16:38:05.473Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "(Citation: Cybereason Soft Cell June 2019)(Citation: Microsoft GALLIUM December 2019)"; | |
dcterms:modified "2021-01-14T19:50:15.459Z"^^xsd:dateTime . | |
:relationship--5db4c540-d95b-4a38-9d05-c21d7c85c9b1 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--a19c1197-9414-46e3-986f-0f609ff4a46b; | |
stix:target_ref :attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736; | |
dcterms:created "2021-03-01T21:55:30.000Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Pysa](https://attack.mitre.org/software/S0583) has used Powershell scripts to deploy its ransomware.(Citation: CERT-FR PYSA April 2020) "; | |
dcterms:modified "2021-03-01T21:55:30.000Z"^^xsd:dateTime . | |
:relationship--962f1bc9-89f8-4fbe-b981-b63cce196cbf | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--7113eaa5-ba79-4fb3-b68a-398ee9cd698e; | |
stix:target_ref :tool--13cd9151-83b7-410d-9f98-25d0f0d1d80d; | |
dcterms:created "2021-08-31T13:34:25.490Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "(Citation: CISA AA21-200A APT40 July 2021)"; | |
dcterms:modified "2022-05-11T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--02a8db04-60e6-437c-8f1a-12aff6a13c63 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--df9b350b-d4f9-4e79-a826-75cc75fbc1eb; | |
stix:target_ref :attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597; | |
dcterms:created "2022-04-06T20:05:01.789Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[KOCTOPUS](https://attack.mitre.org/software/S0669) has been distributed via spearphishing emails with malicious attachments.(Citation: MalwareBytes LazyScripter Feb 2021)"; | |
dcterms:modified "2022-04-06T20:05:01.789Z"^^xsd:dateTime . | |
:relationship--a6e77d6e-a76d-446c-a8ac-03b48892b7cb | |
rdf:type stix:Relationship; | |
stix:source_ref :attack-pattern--fb640c43-aa6b-431e-a961-a279010424ac; | |
stix:target_ref :attack-pattern--1988cc35-ced8-4dad-b2d1-7628488fa967; | |
dcterms:created "2020-02-20T22:06:41.878Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--35ae6625-8563-493c-8950-1230bd0fd122 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--5f9f7648-04ba-4a9f-bb4c-2a13e74572bd; | |
stix:target_ref :attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add; | |
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Pteranodon](https://attack.mitre.org/software/S0147) can download and execute additional files.(Citation: Palo Alto Gamaredon Feb 2017)(Citation: Symantec Shuckworm January 2022)(Citation: Unit 42 Gamaredon February 2022)"; | |
dcterms:modified "2022-02-21T16:24:52.527Z"^^xsd:dateTime . | |
:relationship--3f8a74a9-55fe-4f9c-bddb-00b715ca3668 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--17b40f60-729f-4fe8-8aea-cc9ee44a95d5; | |
stix:target_ref :attack-pattern--2fee9321-3e71-4cf4-af24-d4d40d355b34; | |
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[RedLeaves](https://attack.mitre.org/software/S0153) is launched through use of DLL search order hijacking to load a malicious dll.(Citation: FireEye APT10 April 2017)"; | |
dcterms:modified "2020-03-17T02:23:04.232Z"^^xsd:dateTime . | |
:relationship--ec9f39cb-19a2-4134-a16a-ea263e958762 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71; | |
stix:target_ref :attack-pattern--1ecfdab8-7d59-4c98-95d4-dc41970f57fc; | |
dcterms:created "2020-03-19T22:46:23.486Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Dragonfly 2.0](https://attack.mitre.org/groups/G0074) dropped and executed SecretsDump to dump password hashes.(Citation: US-CERT TA18-074A)(Citation: US-CERT APT Energy Oct 2017)(Citation: Core Security Impacket)"; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--70613a9f-e8c2-44ba-a238-34acb0b7e5b8 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--ff41b9b6-4c1d-407b-a7e2-835109c8dbc5; | |
stix:target_ref :attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279; | |
dcterms:created "2022-08-16T19:38:38.722Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Small Sieve](https://attack.mitre.org/software/S1035) has the ability to add itself to `HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OutlookMicrosift` for persistence.(Citation: NCSC GCHQ Small Sieve Jan 2022)"; | |
dcterms:modified "2022-09-30T17:13:10.324Z"^^xsd:dateTime . | |
:relationship--f0eb72f2-a8a1-42b6-a29b-4764a115c4af | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--bb82e0b0-6e9c-439f-970a-4c917a74c5f2; | |
stix:target_ref :malware--5d342981-5194-41e7-b33f-8e91998d7d88; | |
dcterms:created "2021-05-26T13:06:18.119Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "(Citation: BlackBerry CostaRicto November 2020)"; | |
dcterms:modified "2022-10-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--a360fa6b-8b36-4401-b717-436badd67476 | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077; | |
stix:target_ref :attack-pattern--246fd3c7-f5e3-466d-8787-4c13d9e3b61c; | |
dcterms:created "2022-03-30T14:26:51.872Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Monitor processes that are executed from removable media for malicious or abnormal activity such as network connections due to Command and Control and possible network Discovery techniques."; | |
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--d9af5e2e-3ac5-451a-bc63-c3e26ca6371e | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--50c44c34-3abb-48ae-9433-a2337de5b0bc; | |
stix:target_ref :attack-pattern--fb640c43-aa6b-431e-a961-a279010424ac; | |
dcterms:created "2023-03-02T18:46:24.302Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[BlackCat](https://attack.mitre.org/software/S1068) has the ability to wipe VM snapshots on compromised networks.(Citation: Microsoft BlackCat Jun 2022)(Citation: Sophos BlackCat Jul 2022)"; | |
dcterms:modified "2023-03-02T18:46:24.302Z"^^xsd:dateTime . | |
:relationship--612eacfc-8f08-4e9e-a8f8-5461577064a3 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--069af411-9b24-4e85-b26c-623d035bbe84; | |
stix:target_ref :attack-pattern--7fd87010-3a00-4da3-b905-410525e8ec44; | |
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Proxysvc](https://attack.mitre.org/software/S0238) uses a batch file to delete itself."; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--1307fdab-a09c-4d48-a917-a76ba0113098 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--cc613a49-9bfa-4e22-98d1-15ffbb03f034; | |
stix:target_ref :attack-pattern--6b57dc31-b814-4a03-8706-28bc20d739c4; | |
dcterms:created "2022-09-02T19:38:55.971Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Earth Lusca](https://attack.mitre.org/groups/G1006) has dropped an SSH-authorized key in the `/root/.ssh` folder in order to access a compromised server with SSH.(Citation: TrendMicro EarthLusca 2022)"; | |
dcterms:modified "2022-09-02T19:38:55.971Z"^^xsd:dateTime . | |
:relationship--d329d311-422b-4144-9212-aa7da4dc273a | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d; | |
stix:target_ref :attack-pattern--6aabc5ec-eae6-422c-8311-38d45ee9838a; | |
dcterms:created "2018-01-16T16:13:52.465Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[OilRig](https://attack.mitre.org/groups/G0049) has used [RGDoor](https://attack.mitre.org/software/S0258) via Web shell to establish redundant access. The group has also used harvested credentials to gain access to Internet-accessible resources such as Outlook Web Access, which could be used for redundant access."; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--29d285b9-7787-4e42-927b-c45277cbeca8 | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--da85d358-741a-410d-9433-20d6269a6170; | |
stix:target_ref :attack-pattern--3975dbb5-0e1e-4f5b-bae1-cf2ab84b46dc; | |
dcterms:created "2022-06-15T18:12:18.351Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Monitor for changes to Registry keys (ex: <code>HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default</code>) and associated values that may be malicious attempts to conceal adversary network connection history."; | |
dcterms:modified "2022-06-15T18:12:18.351Z"^^xsd:dateTime . | |
:relationship--01b95067-ba65-48c2-8d2c-342e13007cc8 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--91c57ed3-7c32-4c68-b388-7db00cb8dac6; | |
stix:target_ref :attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32; | |
dcterms:created "2023-09-27T19:52:33.697Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[NightClub](https://attack.mitre.org/software/S1090) has created a Windows service named `WmdmPmSp` to establish persistence.(Citation: MoustachedBouncer ESET August 2023)"; | |
dcterms:modified "2023-10-04T18:30:16.700Z"^^xsd:dateTime . | |
:relationship--f661bda3-d524-44b3-aeb0-d8dd8879a569 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--0bbdf25b-30ff-4894-a1cd-49260d0dd2d9; | |
stix:target_ref :attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add; | |
dcterms:created "2018-01-16T16:13:52.465Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[APT3](https://attack.mitre.org/groups/G0022) has a tool that can copy files to remote machines.(Citation: FireEye Clandestine Fox)"; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--71a8ae5e-3a78-49b5-9857-e202d636cedf | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--247cb30b-955f-42eb-97a5-a89fef69341e; | |
stix:target_ref :attack-pattern--47f2d673-ca62-47e9-929b-1b0be9657611; | |
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[APT32](https://attack.mitre.org/groups/G0050) has used scheduled task raw XML with a backdated timestamp of June 2, 2016. The group has also set the creation time of the files dropped by the second stage of the exploit to match the creation time of kernel32.dll. Additionally, [APT32](https://attack.mitre.org/groups/G0050) has used a random value to modify the timestamp of the file storing the clientID.(Citation: FireEye APT32 May 2017)(Citation: ESET OceanLotus Mar 2019)(Citation: ESET OceanLotus macOS April 2019)"; | |
dcterms:modified "2020-06-19T20:04:12.444Z"^^xsd:dateTime . | |
:relationship--b6ac2ef7-350d-48ca-9ab9-8a06f9ff84e3 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--77e0ecf7-ca91-4c06-8012-8e728986a87a; | |
stix:target_ref :attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161; | |
dcterms:created "2021-08-19T21:57:15.756Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Chaes](https://attack.mitre.org/software/S0631) has used HTTP for C2 communications.(Citation: Cybereason Chaes Nov 2020)"; | |
dcterms:modified "2021-08-19T21:57:15.756Z"^^xsd:dateTime . | |
:relationship--4fec4445-7b29-430f-92f0-866f23178777 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--86b92f6c-9c05-4c51-b361-4c7bb13e21a1; | |
stix:target_ref :attack-pattern--0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22; | |
dcterms:created "2019-01-31T00:36:41.180Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[KONNI](https://attack.mitre.org/software/S0356) can steal profiles (containing credential information) from Firefox, Chrome, and Opera."; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--79c168ca-a22b-4c1b-83d5-04560e044be2 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--dc5e2999-ca1a-47d4-8d12-a6984b138a1b; | |
stix:target_ref :attack-pattern--72b74d71-8169-42aa-92e0-e7b04b9f5a08; | |
dcterms:created "2021-01-05T15:53:47.915Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[UNC2452](https://attack.mitre.org/groups/G0118) obtained a list of users and their roles from an Exchange server using <code>Get-ManagementRoleAssignment</code>.(Citation: Volexity SolarWinds)"; | |
dcterms:modified "2023-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--6b9e7925-876a-49b1-8b42-e789401f2fad | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8; | |
stix:target_ref :attack-pattern--e0033c16-a07e-48aa-8204-7c3ca669998c; | |
dcterms:created "2020-02-25T19:17:33.770Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Audit the Remote Desktop Users group membership regularly. Remove unnecessary accounts and groups from Remote Desktop Users groups."; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:malware--da5880b4-f7da-4869-85f2-e0aba84b8565 | |
rdf:type stix:Malware; | |
rdfs:label "ComRAT"; | |
dcterms:created "2017-05-31T21:33:13.252Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[ComRAT](https://attack.mitre.org/software/S0126) is a second stage implant suspected of being a descendant of [Agent.btz](https://attack.mitre.org/software/S0092) and used by [Turla](https://attack.mitre.org/groups/G0010). The first version of [ComRAT](https://attack.mitre.org/software/S0126) was identified in 2007, but the tool has undergone substantial development for many years since.(Citation: Symantec Waterbug)(Citation: NorthSec 2015 GData Uroburos Tools)(Citation: ESET ComRAT May 2020)"; | |
dcterms:modified "2023-03-22T03:30:00.985Z"^^xsd:dateTime . | |
:relationship--4ecf2ecd-ae5a-417b-a6a7-9690fb83a282 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--44e43fad-ffcb-4210-abcf-eaaed9735f80; | |
stix:target_ref :tool--242f3da3-4425-4d11-8f5c-b842886da966; | |
dcterms:created "2019-02-21T21:12:55.714Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "(Citation: FireEye APT39 Jan 2019)(Citation: Dark Reading APT39 JAN 2019)"; | |
dcterms:modified "2020-05-22T18:17:56.892Z"^^xsd:dateTime . | |
:relationship--6d39de5f-6fbd-43e3-8da8-03a4cbe46656 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--8f423bd7-6ca7-4303-9e85-008c7ad5fdaa; | |
stix:target_ref :attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4; | |
dcterms:created "2020-05-06T21:01:23.480Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Attor](https://attack.mitre.org/software/S0438)'s dispatcher can modify the Run registry key.(Citation: ESET Attor Oct 2019)"; | |
dcterms:modified "2020-05-06T21:01:23.480Z"^^xsd:dateTime . | |
:relationship--10017b2e-7234-4368-81d7-a4c8b98c26a0 | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--b5dbb4c5-b0b1-40b1-80b6-e9e84ab90067; | |
stix:target_ref :attack-pattern--c3c8c916-2f3c-4e71-94b2-240bdfc996f0; | |
dcterms:created "2020-01-30T17:48:49.736Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Configure browsers or tasks to regularly delete persistent cookies."; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--58cb7d29-8633-4f52-a1bc-029b544e5610 | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e; | |
stix:target_ref :attack-pattern--ac9e6b22-11bf-45d7-9181-c1cb08360931; | |
dcterms:created "2022-03-30T14:26:51.841Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Monitor for API calls associated with altering data. Remote access tools with built-in features may interact directly with the Windows API to gather information."; | |
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--8d4a82db-fce4-4dcc-a0d3-8aa14cbf2ee3 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--8bd47506-29ae-44ea-a5c1-c57e8a1ab6b0; | |
stix:target_ref :attack-pattern--be055942-6e63-49d7-9fa1-9cb7d8a8f3f4; | |
dcterms:created "2021-10-01T20:57:16.408Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[BLUELIGHT](https://attack.mitre.org/software/S0657) can use different cloud providers for its C2.(Citation: Volexity InkySquid BLUELIGHT August 2021)"; | |
dcterms:modified "2021-10-15T16:54:01.579Z"^^xsd:dateTime . | |
:relationship--d078f862-c090-4e79-808b-ff69887a920c | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--09b2cd76-c674-47cc-9f57-d2f2ad150a46; | |
stix:target_ref :attack-pattern--c32f7008-9fea-41f7-8366-5eb9b74bd896; | |
dcterms:created "2018-01-16T16:13:52.465Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[POWRUNER](https://attack.mitre.org/software/S0184) may query the Registry by running <code>reg query</code> on a victim.(Citation: FireEye APT34 Dec 2017)"; | |
dcterms:modified "2020-03-17T02:14:55.999Z"^^xsd:dateTime . | |
:relationship--0e113a7f-2aba-4dc6-b4fc-4c0f0d013c3d | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--f72251cb-2be5-421f-a081-99c29a1209e7; | |
stix:target_ref :attack-pattern--a782ebe2-daba-42c7-bc82-e8e9d923162d; | |
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[MacSpy](https://attack.mitre.org/software/S0282) uses Tor for command and control.(Citation: objsee mac malware 2017)"; | |
dcterms:modified "2020-01-17T19:50:53.350Z"^^xsd:dateTime . | |
:relationship--3f7f515f-25f9-4afb-becf-6247f4d6ecd2 | |
rdf:type stix:Relationship; | |
stix:source_ref :attack-pattern--98be40f2-c86b-4ade-b6fc-4964932040e5; | |
stix:target_ref :attack-pattern--43e7dc91-05b2-474c-b9ac-2ed4fe101f4d; | |
dcterms:created "2020-03-15T14:59:15.485Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--61347ac0-5e9c-48d1-b7a1-7bb1535941b8 | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1; | |
stix:target_ref :attack-pattern--aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6; | |
dcterms:created "2022-03-30T14:26:51.850Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Monitor DLLs loaded into a process and detect DLLs that have the same file name but abnormal paths."; | |
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--f4e83a18-a2bf-45af-aa6b-18f72646d8b6 | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--eb88d97c-32f1-40be-80f0-d61a4b0b4b31; | |
stix:target_ref :attack-pattern--ff25900d-76d5-449b-a351-8824e62fc81b; | |
dcterms:created "2019-06-21T16:52:53.740Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Specific developer utilities may not be necessary within a given environment and should be removed if not used."; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:attack-pattern--d336b553-5da9-46ca-98a8-0b23f49fb447 | |
rdf:type d3f:OffensiveTechnique; | |
rdfs:label "Windows Credential Manager"; | |
dcterms:created "2020-11-23T15:35:53.793Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Adversaries may acquire credentials from the Windows Credential Manager. The Credential Manager stores credentials for signing into websites, applications, and/or devices that request authentication through NTLM or Kerberos in Credential Lockers (previously known as Windows Vaults).(Citation: Microsoft Credential Manager store)(Citation: Microsoft Credential Locker)\n\nThe Windows Credential Manager separates website credentials from application or network credentials in two lockers. As part of [Credentials from Web Browsers](https://attack.mitre.org/techniques/T1555/003), Internet Explorer and Microsoft Edge website credentials are managed by the Credential Manager and are stored in the Web Credentials locker. Application and network credentials are stored in the Windows Credentials locker.\n\nCredential Lockers store credentials in encrypted `.vcrd` files, located under `%Systemdrive%\\Users\\\\[Username]\\AppData\\Local\\Microsoft\\\\[Vault/Credentials]\\`. The encryption key can be found in a file named <code>Policy.vpol</code>, typically located in the same folder as the credentials.(Citation: passcape Windows Vault)(Citation: Malwarebytes The Windows Vault)\n\nAdversaries may list credentials managed by the Windows Credential Manager through several mechanisms. <code>vaultcmd.exe</code> is a native Windows executable that can be used to enumerate credentials stored in the Credential Locker through a command-line interface. Adversaries may also gather credentials by directly reading files located inside of the Credential Lockers. Windows APIs, such as <code>CredEnumerateA</code>, may also be absued to list credentials managed by the Credential Manager.(Citation: Microsoft CredEnumerate)(Citation: Delpy Mimikatz Crendential Manager)\n\nAdversaries may also obtain credentials from credential backups. Credential backups and restorations may be performed by running <code>rundll32.exe keymgr.dll KRShowKeyMgr</code> then selecting the “Back up...” button on the “Stored User Names and Passwords” GUI.\n\nPassword recovery tools may also obtain plain text passwords from the Credential Manager.(Citation: Malwarebytes The Windows Vault)"; | |
dcterms:modified "2022-11-08T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--eed67968-2d71-4394-84a9-1240d9ba6a83 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--50d6688b-0985-4f3d-8cbe-0c796b30703b; | |
stix:target_ref :attack-pattern--e0232cb0-ded5-4c2e-9dc7-2893142a5c11; | |
dcterms:created "2020-11-06T14:23:21.893Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "If executing without root privileges, [Fysbis](https://attack.mitre.org/software/S0410) adds a `.desktop` configuration file to the user's `~/.config/autostart` directory.(Citation: Red Canary Netwire Linux 2022)(Citation: Fysbis Dr Web Analysis)"; | |
dcterms:modified "2023-09-28T21:16:14.858Z"^^xsd:dateTime . | |
:relationship--30da3c92-05b8-40fd-b8b6-29cb20a597a1 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--f9d6633a-55e6-4adc-9263-6ae080421a13; | |
stix:target_ref :attack-pattern--b80d107d-fa0d-4b60-9684-b0433e8bdba0; | |
dcterms:created "2023-01-10T18:36:35.140Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Magic Hound](https://attack.mitre.org/groups/G0059) has used BitLocker and DiskCryptor to encrypt targeted workstations. (Citation: DFIR Phosphorus November 2021)(Citation: Microsoft Iranian Threat Actor Trends November 2021)"; | |
dcterms:modified "2023-01-13T18:38:25.309Z"^^xsd:dateTime . | |
:course-of-action--9a902722-cecd-4fbe-a6c9-49333aa0f8c2 | |
rdf:type stix:CourseOfAction; | |
rdfs:label "Remote System Discovery Mitigation"; | |
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information on remotely available systems, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)"; | |
dcterms:modified "2020-01-17T16:45:23.921Z"^^xsd:dateTime . | |
:relationship--abd5d73c-9eec-494c-afae-d9d2f2456b7b | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--dc5e2999-ca1a-47d4-8d12-a6984b138a1b; | |
stix:target_ref :attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5; | |
dcterms:created "2021-01-05T20:57:01.724Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[UNC2452](https://attack.mitre.org/groups/G0118) extracted files from compromised networks.(Citation: Volexity SolarWinds) "; | |
dcterms:modified "2023-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--a5ffea60-7694-48cd-92e9-b755669b2fdb | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--2e290bfe-93b5-48ce-97d6-edcd6d32b7cf; | |
stix:target_ref :attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104; | |
dcterms:created "2017-05-31T21:33:27.080Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "A [Gamaredon Group](https://attack.mitre.org/groups/G0047) file stealer can gather the victim's username to send to a C2 server.(Citation: Palo Alto Gamaredon Feb 2017)"; | |
dcterms:modified "2020-06-22T17:54:15.767Z"^^xsd:dateTime . | |
:relationship--f76d5396-bce5-4bb8-85aa-75d9f1bec9b2 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--6566aac9-dad8-4332-ae73-20c23bad7f02; | |
stix:target_ref :tool--64764dc6-a032-495f-8250-1e4c06bdc163; | |
dcterms:created "2021-09-28T17:41:13.107Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "(Citation: Kaspersky Ferocious Kitten Jun 2021)"; | |
dcterms:modified "2021-09-28T17:41:13.107Z"^^xsd:dateTime . | |
:relationship--e6f69552-fe0e-4b40-ad20-4410048277e6 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--dc5d1a33-62aa-4a0c-aa8c-589b87beb11e; | |
stix:target_ref :attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580; | |
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[ChChes](https://attack.mitre.org/software/S0144) collects its process identifier (PID) on the victim.(Citation: Palo Alto menuPass Feb 2017)"; | |
dcterms:modified "2020-03-17T00:33:19.756Z"^^xsd:dateTime . | |
:relationship--8278fc85-24af-4f8a-9b82-3f233f18f5a6 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--fbb470da-1d44-4f29-bbb3-9efbe20f94a3; | |
stix:target_ref :attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e; | |
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Mivast](https://attack.mitre.org/software/S0080) communicates over port 80 for C2.(Citation: Symantec Backdoor.Mivast)"; | |
dcterms:modified "2022-10-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--ac5693ea-3d10-47bd-b91b-a65177dd5462 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--40a1b8ec-7295-416c-a6b1-68181d86f120; | |
stix:target_ref :attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c; | |
dcterms:created "2021-04-07T18:07:47.888Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Hildegard](https://attack.mitre.org/software/S0601) has decrypted ELF files with AES.(Citation: Unit 42 Hildegard Malware)"; | |
dcterms:modified "2021-04-07T18:07:47.888Z"^^xsd:dateTime . | |
:relationship--c620753b-17ad-43bd-ace3-f572ebcac644 | |
rdf:type stix:Relationship; | |
stix:source_ref :tool--2c5281dd-b5fd-4531-8aea-c1bf8a0f8756; | |
stix:target_ref :attack-pattern--890c9858-598c-401d-a4d5-c67ebcdd703a; | |
dcterms:created "2022-04-18T13:42:37.506Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[AADInternals](https://attack.mitre.org/software/S0677) can steal users’ access tokens via phishing emails containing malicious links.(Citation: AADInternals Documentation)"; | |
dcterms:modified "2022-04-18T20:51:51.590Z"^^xsd:dateTime . | |
:relationship--ce0ff9c3-1e41-4103-8e2d-985d6993d08a | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c; | |
stix:target_ref :attack-pattern--2fee9321-3e71-4cf4-af24-d4d40d355b34; | |
dcterms:created "2022-03-30T14:26:51.841Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Monitor newly constructed .manifest and .local redirection files that do not correlate with software updates."; | |
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--a6f2748c-49ec-4027-8b29-4fee3128cc2e | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c; | |
stix:target_ref :attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e; | |
dcterms:created "2022-03-30T14:26:51.855Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Monitor for newly constructed files that are downloaded and executed on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the file is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning powershell.exe).\n\nWhile batch files are not inherently malicious, it is uncommon to see them created after OS installation, especially in the Windows directory. This analytic looks for the suspicious activity of a batch file being created within the C:\\Windows\\System32 directory tree. There will be only occasional false positives due to administrator actions.\n\nFor Windows, Sysmon Event ID 11 (File create) can be used to track file creation events. This event also provides the Process ID of the process that created the file, which can be correlated with process creation events (e.g., Sysmon Event ID 1) to determine if the file was downloaded from an external network.\n\nFor MacOS, utilities that work in concert with Apple’s Endpoint Security Framework such as File Monitor can be used to track file creation events.\n\n<h4> Analytic 1 : Batch File Write to System32 </h4>\n<code> batch_files = filter files where (\n extension =\".bat\" AND file_path = \"C:\\Windows\\system32*\" ) </code>"; | |
dcterms:modified "2023-08-14T19:32:33.085Z"^^xsd:dateTime . | |
:relationship--e8e6f472-e048-401c-8a2e-5e2effc09040 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--2688b13e-8e71-405a-9c40-0dee94bddf87; | |
stix:target_ref :attack-pattern--3f886f2a-874f-4333-b794-aa6075009b1c; | |
dcterms:created "2021-03-03T19:53:18.996Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[HAFNIUM](https://attack.mitre.org/groups/G0125) has exploited CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 to compromise on-premises versions of Microsoft Exchange Server, enabling access to email accounts and installation of additional malware.(Citation: Microsoft HAFNIUM March 2020)(Citation: Volexity Exchange Marauder March 2021)(Citation: FireEye Exchange Zero Days March 2021)(Citation: Tarrask scheduled task) "; | |
dcterms:modified "2022-10-18T14:48:52.038Z"^^xsd:dateTime . | |
:relationship--7fd0dc68-66b1-482a-b3bd-3037bb0045cb | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--8beac7c2-48d2-4cd9-9b15-6c452f38ac06; | |
stix:target_ref :attack-pattern--ec8fc7e2-b356-455c-8db5-2e37be158e7d; | |
dcterms:created "2019-06-07T17:41:58.950Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Ixeshe](https://attack.mitre.org/software/S0015) sets its own executable file's attributes to hidden.(Citation: Trend Micro IXESHE 2012)"; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--79b0a6bc-4061-468c-ac1b-eef3dc3fb419 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7; | |
stix:target_ref :attack-pattern--10d51417-ee35-4589-b1ff-b6df1c334e8d; | |
dcterms:created "2020-11-10T16:24:46.955Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Wizard Spider](https://attack.mitre.org/groups/G0102) has accessed victim networks by using stolen credentials to access the corporate VPN infrastructure.(Citation: FireEye KEGTAP SINGLEMALT October 2020)"; | |
dcterms:modified "2020-11-10T16:24:46.955Z"^^xsd:dateTime . | |
:relationship--0ce9c0f3-6da9-402c-adc4-a001877e40e6 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--f29b7c5e-2439-42ad-a86f-9f8984fafae3; | |
stix:target_ref :tool--b77b563c-34bb-4fb8-86a3-3694338f7b47; | |
dcterms:created "2022-06-07T17:22:56.787Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "(Citation: ClearSky Siamesekitten August 2021)"; | |
dcterms:modified "2022-06-07T17:22:56.787Z"^^xsd:dateTime . | |
:relationship--d0162247-12e2-4c0e-8efe-d5c4823e0fcd | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--fa766a65-5136-4ff3-8429-36d08eaa0100; | |
stix:target_ref :attack-pattern--322bad5a-1c49-4d23-ab79-76d641794afa; | |
dcterms:created "2021-02-08T23:18:31.892Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[BitPaymer](https://attack.mitre.org/software/S0570) can enumerate existing Windows services on the host that are configured to run as LocalSystem.(Citation: Crowdstrike Indrik November 2018)"; | |
dcterms:modified "2021-02-08T23:18:31.892Z"^^xsd:dateTime . | |
:relationship--47214641-972c-4924-828a-3db470553dcb | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--68ba94ab-78b8-43e7-83e2-aed3466882c6; | |
stix:target_ref :malware--0998045d-f96e-4284-95ce-3c8219707486; | |
dcterms:created "2018-01-16T16:13:52.465Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:modified "2018-10-23T00:14:20.652Z"^^xsd:dateTime . | |
:relationship--bd62c9fa-b1d4-4fb9-a892-99703e1f794d | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--54e8672d-5338-4ad1-954a-a7c986bee530; | |
stix:target_ref :attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104; | |
dcterms:created "2019-01-30T17:48:35.671Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[zwShell](https://attack.mitre.org/software/S0350) can obtain the name of the logged-in user on the victim.(Citation: McAfee Night Dragon)"; | |
dcterms:modified "2021-06-16T15:50:05.283Z"^^xsd:dateTime . | |
:malware--fb261c56-b80e-43a9-8351-c84081e7213d | |
rdf:type stix:Malware; | |
rdfs:label "BACKSPACE"; | |
dcterms:created "2017-05-31T21:32:24.428Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[BACKSPACE](https://attack.mitre.org/software/S0031) is a backdoor used by [APT30](https://attack.mitre.org/groups/G0013) that dates back to at least 2005. (Citation: FireEye APT30)"; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--55307354-c0c5-4fc4-9a31-e0444ce240fe | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0; | |
stix:target_ref :attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67; | |
dcterms:created "2022-03-30T14:26:51.875Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Monitor executed commands and arguments that may abuse Visual Basic (VB) for execution."; | |
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--5967cfeb-4525-44e8-9f92-e5b51fe72308 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--cf8df906-179c-4a78-bd6e-6605e30f6624; | |
stix:target_ref :attack-pattern--7385dfaf-6886-4229-9ecd-6fd678040830; | |
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[FELIXROOT](https://attack.mitre.org/software/S0267) opens a remote shell to execute commands on the infected system."; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--59cb4ff6-e1fd-4088-905f-2ade864dabb0 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--a7881f21-e978-4fe4-af56-92c9416a2616; | |
stix:target_ref :attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32; | |
dcterms:created "2020-11-06T18:40:37.995Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Cobalt Strike](https://attack.mitre.org/software/S0154) can install a new service.(Citation: Cobalt Strike TTPs Dec 2017)"; | |
dcterms:modified "2020-11-06T18:40:37.995Z"^^xsd:dateTime . | |
:relationship--8cfc4444-a2bd-4553-8a26-9018cb561705 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--e355fc84-6f3c-4888-8e0a-d7fa9c378532; | |
stix:target_ref :attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e; | |
dcterms:created "2022-09-29T20:01:34.551Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[STARWHALE](https://attack.mitre.org/software/S1037) has relied on victims opening a malicious Excel file for execution.(Citation: DHS CISA AA22-055A MuddyWater February 2022)"; | |
dcterms:modified "2022-10-12T16:18:06.825Z"^^xsd:dateTime . | |
:relationship--7c56287b-94e3-4032-828c-649039a9416d | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--47e0e9fe-96ce-4f65-8bb1-8be1feacb5db; | |
stix:target_ref :attack-pattern--457c7820-d331-465a-915e-42f85500ccc4; | |
dcterms:created "2019-06-24T11:36:16.293Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Certain signed binaries that can be used to execute other programs may not be necessary within a given environment. Use application whitelisting configured to block execution of these binaries if they are not required for a given system or network to prevent potential misuse by adversaries."; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--b94f3018-c2f2-473e-96ee-23889cb018bb | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--9bb9e696-bff8-4ae1-9454-961fc7d91d5f; | |
stix:target_ref :attack-pattern--635cbe30-392d-4e27-978e-66774357c762; | |
dcterms:created "2020-01-28T13:50:22.645Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Limit the number of accounts permitted to create other accounts. Limit the usage of local administrator accounts to be used for day-to-day operations that may expose them to potential adversaries."; | |
dcterms:modified "2023-07-14T13:42:11.742Z"^^xsd:dateTime . | |
:relationship--a53cd21b-273f-43cf-a7e1-375aee6b66e9 | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--49c06d54-9002-491d-9147-8efb537fbd26; | |
stix:target_ref :attack-pattern--ae7f3575-0a5e-427e-991b-fe03ad44c754; | |
dcterms:created "2020-10-19T19:42:19.844Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Some embedded network devices are capable of storing passwords for local accounts in either plain-text or encrypted formats. Ensure that, where available, local passwords are always encrypted, per vendor recommendations. (Citation: Cisco IOS Software Integrity Assurance - Credentials Management)"; | |
dcterms:modified "2020-10-22T16:54:59.229Z"^^xsd:dateTime . | |
:x-mitre-data-component--8fb2f315-1aca-4cef-ae0d-8105e1f95985 | |
rdf:type :MitreDataComponent; | |
rdfs:label "Social Media"; | |
dcterms:created "2021-10-20T15:05:19.273Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Established, compromised, or otherwise acquired social media personas"; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--66f5e718-f910-487f-852a-98a8d752b0ba | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--47afe41c-4c08-485e-b062-c3bd209a1cce; | |
stix:target_ref :attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4; | |
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[InvisiMole](https://attack.mitre.org/software/S0260) has a command to create, set, copy, or delete a specified Registry key or value.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020)"; | |
dcterms:modified "2020-07-17T19:22:28.803Z"^^xsd:dateTime . | |
:relationship--c08684c8-8467-4b7f-a9ac-3330cf423261 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--247cb30b-955f-42eb-97a5-a89fef69341e; | |
stix:target_ref :attack-pattern--7b211ac6-c815-4189-93a9-ab415deca926; | |
dcterms:created "2019-01-31T01:07:58.538Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[APT32](https://attack.mitre.org/groups/G0050) successfully gained remote access by using pass the ticket.(Citation: Cybereason Cobalt Kitty 2017)"; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--70749e7d-7d83-4543-8019-593de42b2a49 | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c; | |
stix:target_ref :attack-pattern--0cfe31a7-81fc-472c-bc45-e2808d1066a3; | |
dcterms:created "2022-03-30T14:26:51.848Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Monitor for newly constructed files that may deface systems external to an organization in an attempt to deliver messaging, intimidate, or otherwise mislead an organization or users."; | |
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--aacb14e6-056f-4df4-8b9c-58a36076b1ad | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c; | |
stix:target_ref :attack-pattern--9c99724c-a483-4d60-ad9d-7f004e42e8e8; | |
dcterms:created "2022-03-30T14:26:51.860Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s))."; | |
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--c5d67c9b-f8de-420a-ad05-3691ca001b64 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--47afe41c-4c08-485e-b062-c3bd209a1cce; | |
stix:target_ref :attack-pattern--a750a9f6-0bde-4bb3-9aae-1e2786e9780c; | |
dcterms:created "2020-08-17T15:22:29.071Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "\n[InvisiMole](https://attack.mitre.org/software/S0260) can disconnect previously connected remote drives.(Citation: ESET InvisiMole June 2018)"; | |
dcterms:modified "2020-08-17T15:22:29.072Z"^^xsd:dateTime . | |
:relationship--72f9bf47-61ac-42c8-acbf-65be7c25af0f | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--247cb30b-955f-42eb-97a5-a89fef69341e; | |
stix:target_ref :attack-pattern--d742a578-d70e-4d0e-96a6-02a9c30204e6; | |
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[APT32](https://attack.mitre.org/groups/G0050) has infected victims by tricking them into visiting compromised watering hole websites.(Citation: ESET OceanLotus)(Citation: Volexity Ocean Lotus November 2020)"; | |
dcterms:modified "2020-11-24T21:19:49.896Z"^^xsd:dateTime . | |
:relationship--dfb4c7e9-e1af-4716-b658-9cfbadd706dc | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--269e8108-68c6-4f99-b911-14b2e765dec2; | |
stix:target_ref :attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d; | |
dcterms:created "2020-05-18T19:04:37.694Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[MuddyWater](https://attack.mitre.org/groups/G0069) has used C2 infrastructure to receive exfiltrated data.(Citation: Reaqta MuddyWater November 2017)"; | |
dcterms:modified "2020-05-20T20:52:34.280Z"^^xsd:dateTime . | |
:relationship--5543599a-779f-4955-8f3e-99cc92b1e2fc | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6; | |
stix:target_ref :tool--b1595ddd-a783-482a-90e1-8afc8d48467e; | |
dcterms:created "2021-02-25T16:48:06.231Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "(Citation: Unit 42 IronNetInjector February 2021 )"; | |
dcterms:modified "2022-05-20T17:02:59.592Z"^^xsd:dateTime . | |
:relationship--4c6aea43-27ba-4e6a-8907-e5db364a145b | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90; | |
stix:target_ref :attack-pattern--120d5519-3098-4e1c-9191-2aa61232f073; | |
dcterms:created "2018-01-16T16:13:52.465Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[BRONZE BUTLER](https://attack.mitre.org/groups/G0060) has used a Windows 10 specific tool and xxmm to bypass UAC for privilege escalation.(Citation: Secureworks BRONZE BUTLER Oct 2017)(Citation: Trend Micro Tick November 2019)"; | |
dcterms:modified "2020-06-24T01:27:31.914Z"^^xsd:dateTime . | |
:relationship--f7ed42df-01c4-4441-95ce-68228e157abf | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--6713ab67-e25b-49cc-808d-2b36d4fbc35c; | |
stix:target_ref :attack-pattern--f232fa7a-025c-4d43-abc7-318e81a73d65; | |
dcterms:created "2022-03-22T16:06:14.344Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Ke3chang](https://attack.mitre.org/groups/G0004) has used compromised credentials to sign into victims’ Microsoft 365 accounts.(Citation: Microsoft NICKEL December 2021)"; | |
dcterms:modified "2022-03-22T16:06:14.344Z"^^xsd:dateTime . | |
:relationship--6f884bda-0c39-4d3b-97e3-29ae9099fa45 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--fb366179-766c-4a4a-afa1-52bff1fd601c; | |
stix:target_ref :attack-pattern--4eb28bed-d11a-4641-9863-c2ac017d910a; | |
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Threat Group-3390](https://attack.mitre.org/groups/G0027) has used appcmd.exe to disable logging on a victim server.(Citation: SecureWorks BRONZE UNION June 2017)"; | |
dcterms:modified "2020-03-28T00:30:55.434Z"^^xsd:dateTime . | |
:relationship--b99e218f-942b-4643-b4de-35649d2a4cbd | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--ade37ada-14af-4b44-b36c-210eec255d53; | |
stix:target_ref :attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c; | |
dcterms:created "2020-06-19T19:08:40.385Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Valak](https://attack.mitre.org/software/S0476) has the ability to decode and decrypt downloaded files.(Citation: Cybereason Valak May 2020)(Citation: Unit 42 Valak July 2020)"; | |
dcterms:modified "2020-08-31T14:56:42.782Z"^^xsd:dateTime . | |
:relationship--922cc16d-2242-477b-89db-1ba3d5176e12 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--feb2d7bb-aacb-48df-ad04-ccf41a30cd90; | |
stix:target_ref :attack-pattern--20fb2507-d71c-455d-9b6d-6104461cf26b; | |
dcterms:created "2020-11-19T18:02:58.494Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[SLOTHFULMEDIA](https://attack.mitre.org/software/S0533) has the capability to stop processes and services.(Citation: CISA MAR SLOTHFULMEDIA October 2020)"; | |
dcterms:modified "2020-11-19T18:02:58.494Z"^^xsd:dateTime . | |
:attack-pattern--c898c4b5-bf36-4e6e-a4ad-5b8c4c13e35b | |
rdf:type d3f:OffensiveTechnique; | |
rdfs:label "VBA Stomping"; | |
dcterms:created "2020-09-17T12:51:40.845Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Adversaries may hide malicious Visual Basic for Applications (VBA) payloads embedded within MS Office documents by replacing the VBA source code with benign data.(Citation: FireEye VBA stomp Feb 2020)\n\nMS Office documents with embedded VBA content store source code inside of module streams. Each module stream has a <code>PerformanceCache</code> that stores a separate compiled version of the VBA source code known as p-code. The p-code is executed when the MS Office version specified in the <code>_VBA_PROJECT</code> stream (which contains the version-dependent description of the VBA project) matches the version of the host MS Office application.(Citation: Evil Clippy May 2019)(Citation: Microsoft _VBA_PROJECT Stream)\n\nAn adversary may hide malicious VBA code by overwriting the VBA source code location with zero’s, benign code, or random bytes while leaving the previously compiled malicious p-code. Tools that scan for malicious VBA source code may be bypassed as the unwanted code is hidden in the compiled p-code. If the VBA source code is removed, some tools might even think that there are no macros present. If there is a version match between the <code>_VBA_PROJECT</code> stream and host MS Office application, the p-code will be executed, otherwise the benign VBA source code will be decompressed and recompiled to p-code, thus removing malicious p-code and potentially bypassing dynamic analysis.(Citation: Walmart Roberts Oct 2018)(Citation: FireEye VBA stomp Feb 2020)(Citation: pcodedmp Bontchev)"; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--83219112-6e5b-43ea-a7a7-78213f28397f | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--90784c1e-4aba-40eb-9adf-7556235e6384; | |
stix:target_ref :attack-pattern--65013dd2-bc61-43e3-afb5-a14c4fa7437a; | |
dcterms:created "2021-02-03T18:40:49.321Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Silent Librarian](https://attack.mitre.org/groups/G0122) has established e-mail accounts to receive e-mails forwarded from compromised accounts.(Citation: DOJ Iran Indictments March 2018)"; | |
dcterms:modified "2021-02-03T18:40:49.321Z"^^xsd:dateTime . | |
:relationship--ff9e8d81-dc74-4494-a4aa-54f8039f9ad7 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--f74a5069-015d-4404-83ad-5ca01056c0dc; | |
stix:target_ref :attack-pattern--53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a; | |
dcterms:created "2022-02-02T21:30:09.805Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Lizar](https://attack.mitre.org/software/S0681) has encrypted data before sending it to the server.(Citation: BiZone Lizar May 2021)"; | |
dcterms:modified "2022-04-05T17:31:10.185Z"^^xsd:dateTime . | |
:relationship--fb11df98-790a-4b1c-9ca0-73224226cff3 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--166c0eca-02fd-424a-92c0-6b5106994d31; | |
stix:target_ref :attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161; | |
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[ZLib](https://attack.mitre.org/software/S0086) communicates over HTTP for C2.(Citation: Cylance Dust Storm)"; | |
dcterms:modified "2022-01-19T18:44:09.714Z"^^xsd:dateTime . | |
:relationship--2af3c673-c0c6-4246-aacc-984eb370e7b9 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--85403903-15e0-4f9f-9be4-a259ecad4022; | |
stix:target_ref :attack-pattern--1c34f7aa-9341-4a48-bfab-af22e51aca6c; | |
dcterms:created "2018-01-16T16:13:52.465Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[FIN5](https://attack.mitre.org/groups/G0053) scripts save memory dump data into a specific directory on hosts in the victim environment.(Citation: Mandiant FIN5 GrrCON Oct 2016)"; | |
dcterms:modified "2020-03-16T23:51:43.031Z"^^xsd:dateTime . | |
:relationship--ecf3d7ec-a8f9-435a-9c09-6d264f319728 | |
rdf:type stix:Relationship; | |
stix:source_ref :attack-pattern--4bf5845d-a814-4490-bc5c-ccdee6043025; | |
stix:target_ref :attack-pattern--7d57b371-10c2-45e5-b3cc-83a8fb380e4c; | |
dcterms:created "2020-01-24T14:48:05.786Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--bf0c323f-545c-4bd1-959a-5b1a28d4d06d | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--8bd47506-29ae-44ea-a5c1-c57e8a1ab6b0; | |
stix:target_ref :attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161; | |
dcterms:created "2021-10-15T21:00:52.184Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[BLUELIGHT](https://attack.mitre.org/software/S0657) can use HTTP/S for C2 using the Microsoft Graph API.(Citation: Volexity InkySquid BLUELIGHT August 2021) "; | |
dcterms:modified "2021-10-15T21:00:52.184Z"^^xsd:dateTime . | |
:relationship--118b2047-826a-4ab0-94b8-69d35a4c8592 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--9e729a7e-0dd6-4097-95bf-db8d64911383; | |
stix:target_ref :attack-pattern--91541e7e-b969-40c6-bbd8-1b5352ec2938; | |
dcterms:created "2021-04-22T15:09:14.852Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Darkhotel](https://attack.mitre.org/groups/G0012) has used malware that repeatedly checks the mouse cursor position to determine if a real user is on the system.(Citation: Lastline DarkHotel Just In Time Decryption Nov 2015)"; | |
dcterms:modified "2021-04-22T15:09:14.852Z"^^xsd:dateTime . | |
:relationship--83aac36d-6dfa-4c27-b1b1-c200c9240eb9 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--8ae43c46-57ef-47d5-a77a-eebb35628db2; | |
stix:target_ref :attack-pattern--30973a08-aed9-4edf-8604-9084ce1b5c4f; | |
dcterms:created "2018-04-18T17:59:24.739Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "A [JHUHUGIT](https://attack.mitre.org/software/S0044) variant accesses a screenshot saved in the clipboard and converts it to a JPG image.(Citation: Unit 42 Playbook Dec 2017)"; | |
dcterms:modified "2020-01-17T22:22:30.678Z"^^xsd:dateTime . | |
:relationship--cdbbaa5b-c1d7-4e94-8a0e-a0be60ec377c | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--a19c1197-9414-46e3-986f-0f609ff4a46b; | |
stix:target_ref :attack-pattern--20fb2507-d71c-455d-9b6d-6104461cf26b; | |
dcterms:created "2021-03-02T16:42:09.500Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Pysa](https://attack.mitre.org/software/S0583) can stop services and processes.(Citation: CERT-FR PYSA April 2020) "; | |
dcterms:modified "2021-03-02T16:42:09.500Z"^^xsd:dateTime . | |
:relationship--dff6f183-3444-474b-8d8a-1eb05e15a986 | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--93e7968a-9074-4eac-8ae9-9f5200ec3317; | |
stix:target_ref :attack-pattern--70d81154-b187-45f9-8ec5-295d01255979; | |
dcterms:created "2020-03-13T11:12:18.712Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service binary target path locations. Deny execution from user directories such as file download directories and temp directories where able."; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--cb37da3b-6ffd-4882-9680-4e467f25d7f4 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--e14085cb-0e8d-4be6-92ba-e3b93ee5978f; | |
stix:target_ref :attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1; | |
dcterms:created "2021-10-07T21:28:23.906Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[XCSSET](https://attack.mitre.org/software/S0658) identifies the macOS version and uses <code>ioreg</code> to determine serial number.(Citation: trendmicro xcsset xcode project 2020)"; | |
dcterms:modified "2021-10-19T00:34:13.055Z"^^xsd:dateTime . | |
:relationship--317b8a78-1c04-4cd7-a249-619bacfc7a44 | |
rdf:type stix:Relationship; | |
stix:source_ref :tool--4b57c098-f043-4da2-83ef-7588a6d426bc; | |
stix:target_ref :attack-pattern--322bad5a-1c49-4d23-ab79-76d641794afa; | |
dcterms:created "2019-04-23T16:12:37.562Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[PoshC2](https://attack.mitre.org/software/S0378) can enumerate service and service permission information.(Citation: GitHub PoshC2)"; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--be99408a-dc65-41a0-83db-235d8495e55c | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--ade37ada-14af-4b44-b36c-210eec255d53; | |
stix:target_ref :attack-pattern--04fd5427-79c7-44ea-ae13-11b24778ff1c; | |
dcterms:created "2020-08-31T14:56:42.514Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Valak](https://attack.mitre.org/software/S0476) has returned C2 data as encoded ASCII.(Citation: Unit 42 Valak July 2020)"; | |
dcterms:modified "2020-08-31T14:56:42.514Z"^^xsd:dateTime . | |
:relationship--945a3286-2197-4984-8838-837afcd7925c | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--1f6e3702-7ca1-4582-b2e7-4591297d05a8; | |
stix:target_ref :attack-pattern--c325b232-d5bc-4dde-a3ec-71f3db9e8adc; | |
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Bankshot](https://attack.mitre.org/software/S0239) generates a false TLS handshake using a public certificate to disguise C2 network communications.(Citation: US-CERT Bankshot Dec 2017)"; | |
dcterms:modified "2020-03-20T22:38:19.097Z"^^xsd:dateTime . | |
:relationship--5dedb236-b37b-4e6b-bd3d-a09ddc1e9c17 | |
rdf:type stix:Relationship; | |
stix:source_ref :attack-pattern--b46a801b-fd98-491c-a25a-bca25d6e3001; | |
stix:target_ref :attack-pattern--d456de47-a16f-4e46-8980-e67478a12dcb; | |
dcterms:created "2021-06-03T18:44:29.898Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--3ea6e72b-3d19-4864-aebd-cc31dad7d519 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--222ba512-32d9-49ac-aefd-50ce981ce2ce; | |
stix:target_ref :attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add; | |
dcterms:created "2020-05-21T21:31:34.256Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Pony](https://attack.mitre.org/software/S0453) can download additional files onto the infected system.(Citation: Malwarebytes Pony April 2016)\t"; | |
dcterms:modified "2020-05-21T21:31:34.256Z"^^xsd:dateTime . | |
:malware--53a42597-1974-4b8e-84fd-3675e8992053 | |
rdf:type stix:Malware; | |
rdfs:label "NavRAT"; | |
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[NavRAT](https://attack.mitre.org/software/S0247) is a remote access tool designed to upload, download, and execute files. It has been observed in attacks targeting South Korea. (Citation: Talos NavRAT May 2018)"; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--238f92b3-2573-4332-b290-4685301eae6d | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--58c5a3a1-928f-4094-9e98-a5a4e56dd5f3; | |
stix:target_ref :attack-pattern--20fb2507-d71c-455d-9b6d-6104461cf26b; | |
dcterms:created "2021-08-23T19:38:33.291Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Avaddon](https://attack.mitre.org/software/S0640) looks for and attempts to stop database processes.(Citation: Arxiv Avaddon Feb 2021)"; | |
dcterms:modified "2021-10-18T20:36:35.439Z"^^xsd:dateTime . | |
:relationship--31bdbd30-4938-48d6-ba95-1b90af01041c | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--6b1b551c-d770-4f95-8cfc-3cd253c4c04e; | |
stix:target_ref :attack-pattern--29be378d-262d-4e99-b00d-852d573628e6; | |
dcterms:created "2020-05-11T19:44:35.090Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Frankenstein](https://attack.mitre.org/groups/G0101) has used WMI queries to check if various security applications were running, including VMWare and Virtualbox.(Citation: Talos Frankenstein June 2019)"; | |
dcterms:modified "2022-10-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--eda49ac0-3077-4bff-9b30-44f527914e9c | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--92b55426-109f-4d93-899f-1833ce91ff90; | |
stix:target_ref :attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670; | |
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Mosquito](https://attack.mitre.org/software/S0256) leverages the CreateProcess() and LoadLibrary() calls to execute files with the .dll and .exe extensions.(Citation: ESET Turla Mosquito Jan 2018)"; | |
dcterms:modified "2020-03-20T01:55:35.004Z"^^xsd:dateTime . | |
:relationship--7a58b25f-1736-48c6-90e1-70c49896ed4b | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542; | |
stix:target_ref :attack-pattern--54ca26f3-c172-4231-93e5-ccebcac2161f; | |
dcterms:created "2022-09-28T13:30:53.698Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[APT29](https://attack.mitre.org/groups/G0016) has edited the `Microsoft.IdentityServer.Servicehost.exe.config` file to load a malicious DLL into the AD FS process, thereby enabling persistent access to any service federated with AD FS for a user with a specified User Principal Name.(Citation: MagicWeb)"; | |
dcterms:modified "2023-03-27T19:41:51.571Z"^^xsd:dateTime . | |
:relationship--6c7c4191-2d75-4ce8-b937-b9abb77d7b5b | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--454fe82d-6fd2-4ac6-91ab-28a33fe01369; | |
stix:target_ref :attack-pattern--1644e709-12d2-41e5-a60f-3470991f5011; | |
dcterms:created "2019-04-19T15:30:36.771Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[HOPLIGHT](https://attack.mitre.org/software/S0376) has the capability to harvest credentials and passwords from the SAM database.(Citation: US-CERT HOPLIGHT Apr 2019)\t"; | |
dcterms:modified "2020-03-25T16:02:26.468Z"^^xsd:dateTime . | |
:relationship--68e1b510-a985-467a-b3b6-03d5493e9b59 | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--e5d930e9-775a-40ad-9bdb-b941d8dfe86b; | |
stix:target_ref :attack-pattern--389735f1-f21c-4208-b8f0-f8031e7169b8; | |
dcterms:created "2021-04-03T18:55:25.871Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Ensure operating systems and browsers are using the most current version. "; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--9da590e3-3447-4401-8ac7-f6c7482e4aed | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--93e7968a-9074-4eac-8ae9-9f5200ec3317; | |
stix:target_ref :attack-pattern--677569f9-a8b0-459e-ab24-7f18091fa7bf; | |
dcterms:created "2020-02-18T16:48:56.795Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "An adversary must already have administrator level access on the local system to make full use of this technique; be sure to restrict users and accounts to the least privileges they require."; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--3758634e-bb33-4354-98f3-b662e8e7e83f | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--cc5497f7-a9e8-436f-94da-b2b4a9b9ad3c; | |
stix:target_ref :attack-pattern--ec8fc7e2-b356-455c-8db5-2e37be158e7d; | |
dcterms:created "2020-04-28T12:47:25.954Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[PoetRAT](https://attack.mitre.org/software/S0428) has the ability to hide and unhide files.(Citation: Talos PoetRAT April 2020)"; | |
dcterms:modified "2020-04-28T12:47:25.954Z"^^xsd:dateTime . | |
:relationship--8b2af30a-523f-41fe-88c3-ab2ee15bdec5 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--44e43fad-ffcb-4210-abcf-eaaed9735f80; | |
stix:target_ref :attack-pattern--3fc9b85a-2862-4363-a64d-d692e3ffbee0; | |
dcterms:created "2020-05-22T15:43:05.190Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[APT39](https://attack.mitre.org/groups/G0087) has used the Smartftp Password Decryptor tool to decrypt FTP passwords.(Citation: BitDefender Chafer May 2020)"; | |
dcterms:modified "2023-10-18T16:19:53.783Z"^^xsd:dateTime . | |
:relationship--b29088a3-47cf-4799-a8e5-428472908d06 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--b7f627e2-0817-4cd5-8d50-e75f8aa85cc6; | |
stix:target_ref :attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4; | |
dcterms:created "2023-04-10T17:01:22.574Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[LuminousMoth](https://attack.mitre.org/groups/G1014) has used malware that adds Registry keys for persistence.(Citation: Kaspersky LuminousMoth July 2021)(Citation: Bitdefender LuminousMoth July 2021)"; | |
dcterms:modified "2023-04-10T17:01:22.574Z"^^xsd:dateTime . | |
:relationship--3e5cf341-4707-4de3-bb06-43530ee3e90f | |
rdf:type stix:Relationship; | |
stix:source_ref :tool--afc079f3-c0ea-4096-b75d-3f05338b7f60; | |
stix:target_ref :attack-pattern--b7dc639b-24cd-482d-a7f1-8897eda21023; | |
dcterms:created "2018-01-16T16:13:52.465Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Mimikatz](https://attack.mitre.org/software/S0002)'s <code>MISC::AddSid</code> module can appended any SID or user/group account to a user's SID-History. [Mimikatz](https://attack.mitre.org/software/S0002) also utilizes [SID-History Injection](https://attack.mitre.org/techniques/T1134/005) to expand the scope of other components such as generated Kerberos Golden Tickets and DCSync beyond a single domain.(Citation: Adsecurity Mimikatz Guide)(Citation: AdSecurity Kerberos GT Aug 2015)"; | |
dcterms:modified "2021-02-09T15:10:55.651Z"^^xsd:dateTime . | |
:relationship--c1a8eea8-f273-4dad-8ae0-d5c93bf5467f | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--54a73038-1937-4d71-a253-316e76d5413c; | |
stix:target_ref :attack-pattern--9db0cf3a-a3c9-4012-8268-123b9db6fd82; | |
dcterms:created "2020-11-16T20:14:25.585Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Lucifer](https://attack.mitre.org/software/S0532) can exploit multiple vulnerabilities including EternalBlue (CVE-2017-0144) and EternalRomance (CVE-2017-0144).(Citation: Unit 42 Lucifer June 2020)"; | |
dcterms:modified "2020-11-20T17:06:17.941Z"^^xsd:dateTime . | |
:relationship--a48d44d2-a84c-45dc-9a59-2bc21f2f2301 | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--4f170666-7edb-4489-85c2-9affa28a72e0; | |
stix:target_ref :attack-pattern--01df3350-ce05-4bdf-bdf8-0a919a66d4a8; | |
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:modified "2023-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--667592ad-e249-4efd-933f-75a53b25567a | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--c113230f-f044-423b-af63-9b63c802f5ae; | |
stix:target_ref :attack-pattern--774a3188-6ba9-4dc4-879d-d54ee48a5ce9; | |
dcterms:created "2022-06-09T18:40:23.658Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[OutSteel](https://attack.mitre.org/software/S1017) can automatically upload collected files to its C2 server.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )"; | |
dcterms:modified "2022-06-09T18:40:23.658Z"^^xsd:dateTime . | |
:relationship--828afc32-9874-40aa-b752-315c7623ffee | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--26fed817-e7bf-41f9-829a-9075ffac45c2; | |
stix:target_ref :attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279; | |
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Kasidet](https://attack.mitre.org/software/S0088) creates a Registry Run key to establish persistence.(Citation: Zscaler Kasidet)(Citation: Microsoft Kasidet)"; | |
dcterms:modified "2020-03-16T17:02:26.255Z"^^xsd:dateTime . | |
:relationship--b695f761-40ed-4988-935c-a1cf5e67c8d8 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--32f49626-87f4-4d6c-8f59-a0dca953fe26; | |
stix:target_ref :attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2; | |
dcterms:created "2021-01-06T17:58:29.248Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[TEARDROP](https://attack.mitre.org/software/S0560) files had names that resembled legitimate Window file and directory names.(Citation: FireEye SUNBURST Backdoor December 2020)(Citation: Microsoft Deep Dive Solorigate January 2021)"; | |
dcterms:modified "2021-04-29T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--01292102-1f89-4358-b62c-bc0afd49fc52 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--7e6c2a9d-9dc1-4eb0-b27c-91e8076a9d77; | |
stix:target_ref :attack-pattern--1996eef1-ced3-4d7f-bf94-33298cabbf72; | |
dcterms:created "2020-03-17T02:18:35.198Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[QUADAGENT](https://attack.mitre.org/software/S0269) uses DNS for C2 communications.(Citation: Unit 42 QUADAGENT July 2018)"; | |
dcterms:modified "2020-03-17T02:18:35.198Z"^^xsd:dateTime . | |
:relationship--8e883c7a-3f13-42f6-8cf5-ce373586487e | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--3249e92a-870b-426d-8790-ba311c1abfb4; | |
stix:target_ref :attack-pattern--01a5a209-b94c-450b-b7f9-946497d91055; | |
dcterms:created "2019-03-25T15:05:23.719Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Olympic Destroyer](https://attack.mitre.org/software/S0365) uses WMI to help propagate itself across a network.(Citation: Talos Olympic Destroyer 2018)"; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--b7d36798-e9f2-4474-836e-80b100a561e6 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--7113eaa5-ba79-4fb3-b68a-398ee9cd698e; | |
stix:target_ref :attack-pattern--1c34f7aa-9341-4a48-bfab-af22e51aca6c; | |
dcterms:created "2018-04-18T17:59:24.739Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Leviathan](https://attack.mitre.org/groups/G0065) has used C:\\Windows\\Debug and C:\\Perflogs as staging directories.(Citation: FireEye Periscope March 2018)(Citation: CISA AA21-200A APT40 July 2021)"; | |
dcterms:modified "2022-05-11T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--c4c83769-f5e3-4556-85b8-140060c6c0d0 | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--d2ff4b56-8351-4ed8-b0fb-d8605366005f; | |
stix:target_ref :attack-pattern--3975dbb5-0e1e-4f5b-bae1-cf2ab84b46dc; | |
dcterms:created "2022-08-04T00:29:13.276Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Monitor for changes made to firewall rules, especially unexpected modifications that may potentially be related to allowing and/or cleaning up previous tampering that enabled malicious network traffic."; | |
dcterms:modified "2022-08-04T00:29:13.276Z"^^xsd:dateTime . | |
:relationship--c07df1c1-3ae1-4974-af37-9c1b04cef14a | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--f4c80d39-ce10-4f74-9b50-a7e3f5df1f2e; | |
stix:target_ref :attack-pattern--045d0922-2310-4e60-b5e4-3302302cb3c5; | |
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Comnie](https://attack.mitre.org/software/S0244) uses Rundll32 to load a malicious DLL.(Citation: Palo Alto Comnie)"; | |
dcterms:modified "2020-03-17T00:43:32.014Z"^^xsd:dateTime . | |
:relationship--c495478b-6bae-4d1e-a43e-be07fe7cdb48 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--8c1f0187-0826-4320-bddc-5f326cfcfe2c; | |
stix:target_ref :attack-pattern--c32f7008-9fea-41f7-8366-5eb9b74bd896; | |
dcterms:created "2021-01-22T21:09:58.863Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Chimera](https://attack.mitre.org/groups/G0114) has queried Registry keys using <code>reg query \\\\<host>\\HKU\\<SID>\\SOFTWARE\\Microsoft\\Terminal Server Client\\Servers</code> and <code>reg query \\\\<host>\\HKU\\<SID>\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings</code>.(Citation: NCC Group Chimera January 2021)"; | |
dcterms:modified "2021-01-22T21:09:58.863Z"^^xsd:dateTime . | |
:relationship--eb67e50e-84ac-495d-8374-547ef1f34f4f | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--0ec2f388-bf0f-4b5c-97b1-fc736d26c25f; | |
stix:target_ref :attack-pattern--65f2d882-3f41-4d48-8a06-29af77ec9f90; | |
dcterms:created "2020-11-05T15:54:26.041Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Kimsuky](https://attack.mitre.org/groups/G0094) has gathered credentials using [Mimikatz](https://attack.mitre.org/software/S0002) and ProcDump.(Citation: CISA AA20-301A Kimsuky)(Citation: Netscout Stolen Pencil Dec 2018)(Citation: KISA Operation Muzabi)"; | |
dcterms:modified "2022-04-12T18:21:23.235Z"^^xsd:dateTime . | |
:relationship--4d6b8bca-ad81-41d6-8b4e-194ddf04d3dd | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--5bcd5511-6756-4824-a692-e8bb109364af; | |
stix:target_ref :attack-pattern--f72eb8a8-cd4c-461d-a814-3f862befbf00; | |
dcterms:created "2018-04-18T17:59:24.739Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Chaos](https://attack.mitre.org/software/S0220) provides a reverse shell connection on 8338/TCP, encrypted via AES.(Citation: Chaos Stolen Backdoor)"; | |
dcterms:modified "2023-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--2ff84270-830f-4de8-b93c-4ee3a9a46781 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--5c747acd-47f0-4c5a-b9e5-213541fc01e0; | |
stix:target_ref :attack-pattern--f3c544dc-673c-4ef3-accb-53229f1ae077; | |
dcterms:created "2021-03-12T16:55:09.340Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[GoldMax](https://attack.mitre.org/software/S0588) can check the current date-time value of the compromised system, comparing it to the hardcoded execution trigger and can send the current timestamp to the C2 server.(Citation: MSTIC NOBELIUM Mar 2021)(Citation: FireEye SUNSHUTTLE Mar 2021) "; | |
dcterms:modified "2021-03-16T16:27:36.037Z"^^xsd:dateTime . | |
:relationship--4b66eefd-8731-4c36-bee3-88e87c9f41d3 | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa; | |
stix:target_ref :attack-pattern--e848506b-8484-4410-8017-3d235a52f5b3; | |
dcterms:created "2022-05-27T13:23:37.573Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Monitor logs generated by serverless execution for unusual activity. For example, in Exchange environments emails sent by Power Automate via the Outlook 365 connector include the phrase ‘Power App’ or ‘Power Automate’ in the SMTP header 'x-ms-mail-application.'(Citation: Power Automate Email Exfiltration Controls)"; | |
dcterms:modified "2022-10-19T15:12:33.677Z"^^xsd:dateTime . | |
:relationship--12168524-c6cf-4b8f-b114-7b10b06b8f32 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--e355fc84-6f3c-4888-8e0a-d7fa9c378532; | |
stix:target_ref :attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1; | |
dcterms:created "2022-08-18T15:36:13.631Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[STARWHALE](https://attack.mitre.org/software/S1037) can gather the computer name of an infected host.(Citation: Mandiant UNC3313 Feb 2022)(Citation: DHS CISA AA22-055A MuddyWater February 2022)"; | |
dcterms:modified "2022-10-14T15:23:17.964Z"^^xsd:dateTime . | |
:relationship--8a97476d-9e53-4212-9179-7afbab0b8915 | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba; | |
stix:target_ref :attack-pattern--ae676644-d2d2-41b7-af7e-9bed1b55898c; | |
dcterms:created "2022-06-16T13:08:03.143Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Monitor for newly constructed network connections that may search network shares on computers they have compromised to find files of interest. Network Analysis frameworks such as Zeek can be used to capture, decode, and alert on network protocols such as SMB that revolve around network shares."; | |
dcterms:modified "2023-08-11T21:06:28.084Z"^^xsd:dateTime . | |
:relationship--a5f43f22-7157-4e5a-8d08-d700471f1993 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--049ff071-0b3c-4712-95d2-d21c6aa54501; | |
stix:target_ref :attack-pattern--f3d95a1f-bba2-44ce-9af7-37866cd63fd0; | |
dcterms:created "2018-04-18T17:59:24.739Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[MURKYTOP](https://attack.mitre.org/software/S0233) has the capability to schedule remote AT jobs.(Citation: FireEye Periscope March 2018)"; | |
dcterms:modified "2020-03-16T16:03:23.842Z"^^xsd:dateTime . | |
:relationship--e1275bcd-0462-4f79-b18f-2132b0bb74ec | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--c88151a5-fe3f-4773-8147-d801587065a4; | |
stix:target_ref :attack-pattern--327f3cc5-eea1-42d4-a6cd-ed34b7ce8f61; | |
dcterms:created "2017-05-31T21:33:27.019Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:modified "2023-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--ca80e49f-7129-43bc-ad58-5521f03b737c | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077; | |
stix:target_ref :attack-pattern--dfefe2ed-4389-4318-8762-f0272b350a1b; | |
dcterms:created "2022-03-30T14:26:51.872Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Suspicious processes or scripts spawned in this manner will have a parent process of ‘systemd’, a parent process ID of 1, and will usually execute as the ‘root’ user."; | |
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--7fbbab0b-8e78-4352-ad0b-ae9a2eeffba5 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--36ede314-7db4-4d09-b53d-81bbfbe5f6f8; | |
stix:target_ref :attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0; | |
dcterms:created "2020-06-23T17:59:53.341Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Avenger](https://attack.mitre.org/software/S0473) can identify the domain of the compromised host.(Citation: Trend Micro Tick November 2019)"; | |
dcterms:modified "2020-06-24T01:27:32.649Z"^^xsd:dateTime . | |
:relationship--398a5e5a-b624-4992-b26c-2abb37c9c2db | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--aaf3fa65-8b27-4e68-91de-2b7738fe4c82; | |
stix:target_ref :attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736; | |
dcterms:created "2019-06-18T17:20:43.750Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[JCry](https://attack.mitre.org/software/S0389) has used PowerShell to execute payloads.(Citation: Carbon Black JCry May 2019)"; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--33162cc2-a800-4d42-89bb-13ac1e75dfce | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--96b08451-b27a-4ff6-893f-790e26393a8e; | |
stix:target_ref :attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add; | |
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Sakula](https://attack.mitre.org/software/S0074) has the capability to download files.(Citation: Dell Sakula)"; | |
dcterms:modified "2020-03-17T02:29:53.409Z"^^xsd:dateTime . | |
:relationship--24db980d-90c2-4934-838c-92209ae110f7 | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--90f39ee1-d5a3-4aaa-9f28-3b42815b0d46; | |
stix:target_ref :attack-pattern--d511a6f6-4a33-41d5-bc95-c343875d1377; | |
dcterms:created "2023-03-14T17:49:22.252Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "On Windows 10+, enable Attack Surface Reduction (ASR) rules to block execution of potentially obfuscated scripts.(Citation: Microsoft ASR Obfuscation)"; | |
dcterms:modified "2023-03-20T18:27:06.975Z"^^xsd:dateTime . | |
:malware--b00f90b6-c75c-4bfd-b813-ca9e6c9ebf29 | |
rdf:type stix:Malware; | |
rdfs:label "OSX_OCEANLOTUS.D"; | |
dcterms:created "2019-01-30T19:18:19.667Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352) is a macOS backdoor used by [APT32](https://attack.mitre.org/groups/G0050). First discovered in 2015, [APT32](https://attack.mitre.org/groups/G0050) has continued to make improvements using a plugin architecture to extend capabilities, specifically using `.dylib` files. [OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352) can also determine it's permission level and execute according to access type (`root` or `user`).(Citation: Unit42 OceanLotus 2017)(Citation: TrendMicro MacOS April 2018)(Citation: Trend Micro MacOS Backdoor November 2020)"; | |
dcterms:modified "2023-10-12T20:21:08.235Z"^^xsd:dateTime . | |
:relationship--c887c671-d467-45a1-952b-8fd20cd77ec1 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--60d50676-459a-47dd-92e9-a827a9fe9c58; | |
stix:target_ref :attack-pattern--6495ae23-3ab4-43c5-a94f-5638a2c31fd2; | |
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[RunningRAT](https://attack.mitre.org/software/S0253) contains code to clear event logs.(Citation: McAfee Gold Dragon)"; | |
dcterms:modified "2020-04-21T23:09:31.596Z"^^xsd:dateTime . | |
:relationship--18b2b3f9-8ed6-44e3-804e-ee0acc3457fb | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c; | |
stix:target_ref :attack-pattern--035bb001-ab69-4a0b-9f6c-2de8b09e1b9d; | |
dcterms:created "2022-03-30T14:26:51.833Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Monitor network traffic for anomalies associated with known AiTM behavior."; | |
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--b2e0fa0b-ccc4-4bd9-a981-2aa198491333 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--93289ecf-4d15-4d6b-a9c3-4ab27e145ef4; | |
stix:target_ref :attack-pattern--7dd95ff6-712e-4056-9626-312ea4ab4c5e; | |
dcterms:created "2023-05-22T19:45:53.310Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[QUIETCANARY](https://attack.mitre.org/software/S1076) has the ability to stage data prior to exfiltration.(Citation: Mandiant Suspected Turla Campaign February 2023)"; | |
dcterms:modified "2023-05-22T19:45:53.310Z"^^xsd:dateTime . | |
:relationship--da542c01-9b62-4e42-9036-809ceb31eb8d | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--579607c2-d046-40df-99ab-beb479c37a2a; | |
stix:target_ref :attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5; | |
dcterms:created "2022-05-04T22:33:08.949Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Chrommme](https://attack.mitre.org/software/S0667) can collect data from a local system.(Citation: ESET Gelsemium June 2021)"; | |
dcterms:modified "2022-05-04T22:33:08.949Z"^^xsd:dateTime . | |
:relationship--578433f2-d3d3-4434-8b6c-986c14204b92 | |
rdf:type stix:Relationship; | |
stix:source_ref :campaign--519ee082-8ab6-439b-988f-a8a3f02c8d30; | |
stix:target_ref :attack-pattern--bf90d72c-c00b-45e3-b3aa-68560560d4c5; | |
dcterms:created "2023-01-17T21:55:43.672Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "During [C0018](https://attack.mitre.org/campaigns/C0018), the threat actors transferred the SoftPerfect Network Scanner and other tools to machines in the network using AnyDesk and PDQ Deploy.(Citation: Cisco Talos Avos Jun 2022)(Citation: Costa AvosLocker May 2022)"; | |
dcterms:modified "2023-02-14T16:47:55.127Z"^^xsd:dateTime . | |
:relationship--93f46e6e-cabc-4274-b50e-63bda692d01e | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--8f423bd7-6ca7-4303-9e85-008c7ad5fdaa; | |
stix:target_ref :attack-pattern--9a60a291-8960-4387-8a4a-2ab5c18bb50b; | |
dcterms:created "2020-05-06T21:01:23.473Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Attor](https://attack.mitre.org/software/S0438) has used FTP protocol for C2 communication.(Citation: ESET Attor Oct 2019)"; | |
dcterms:modified "2020-05-06T21:01:23.473Z"^^xsd:dateTime . | |
:relationship--a70d8d81-4d88-404c-81f3-c3ddd57d6b69 | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--b045d015-6bed-4490-bd38-56b41ece59a0; | |
stix:target_ref :attack-pattern--54a649ff-439a-41a4-9856-8d144a2551ba; | |
dcterms:created "2019-06-24T16:04:41.149Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Use multi-factor authentication on remote service logons where possible."; | |
dcterms:modified "2021-10-21T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--c3ee174d-fd40-4636-97b2-afe80854f987 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--9ca488bd-9587-48ef-b923-1743523e63b2; | |
stix:target_ref :attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18; | |
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[SOUNDBITE](https://attack.mitre.org/software/S0157) is capable of enumerating and manipulating files and directories.(Citation: FireEye APT32 May 2017)"; | |
dcterms:modified "2020-03-17T02:37:58.064Z"^^xsd:dateTime . | |
:relationship--6c56fdb0-d6cc-4a25-aa19-7191410704ef | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--a0ab8a96-40c9-4483-8a54-3fafa6d6007a; | |
stix:target_ref :attack-pattern--4bed873f-0b7d-41d4-b93a-b6905d1f90b0; | |
dcterms:created "2022-03-25T19:30:14.793Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[HermeticWiper](https://attack.mitre.org/software/S0697) has the ability to receive a command parameter to sleep prior to carrying out destructive actions on a targeted host.(Citation: Crowdstrike DriveSlayer February 2022)"; | |
dcterms:modified "2022-04-10T16:24:00.046Z"^^xsd:dateTime . | |
:relationship--52893247-a6d6-4119-881a-09e10121edf5 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--dff90475-9f72-41a6-84ed-1fbefd3874c0; | |
stix:target_ref :attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c; | |
dcterms:created "2022-07-25T18:33:20.016Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Heyoka Backdoor](https://attack.mitre.org/software/S1027) can decrypt its payload prior to execution.(Citation: SentinelOne Aoqin Dragon June 2022)"; | |
dcterms:modified "2022-07-25T18:33:20.016Z"^^xsd:dateTime . | |
:relationship--a78310c3-ee57-465a-9983-13c6a7cd1d4f | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--a0cb9370-e39b-44d5-9f50-ef78e412b973; | |
stix:target_ref :attack-pattern--e0033c16-a07e-48aa-8204-7c3ca669998c; | |
dcterms:created "2022-01-07T16:19:16.847Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Axiom](https://attack.mitre.org/groups/G0001) has targeted victims with remote administration tools including RDP.(Citation: Novetta-Axiom)"; | |
dcterms:modified "2023-03-20T22:03:44.682Z"^^xsd:dateTime . | |
:relationship--3ce884c7-71c5-4f46-b09c-1abb45d8341b | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--80a014ba-3fef-4768-990b-37d8bd10d7f4; | |
stix:target_ref :attack-pattern--54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b; | |
dcterms:created "2023-06-22T19:57:39.143Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Uroburos](https://attack.mitre.org/software/S0022) can use custom communications protocols that ride over SMTP.(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)"; | |
dcterms:modified "2023-06-22T19:57:39.143Z"^^xsd:dateTime . | |
:relationship--65f7704a-358a-464d-b09b-fee5dd96adf3 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--f9d6633a-55e6-4adc-9263-6ae080421a13; | |
stix:target_ref :attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688; | |
dcterms:created "2018-01-16T16:13:52.465Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Magic Hound](https://attack.mitre.org/groups/G0059) malware can take a screenshot and upload the file to its C2 server.(Citation: Unit 42 Magic Hound Feb 2017)"; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--f993e545-2d09-48c1-9b82-110ab798bdcf | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71; | |
stix:target_ref :attack-pattern--d742a578-d70e-4d0e-96a6-02a9c30204e6; | |
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Dragonfly 2.0](https://attack.mitre.org/groups/G0074) compromised legitimate organizations' websites to create watering holes to compromise victims.(Citation: US-CERT TA18-074A)"; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--e4e36dcb-9c07-4c22-a182-61ac194a434f | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--f4c80d39-ce10-4f74-9b50-a7e3f5df1f2e; | |
stix:target_ref :attack-pattern--5bfccc3f-2326-4112-86cc-c1ece9d8a2b5; | |
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Comnie](https://attack.mitre.org/software/S0244) appends a total of 64MB of garbage data to a file to deter any security products in place that may be scanning files on disk.(Citation: Palo Alto Comnie)"; | |
dcterms:modified "2020-03-17T00:43:32.130Z"^^xsd:dateTime . | |
:relationship--8be10d07-69bd-47ae-9dea-5918d1005699 | |
rdf:type stix:Relationship; | |
stix:source_ref :attack-pattern--52f3d5a6-8a0f-4f82-977e-750abf90d0b0; | |
stix:target_ref :attack-pattern--0042a9f5-f053-4769-b3ef-9ad018dfa298; | |
dcterms:created "2020-01-14T17:23:05.953Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--abd0cc1c-8901-4645-8853-c394ae8c573c | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--c541efb4-e7b1-4ad6-9da8-b4e113f5dd42; | |
stix:target_ref :attack-pattern--2bce5b30-7014-4a5d-ade7-12913fe6ac36; | |
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Proton](https://attack.mitre.org/software/S0279) removes logs from <code>/var/logs</code> and <code>/Library/logs</code>.(Citation: objsee mac malware 2017)"; | |
dcterms:modified "2020-02-18T03:51:27.154Z"^^xsd:dateTime . | |
:relationship--e104cf3c-a802-4e06-8abc-6293cea9492f | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f; | |
stix:target_ref :attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736; | |
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[menuPass](https://attack.mitre.org/groups/G0045) uses [PowerSploit](https://attack.mitre.org/software/S0194) to inject shellcode into PowerShell.(Citation: PWC Cloud Hopper Technical Annex April 2017)(Citation: Symantec Cicada November 2020)"; | |
dcterms:modified "2023-03-23T15:14:18.649Z"^^xsd:dateTime . | |
:relationship--b16c27b4-f94b-43e4-832d-986c03b96ffd | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--93e7968a-9074-4eac-8ae9-9f5200ec3317; | |
stix:target_ref :attack-pattern--2db31dcd-54da-405d-acef-b9129b816ed6; | |
dcterms:created "2020-02-12T15:05:04.382Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Limit which user accounts are allowed to login via SSH."; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--3ed38d36-8e7c-4670-aead-cc8c28fc53cc | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a; | |
stix:target_ref :attack-pattern--38eb0c22-6caf-46ce-8869-5964bd735858; | |
dcterms:created "2022-03-30T14:26:51.869Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious."; | |
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--1820202b-0994-452a-93e7-ce21496d2ab4 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--5a3a31fe-5a8f-48e1-bff0-a753e5b1be70; | |
stix:target_ref :attack-pattern--deb98323-e13f-4b0c-8d94-175379069062; | |
dcterms:created "2019-04-23T15:30:03.159Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[China Chopper](https://attack.mitre.org/software/S0020)'s client component is packed with UPX.(Citation: Lee 2013)"; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--c4221728-ce93-438c-93cd-133b6176abee | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c; | |
stix:target_ref :attack-pattern--b18eae87-b469-4e14-b454-b171b416bc18; | |
dcterms:created "2022-03-30T14:26:51.858Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used."; | |
dcterms:modified "2023-04-15T00:10:04.672Z"^^xsd:dateTime . | |
:relationship--ce378e64-5802-4751-8b8e-d7bf68ce4c6a | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--198db886-47af-4f4c-bff5-11b891f85946; | |
stix:target_ref :attack-pattern--30973a08-aed9-4edf-8604-9084ce1b5c4f; | |
dcterms:created "2019-01-29T17:59:44.527Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Zeus Panda](https://attack.mitre.org/software/S0330) can hook GetClipboardData function to watch for clipboard pastes to collect.(Citation: GDATA Zeus Panda June 2017)"; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--ee5e40d0-f72e-4e0b-8b10-cd5c2057cdc0 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--5be33fef-39c0-4532-84ee-bea31e1b5324; | |
stix:target_ref :attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9; | |
dcterms:created "2018-01-16T16:13:52.465Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[ISMInjector](https://attack.mitre.org/software/S0189) creates scheduled tasks to establish persistence.(Citation: OilRig New Delivery Oct 2017)"; | |
dcterms:modified "2020-03-28T21:35:37.266Z"^^xsd:dateTime . | |
:relationship--43e9c37e-9e57-4130-8510-05c65bfde6f8 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6; | |
stix:target_ref :malware--92b55426-109f-4d93-899f-1833ce91ff90; | |
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "(Citation: ESET Turla Mosquito Jan 2018)(Citation: ESET Turla Mosquito May 2018)(Citation: Secureworks IRON HUNTER Profile)"; | |
dcterms:modified "2022-02-22T15:46:45.474Z"^^xsd:dateTime . | |
:relationship--37ec750b-c0d2-4b3c-bfd2-b63e4f39b8c5 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--55033a4d-3ffe-46b2-99b4-2c1541e9ce1c; | |
stix:target_ref :attack-pattern--f24faf46-3b26-4dbb-98f2-63460498e433; | |
dcterms:created "2020-12-11T15:33:01.509Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Carbanak](https://attack.mitre.org/groups/G0008)’s Harpy backdoor malware can use DNS as a backup channel for C2 if HTTP fails. (Citation: Crowdstrike GTR2020 Mar 2020)"; | |
dcterms:modified "2021-10-21T14:00:00.188Z"^^xsd:dateTime . | |
:malware--c26f1c05-b861-4970-94dc-2f7f921a3074 | |
rdf:type stix:Malware; | |
rdfs:label "BoomBox"; | |
dcterms:created "2021-08-03T14:55:46.682Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[BoomBox](https://attack.mitre.org/software/S0635) is a downloader responsible for executing next stage components that has been used by [APT29](https://attack.mitre.org/groups/G0016) since at least 2021.(Citation: MSTIC Nobelium Toolset May 2021)"; | |
dcterms:modified "2022-05-11T14:00:00.188Z"^^xsd:dateTime . | |
:attack-pattern--2e0dd10b-676d-4964-acd0-8a404c92b044 | |
rdf:type d3f:OffensiveTechnique; | |
rdfs:label "Disabling Security Tools"; | |
dcterms:created "2017-05-31T21:31:07.958Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security scanning or event reporting."; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--a8b6a519-2159-46f0-916d-1f7a3d940eea | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--3a4197ae-ec63-4162-907b-9a073d1157e4; | |
stix:target_ref :attack-pattern--2aed01ad-3df3-4410-a8cb-11ea4ded587c; | |
dcterms:created "2020-09-30T14:52:09.005Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[WellMess](https://attack.mitre.org/software/S0514) can identify domain group membership for the current user.(Citation: CISA WellMess July 2020)"; | |
dcterms:modified "2020-09-30T14:52:09.005Z"^^xsd:dateTime . | |
:relationship--652ba0d5-1bd3-4dcb-93c5-f339ffdae886 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--dd889a55-fb2c-4ec7-8e9f-c399939a49e1; | |
stix:target_ref :attack-pattern--b46a801b-fd98-491c-a25a-bca25d6e3001; | |
dcterms:created "2022-06-28T14:20:00.423Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[IceApple](https://attack.mitre.org/software/S1022) is an IIS post-exploitation framework, consisting of 18 modules that provide several functionalities.(Citation: CrowdStrike IceApple May 2022)"; | |
dcterms:modified "2022-06-28T14:20:00.423Z"^^xsd:dateTime . | |
:relationship--7d72dfaf-3ba5-4420-985c-b0cd16716428 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--c26f1c05-b861-4970-94dc-2f7f921a3074; | |
stix:target_ref :attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18; | |
dcterms:created "2021-10-13T15:35:20.829Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[BoomBox](https://attack.mitre.org/software/S0635) can search for specific files and directories on a machine.(Citation: MSTIC Nobelium Toolset May 2021)"; | |
dcterms:modified "2021-10-13T15:35:20.829Z"^^xsd:dateTime . | |
:relationship--990d1dde-8b25-4b83-93a0-50533b557b82 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--7230ded7-3b1a-4d6e-9735-d0ffd47af9f6; | |
stix:target_ref :attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670; | |
dcterms:created "2023-02-10T18:42:43.813Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[SVCReady](https://attack.mitre.org/software/S1064) can use Windows API calls to gather information from an infected host.(Citation: HP SVCReady Jun 2022)"; | |
dcterms:modified "2023-02-10T18:42:43.813Z"^^xsd:dateTime . | |
:relationship--f54cba45-e641-49e0-b015-b5f6f8a05002 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--432555de-63bf-4f2a-a3fa-f720a4561078; | |
stix:target_ref :attack-pattern--a01bf75f-00b2-4568-a58f-565ff9bf202b; | |
dcterms:created "2019-05-30T17:23:30.514Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[FlawedAmmyy](https://attack.mitre.org/software/S0381) enumerates the privilege level of the victim during the initial infection.(Citation: Proofpoint TA505 Mar 2018)(Citation: Korean FSI TA505 2020)"; | |
dcterms:modified "2022-10-13T16:54:26.083Z"^^xsd:dateTime . | |
:relationship--59945377-5b77-4267-ae36-9feebccc42f3 | |
rdf:type stix:Relationship; | |
stix:source_ref :tool--a7b5df47-73bb-4d47-b701-869f185633a6; | |
stix:target_ref :attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580; | |
dcterms:created "2022-03-25T14:32:35.653Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Donut](https://attack.mitre.org/software/S0695) includes subprojects that enumerate and identify information about [Process Injection](https://attack.mitre.org/techniques/T1055) candidates.(Citation: Donut Github)\t"; | |
dcterms:modified "2022-03-25T14:32:35.653Z"^^xsd:dateTime . | |
:relationship--9ee2a9f3-9174-4927-8561-56d5c6723b9e | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--db1355a7-e5c9-4e2c-8da7-eccf2ae9bf5c; | |
stix:target_ref :attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1; | |
dcterms:created "2018-04-18T17:59:24.739Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[TURNEDUP](https://attack.mitre.org/software/S0199) is capable of gathering system information.(Citation: FireEye APT33 Sept 2017)"; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--5239c6fe-bb67-48c0-bd77-2267e1e71cf3 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--4c6d62c2-89f5-4159-8fab-0190b1f9d328; | |
stix:target_ref :attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0; | |
dcterms:created "2020-07-16T15:10:35.341Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Bonadan](https://attack.mitre.org/software/S0486) can find the external IP address of the infected host.(Citation: ESET ForSSHe December 2018)"; | |
dcterms:modified "2020-07-16T15:10:35.341Z"^^xsd:dateTime . | |
:relationship--982d9af7-45bb-4cc0-9819-aaadb3304783 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--251fbae2-78f6-4de7-84f6-194c727a64ad; | |
stix:target_ref :attack-pattern--53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a; | |
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Lurid](https://attack.mitre.org/software/S0010) can compress data before sending it.(Citation: Villeneuve 2011)"; | |
dcterms:modified "2020-03-30T02:28:58.614Z"^^xsd:dateTime . | |
:relationship--9c97e0aa-61fd-4f42-881f-763a1b03c16b | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--247cb30b-955f-42eb-97a5-a89fef69341e; | |
stix:target_ref :tool--5a63f900-5e7e-4928-a746-dd4558e1df71; | |
dcterms:created "2019-01-31T01:07:58.791Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "(Citation: Cybereason Cobalt Kitty 2017)"; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--9ce9ab1f-b4fa-41e7-8302-11c30f918001 | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--93e7968a-9074-4eac-8ae9-9f5200ec3317; | |
stix:target_ref :attack-pattern--ed2e45f9-d338-4eb2-8ce5-3a2e03323bc1; | |
dcterms:created "2020-06-09T15:33:13.725Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Limit permissions for creating snapshots or backups in accordance with least privilege. Organizations should limit the number of users within the organization with an IAM role that has administrative privileges, strive to reduce all permanent privileged role assignments, and conduct periodic entitlement reviews on IAM users, roles and policies.(Citation: Mandiant M-Trends 2020)"; | |
dcterms:modified "2021-02-09T13:34:39.997Z"^^xsd:dateTime . | |
:attack-pattern--4fe28b27-b13c-453e-a386-c2ef362a573b | |
rdf:type d3f:OffensiveTechnique; | |
rdfs:label "Protocol Tunneling"; | |
dcterms:created "2020-03-15T16:03:39.082Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection/network filtering and/or enable access to otherwise unreachable systems. Tunneling involves explicitly encapsulating a protocol within another. This behavior may conceal malicious traffic by blending in with existing traffic and/or provide an outer layer of encryption (similar to a VPN). Tunneling could also enable routing of network packets that would otherwise not reach their intended destination, such as SMB, RDP, or other traffic that would be filtered by network appliances or not routed over the Internet. \n\nThere are various means to encapsulate a protocol within another protocol. For example, adversaries may perform SSH tunneling (also known as SSH port forwarding), which involves forwarding arbitrary data over an encrypted SSH tunnel.(Citation: SSH Tunneling) \n\n[Protocol Tunneling](https://attack.mitre.org/techniques/T1572) may also be abused by adversaries during [Dynamic Resolution](https://attack.mitre.org/techniques/T1568). Known as DNS over HTTPS (DoH), queries to resolve C2 infrastructure may be encapsulated within encrypted HTTPS packets.(Citation: BleepingComp Godlua JUL19) \n\nAdversaries may also leverage [Protocol Tunneling](https://attack.mitre.org/techniques/T1572) in conjunction with [Proxy](https://attack.mitre.org/techniques/T1090) and/or [Protocol Impersonation](https://attack.mitre.org/techniques/T1001/003) to further conceal C2 communications and infrastructure. "; | |
dcterms:modified "2021-04-29T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--e3a516b0-fa02-43dc-8247-0545a53693b1 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--77e0ecf7-ca91-4c06-8012-8e728986a87a; | |
stix:target_ref :attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add; | |
dcterms:created "2021-06-30T16:13:40.671Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Chaes](https://attack.mitre.org/software/S0631) can download additional files onto an infected machine.(Citation: Cybereason Chaes Nov 2020)"; | |
dcterms:modified "2021-08-19T21:57:15.981Z"^^xsd:dateTime . | |
:relationship--74dcdf15-ebdf-4faa-8316-cbf1429a8cea | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--7eda3dd8-b09b-4705-8090-c2ad9fb8c14d; | |
stix:target_ref :malware--a7881f21-e978-4fe4-af56-92c9416a2616; | |
dcterms:created "2022-10-13T16:08:14.749Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "(Citation: NCC Group TA505)"; | |
dcterms:modified "2022-10-13T16:08:14.749Z"^^xsd:dateTime . | |
:relationship--696c0ce2-7829-4d95-baab-ae64db59c62a | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--5633ffd3-81ef-4f98-8f93-4896b03998f0; | |
stix:target_ref :attack-pattern--b80d107d-fa0d-4b60-9684-b0433e8bdba0; | |
dcterms:created "2022-08-11T22:39:33.911Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[DCSrv](https://attack.mitre.org/software/S1033) has encrypted drives using the core encryption mechanism from DiskCryptor.(Citation: Checkpoint MosesStaff Nov 2021)"; | |
dcterms:modified "2022-10-11T20:01:04.431Z"^^xsd:dateTime . | |
:relationship--e4153cab-6566-4a84-8d97-31afe694ccf3 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--28f04ed3-8e91-4805-b1f6-869020517871; | |
stix:target_ref :attack-pattern--6495ae23-3ab4-43c5-a94f-5638a2c31fd2; | |
dcterms:created "2020-11-18T17:17:06.494Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Operation Wocao](https://attack.mitre.org/groups/G0116) has deleted Windows Event Logs to hinder forensic investigation.(Citation: FoxIT Wocao December 2019)"; | |
dcterms:modified "2022-10-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--e925337d-e878-48ad-a53c-3a3f4656849e | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--8c1f0187-0826-4320-bddc-5f326cfcfe2c; | |
stix:target_ref :attack-pattern--dd43c543-bb85-4a6f-aa6e-160d90d06a49; | |
dcterms:created "2021-01-22T19:53:33.345Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Chimera](https://attack.mitre.org/groups/G0114) has registered alternate phone numbers for compromised users to intercept 2FA codes sent via SMS.(Citation: NCC Group Chimera January 2021)"; | |
dcterms:modified "2021-01-22T19:53:33.345Z"^^xsd:dateTime . | |
:attack-pattern--02c5abff-30bf-4703-ab92-1f6072fae939 | |
rdf:type d3f:OffensiveTechnique; | |
rdfs:label "Fileless Storage"; | |
dcterms:created "2023-03-23T19:55:25.546Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Adversaries may store data in \"fileless\" formats to conceal malicious activity from defenses. Fileless storage can be broadly defined as any format other than a file. Common examples of non-volatile fileless storage include the Windows Registry, event logs, or WMI repository.(Citation: Microsoft Fileless)(Citation: SecureList Fileless)\n\nSimilar to fileless in-memory behaviors such as [Reflective Code Loading](https://attack.mitre.org/techniques/T1620) and [Process Injection](https://attack.mitre.org/techniques/T1055), fileless data storage may remain undetected by anti-virus and other endpoint security tools that can only access specific file formats from disk storage.\n\nAdversaries may use fileless storage to conceal various types of stored data, including payloads/shellcode (potentially being used as part of [Persistence](https://attack.mitre.org/tactics/TA0003)) and collected data not yet exfiltrated from the victim (e.g., [Local Data Staging](https://attack.mitre.org/techniques/T1074/001)). Adversaries also often encrypt, encode, splice, or otherwise obfuscate this fileless data when stored.\n\nSome forms of fileless storage activity may indirectly create artifacts in the file system, but in central and otherwise difficult to inspect formats such as the WMI (e.g., `%SystemRoot%\\System32\\Wbem\\Repository`) or Registry (e.g., `%SystemRoot%\\System32\\Config`) physical files.(Citation: Microsoft Fileless) "; | |
dcterms:modified "2023-10-31T14:00:00.188Z"^^xsd:dateTime . | |
:attack-pattern--1b7ba276-eedc-4951-a762-0ceea2c030ec | |
rdf:type d3f:OffensiveTechnique; | |
rdfs:label "Data from Removable Media"; | |
dcterms:created "2017-05-31T21:30:31.584Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Adversaries may search connected removable media on computers they have compromised to find files of interest. Sensitive data can be collected from any removable media (optical disk drive, USB memory, etc.) connected to the compromised system prior to Exfiltration. Interactive command shells may be in use, and common functionality within [cmd](https://attack.mitre.org/software/S0106) may be used to gather information. \n\nSome adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T1119) on removable media."; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--9ee6eb40-881c-4928-a036-58a8df0e8f95 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--0c52f5bc-557d-4083-bd27-66d7cdb794bb; | |
stix:target_ref :attack-pattern--b18eae87-b469-4e14-b454-b171b416bc18; | |
dcterms:created "2023-09-18T19:30:39.800Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Sardonic](https://attack.mitre.org/software/S1085) has the ability to connect with actor-controlled C2 servers using a custom binary protocol over port 443.(Citation: Bitdefender Sardonic Aug 2021)"; | |
dcterms:modified "2023-10-03T16:39:57.265Z"^^xsd:dateTime . | |
:relationship--f229e2fb-3105-4ae5-abe1-d100209f702c | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--7bb5fae9-53ad-4424-866b-f0ea2a8b731d; | |
stix:target_ref :attack-pattern--731f4f55-b6d0-41d1-a7a9-072a66389aea; | |
dcterms:created "2020-03-14T23:19:38.129Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "If it is possible to inspect HTTPS traffic, the captures can be analyzed for connections that appear to be domain fronting."; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--885a3674-5a25-42e4-aa7f-148a41493861 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--7724581b-06ff-4d2b-b77c-80dc8d53070b; | |
stix:target_ref :attack-pattern--e4dc8c01-417f-458d-9ee0-bb0617c1b391; | |
dcterms:created "2022-06-09T20:47:17.474Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Saint Bot](https://attack.mitre.org/software/S1018) has used `is_debugger_present` as part of its environmental checks.(Citation: Malwarebytes Saint Bot April 2021)"; | |
dcterms:modified "2022-06-09T20:47:17.474Z"^^xsd:dateTime . | |
:relationship--f6242361-3056-49da-8e2a-82e1e893b039 | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--16e07530-764b-4d83-bae0-cdbfc31bf21d; | |
stix:target_ref :attack-pattern--144e007b-e638-431d-a894-45d90c54ab90; | |
dcterms:created "2022-03-30T14:26:51.856Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Establish centralized logging for the activity of cloud compute infrastructure components. Monitor for suspicious sequences of events, such as the deletion of multiple snapshots within a short period of time. To reduce false positives, valid change management procedures could introduce a known identifier that is logged with the change (e.g., tag or header) if supported by the cloud provider, to help distinguish valid, expected actions from malicious ones."; | |
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--346d9aa5-2d93-4843-a219-e0cb79bf6362 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--99854cc8-f202-4e03-aa0a-4f8a4af93229; | |
stix:target_ref :attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62; | |
dcterms:created "2022-06-13T15:51:01.115Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Shark](https://attack.mitre.org/software/S1019) has the ability to use `CMD` to execute commands.(Citation: ClearSky Siamesekitten August 2021)(Citation: Accenture Lyceum Targets November 2021)"; | |
dcterms:modified "2022-06-16T15:12:20.485Z"^^xsd:dateTime . | |
:relationship--39556624-1c45-4178-bfa4-7a20b254df7e | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--4b072c90-bc7a-432b-940e-016fc1c01761; | |
stix:target_ref :attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161; | |
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Keydnap](https://attack.mitre.org/software/S0276) uses HTTPS for command and control.(Citation: synack 2016 review)"; | |
dcterms:modified "2020-03-17T01:40:25.106Z"^^xsd:dateTime . | |
:relationship--5eac9edf-ec42-4ad9-846e-e36b533fd257 | |
rdf:type stix:Relationship; | |
stix:source_ref :attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4; | |
stix:target_ref :attack-pattern--bb5a00de-e086-4859-a231-fa793f6797e2; | |
dcterms:created "2020-02-11T18:58:11.872Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--0705be49-4ad2-4b50-a024-e8b79b53a1ab | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--8fc6c9e7-a162-4ca4-a488-f1819e9a7b06; | |
stix:target_ref :attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c; | |
dcterms:created "2019-06-18T18:40:33.826Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[SQLRat](https://attack.mitre.org/software/S0390) has used been observed deleting scripts once used.(Citation: Flashpoint FIN 7 March 2019)\t"; | |
dcterms:modified "2020-01-29T17:32:00.070Z"^^xsd:dateTime . | |
:relationship--b942cd55-6fed-49a1-ba05-af23836b518f | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--a7881f21-e978-4fe4-af56-92c9416a2616; | |
stix:target_ref :attack-pattern--b21c3b2d-02e6-45b1-980b-e69051040839; | |
dcterms:created "2018-01-16T16:13:52.465Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Cobalt Strike](https://attack.mitre.org/software/S0154) can exploit vulnerabilities such as MS14-058.(Citation: Cobalt Strike TTPs Dec 2017)"; | |
dcterms:modified "2021-04-29T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--888cad71-2275-4ca6-a154-f297f972487c | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--21da4fd4-27ad-4e9c-b93d-0b9b14d02c96; | |
stix:target_ref :attack-pattern--40597f16-0963-4249-bf4c-ac93b7fb9807; | |
dcterms:created "2020-03-09T12:51:45.634Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Web proxies can be used to enforce an external network communication policy that prevents use of unauthorized external services."; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--352953e9-c1ca-4d25-84b6-eb05a012b2e9 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--60a9c2f0-b7a5-4e8e-959c-e1a3ff314a5f; | |
stix:target_ref :attack-pattern--58a3e6aa-4453-4cc8-a51f-4befe80b31a8; | |
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[ROKRAT](https://attack.mitre.org/software/S0240) can steal credentials stored in Web browsers by querying the sqlite database.(Citation: Talos Group123)"; | |
dcterms:modified "2022-03-22T17:21:33.390Z"^^xsd:dateTime . | |
:relationship--471ac6a2-4e6b-4267-8087-c22c707bbc21 | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e; | |
stix:target_ref :attack-pattern--30973a08-aed9-4edf-8604-9084ce1b5c4f; | |
dcterms:created "2022-03-30T14:26:51.837Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Monitor API calls that could collect data stored in the clipboard from users copying information within or between applications."; | |
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--75f47e28-75dd-4471-8d00-ed4a2c4d3328 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--b45747dc-87ca-4597-a245-7e16a61bc491; | |
stix:target_ref :attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add; | |
dcterms:created "2019-01-30T15:27:06.732Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Seasalt](https://attack.mitre.org/software/S0345) has a command to download additional files.(Citation: Mandiant APT1 Appendix)(Citation: Mandiant APT1 Appendix)"; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--542bb806-3e73-42f5-8a3e-86b498093f4b | |
rdf:type stix:Relationship; | |
stix:source_ref :tool--0a68f1f1-da74-4d28-8d9a-696c082706cc; | |
stix:target_ref :attack-pattern--c615231b-f253-4f58-9d47-d5b4cbdb6839; | |
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[certutil](https://attack.mitre.org/software/S0160) can be used to install browser root certificates as a precursor to performing [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) between connections to banking websites. Example command: <code>certutil -addstore -f -user ROOT ProgramData\\cert512121.der</code>.(Citation: Palo Alto Retefe)"; | |
dcterms:modified "2021-08-16T17:50:50.467Z"^^xsd:dateTime . | |
:malware--f74a5069-015d-4404-83ad-5ca01056c0dc | |
rdf:type stix:Malware; | |
rdfs:label "Lizar"; | |
dcterms:created "2022-02-02T21:05:48.601Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Lizar](https://attack.mitre.org/software/S0681) is a modular remote access tool written using the .NET Framework that shares structural similarities to [Carbanak](https://attack.mitre.org/software/S0030). It has likely been used by [FIN7](https://attack.mitre.org/groups/G0046) since at least February 2021.(Citation: BiZone Lizar May 2021)(Citation: Threatpost Lizar May 2021)(Citation: Gemini FIN7 Oct 2021)"; | |
dcterms:modified "2022-04-15T11:40:31.460Z"^^xsd:dateTime . | |
:relationship--abef99ab-d0a5-4c9f-9011-c79bfabccd5e | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--639e87f3-acb6-448a-9645-258f20da4bc5; | |
stix:target_ref :attack-pattern--42e8de7b-37b2-4258-905a-6897815e58e0; | |
dcterms:created "2022-03-30T14:26:51.856Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Collect file hashes; file names that do not match their expected hash are suspect. Perform file monitoring; files with known names but in unusual locations are suspect. Look for indications of common characters that may indicate an attempt to trick users into misidentifying the file type, such as a space as the last character of a file name or the right-to-left override characters\"\\u202E\", \"[U+202E]\", and \"%E2%80%AE”.\n\nCheck and ensure that file headers/signature and extensions match using magic bytes detection and/or file signature validation.(Citation: Polyglot Files: a Hacker’s best friend) In Linux, the <code>file</code> command may be used to check the file signature.(Citation: file_sig_table)"; | |
dcterms:modified "2023-04-11T22:45:18.232Z"^^xsd:dateTime . | |
:relationship--5f8f4204-228c-49d3-8ec6-863b13038001 | |
rdf:type stix:Relationship; | |
stix:source_ref :tool--4b57c098-f043-4da2-83ef-7588a6d426bc; | |
stix:target_ref :attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4; | |
dcterms:created "2019-04-23T13:43:22.923Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[PoshC2](https://attack.mitre.org/software/S0378) has modules for keystroke logging and capturing credentials from spoofed Outlook authentication messages.(Citation: GitHub PoshC2)"; | |
dcterms:modified "2020-03-16T17:31:49.404Z"^^xsd:dateTime . | |
:relationship--e69ac347-8b74-4fcc-8b13-17d7a1b04339 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--8c1d01ff-fdc0-4586-99bd-c248e0761af5; | |
stix:target_ref :attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e; | |
dcterms:created "2021-03-02T13:57:47.577Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Kerrdown](https://attack.mitre.org/software/S0585) has gained execution through victims opening malicious files.(Citation: Amnesty Intl. Ocean Lotus February 2021)(Citation: Unit 42 KerrDown February 2019)"; | |
dcterms:modified "2021-10-01T17:13:49.115Z"^^xsd:dateTime . | |
:relationship--31d1ec86-7f70-48b7-b44f-c1403f5f2c19 | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--da85d358-741a-410d-9433-20d6269a6170; | |
stix:target_ref :attack-pattern--42fe883a-21ea-4cfb-b94a-78b6476dcc83; | |
dcterms:created "2022-03-30T14:26:51.834Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Monitor for changes to windows registry keys and/or values that may establish persistence and/or elevate privileges by executing malicious content triggered by application shims."; | |
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--1d65c2d6-6f59-40e4-af56-83ad4d9efea8 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--bdb27a1d-1844-42f1-a0c0-826027ae0326; | |
stix:target_ref :attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4; | |
dcterms:created "2019-05-02T01:07:36.957Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Revenge RAT](https://attack.mitre.org/software/S0379) has a plugin for keylogging.(Citation: Cylance Shaheen Nov 2018)(Citation: Cofense RevengeRAT Feb 2019)"; | |
dcterms:modified "2020-03-16T17:43:04.989Z"^^xsd:dateTime . | |
:relationship--0bc4d3d8-8018-4e0a-a365-ebef543e1222 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--6fe8a2a1-a1b0-4af8-953d-4babd329f8f8; | |
stix:target_ref :attack-pattern--e3a12395-188d-4051-9a16-ea8e14d07b88; | |
dcterms:created "2022-03-25T15:24:08.781Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[BlackTech](https://attack.mitre.org/groups/G0098) has used the SNScan tool to find other potential targets on victim networks.(Citation: Symantec Palmerworm Sep 2020)"; | |
dcterms:modified "2022-03-25T15:24:08.781Z"^^xsd:dateTime . | |
:relationship--40ac660a-5f6d-4cac-8518-bb8dff6933ea | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--77e0ecf7-ca91-4c06-8012-8e728986a87a; | |
stix:target_ref :attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67; | |
dcterms:created "2021-06-30T16:13:40.669Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Chaes](https://attack.mitre.org/software/S0631) has used VBscript to execute malicious code.(Citation: Cybereason Chaes Nov 2020) "; | |
dcterms:modified "2021-08-20T22:18:06.584Z"^^xsd:dateTime . | |
:relationship--670f37e1-8de3-441e-bc09-ff95c09ee14d | |
rdf:type stix:Relationship; | |
stix:source_ref :attack-pattern--bc0f5e80-91c0-4e04-9fbb-e4e332c85dae; | |
stix:target_ref :attack-pattern--b6301b64-ef57-4cce-bb0b-77026f14a8db; | |
dcterms:created "2020-03-16T14:12:48.061Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--66647c20-2d76-4711-9eee-07d932e75851 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--c47f937f-1022-4f42-8525-e7a4779a14cb; | |
stix:target_ref :attack-pattern--83a766f8-1501-4b3a-a2de-2e2849e8dfc1; | |
dcterms:created "2020-03-27T21:14:03.099Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[APT12](https://attack.mitre.org/groups/G0005) has used multiple variants of [DNS Calculation](https://attack.mitre.org/techniques/T1568/003) including multiplying the first two octets of an IP address and adding the third octet to that value in order to get a resulting command and control port.(Citation: Meyers Numbered Panda)"; | |
dcterms:modified "2020-03-27T21:14:03.099Z"^^xsd:dateTime . | |
:relationship--088ed15f-46da-4b32-a182-68553c61f09b | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--32066e94-3112-48ca-b9eb-ba2b59d2f023; | |
stix:target_ref :attack-pattern--53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a; | |
dcterms:created "2019-04-01T15:06:38.851Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Emotet](https://attack.mitre.org/software/S0367) has been observed encrypting the data it collects before sending it to the C2 server. (Citation: Fortinet Emotet May 2017)"; | |
dcterms:modified "2020-03-30T02:52:04.537Z"^^xsd:dateTime . | |
:relationship--cfe2a359-bbab-4520-bdd7-b2d6abf742cc | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c; | |
stix:target_ref :malware--59a97b15-8189-4d51-9404-e1ce8ea4a069; | |
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "(Citation: XAgentOSX 2017)(Citation: Symantec APT28 Oct 2018)(Citation: US District Court Indictment GRU Oct 2018)"; | |
dcterms:modified "2020-10-01T18:55:45.528Z"^^xsd:dateTime . | |
:relationship--cf6c50a3-1de8-4fb4-8e8f-0a28b642824c | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0; | |
stix:target_ref :attack-pattern--cc3502b5-30cc-4473-ad48-42d51a6ef6d1; | |
dcterms:created "2022-03-30T14:26:51.864Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Monitor systems for abnormal Python usage and python.exe behavior, which could be an indicator of malicious activity. Understanding standard usage patterns is important to avoid a high number of false positives. If scripting is restricted for normal users, then any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent. Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor executed commands and arguments that may abuse Python commands and scripts for execution."; | |
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--a4ba7046-2937-4c08-a479-3dd59deba534 | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--245075bc-f992-4d89-af8c-834c53d403f4; | |
stix:target_ref :attack-pattern--cc1e737c-236c-4e3b-83ba-32039a626ef8; | |
dcterms:created "2019-04-24T17:03:39.751Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:modified "2023-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--dc25eff7-fbfe-48a0-aeb7-ae8d92e75978 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--dc5e2999-ca1a-47d4-8d12-a6984b138a1b; | |
stix:target_ref :attack-pattern--3f886f2a-874f-4333-b794-aa6075009b1c; | |
dcterms:created "2021-01-05T15:53:47.938Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[UNC2452](https://attack.mitre.org/groups/G0118) exploited CVE-2020-0688 against the Microsoft Exchange Control Panel to regain access to a network.(Citation: Volexity SolarWinds)"; | |
dcterms:modified "2023-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:malware--2eb9b131-d333-4a48-9eb4-d8dec46c19ee | |
rdf:type stix:Malware; | |
rdfs:label "CosmicDuke"; | |
dcterms:created "2017-05-31T21:32:36.550Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[CosmicDuke](https://attack.mitre.org/software/S0050) is malware that was used by [APT29](https://attack.mitre.org/groups/G0016) from 2010 to 2015. (Citation: F-Secure The Dukes)"; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--40dc38ff-1daf-4c3b-823d-377ae4d3a505 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--65ffc206-d7c1-45b3-b543-f6b726e7840d; | |
stix:target_ref :attack-pattern--34f1d81d-fe88-4f97-bd3b-a3164536255d; | |
dcterms:created "2022-04-13T18:50:06.009Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Bisonal](https://attack.mitre.org/software/S0268) has been loaded through a `.wll` extension added to the ` %APPDATA%\\microsoft\\word\\startup\\` repository.(Citation: Talos Bisonal Mar 2020) "; | |
dcterms:modified "2022-04-18T18:11:57.931Z"^^xsd:dateTime . | |
:relationship--7a980213-1df8-481f-af86-ed105781c573 | |
rdf:type stix:Relationship; | |
stix:source_ref :tool--1b3b8f96-43b1-4460-8e02-1f53d7802fb9; | |
stix:target_ref :attack-pattern--e24fcba8-2557-4442-a139-1ee2f2e784db; | |
dcterms:created "2023-09-28T13:24:54.791Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Pacu](https://attack.mitre.org/software/S1091) can enumerate AWS services, such as CloudTrail and CloudWatch.(Citation: GitHub Pacu)"; | |
dcterms:modified "2023-10-13T16:33:31.813Z"^^xsd:dateTime . | |
:relationship--eeb5eeab-3fa1-4670-a7ab-f6a8f7193be9 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--1fefb062-feda-484a-8f10-0cebf65e20e3; | |
stix:target_ref :attack-pattern--348f1eef-964b-4eb6-bb53-69b3dcb0c643; | |
dcterms:created "2023-09-26T20:53:11.604Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[SharpDisco](https://attack.mitre.org/software/S1089) has dropped a plugin to monitor external drives to `C:\\Users\\Public\\It3.exe`.(Citation: MoustachedBouncer ESET August 2023)"; | |
dcterms:modified "2023-09-26T20:53:11.604Z"^^xsd:dateTime . | |
:relationship--3811b12a-fcfc-47d2-83ec-89df60ca4c21 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--f0fc920e-57a3-4af5-89be-9ea594c8b1ea; | |
stix:target_ref :attack-pattern--c2e147a9-d1a8-4074-811a-d8789202d916; | |
dcterms:created "2020-06-24T15:36:00.917Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[BBK](https://attack.mitre.org/software/S0470) can extract a malicious Portable Executable (PE) from a photo.(Citation: Trend Micro Tick November 2019)"; | |
dcterms:modified "2020-06-24T15:36:00.917Z"^^xsd:dateTime . | |
:attack-pattern--5909f20f-3c39-4795-be06-ef1ea40d350b | |
rdf:type d3f:OffensiveTechnique; | |
rdfs:label "Defacement"; | |
dcterms:created "2019-04-08T17:51:41.390Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Adversaries may modify visual content available internally or externally to an enterprise network, thus affecting the integrity of the original content. Reasons for [Defacement](https://attack.mitre.org/techniques/T1491) include delivering messaging, intimidation, or claiming (possibly false) credit for an intrusion. Disturbing or offensive images may be used as a part of [Defacement](https://attack.mitre.org/techniques/T1491) in order to cause user discomfort, or to pressure compliance with accompanying messages. \n"; | |
dcterms:modified "2022-05-11T14:00:00.188Z"^^xsd:dateTime . | |
:malware--198db886-47af-4f4c-bff5-11b891f85946 | |
rdf:type stix:Malware; | |
rdfs:label "Zeus Panda"; | |
dcterms:created "2019-01-29T17:59:43.600Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Zeus Panda](https://attack.mitre.org/software/S0330) is a Trojan designed to steal banking information and other sensitive credentials for exfiltration. [Zeus Panda](https://attack.mitre.org/software/S0330)’s original source code was leaked in 2011, allowing threat actors to use its source code as a basis for new malware variants. It is mainly used to target Windows operating systems ranging from Windows XP through Windows 10.(Citation: Talos Zeus Panda Nov 2017)(Citation: GDATA Zeus Panda June 2017)"; | |
dcterms:modified "2023-03-22T05:47:42.436Z"^^xsd:dateTime . | |
:relationship--100f4917-1702-4707-bd9f-58d471e77018 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--bfd2738c-8b43-43c3-bc9f-d523c8e88bf4; | |
stix:target_ref :attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1; | |
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[More_eggs](https://attack.mitre.org/software/S0284) has the capability to gather the OS version and computer name.(Citation: Talos Cobalt Group July 2018)(Citation: Security Intelligence More Eggs Aug 2019)"; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--77def9ad-52ea-44c0-b800-42b17323a985 | |
rdf:type stix:Relationship; | |
stix:source_ref :tool--da04ac30-27da-4959-a67d-450ce47d9470; | |
stix:target_ref :attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5; | |
dcterms:created "2022-08-02T15:41:00.445Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[QuasarRAT](https://attack.mitre.org/software/S0262) can retrieve files from compromised client machines.(Citation: CISA AR18-352A Quasar RAT December 2018)"; | |
dcterms:modified "2022-08-02T15:41:00.445Z"^^xsd:dateTime . | |
:relationship--dc7e8f00-d57c-4cfd-971c-510ede375c2f | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--a7881f21-e978-4fe4-af56-92c9416a2616; | |
stix:target_ref :attack-pattern--1644e709-12d2-41e5-a60f-3470991f5011; | |
dcterms:created "2020-11-06T18:40:38.194Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Cobalt Strike](https://attack.mitre.org/software/S0154) can recover hashed passwords.(Citation: cobaltstrike manual)"; | |
dcterms:modified "2022-02-25T18:58:15.241Z"^^xsd:dateTime . | |
:relationship--4b4fadc1-a402-4d56-9e4f-8c76b03def23 | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0; | |
stix:target_ref :attack-pattern--4eb28bed-d11a-4641-9863-c2ac017d910a; | |
dcterms:created "2022-03-30T14:26:51.843Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Monitor executed commands and arguments for commands that can be used to disable logging. For example, [Wevtutil](https://attack.mitre.org/software/S0645), auditpol, `sc stop EventLog`, <code>reg add</code>, <code>Set- or Stop-Service</code>, <code>Set- or New-ItemProperty</code>, <code>sc config</code>, \nand offensive tooling (such as [Mimikatz](https://attack.mitre.org/software/S0002) and Invoke-Phant0m) may be used to clear logs and/or change the EventLog/audit policy.(Citation: def_ev_win_event_logging)(Citation: evt_log_tampering)(Citation: disable_win_evt_logging) "; | |
dcterms:modified "2023-03-17T23:39:12.351Z"^^xsd:dateTime . | |
:relationship--a714680b-edab-459c-bb8f-cc313cfc4372 | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077; | |
stix:target_ref :attack-pattern--79a47ad0-fc3b-4821-9f01-a026b1ddba21; | |
dcterms:created "2022-03-30T14:26:51.859Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Monitor newly executed processes that may abuse Microsoft Office templates to obtain persistence on a compromised system."; | |
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--7ce7aa48-afa9-4eb6-8bc2-8f04fd6cf00e | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--5f9f7648-04ba-4a9f-bb4c-2a13e74572bd; | |
stix:target_ref :attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c; | |
dcterms:created "2022-02-18T16:37:20.194Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Pteranodon](https://attack.mitre.org/software/S0147) can decrypt encrypted data strings prior to using them.(Citation: Microsoft Actinium February 2022)"; | |
dcterms:modified "2022-02-18T16:37:20.194Z"^^xsd:dateTime . | |
:relationship--5ade424d-5a9d-4209-8aa4-a129783ffaa3 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced744dd12; | |
stix:target_ref :attack-pattern--d742a578-d70e-4d0e-96a6-02a9c30204e6; | |
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Dark Caracal](https://attack.mitre.org/groups/G0070) leveraged a watering hole to serve up malicious code.(Citation: Lookout Dark Caracal Jan 2018)"; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--75560ec3-23f7-49e1-9dde-38f51db8b2b1 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--dc5e2999-ca1a-47d4-8d12-a6984b138a1b; | |
stix:target_ref :attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a; | |
dcterms:created "2021-01-05T22:07:13.832Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[UNC2452](https://attack.mitre.org/groups/G0118) used encoded PowerShell commands.(Citation: Microsoft - Customer Guidance on Recent Nation-State Cyber Attacks)"; | |
dcterms:modified "2023-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--db61e886-9295-4df7-a9db-25d7b9879b82 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--47afe41c-4c08-485e-b062-c3bd209a1cce; | |
stix:target_ref :attack-pattern--4ab929c6-ee2d-4fb5-aab4-b14be2ed7179; | |
dcterms:created "2020-08-17T12:57:12.103Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[InvisiMole](https://attack.mitre.org/software/S0260) can use a .lnk shortcut for the Control Panel to establish persistence.(Citation: ESET InvisiMole June 2020)"; | |
dcterms:modified "2020-08-18T13:13:32.120Z"^^xsd:dateTime . | |
:relationship--1b1a7abf-72bc-44fa-8f90-4321003f0553 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--c009560a-f097-45a3-8f9f-78ec1440a783; | |
stix:target_ref :attack-pattern--04fd5427-79c7-44ea-ae13-11b24778ff1c; | |
dcterms:created "2023-03-29T15:55:54.119Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[SysUpdate](https://attack.mitre.org/software/S0663) has used Base64 to encode its C2 traffic.(Citation: Lunghi Iron Tiger Linux) "; | |
dcterms:modified "2023-03-29T15:55:54.119Z"^^xsd:dateTime . | |
:relationship--778765e1-7eb6-46b1-a370-6dfe09081ee3 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--d13c8a7f-740b-4efa-a232-de7d6bb05321; | |
stix:target_ref :attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688; | |
dcterms:created "2019-05-24T17:57:36.629Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Silence](https://attack.mitre.org/groups/G0091) can capture victim screen activity.(Citation: SecureList Silence Nov 2017)(Citation: Group IB Silence Sept 2018)"; | |
dcterms:modified "2020-05-06T03:12:02.277Z"^^xsd:dateTime . | |
:relationship--4f8c284a-faa2-4f58-be3b-e27f6ed84423 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--bdee9574-7479-4073-a7dc-e86d8acd073a; | |
stix:target_ref :attack-pattern--d10cbd34-42e3-45c0-84d2-535a09849584; | |
dcterms:created "2022-05-12T18:22:42.472Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[MacMa](https://attack.mitre.org/software/S1016) installs a `com.apple.softwareupdate.plist` file in the `/LaunchAgents` folder with the `RunAtLoad` value set to `true`. Upon user login, [MacMa](https://attack.mitre.org/software/S1016) is executed from `/var/root/.local/softwareupdate` with root privileges. Some variations also include the `LimitLoadToSessionType` key with the value `Aqua`, ensuring the [MacMa](https://attack.mitre.org/software/S1016) only runs when there is a logged in GUI user.(Citation: ESET DazzleSpy Jan 2022)(Citation: Objective-See MacMa Nov 2021)"; | |
dcterms:modified "2022-10-20T19:58:20.264Z"^^xsd:dateTime . | |
:attack-pattern--2892b9ee-ca9f-4723-b332-0dc6e843a8ae | |
rdf:type d3f:OffensiveTechnique; | |
rdfs:label "Screensaver"; | |
dcterms:created "2018-01-16T16:13:52.465Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.(Citation: Wikipedia Screensaver) The Windows screensaver application scrnsave.scr is located in <code>C:\\Windows\\System32\\</code>, and <code>C:\\Windows\\sysWOW64\\</code> on 64-bit Windows systems, along with screensavers included with base Windows installations. \n\nThe following screensaver settings are stored in the Registry (<code>HKCU\\Control Panel\\Desktop\\</code>) and could be manipulated to achieve persistence:\n\n* <code>SCRNSAVE.exe</code> - set to malicious PE path\n* <code>ScreenSaveActive</code> - set to '1' to enable the screensaver\n* <code>ScreenSaverIsSecure</code> - set to '0' to not require a password to unlock\n* <code>ScreenSaveTimeout</code> - sets user inactivity timeout before screensaver is executed\n\nAdversaries can use screensaver settings to maintain persistence by setting the screensaver to run malware after a certain timeframe of user inactivity. (Citation: ESET Gazer Aug 2017)"; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--eb8bc00c-91f6-434e-bfdb-ecb72c5e4391 | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--74fa567d-bc90-425c-8a41-3c703abb221c; | |
stix:target_ref :attack-pattern--c8e87b83-edbb-48d4-9295-4974897525b7; | |
dcterms:created "2022-03-30T14:26:51.835Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "BITS runs as a service and its status can be checked with the Sc query utility (<code>sc query bits</code>).(Citation: Microsoft Issues with BITS July 2011)"; | |
dcterms:modified "2022-03-30T14:26:51.835Z"^^xsd:dateTime . | |
:relationship--ae3be82b-3d54-4be8-939b-e074a2cea170 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--0db09158-6e48-4e7c-8ce7-2b10b9c0c039; | |
stix:target_ref :attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add; | |
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Misdat](https://attack.mitre.org/software/S0083) is capable of downloading files from the C2.(Citation: Cylance Dust Storm)"; | |
dcterms:modified "2022-01-19T21:13:03.951Z"^^xsd:dateTime . | |
:relationship--748cd538-d2a0-470c-b6fb-68e73b8069b1 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--0945a1a5-a79a-47c8-9079-10c16cdfcb5d; | |
stix:target_ref :attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c; | |
dcterms:created "2023-01-11T21:35:37.079Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[AvosLocker](https://attack.mitre.org/software/S1053) has deobfuscated XOR-encoded strings.(Citation: Malwarebytes AvosLocker Jul 2021)"; | |
dcterms:modified "2023-02-15T16:32:51.978Z"^^xsd:dateTime . | |
:relationship--4e39da36-f7e0-4e26-b354-ca34fb801e33 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--aea6d6b8-d832-4c90-a1bb-f52c6684db6c; | |
stix:target_ref :attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add; | |
dcterms:created "2022-06-07T18:05:19.253Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Milan](https://attack.mitre.org/software/S1015) has received files from C2 and stored them in log folders beginning with the character sequence `a9850d2f`.(Citation: ClearSky Siamesekitten August 2021)"; | |
dcterms:modified "2022-06-07T18:05:19.253Z"^^xsd:dateTime . | |
:relationship--94cbcde4-3323-41ba-948c-95f798d39a89 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--63686509-069b-4143-99ea-4e59cad6cb2a; | |
stix:target_ref :attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161; | |
dcterms:created "2022-01-10T19:52:49.183Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[DarkWatchman](https://attack.mitre.org/software/S0673) uses HTTPS for command and control.(Citation: Prevailion DarkWatchman 2021)"; | |
dcterms:modified "2022-01-11T16:03:19.251Z"^^xsd:dateTime . | |
:relationship--c8470c56-2c81-4826-804c-44e53d87333f | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--f29b7c5e-2439-42ad-a86f-9f8984fafae3; | |
stix:target_ref :attack-pattern--7e150503-88e7-4861-866b-ff1ac82c4475; | |
dcterms:created "2022-06-16T13:32:04.610Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[HEXANE](https://attack.mitre.org/groups/G1001) has used [netstat](https://attack.mitre.org/software/S0104) to monitor connections to specific ports.(Citation: Kaspersky Lyceum October 2021)"; | |
dcterms:modified "2022-08-31T14:51:30.431Z"^^xsd:dateTime . | |
:relationship--319189e0-9db0-46f8-9386-0d909db94a46 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71; | |
stix:target_ref :attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0; | |
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Dragonfly 2.0](https://attack.mitre.org/groups/G0074) used batch scripts to enumerate network information, including information about trusts, zones, and the domain.(Citation: US-CERT TA18-074A)"; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--3b86d8fe-5677-4516-bf77-898e4da6171f | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265df3258; | |
stix:target_ref :malware--b42378e0-f147-496f-992a-26a49705395b; | |
dcterms:created "2019-07-19T16:38:05.420Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "(Citation: Cybereason Soft Cell June 2019)(Citation: Microsoft GALLIUM December 2019)"; | |
dcterms:modified "2021-01-13T21:20:49.108Z"^^xsd:dateTime . | |
:relationship--eefcbce1-d2b4-40cb-a07d-7735b256c868 | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--b9d031bb-d150-4fc6-8025-688201bf3ffd; | |
stix:target_ref :attack-pattern--28abec6c-4443-4b03-8206-07f2e264a6b4; | |
dcterms:created "2022-03-30T14:26:51.872Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Monitor for changes to boot information including system uptime, image booted, and startup configuration to determine if results are consistent with expected behavior in the environment. (Citation: Cisco IOS Software Integrity Assurance - Boot Information) Monitor unusual connections or connection attempts to the device that may specifically target TFTP or other file-sharing protocols."; | |
dcterms:modified "2022-04-20T12:51:46.076Z"^^xsd:dateTime . | |
:relationship--78daa7e5-f5e5-452b-a7fd-cece272294fd | |
rdf:type stix:Relationship; | |
stix:source_ref :tool--26c87906-d750-42c5-946c-d4162c73fc7b; | |
stix:target_ref :attack-pattern--65f2d882-3f41-4d48-8a06-29af77ec9f90; | |
dcterms:created "2020-03-19T23:01:00.203Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "SecretsDump and [Mimikatz](https://attack.mitre.org/software/S0002) modules within [Impacket](https://attack.mitre.org/software/S0357) can perform credential dumping to obtain account and password information.(Citation: Impacket Tools)"; | |
dcterms:modified "2022-04-19T21:06:46.662Z"^^xsd:dateTime . | |
:relationship--67f029d5-c44b-446b-9efe-0e0e0d85192a | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--90784c1e-4aba-40eb-9adf-7556235e6384; | |
stix:target_ref :attack-pattern--7d77a07d-02fe-4e88-8bd9-e9c008c01bf0; | |
dcterms:created "2021-02-03T18:34:46.363Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Silent Librarian](https://attack.mitre.org/groups/G0122) has set up auto forwarding rules on compromised e-mail accounts.(Citation: DOJ Iran Indictments March 2018)"; | |
dcterms:modified "2021-02-03T18:34:46.363Z"^^xsd:dateTime . | |
:relationship--bc99bfb1-8529-4116-b702-07c37d333bcf | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--467271fd-47c0-4e90-a3f9-d84f5cf790d0; | |
stix:target_ref :tool--6a5947f3-1a36-4653-8734-526df3e1d28d; | |
dcterms:created "2023-09-20T19:33:24.058Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "(Citation: Proofpoint TA2541 February 2022)(Citation: Morphisec Snip3 May 2021)(Citation: Cisco Operation Layover September 2021)(Citation: Telefonica Snip3 December 2021)"; | |
dcterms:modified "2023-09-20T19:33:24.058Z"^^xsd:dateTime . | |
:relationship--bd29b3ec-5dab-49fe-90ec-37f4c0a3f442 | |
rdf:type stix:Relationship; | |
stix:source_ref :attack-pattern--91177e6d-b616-4a03-ba4b-f3b32f7dda75; | |
stix:target_ref :attack-pattern--55fc4df0-b42c-479a-b860-7a6761bcaad0; | |
dcterms:created "2020-10-02T16:59:56.765Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--531e2785-0bbd-43f0-8784-ebe6808afa98 | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--da85d358-741a-410d-9433-20d6269a6170; | |
stix:target_ref :attack-pattern--90c4a591-d02d-490b-92aa-619d9701ac04; | |
dcterms:created "2023-03-31T17:31:38.458Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Monitor for changes to Registry entries for network providers (e.g., `HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\NetworkProvider\\Order`) and correlate then investigate the DLL files these values reference."; | |
dcterms:modified "2023-04-11T03:28:04.450Z"^^xsd:dateTime . | |
:relationship--0766fe91-a8d9-42bd-8023-f2134b280211 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--b350b47f-88fe-4921-8538-6d9c59bac84e; | |
stix:target_ref :attack-pattern--bf176076-b789-408e-8cba-7275e81c0ada; | |
dcterms:created "2022-03-07T19:33:27.021Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Cyclops Blink](https://attack.mitre.org/software/S0687) can encrypt C2 messages with AES-256-CBC sent underneath TLS. OpenSSL library functions are also used to encrypt each message using a randomly generated key and IV, which are then encrypted using a hard-coded RSA public key.(Citation: NCSC Cyclops Blink February 2022)"; | |
dcterms:modified "2022-03-07T19:33:27.021Z"^^xsd:dateTime . | |
:relationship--fa426e9e-7e77-4c1b-b03c-00a4ae45ac6c | |
rdf:type stix:Relationship; | |
stix:source_ref :campaign--26d9ebae-de59-427f-ae9a-349456bae4b1; | |
stix:target_ref :attack-pattern--24bfaeba-cb0d-4525-b3dc-507c77ecec41; | |
dcterms:created "2022-09-07T14:16:35.346Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "During [Frankenstein](https://attack.mitre.org/campaigns/C0001), the threat actors communicated with C2 via an encrypted RC4 byte stream and AES-CBC.(Citation: Talos Frankenstein June 2019)"; | |
dcterms:modified "2022-09-21T14:35:54.675Z"^^xsd:dateTime . | |
:relationship--d0061edc-becf-4ce9-ae91-5e1816d4a894 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--4a2ce82e-1a74-468a-a6fb-bbead541383c; | |
stix:target_ref :attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597; | |
dcterms:created "2018-04-18T17:59:24.739Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[APT37](https://attack.mitre.org/groups/G0067) delivers malware using spearphishing emails with malicious HWP attachments.(Citation: FireEye APT37 Feb 2018)(Citation: Talos Group123)(Citation: Securelist ScarCruft May 2019)"; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--81c1e9d6-f478-4adb-af70-cc92e8094e8a | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--0ec2f388-bf0f-4b5c-97b1-fc736d26c25f; | |
stix:target_ref :attack-pattern--035bb001-ab69-4a0b-9f6c-2de8b09e1b9d; | |
dcterms:created "2020-11-06T18:02:10.449Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Kimsuky](https://attack.mitre.org/groups/G0094) has used modified versions of PHProxy to examine web traffic between the victim and the accessed website.(Citation: CISA AA20-301A Kimsuky)"; | |
dcterms:modified "2020-11-06T18:02:10.449Z"^^xsd:dateTime . | |
:relationship--388b4637-f634-42ab-a370-981be7da89bd | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--17b40f60-729f-4fe8-8aea-cc9ee44a95d5; | |
stix:target_ref :attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e; | |
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[RedLeaves](https://attack.mitre.org/software/S0153) uses a specific port of 443 and can also use ports 53 and 80 for C2. One [RedLeaves](https://attack.mitre.org/software/S0153) variant uses HTTP over port 443 to connect to its C2 server.(Citation: PWC Cloud Hopper Technical Annex April 2017)(Citation: Accenture Hogfish April 2018)"; | |
dcterms:modified "2022-10-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--58d4910f-9d51-4961-84eb-9ef0ee2e8bc3 | |
rdf:type stix:Relationship; | |
stix:source_ref :tool--75d8b521-6b6a-42ff-8af3-d97e20ce12a5; | |
stix:target_ref :attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a; | |
dcterms:created "2023-02-09T20:29:28.146Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Brute Ratel C4](https://attack.mitre.org/software/S1063) has used encrypted payload files and maintains an encrypted configuration structure in memory.(Citation: Palo Alto Brute Ratel July 2022)(Citation: MDSec Brute Ratel August 2022)"; | |
dcterms:modified "2023-02-17T20:27:17.175Z"^^xsd:dateTime . | |
:relationship--33bba084-3681-4955-861d-2ff6fe02ad9b | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--d69e568e-9ac8-4c08-b32c-d93b43ba9172; | |
stix:target_ref :attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736; | |
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Thrip](https://attack.mitre.org/groups/G0076) leveraged PowerShell to run commands to download payloads, traverse the compromised networks, and carry out reconnaissance.(Citation: Symantec Thrip June 2018)"; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--46ace311-9be9-4d4a-8ef0-fc2c0659fba9 | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--2f316f6c-ae42-44fe-adf8-150989e0f6d3; | |
stix:target_ref :attack-pattern--28abec6c-4443-4b03-8206-07f2e264a6b4; | |
dcterms:created "2020-10-20T17:59:21.115Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Follow vendor device hardening best practices to disable unnecessary and unused features and services, avoid using default configurations and passwords, and introduce logging and auditing for detection."; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--ac3ee298-bef0-4a52-9050-3dcef1701408 | |
rdf:type stix:Relationship; | |
stix:source_ref :tool--cf23bf4a-e003-4116-bbae-1ea6c558d565; | |
stix:target_ref :attack-pattern--fb8d023d-45be-47e9-bc51-f56bcae6435b; | |
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[ftp](https://attack.mitre.org/software/S0095) may be used to exfiltrate data separate from the main command and control protocol.(Citation: Microsoft FTP)(Citation: Linux FTP)"; | |
dcterms:modified "2022-02-25T20:50:26.362Z"^^xsd:dateTime . | |
:attack-pattern--e51137a5-1cdc-499e-911a-abaedaa5ac86 | |
rdf:type d3f:OffensiveTechnique; | |
rdfs:label "Space after Filename"; | |
dcterms:created "2020-02-10T20:47:10.082Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Adversaries can hide a program's true filetype by changing the extension of a file. With certain file types (specifically this does not work with .app extensions), appending a space to the end of a filename will change how the file is processed by the operating system.\n\nFor example, if there is a Mach-O executable file called <code>evil.bin</code>, when it is double clicked by a user, it will launch Terminal.app and execute. If this file is renamed to <code>evil.txt</code>, then when double clicked by a user, it will launch with the default text editing application (not executing the binary). However, if the file is renamed to <code>evil.txt </code> (note the space at the end), then when double clicked by a user, the true file type is determined by the OS and handled appropriately and the binary will be executed (Citation: Mac Backdoors are back).\n\nAdversaries can use this feature to trick users into double clicking benign-looking files of any format and ultimately executing something malicious."; | |
dcterms:modified "2023-03-30T21:01:52.873Z"^^xsd:dateTime . | |
:relationship--6975d10a-91bf-4a22-8353-745de444c594 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--92ec0cbd-2c30-44a2-b270-73f4ec949841; | |
stix:target_ref :attack-pattern--232a7e42-cd6e-4902-8fe9-2960f529dd4d; | |
dcterms:created "2020-06-18T16:12:54.239Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[RTM](https://attack.mitre.org/software/S0148) can search for specific strings within browser tabs using a Dynamic Data Exchange mechanism.(Citation: ESET RTM Feb 2017)"; | |
dcterms:modified "2020-06-18T16:12:54.239Z"^^xsd:dateTime . | |
:relationship--b46d0c20-61f1-4ab4-be3b-fa7dace805f0 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--c9ccc4df-1f56-49e7-ad57-b383e1451688; | |
stix:target_ref :attack-pattern--c21d5a77-d422-4a69-acd7-2c53c1faa34b; | |
dcterms:created "2021-03-01T14:07:36.893Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[LookBack](https://attack.mitre.org/software/S0582) uses a custom binary protocol over sockets for C2 communications.(Citation: Proofpoint LookBack Malware Aug 2019)"; | |
dcterms:modified "2021-03-02T18:15:56.497Z"^^xsd:dateTime . | |
:relationship--216c15b0-3091-49f2-ba85-356d56265671 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a; | |
stix:target_ref :malware--fece06b7-d4b1-42cf-b81a-5323c917546e; | |
dcterms:created "2018-01-16T16:13:52.465Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "(Citation: US-CERT FALLCHILL Nov 2017)"; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--a09f7595-1281-4333-ac19-22c41da8c82d | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--43155329-3edf-47a6-9a14-7dac899b01e4; | |
stix:target_ref :attack-pattern--f72eb8a8-cd4c-461d-a814-3f862befbf00; | |
dcterms:created "2019-05-29T14:48:20.998Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[FlawedGrace](https://attack.mitre.org/software/S0383) uses a custom binary protocol for its C2 communications.(Citation: Proofpoint TA505 Jan 2019)"; | |
dcterms:modified "2023-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--30c0f7aa-473d-42c3-81ff-f39c6f21ee52 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--bbcd7a02-ef24-4171-ac94-a93540173b94; | |
stix:target_ref :attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d; | |
dcterms:created "2020-08-03T15:14:17.938Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Carberp](https://attack.mitre.org/software/S0484) has exfiltrated data via HTTP to already established C2 servers.(Citation: Prevx Carberp March 2011)(Citation: Trusteer Carberp October 2010)"; | |
dcterms:modified "2020-08-03T15:17:32.038Z"^^xsd:dateTime . | |
:relationship--957ca941-c089-4059-ba09-1c1d4cf62881 | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--9bb9e696-bff8-4ae1-9454-961fc7d91d5f; | |
stix:target_ref :attack-pattern--c16e5409-ee53-4d79-afdc-4099dc9292df; | |
dcterms:created "2019-06-21T14:27:36.648Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Audit account and group permissions to ensure that accounts used to manage servers do not overlap with accounts and permissions of users in the internal network that could be acquired through Credential Access and used to log into the Web server and plant a Web shell or pivot from the Web server into the internal network. (Citation: US-CERT Alert TA15-314A Web Shells)"; | |
dcterms:modified "2023-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--83aedf08-e8eb-4c18-80c1-727ddb0f1d07 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--cc613a49-9bfa-4e22-98d1-15ffbb03f034; | |
stix:target_ref :attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4; | |
dcterms:created "2022-07-18T18:56:23.156Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Earth Lusca](https://attack.mitre.org/groups/G1006) modified the registry using the command <code>reg add “HKEY_CURRENT_USER\\Environment” /v UserInitMprLogonScript /t REG_SZ /d “[file path]”</code> for persistence.(Citation: TrendMicro EarthLusca 2022)"; | |
dcterms:modified "2022-09-09T15:43:56.646Z"^^xsd:dateTime . | |
:relationship--e2b67455-4986-46f4-a4ff-f5ee215ef998 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--d18cb958-f4ad-4fb3-bb4f-e8994d206550; | |
stix:target_ref :attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1; | |
dcterms:created "2021-03-15T15:20:25.733Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Penquin](https://attack.mitre.org/software/S0587) can report the file system type and disk space of a compromised host to C2.(Citation: Leonardo Turla Penquin May 2020)"; | |
dcterms:modified "2022-09-28T21:27:07.148Z"^^xsd:dateTime . | |
:relationship--f146a331-3595-46be-abef-518708e34def | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a; | |
stix:target_ref :attack-pattern--3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d; | |
dcterms:created "2017-05-31T21:33:27.067Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Several [Lazarus Group](https://attack.mitre.org/groups/G0032) malware families encrypt C2 traffic using custom code that uses XOR with an ADD operation and XOR with a SUB operation. Another [Lazarus Group](https://attack.mitre.org/groups/G0032) malware sample XORs C2 traffic. [Lazarus Group](https://attack.mitre.org/groups/G0032) malware also uses a unique form of communication encryption known as FakeTLS that mimics TLS but uses a different encryption method, evading SSL man-in-the-middle decryption attacks."; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--bc733ee6-f441-42b1-a201-9ff84e0f522c | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--cad3ba95-8c89-4146-ab10-08daa813f9de; | |
stix:target_ref :attack-pattern--f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a; | |
dcterms:created "2021-05-10T23:54:36.037Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Clop](https://attack.mitre.org/software/S0611) can delete the shadow volumes with <code>vssadmin Delete Shadows /all /quiet</code> and can use bcdedit to disable recovery options.(Citation: Mcafee Clop Aug 2019)"; | |
dcterms:modified "2021-05-19T17:11:19.309Z"^^xsd:dateTime . | |
:malware--3d57dcc4-be99-4613-9482-d5218f5ec13e | |
rdf:type stix:Malware; | |
rdfs:label "PolyglotDuke"; | |
dcterms:created "2020-09-23T15:42:59.822Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[PolyglotDuke](https://attack.mitre.org/software/S0518) is a downloader that has been used by [APT29](https://attack.mitre.org/groups/G0016) since at least 2013. [PolyglotDuke](https://attack.mitre.org/software/S0518) has been used to drop [MiniDuke](https://attack.mitre.org/software/S0051).(Citation: ESET Dukes October 2019)"; | |
dcterms:modified "2023-03-26T19:42:34.359Z"^^xsd:dateTime . | |
:malware--e928333f-f3df-4039-9b8b-556c2add0e42 | |
rdf:type stix:Malware; | |
rdfs:label "ECCENTRICBANDWAGON"; | |
dcterms:created "2021-03-18T16:15:53.977Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[ECCENTRICBANDWAGON](https://attack.mitre.org/software/S0593) is a remote access Trojan (RAT) used by North Korean cyber actors that was first identified in August 2020. It is a reconnaissance tool--with keylogging and screen capture functionality--used for information gathering on compromised systems.(Citation: CISA EB Aug 2020)"; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:malware--7bef1b56-4870-4e74-b32a-7dd88c390c44 | |
rdf:type stix:Malware; | |
rdfs:label "Bundlore"; | |
dcterms:created "2020-07-01T19:34:28.366Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Bundlore](https://attack.mitre.org/software/S0482) is adware written for macOS that has been in use since at least 2015. Though categorized as adware, [Bundlore](https://attack.mitre.org/software/S0482) has many features associated with more traditional backdoors.(Citation: MacKeeper Bundlore Apr 2019)"; | |
dcterms:modified "2022-05-11T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--283ba7b1-cd3b-44e9-bfae-70023c53d446 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924; | |
stix:target_ref :attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e; | |
dcterms:created "2020-05-20T18:56:59.024Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Tropic Trooper](https://attack.mitre.org/groups/G0081) has lured victims into executing malware via malicious e-mail attachments.(Citation: Anomali Pirate Panda April 2020)"; | |
dcterms:modified "2020-05-20T18:56:59.024Z"^^xsd:dateTime . | |
:relationship--ea187577-25ce-458f-a26b-9ee71d3879fd | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--99fdf3b4-96ef-4ab9-b191-fc683441cad0; | |
stix:target_ref :attack-pattern--b200542e-e877-4395-875b-cf1a44537ca4; | |
dcterms:created "2020-11-18T20:20:31.840Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Bazar](https://attack.mitre.org/software/S0534) can inject into a target process including Svchost, Explorer, and cmd using process hollowing.(Citation: Cybereason Bazar July 2020)(Citation: NCC Group Team9 June 2020)"; | |
dcterms:modified "2020-12-01T14:15:37.341Z"^^xsd:dateTime . | |
:relationship--197ade21-6787-4ed3-a3ce-ff4b59b2f15c | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--c13d9621-aca7-436b-ab3d-3a95badb3d00; | |
stix:target_ref :attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add; | |
dcterms:created "2020-06-24T20:29:46.153Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[BackConfig](https://attack.mitre.org/software/S0475) can download and execute additional payloads on a compromised host.(Citation: Unit 42 BackConfig May 2020)"; | |
dcterms:modified "2020-06-24T20:29:46.153Z"^^xsd:dateTime . | |
:relationship--acdc53fa-91d6-4417-bc7b-83c220ec9fae | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--b45747dc-87ca-4597-a245-7e16a61bc491; | |
stix:target_ref :attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c; | |
dcterms:created "2019-01-30T15:27:06.723Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Seasalt](https://attack.mitre.org/software/S0345) has a command to delete a specified file.(Citation: Mandiant APT1 Appendix)"; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--bb6be5dd-602d-4625-859a-eb6c5bddc29c | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--5864e59f-eb4c-43ad-83b2-b5e4fae056c9; | |
stix:target_ref :attack-pattern--1c34f7aa-9341-4a48-bfab-af22e51aca6c; | |
dcterms:created "2021-09-09T14:15:55.323Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[ObliqueRAT](https://attack.mitre.org/software/S0644) can copy specific files, webcam captures, and screenshots to local directories.(Citation: Talos Oblique RAT March 2021)"; | |
dcterms:modified "2022-05-11T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--2a27a98e-ee19-49f3-96e4-a5c9ee6e65ed | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--e44e0985-bc65-4a8f-b578-211c858128e3; | |
stix:target_ref :attack-pattern--f9cc4d06-775f-4ee1-b401-4e2cc0da30ba; | |
dcterms:created "2021-09-07T13:43:36.245Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Transparent Tribe](https://attack.mitre.org/groups/G0134) has compromised domains for use in targeted malicious campaigns.(Citation: Proofpoint Operation Transparent Tribe March 2016)"; | |
dcterms:modified "2021-10-15T14:37:09.745Z"^^xsd:dateTime . | |
:relationship--42de94e7-86f3-41d9-9e01-45fff8be1451 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--1492d0f8-7e14-4af3-9239-bc3fe10d3407; | |
stix:target_ref :attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d; | |
dcterms:created "2020-03-17T03:07:38.540Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Ursnif](https://attack.mitre.org/software/S0386) has used HTTP POSTs to exfil gathered information.(Citation: TrendMicro Ursnif Mar 2015)(Citation: FireEye Ursnif Nov 2017)(Citation: ProofPoint Ursnif Aug 2016)"; | |
dcterms:modified "2020-03-17T03:07:38.540Z"^^xsd:dateTime . | |
:tool--362dc67f-4e85-4562-9dac-1b6b7f3ec4b5 | |
rdf:type stix:Tool; | |
rdfs:label "ifconfig"; | |
dcterms:created "2017-05-31T21:33:03.377Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[ifconfig](https://attack.mitre.org/software/S0101) is a Unix-based utility used to gather information about and interact with the TCP/IP settings on a system. (Citation: Wikipedia Ifconfig)"; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--ffffed15-5695-44b9-b85b-89ba8187415d | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--cfc75b0d-e579-40ae-ad07-a1ce00d49a6c; | |
stix:target_ref :attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add; | |
dcterms:created "2019-09-24T14:19:05.322Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[ZxShell](https://attack.mitre.org/software/S0412) has a command to transfer files from a remote host.(Citation: Talos ZxShell Oct 2014) "; | |
dcterms:modified "2022-01-05T16:34:01.994Z"^^xsd:dateTime . | |
:relationship--434296ee-6296-4d0a-a72e-bebb914c9700 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--e355fc84-6f3c-4888-8e0a-d7fa9c378532; | |
stix:target_ref :attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279; | |
dcterms:created "2022-09-29T20:08:25.503Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[STARWHALE](https://attack.mitre.org/software/S1037) can establish persistence by installing itself in the startup folder, whereas the GO variant has created a `HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\OutlookM` registry key.(Citation: DHS CISA AA22-055A MuddyWater February 2022)(Citation: Mandiant UNC3313 Feb 2022)"; | |
dcterms:modified "2022-10-14T15:23:17.968Z"^^xsd:dateTime . | |
:relationship--ccb912dd-ed1f-4844-9bc0-75a033fa8813 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--73d08401-005f-4e1f-90b9-8f45d120879f; | |
stix:target_ref :attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c; | |
dcterms:created "2022-02-01T21:21:35.872Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Ferocious](https://attack.mitre.org/software/S0679) can delete files from a compromised host.(Citation: Kaspersky WIRTE November 2021)"; | |
dcterms:modified "2022-02-01T21:21:35.872Z"^^xsd:dateTime . | |
:relationship--09673a33-d15e-460a-8980-55c67ee2bb19 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--c5b81590-6814-4d2a-8baa-15c4b6c7f960; | |
stix:target_ref :attack-pattern--3489cfc5-640f-4bb3-a103-9137b97de79f; | |
dcterms:created "2021-10-17T15:10:00.720Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Tonto Team](https://attack.mitre.org/groups/G0131) has used tools such as [NBTscan](https://attack.mitre.org/software/S0590) to enumerate network shares.(Citation: TrendMicro Tonto Team October 2020)"; | |
dcterms:modified "2021-10-17T15:10:00.720Z"^^xsd:dateTime . | |
:relationship--6b50cc7f-4284-4b29-bb70-e4184dd52691 | |
rdf:type stix:Relationship; | |
stix:source_ref :attack-pattern--2cd950a6-16c4-404a-aa01-044322395107; | |
stix:target_ref :attack-pattern--457c7820-d331-465a-915e-42f85500ccc4; | |
dcterms:created "2020-03-27T21:12:27.996Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--dc4bc74b-cd60-4853-a436-8d5e34b01564 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--7e6c2a9d-9dc1-4eb0-b27c-91e8076a9d77; | |
stix:target_ref :attack-pattern--f24faf46-3b26-4dbb-98f2-63460498e433; | |
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[QUADAGENT](https://attack.mitre.org/software/S0269) uses multiple protocols (HTTPS, HTTP, DNS) for its C2 server as fallback channels if communication with one is unsuccessful.(Citation: Unit 42 QUADAGENT July 2018)"; | |
dcterms:modified "2020-03-17T02:18:35.328Z"^^xsd:dateTime . | |
:relationship--7a938acf-f072-42ba-8b5f-16e78ebea7f7 | |
rdf:type stix:Relationship; | |
stix:source_ref :tool--1b3b8f96-43b1-4460-8e02-1f53d7802fb9; | |
stix:target_ref :attack-pattern--866d0d6d-02c6-42bd-aa2f-02907fdc0969; | |
dcterms:created "2023-09-28T13:32:25.330Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Pacu](https://attack.mitre.org/software/S1091) can collect CloudTrail event histories and CloudWatch logs.(Citation: GitHub Pacu)"; | |
dcterms:modified "2023-10-13T16:33:16.964Z"^^xsd:dateTime . | |
:relationship--1569b958-8b61-42bc-8171-91a068d7fe1a | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--78bb71be-92b4-46de-acd6-5f998fedf1cc; | |
stix:target_ref :attack-pattern--60c4b628-4807-4b0b-bbf5-fdac8643c337; | |
dcterms:created "2020-10-20T15:42:48.371Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls."; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--34c6a059-9496-4f1e-9331-c1986e62b6a1 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--6de9cad1-eed2-4e27-b0b5-39fa29349ea0; | |
stix:target_ref :attack-pattern--b80d107d-fa0d-4b60-9684-b0433e8bdba0; | |
dcterms:created "2021-06-03T19:52:01.089Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[DEATHRANSOM](https://attack.mitre.org/software/S0616) can use public and private key pair encryption to encrypt files for ransom payment.(Citation: FireEye FiveHands April 2021)"; | |
dcterms:modified "2021-06-03T19:52:01.089Z"^^xsd:dateTime . | |
:relationship--2bfc128f-2bc9-436b-abe0-4206b9e35727 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--6c2550d5-a01a-4bbb-a004-6ead348ba623; | |
stix:target_ref :attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add; | |
dcterms:created "2021-09-07T15:24:47.885Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Peppy](https://attack.mitre.org/software/S0643) can download and execute remote files.(Citation: Proofpoint Operation Transparent Tribe March 2016)"; | |
dcterms:modified "2021-10-15T14:37:10.022Z"^^xsd:dateTime . | |
:relationship--911beb36-2a36-4c26-9e0d-bea35f6497b6 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--91c57ed3-7c32-4c68-b388-7db00cb8dac6; | |
stix:target_ref :attack-pattern--4ae4f953-fe58-4cc8-a327-33257e30a830; | |
dcterms:created "2023-09-27T20:25:38.772Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[NightClub](https://attack.mitre.org/software/S1090) can use `GetForegroundWindow` to enumerate the active window.(Citation: MoustachedBouncer ESET August 2023)"; | |
dcterms:modified "2023-09-27T20:25:38.772Z"^^xsd:dateTime . | |
:relationship--60dd06c7-788f-45e7-8845-3bb1cb4f2c17 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--7724581b-06ff-4d2b-b77c-80dc8d53070b; | |
stix:target_ref :attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e; | |
dcterms:created "2022-06-09T19:45:24.757Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Saint Bot](https://attack.mitre.org/software/S1018) has relied upon users to execute a malicious attachment delivered via spearphishing.(Citation: Malwarebytes Saint Bot April 2021)(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )"; | |
dcterms:modified "2022-06-09T19:56:08.618Z"^^xsd:dateTime . | |
:relationship--5d972f64-4c81-43ce-ba08-2c791bd78287 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--54a73038-1937-4d71-a253-316e76d5413c; | |
stix:target_ref :attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9; | |
dcterms:created "2020-11-16T20:48:01.885Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Lucifer](https://attack.mitre.org/software/S0532) has established persistence by creating the following scheduled task <code>schtasks /create /sc minute /mo 1 /tn QQMusic ^ /tr C:Users\\%USERPROFILE%\\Downloads\\spread.exe /F</code>.(Citation: Unit 42 Lucifer June 2020)"; | |
dcterms:modified "2020-11-20T18:19:44.010Z"^^xsd:dateTime . | |
:relationship--06219288-2833-4a8e-b8bc-10a834e3af7f | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--f29b7c5e-2439-42ad-a86f-9f8984fafae3; | |
stix:target_ref :attack-pattern--d511a6f6-4a33-41d5-bc95-c343875d1377; | |
dcterms:created "2022-06-14T14:04:15.062Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[HEXANE](https://attack.mitre.org/groups/G1001) has used Base64-encoded scripts.(Citation: Kaspersky Lyceum October 2021)"; | |
dcterms:modified "2023-03-22T04:44:21.382Z"^^xsd:dateTime . | |
:relationship--88e52860-d4cc-485a-b23f-ad2cda301727 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--3bc7e862-5610-4c02-9c48-15b2e2dc1ddb; | |
stix:target_ref :attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add; | |
dcterms:created "2023-02-14T18:43:07.753Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Woody RAT](https://attack.mitre.org/software/S1065) can download files from its C2 server, including the .NET DLLs, `WoodySharpExecutor` and `WoodyPowerSession`.(Citation: MalwareBytes WoodyRAT Aug 2022) "; | |
dcterms:modified "2023-02-23T21:06:52.989Z"^^xsd:dateTime . | |
:relationship--419392f5-e6a8-4eee-b7c2-f0bac5cce833 | |
rdf:type stix:Relationship; | |
stix:source_ref :tool--c8655260-9f4b-44e3-85e1-6538a5f6e4f4; | |
stix:target_ref :attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add; | |
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Koadic](https://attack.mitre.org/software/S0250) can download additional files and tools.(Citation: Github Koadic)(Citation: MalwareBytes LazyScripter Feb 2021)"; | |
dcterms:modified "2022-04-06T19:39:45.963Z"^^xsd:dateTime . | |
:relationship--cd6d8071-bcca-45ee-a477-3547d23d7758 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--fde19a18-e502-467f-be14-58c71b4e7f4b; | |
stix:target_ref :attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62; | |
dcterms:created "2021-12-27T19:19:42.880Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[WarzoneRAT](https://attack.mitre.org/software/S0670) can use `cmd.exe` to execute malicious code.(Citation: Check Point Warzone Feb 2020)"; | |
dcterms:modified "2022-04-07T16:29:12.087Z"^^xsd:dateTime . | |
:relationship--1a5f8d73-a9c4-40db-9cd5-7f8a7aea19d7 | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--93e7968a-9074-4eac-8ae9-9f5200ec3317; | |
stix:target_ref :attack-pattern--8565825b-21c8-4518-b75e-cbc4c717a156; | |
dcterms:created "2021-10-06T20:34:42.509Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Restrict granting of permissions related to listing objects in cloud storage to necessary accounts."; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--c75ec383-2acd-479f-b9b7-b2038ec10a7d | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--00806466-754d-44ea-ad6f-0caf59cb8556; | |
stix:target_ref :attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4; | |
dcterms:created "2019-01-30T14:11:44.111Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[TrickBot](https://attack.mitre.org/software/S0266) can modify registry entries.(Citation: Trend Micro Trickbot Nov 2018)"; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--c64f3e5f-6be9-45ec-8669-5b79c479030d | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--d5fca4e4-e47a-487b-873f-3d22f8865e96; | |
stix:target_ref :attack-pattern--f4599aa0-4f85-4a32-80ea-fc39dc965945; | |
dcterms:created "2022-03-30T14:26:51.845Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Monitor for changes made to processes that may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses as well as possibly elevate privileges. Injecting a malicious DLL into a process is a common adversary TTP. Although the ways of doing this are numerous, mavinject.exe is a commonly used tool for doing so because it roles up many of the necessary steps into one, and is available within Windows. Attackers may rename the executable, so we also use the common argument “INJECTRUNNING” as a related signature here. Whitelisting certain applications may be necessary to reduce noise for this analytic.\n\n<h4>Analytic 1 - DLL Injection with Mavinject </h4>\n<code>mavinject_processes = filter processes where (\n exe = \"C:\\\\Windows\\\\SysWOW64\\\\mavinject.exe\" OR Image=\"C:\\\\Windows\\\\System32\\\\mavinject.exe\" OR command_line = \"*/INJECTRUNNING*\"</code>"; | |
dcterms:modified "2023-08-11T21:32:05.140Z"^^xsd:dateTime . | |
:relationship--a6ad0908-e975-47d7-9c82-c4dfa9e16c3b | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8; | |
stix:target_ref :attack-pattern--106c0cf6-bf73-4601-9aa8-0945c2715ec5; | |
dcterms:created "2022-03-30T14:26:51.840Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Monitor for changes to files associated with system-level processes."; | |
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--8d512a95-702d-4670-ab33-069552494102 | |
rdf:type stix:Relationship; | |
stix:source_ref :tool--066b057c-944e-4cfc-b654-e3dfba04b926; | |
stix:target_ref :attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670; | |
dcterms:created "2020-11-20T13:41:44.619Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[BloodHound](https://attack.mitre.org/software/S0521) can use .NET API calls in the SharpHound ingestor component to pull Active Directory data.(Citation: GitHub Bloodhound)"; | |
dcterms:modified "2020-11-24T20:07:19.348Z"^^xsd:dateTime . | |
:relationship--da2585bf-f31d-42c9-b488-e6cbab7bcd42 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--54dfec3e-6464-4f74-9d69-b7c817b7e5a3; | |
stix:target_ref :malware--88c621a7-aef9-4ae0-94e3-1fc87123eb24; | |
dcterms:created "2021-03-05T18:54:56.759Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "(Citation: Malwarebytes Higaisa 2020)"; | |
dcterms:modified "2021-03-05T18:54:56.759Z"^^xsd:dateTime . | |
:relationship--84baf5e0-516f-47c2-a927-47e524959831 | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a; | |
stix:target_ref :attack-pattern--b8017880-4b1e-42de-ad10-ae7ac6705166; | |
dcterms:created "2022-03-30T14:26:51.857Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious."; | |
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--e7b10c00-0860-4592-a72c-e14e993e972b | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--20945359-3b39-4542-85ef-08ecb4e1c174; | |
stix:target_ref :attack-pattern--f1951e8a-500e-4a26-8803-76d95c4554b4; | |
dcterms:created "2020-07-27T16:04:39.467Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[StrongPity](https://attack.mitre.org/software/S0491) can install a service to execute itself as a service.(Citation: Talos Promethium June 2020)(Citation: Bitdefender StrongPity June 2020)"; | |
dcterms:modified "2020-07-28T17:25:25.651Z"^^xsd:dateTime . | |
:relationship--d2260326-b220-46e4-ba11-3f14ec89f45f | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--63686509-069b-4143-99ea-4e59cad6cb2a; | |
stix:target_ref :attack-pattern--c726e0a2-a57a-4b7b-a973-d0f013246617; | |
dcterms:created "2022-01-10T19:52:49.150Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[DarkWatchman](https://attack.mitre.org/software/S0673) has used the <code>csc.exe</code> tool to compile a C# executable.(Citation: Prevailion DarkWatchman 2021) "; | |
dcterms:modified "2022-01-11T16:03:18.985Z"^^xsd:dateTime . | |
:relationship--768dd2dd-8840-45e3-ad15-c30512a35c05 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--dff90475-9f72-41a6-84ed-1fbefd3874c0; | |
stix:target_ref :attack-pattern--045d0922-2310-4e60-b5e4-3302302cb3c5; | |
dcterms:created "2022-07-25T18:32:06.486Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Heyoka Backdoor](https://attack.mitre.org/software/S1027) can use rundll32.exe to gain execution.(Citation: SentinelOne Aoqin Dragon June 2022)"; | |
dcterms:modified "2022-07-25T18:32:06.486Z"^^xsd:dateTime . | |
:relationship--759ce6e8-da01-4cd6-9d03-9b0a1edde9be | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--c009560a-f097-45a3-8f9f-78ec1440a783; | |
stix:target_ref :attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add; | |
dcterms:created "2021-11-29T19:16:55.904Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[SysUpdate](https://attack.mitre.org/software/S0663) has the ability to download files to a compromised host.(Citation: Trend Micro Iron Tiger April 2021)(Citation: Lunghi Iron Tiger Linux)"; | |
dcterms:modified "2023-03-29T15:40:55.939Z"^^xsd:dateTime . | |
:relationship--394d53b3-da1c-44b4-8abf-e1092f34c8be | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--1d1fce2f-0db5-402b-9843-4278a0694637; | |
stix:target_ref :attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a; | |
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[GravityRAT](https://attack.mitre.org/software/S0237) supports file encryption (AES with the key \"lolomycin2017\").(Citation: Talos GravityRAT)"; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--0ecbbfa3-6b81-4cf7-9033-373ebbc2832f | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--3fc023b2-c5cc-481d-9c3e-70141ae1a87e; | |
stix:target_ref :attack-pattern--840a987a-99bd-4a80-a5c9-0cb2baa6cade; | |
dcterms:created "2021-01-29T19:16:42.231Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Sidewinder](https://attack.mitre.org/groups/G0121) has used <code>mshta.exe</code> to execute malicious payloads.(Citation: Rewterz Sidewinder APT April 2020)(Citation: Rewterz Sidewinder COVID-19 June 2020)"; | |
dcterms:modified "2021-07-21T12:24:09.229Z"^^xsd:dateTime . | |
:relationship--2fa20fad-4ede-42f4-8ce5-7f5a6ce83ed8 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--ccd61dfc-b03f-4689-8c18-7c97eab08472; | |
stix:target_ref :attack-pattern--7385dfaf-6886-4229-9ecd-6fd678040830; | |
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[CHOPSTICK](https://attack.mitre.org/software/S0023) is capable of performing remote command execution.(Citation: Crowdstrike DNC June 2016)(Citation: ESET Sednit Part 2)"; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--6592447f-31c8-46d0-8e88-47584fa301f0 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--9ca488bd-9587-48ef-b923-1743523e63b2; | |
stix:target_ref :attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4; | |
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[SOUNDBITE](https://attack.mitre.org/software/S0157) is capable of modifying the Registry.(Citation: FireEye APT32 May 2017)"; | |
dcterms:modified "2020-03-17T02:38:07.464Z"^^xsd:dateTime . | |
:relationship--eacb7614-6cc9-4eb9-92fc-bba53ac4f59a | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--54a73038-1937-4d71-a253-316e76d5413c; | |
stix:target_ref :attack-pattern--e3a12395-188d-4051-9a16-ea8e14d07b88; | |
dcterms:created "2020-11-16T20:20:30.532Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Lucifer](https://attack.mitre.org/software/S0532) can scan for open ports including TCP ports 135 and 1433.(Citation: Unit 42 Lucifer June 2020)"; | |
dcterms:modified "2020-11-16T20:20:30.532Z"^^xsd:dateTime . | |
:relationship--1567eaca-2b2e-44df-b447-87769738e00a | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--e8545794-b98c-492b-a5b3-4b5a02682e37; | |
stix:target_ref :attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104; | |
dcterms:created "2020-05-18T19:37:52.331Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[POWERSTATS](https://attack.mitre.org/software/S0223) has the ability to identify the username on the compromised host.(Citation: TrendMicro POWERSTATS V3 June 2019)"; | |
dcterms:modified "2020-05-18T19:37:52.331Z"^^xsd:dateTime . | |
:relationship--a18968c2-e639-40fa-9751-1a5ab666bfde | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--a5ae90ca-0c4b-481c-959f-0eb18a7ff953; | |
stix:target_ref :attack-pattern--b0c74ef9-c61e-4986-88cb-78da98a355ec; | |
dcterms:created "2022-03-30T14:26:51.855Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Track the deployment of new containers, especially from newly built images."; | |
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime . | |
:attack-pattern--ba8e391f-14b5-496f-81f2-2d5ecd646c1c | |
rdf:type d3f:OffensiveTechnique; | |
rdfs:label "Credentials in Files"; | |
dcterms:created "2017-05-31T21:31:02.188Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Adversaries may search local file systems and remote file shares for files containing passwords. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.\n\nIt is possible to extract passwords from backups or saved virtual machines through [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). (Citation: CG 2014) Passwords may also be obtained from Group Policy Preferences stored on the Windows Domain Controller. (Citation: SRD GPP)\n\nIn cloud environments, authenticated user credentials are often stored in local configuration and credential files. In some cases, these files can be copied and reused on another machine or the contents can be read and then used to authenticate without needing to copy any files. (Citation: Specter Ops - Cloud Credential Storage)\n\n"; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--f98a3b2b-d1ea-4207-8352-6470b36740ff | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--dc5e2999-ca1a-47d4-8d12-a6984b138a1b; | |
stix:target_ref :attack-pattern--f6dacc85-b37d-458e-b58d-74fc4bbf5755; | |
dcterms:created "2021-01-22T18:24:05.171Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[UNC2452](https://attack.mitre.org/groups/G0118) configured at least one instance of [Cobalt Strike](https://attack.mitre.org/software/S0154) to use a network pipe over SMB during the 2020 SolarWinds intrusion.(Citation: Symantec RAINDROP January 2021)"; | |
dcterms:modified "2023-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--74480cd6-1f2e-4c2d-a1ad-82cc50d63d14 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--b7f627e2-0817-4cd5-8d50-e75f8aa85cc6; | |
stix:target_ref :attack-pattern--ef67e13e-5598-4adc-bdb2-998225874fa9; | |
dcterms:created "2023-02-23T18:08:10.953Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[LuminousMoth](https://attack.mitre.org/groups/G1014) has lured victims into clicking malicious Dropbox download links delivered through spearphishing.(Citation: Kaspersky LuminousMoth July 2021)"; | |
dcterms:modified "2023-02-23T18:08:10.953Z"^^xsd:dateTime . | |
:relationship--863c1d57-db93-49a9-a953-eb7c2d6b2e5b | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--196f1f32-e0c2-4d46-99cd-234d4b6befe1; | |
stix:target_ref :attack-pattern--cba37adb-d6fb-4610-b069-dd04c0643384; | |
dcterms:created "2018-01-16T16:13:52.465Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Felismus](https://attack.mitre.org/software/S0171) checks for processes associated with anti-virus vendors.(Citation: Forcepoint Felismus Mar 2017)"; | |
dcterms:modified "2020-03-17T01:16:15.825Z"^^xsd:dateTime . | |
:relationship--80e484a4-e5b5-4de1-81c7-2bd1a927d156 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--eac3d77f-2b7b-4599-ba74-948dc16633ad; | |
stix:target_ref :attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104; | |
dcterms:created "2020-06-26T16:17:18.161Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Goopy](https://attack.mitre.org/software/S0477) has the ability to enumerate the infected system's user name.(Citation: Cybereason Cobalt Kitty 2017)"; | |
dcterms:modified "2020-06-29T21:37:56.012Z"^^xsd:dateTime . | |
:relationship--9b56f86f-656f-4e18-9557-84638de34f10 | |
rdf:type stix:Relationship; | |
stix:source_ref :campaign--c89fa3ff-4773-4daf-8aec-d8f43f10116e; | |
stix:target_ref :malware--93289ecf-4d15-4d6b-a9c3-4ab27e145ef4; | |
dcterms:created "2023-05-19T20:37:04.605Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "During [C0026](https://attack.mitre.org/campaigns/C0026), the threat actors used [QUIETCANARY](https://attack.mitre.org/software/S1076) to gather and exfiltrate data. (Citation: Mandiant Suspected Turla Campaign February 2023)"; | |
dcterms:modified "2023-05-19T20:37:04.605Z"^^xsd:dateTime . | |
:relationship--5206976b-ac4d-4286-a954-4b1ef5c20adc | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--8901ac23-6b50-410c-b0dd-d8174a86f9b3; | |
stix:target_ref :attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0; | |
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Shamoon](https://attack.mitre.org/software/S0140) obtains the target's IP address and local network segment.(Citation: Palo Alto Shamoon Nov 2016)(Citation: McAfee Shamoon December 2018)"; | |
dcterms:modified "2020-05-29T18:11:23.866Z"^^xsd:dateTime . | |
:relationship--e20b57e5-c010-4b9e-a04e-660daa8b5c87 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--d1acfbb3-647b-4723-9154-800ec119006e; | |
stix:target_ref :attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1; | |
dcterms:created "2018-01-16T16:13:52.465Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Sowbug](https://attack.mitre.org/groups/G0054) obtained OS version and hardware configuration from a victim.(Citation: Symantec Sowbug Nov 2017)"; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--ce8eb6bf-11cc-4d9f-a81a-57bd1422efb1 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--8bdfe255-e658-4ddd-a11c-b854762e451d; | |
stix:target_ref :attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736; | |
dcterms:created "2020-11-08T23:26:13.891Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[KGH_SPY](https://attack.mitre.org/software/S0526) can execute PowerShell commands on the victim's machine.(Citation: Cybereason Kimsuky November 2020)"; | |
dcterms:modified "2020-11-08T23:26:13.891Z"^^xsd:dateTime . | |
:relationship--9494b0d8-26d9-48ae-8dd1-c9d8966b23a0 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--198db886-47af-4f4c-bff5-11b891f85946; | |
stix:target_ref :attack-pattern--f3c544dc-673c-4ef3-accb-53229f1ae077; | |
dcterms:created "2019-01-29T17:59:44.401Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Zeus Panda](https://attack.mitre.org/software/S0330) collects the current system time (UTC) and sends it back to the C2 server.(Citation: GDATA Zeus Panda June 2017)"; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--67e631d1-439f-4630-9662-8ea74ab10234 | |
rdf:type stix:Relationship; | |
stix:source_ref :tool--75d8b521-6b6a-42ff-8af3-d97e20ce12a5; | |
stix:target_ref :attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2; | |
dcterms:created "2023-02-09T19:00:00.555Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Brute Ratel C4](https://attack.mitre.org/software/S1063) has used a payload file named OneDrive.update to appear benign.(Citation: Palo Alto Brute Ratel July 2022)"; | |
dcterms:modified "2023-02-09T19:00:00.555Z"^^xsd:dateTime . | |
:relationship--85be49ac-785e-48af-8d0e-4b74818428fc | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--d13c8a7f-740b-4efa-a232-de7d6bb05321; | |
stix:target_ref :attack-pattern--f1951e8a-500e-4a26-8803-76d95c4554b4; | |
dcterms:created "2019-05-24T17:57:36.723Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Silence](https://attack.mitre.org/groups/G0091) has used [Winexe](https://attack.mitre.org/software/S0191) to install a service on the remote system.(Citation: SecureList Silence Nov 2017)(Citation: Group IB Silence Sept 2018)"; | |
dcterms:modified "2020-05-06T03:12:02.433Z"^^xsd:dateTime . | |
:relationship--34a45578-1deb-4c58-8719-9c04f4fa7dfc | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--58c5a3a1-928f-4094-9e98-a5a4e56dd5f3; | |
stix:target_ref :attack-pattern--ac08589e-ee59-4935-8667-d845e38fe579; | |
dcterms:created "2021-08-23T19:38:33.322Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Avaddon](https://attack.mitre.org/software/S0640) looks for and attempts to stop anti-malware solutions.(Citation: Arxiv Avaddon Feb 2021)"; | |
dcterms:modified "2021-08-23T19:38:33.323Z"^^xsd:dateTime . | |
:relationship--a9a0ecce-239c-4666-94e9-ef1fb64cf796 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--198db886-47af-4f4c-bff5-11b891f85946; | |
stix:target_ref :attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4; | |
dcterms:created "2019-01-29T17:59:44.529Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Zeus Panda](https://attack.mitre.org/software/S0330) modifies several Registry keys under <code>HKCU\\Software\\Microsoft\\Internet Explorer\\ PhishingFilter\\</code> to disable phishing filters.(Citation: GDATA Zeus Panda June 2017)"; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--6a779cbf-ef5c-4018-a91f-10889b2068b0 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--cc613a49-9bfa-4e22-98d1-15ffbb03f034; | |
stix:target_ref :attack-pattern--2de47683-f398-448f-b947-9abcc3e32fad; | |
dcterms:created "2022-09-09T15:57:19.550Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Earth Lusca](https://attack.mitre.org/groups/G1006) has added the Registry key `HKLM\\SYSTEM\\ControlSet001\\Control\\Print\\Environments\\Windows x64\\Print Processors\\UDPrint” /v Driver /d “spool.dll /f` to load malware as a Print Processor.(Citation: TrendMicro EarthLusca 2022)"; | |
dcterms:modified "2022-09-09T15:57:19.550Z"^^xsd:dateTime . | |
:relationship--0dfdfffc-2d1b-487f-91e0-66d81b185367 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--8f423bd7-6ca7-4303-9e85-008c7ad5fdaa; | |
stix:target_ref :attack-pattern--4ae4f953-fe58-4cc8-a327-33257e30a830; | |
dcterms:created "2020-05-06T21:01:23.245Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Attor](https://attack.mitre.org/software/S0438) can obtain application window titles and then determines which windows to perform Screen Capture on.(Citation: ESET Attor Oct 2019)"; | |
dcterms:modified "2020-05-06T21:01:23.245Z"^^xsd:dateTime . | |
:attack-pattern--52f3d5a6-8a0f-4f82-977e-750abf90d0b0 | |
rdf:type d3f:OffensiveTechnique; | |
rdfs:label "Extra Window Memory Injection"; | |
dcterms:created "2018-01-16T16:13:52.465Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Before creating a window, graphical Windows-based processes must prescribe to or register a windows class, which stipulate appearance and behavior (via windows procedures, which are functions that handle input/output of data). (Citation: Microsoft Window Classes) Registration of new windows classes can include a request for up to 40 bytes of extra window memory (EWM) to be appended to the allocated memory of each instance of that class. This EWM is intended to store data specific to that window and has specific application programming interface (API) functions to set and get its value. (Citation: Microsoft GetWindowLong function) (Citation: Microsoft SetWindowLong function)\n\nAlthough small, the EWM is large enough to store a 32-bit pointer and is often used to point to a windows procedure. Malware may possibly utilize this memory location in part of an attack chain that includes writing code to shared sections of the process’s memory, placing a pointer to the code in EWM, then invoking execution by returning execution control to the address in the process’s EWM.\n\nExecution granted through EWM injection may take place in the address space of a separate live process. Similar to [Process Injection](https://attack.mitre.org/techniques/T1055), this may allow access to both the target process's memory and possibly elevated privileges. Writing payloads to shared sections also avoids the use of highly monitored API calls such as WriteProcessMemory and CreateRemoteThread. (Citation: Elastic Process Injection July 2017) More sophisticated malware samples may also potentially bypass protection mechanisms such as data execution prevention (DEP) by triggering a combination of windows procedures and other system functions that will rewrite the malicious payload inside an executable portion of the target process. (Citation: MalwareTech Power Loader Aug 2013) (Citation: WeLiveSecurity Gapz and Redyms Mar 2013)"; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--23b5fd51-bb47-4811-8a38-c768c8fa6b0e | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--44c75271-0e4d-496f-ae0a-a6d883a42a65; | |
stix:target_ref :attack-pattern--5bfccc3f-2326-4112-86cc-c1ece9d8a2b5; | |
dcterms:created "2020-05-05T15:26:30.438Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Rifdoor](https://attack.mitre.org/software/S0433) has added four additional bytes of data upon launching, then saved the changed version as <code>C:\\ProgramData\\Initech\\Initech.exe</code>.(Citation: Carbon Black HotCroissant April 2020)"; | |
dcterms:modified "2020-05-05T21:17:34.608Z"^^xsd:dateTime . | |
:relationship--c85af3d4-ab10-4c49-91c4-bff9054096b8 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--727afb95-3d0f-4451-b297-362a43909923; | |
stix:target_ref :attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580; | |
dcterms:created "2021-03-19T16:26:04.440Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[ThiefQuest](https://attack.mitre.org/software/S0595) obtains a list of running processes using the function <code>kill_unwanted</code>.(Citation: wardle evilquest parti)"; | |
dcterms:modified "2021-04-26T20:02:14.282Z"^^xsd:dateTime . | |
:relationship--fc6b1d58-05bf-41a0-a7fd-fcbbae894430 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1; | |
stix:target_ref :tool--5a63f900-5e7e-4928-a746-dd4558e1df71; | |
dcterms:created "2021-12-07T15:14:11.866Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "(Citation: US-CERT TA18-074A)"; | |
dcterms:modified "2021-12-07T15:14:11.866Z"^^xsd:dateTime . | |
:relationship--287c3024-f58d-4fab-87a7-54d4b52f5a5c | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--64d5f96a-f121-4d19-89f6-6709f5c49faa; | |
stix:target_ref :attack-pattern--bf90d72c-c00b-45e3-b3aa-68560560d4c5; | |
dcterms:created "2022-07-14T20:13:55.682Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Aoqin Dragon](https://attack.mitre.org/groups/G1007) has spread malware in target networks by copying modules to folders masquerading as removable devices.(Citation: SentinelOne Aoqin Dragon June 2022)"; | |
dcterms:modified "2022-07-14T20:16:24.548Z"^^xsd:dateTime . | |
:attack-pattern--ce4b7013-640e-48a9-b501-d0025a95f4bf | |
rdf:type d3f:OffensiveTechnique; | |
rdfs:label "Screensaver"; | |
dcterms:created "2020-01-24T13:51:01.210Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.(Citation: Wikipedia Screensaver) The Windows screensaver application scrnsave.scr is located in <code>C:\\Windows\\System32\\</code>, and <code>C:\\Windows\\sysWOW64\\</code> on 64-bit Windows systems, along with screensavers included with base Windows installations.\n\nThe following screensaver settings are stored in the Registry (<code>HKCU\\Control Panel\\Desktop\\</code>) and could be manipulated to achieve persistence:\n\n* <code>SCRNSAVE.exe</code> - set to malicious PE path\n* <code>ScreenSaveActive</code> - set to '1' to enable the screensaver\n* <code>ScreenSaverIsSecure</code> - set to '0' to not require a password to unlock\n* <code>ScreenSaveTimeout</code> - sets user inactivity timeout before screensaver is executed\n\nAdversaries can use screensaver settings to maintain persistence by setting the screensaver to run malware after a certain timeframe of user inactivity.(Citation: ESET Gazer Aug 2017)"; | |
dcterms:modified "2023-07-28T18:17:34.185Z"^^xsd:dateTime . | |
:relationship--bab689ff-c89e-452f-bca6-a01078ae406e | |
rdf:type stix:Relationship; | |
stix:source_ref :attack-pattern--514ede4c-78b3-4d78-a38b-daddf6217a79; | |
stix:target_ref :attack-pattern--6836813e-8ec8-4375-b459-abb388cb1a35; | |
dcterms:created "2020-01-24T17:07:20.018Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--0ac55ad4-0f16-416e-bf88-67ee1aad85ab | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--ec418d1b-4963-439f-b055-f914737ef362; | |
stix:target_ref :attack-pattern--f792d02f-813d-402b-86a5-ab98cb391d3b; | |
dcterms:created "2017-05-31T21:33:27.030Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:modified "2023-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--68d151ea-6dd8-4e6b-acd5-c998ebffc357 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--cfc75b0d-e579-40ae-ad07-a1ce00d49a6c; | |
stix:target_ref :attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580; | |
dcterms:created "2019-09-24T14:19:05.143Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[ZxShell](https://attack.mitre.org/software/S0412) has a command, ps, to obtain a listing of processes on the system.(Citation: Talos ZxShell Oct 2014) "; | |
dcterms:modified "2022-01-05T16:34:01.884Z"^^xsd:dateTime . | |
:relationship--801f139f-1361-4d79-965e-078787f8ec36 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--f5352566-1a64-49ac-8f7f-97e1d1a03300; | |
stix:target_ref :attack-pattern--04fd5427-79c7-44ea-ae13-11b24778ff1c; | |
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[AutoIt backdoor](https://attack.mitre.org/software/S0129) has sent a C2 response that was base64-encoded.(Citation: Forcepoint Monsoon)"; | |
dcterms:modified "2020-03-20T18:03:40.138Z"^^xsd:dateTime . | |
:relationship--c0b07b4a-d421-4faa-8564-4cc89668afac | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--bd2554b8-634f-4434-a986-9b49c29da2ae; | |
stix:target_ref :attack-pattern--241814ae-de3f-4656-b49e-f9a80764d4b7; | |
dcterms:created "2017-05-31T21:33:27.023Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:modified "2023-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--191aac5f-38bc-429b-8343-32eb17fa4919 | |
rdf:type stix:Relationship; | |
stix:source_ref :campaign--26d9ebae-de59-427f-ae9a-349456bae4b1; | |
stix:target_ref :attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1; | |
dcterms:created "2022-09-07T19:17:14.632Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "During [Frankenstein](https://attack.mitre.org/campaigns/C0001), the threat actors used [Empire](https://attack.mitre.org/software/S0363) to obtain the compromised machine's name.(Citation: Talos Frankenstein June 2019)"; | |
dcterms:modified "2022-09-21T14:38:13.835Z"^^xsd:dateTime . | |
:relationship--dda9f6bb-eb66-422b-aa58-fede809b6a6a | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--754effde-613c-4244-a83e-fb659b2a4d06; | |
stix:target_ref :attack-pattern--f1951e8a-500e-4a26-8803-76d95c4554b4; | |
dcterms:created "2020-05-27T22:05:32.062Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Operators deploying [Netwalker](https://attack.mitre.org/software/S0457) have used psexec and certutil to retrieve the [Netwalker](https://attack.mitre.org/software/S0457) payload.(Citation: Sophos Netwalker May 2020)"; | |
dcterms:modified "2020-05-27T22:05:32.062Z"^^xsd:dateTime . | |
:tool--842976c7-f9c8-41b2-8371-41dc64fbe261 | |
rdf:type stix:Tool; | |
rdfs:label "ConnectWise"; | |
dcterms:created "2021-03-18T13:39:27.676Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[ConnectWise](https://attack.mitre.org/software/S0591) is a legitimate remote administration tool that has been used since at least 2016 by threat actors including [MuddyWater](https://attack.mitre.org/groups/G0069) and [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) to connect to and conduct lateral movement in target environments.(Citation: Anomali Static Kitten February 2021)(Citation: Trend Micro Muddy Water March 2021)"; | |
dcterms:modified "2023-04-13T13:09:38.786Z"^^xsd:dateTime . | |
:relationship--012617bd-bdb5-434f-996c-bea7afe1b8a5 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--579607c2-d046-40df-99ab-beb479c37a2a; | |
stix:target_ref :attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0; | |
dcterms:created "2021-12-01T18:49:06.980Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Chrommme](https://attack.mitre.org/software/S0667) can enumerate the IP address of a compromised host.(Citation: ESET Gelsemium June 2021)"; | |
dcterms:modified "2021-12-01T18:49:06.980Z"^^xsd:dateTime . | |
:relationship--082b64f6-cc70-4bc8-a49f-bf0f125883f7 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--81c57a96-fc8c-4f91-af8e-63e24c2927c2; | |
stix:target_ref :attack-pattern--e3b6daca-e963-4a69-aee6-ed4fd653ad58; | |
dcterms:created "2020-10-21T17:01:35.599Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Metamorfo](https://attack.mitre.org/software/S0455) has searched the compromised system for banking applications.(Citation: FireEye Metamorfo Apr 2018)(Citation: ESET Casbaneiro Oct 2019)"; | |
dcterms:modified "2021-09-27T19:32:34.723Z"^^xsd:dateTime . | |
:relationship--ae1592ae-15a3-45e3-a509-4fe9be3f9ed9 | |
rdf:type stix:Relationship; | |
stix:source_ref :campaign--0257b35b-93ef-4a70-80dd-ad5258e6045b; | |
stix:target_ref :attack-pattern--b97f1d35-4249-4486-a6b5-ee60ccf24fab; | |
dcterms:created "2023-03-17T15:01:40.524Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "During [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) used `regsvr32` to execute malware.(Citation: ESET Lazarus Jun 2020)"; | |
dcterms:modified "2023-04-13T21:26:07.943Z"^^xsd:dateTime . | |
:relationship--da759124-8047-4b58-b7d4-fa9300cb4ce1 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c; | |
stix:target_ref :attack-pattern--be055942-6e63-49d7-9fa1-9cb7d8a8f3f4; | |
dcterms:created "2021-01-13T21:54:29.651Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[APT28](https://attack.mitre.org/groups/G0007) has used Google Drive for C2.(Citation: TrendMicro Pawn Storm Dec 2020)"; | |
dcterms:modified "2021-04-19T21:12:35.769Z"^^xsd:dateTime . | |
:relationship--70dc4dfe-c859-4665-88d7-ff724d88380b | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--92b03a94-7147-4952-9d5a-b4d24da7487c; | |
stix:target_ref :attack-pattern--c877e33f-1df6-40d6-b1e7-ce70f16f4979; | |
dcterms:created "2022-10-13T17:19:04.454Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[SDBbot](https://attack.mitre.org/software/S0461) can collected the country code of a compromised machine.(Citation: Korean FSI TA505 2020)"; | |
dcterms:modified "2022-10-13T17:19:04.454Z"^^xsd:dateTime . | |
:relationship--907df22e-fdfe-4b93-8b18-ebf66f83868c | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--66b1dcde-17a0-4c7b-95fa-b08d430c2131; | |
stix:target_ref :attack-pattern--4ab929c6-ee2d-4fb5-aab4-b14be2ed7179; | |
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[S-Type](https://attack.mitre.org/software/S0085) may create the file <code>%HOMEPATH%\\Start Menu\\Programs\\Startup\\Realtek {Unique Identifier}.lnk</code>, which points to the malicious `msdtc.exe` file already created in the `%CommonFiles%` directory.(Citation: Cylance Dust Storm)"; | |
dcterms:modified "2022-09-30T20:36:11.388Z"^^xsd:dateTime . | |
:relationship--32bebd4b-6bbe-4a4e-86a1-0c49fda51259 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924; | |
stix:target_ref :attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161; | |
dcterms:created "2020-05-20T19:05:37.549Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Tropic Trooper](https://attack.mitre.org/groups/G0081) has used HTTP in communication with the C2.(Citation: Anomali Pirate Panda April 2020)(Citation: TrendMicro Tropic Trooper May 2020)"; | |
dcterms:modified "2020-05-21T16:39:27.634Z"^^xsd:dateTime . | |
:relationship--39670e5f-214a-48b0-81df-01c1f5030cd7 | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--e5d930e9-775a-40ad-9bdb-b941d8dfe86b; | |
stix:target_ref :attack-pattern--bf147104-abf9-4221-95d1-e81585859441; | |
dcterms:created "2019-11-07T20:09:56.969Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "For the Outlook methods, blocking macros may be ineffective as the Visual Basic engine used for these features is separate from the macro scripting engine.(Citation: SensePost Outlook Forms) Microsoft has released patches to try to address each issue. Ensure KB3191938 which blocks Outlook Visual Basic and displays a malicious code warning, KB4011091 which disables custom forms by default, and KB4011162 which removes the legacy Home Page feature, are applied to systems.(Citation: SensePost Outlook Home Page)"; | |
dcterms:modified "2021-08-16T21:30:02.054Z"^^xsd:dateTime . | |
:relationship--a49fc7fd-5af0-4a2f-a2bb-f1d153e6b66d | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--7724581b-06ff-4d2b-b77c-80dc8d53070b; | |
stix:target_ref :attack-pattern--c877e33f-1df6-40d6-b1e7-ce70f16f4979; | |
dcterms:created "2022-06-09T19:12:36.907Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Saint Bot](https://attack.mitre.org/software/S1018) has conducted system locale checks to see if the compromised host is in Russia, Ukraine, Belarus, Armenia, Kazakhstan, or Moldova.(Citation: Malwarebytes Saint Bot April 2021)(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )"; | |
dcterms:modified "2022-06-09T20:48:17.510Z"^^xsd:dateTime . | |
:relationship--beeaf89d-cbd4-49fd-a18a-a430e3ad8c36 | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--a5ae90ca-0c4b-481c-959f-0eb18a7ff953; | |
stix:target_ref :attack-pattern--35dd844a-b219-4e2b-a6bb-efa9a75995a9; | |
dcterms:created "2022-03-30T14:26:51.868Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Monitor for newly constructed containers that may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code."; | |
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--69513daf-2acd-4b04-a7be-9f31174a2ae9 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--2e290bfe-93b5-48ce-97d6-edcd6d32b7cf; | |
stix:target_ref :attack-pattern--2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64; | |
dcterms:created "2020-06-16T17:53:18.768Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Gamaredon Group](https://attack.mitre.org/groups/G0047) malware can insert malicious macros into documents using a <code>Microsoft.Office.Interop</code> object.(Citation: ESET Gamaredon June 2020)\t"; | |
dcterms:modified "2020-06-22T18:27:32.047Z"^^xsd:dateTime . | |
:relationship--0c2ba74b-a5b0-493c-84f3-41b6131070a0 | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--95c29444-49f9-49f7-8b20-bcd68d8fcaa6; | |
stix:target_ref :attack-pattern--4bf5845d-a814-4490-bc5c-ccdee6043025; | |
dcterms:created "2018-01-16T16:13:52.465Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:modified "2023-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:attack-pattern--1cfcb312-b8d7-47a4-b560-4b16cc677292 | |
rdf:type d3f:OffensiveTechnique; | |
rdfs:label "Stored Data Manipulation"; | |
dcterms:created "2020-03-02T14:22:24.410Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating stored data, adversaries may attempt to affect a business process, organizational understanding, and decision making.\n\nStored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. The type of modification and the impact it will have depends on the type of data as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact."; | |
dcterms:modified "2022-05-11T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--1cf57140-fe45-4c26-8946-071252ae8276 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--0efefea5-78da-4022-92bc-d726139e8883; | |
stix:target_ref :attack-pattern--692074ae-bb62-4a5e-a735-02cb6bde458c; | |
dcterms:created "2019-03-04T17:12:37.776Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Linux Rabbit](https://attack.mitre.org/software/S0362) brute forces SSH passwords in order to attempt to gain access and install its malware onto the server. (Citation: Anomali Linux Rabbit 2018)"; | |
dcterms:modified "2020-03-11T18:48:12.899Z"^^xsd:dateTime . | |
:attack-pattern--e196b5c5-8118-4a1c-ab8a-936586ce3db5 | |
rdf:type d3f:OffensiveTechnique; | |
rdfs:label "Server"; | |
dcterms:created "2020-10-01T00:56:25.135Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Adversaries may compromise third-party servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control. Instead of purchasing a [Server](https://attack.mitre.org/techniques/T1583/004) or [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003), adversaries may compromise third-party servers in support of operations.\n\nAdversaries may also compromise web servers to support watering hole operations, as in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), or email servers to support [Phishing](https://attack.mitre.org/techniques/T1566) operations."; | |
dcterms:modified "2023-04-13T00:00:25.676Z"^^xsd:dateTime . | |
:relationship--1c677f35-b73b-47bc-b162-1fd036a38def | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--00c3bfcb-99bd-4767-8c03-b08f585f5c8a; | |
stix:target_ref :attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a; | |
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[PowerDuke](https://attack.mitre.org/software/S0139) uses steganography to hide backdoors in PNG files, which are also encrypted using the Tiny Encryption Algorithm (TEA)."; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--a80b33dc-0fe2-4b0d-a815-51a036fa410f | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--47e0e9fe-96ce-4f65-8bb1-8be1feacb5db; | |
stix:target_ref :attack-pattern--04ee0cb7-dac3-4c6c-9387-4c6aa096f4cf; | |
dcterms:created "2019-10-07T17:47:39.651Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Limit or restrict program execution using anti-virus software. On MacOS, whitelist programs that are allowed to have the plist tag. All other programs should be considered suspicious."; | |
dcterms:modified "2023-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--13ac3b6b-d008-44fa-88c3-53d0927961d2 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6; | |
stix:target_ref :attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67; | |
dcterms:created "2019-07-08T15:24:24.654Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Turla](https://attack.mitre.org/groups/G0010) has used VBS scripts throughout its operations.(Citation: Symantec Waterbug Jun 2019)\t"; | |
dcterms:modified "2020-03-19T17:37:34.240Z"^^xsd:dateTime . | |
:relationship--4ebeacbf-4f30-4f32-86dc-54d932ea7c46 | |
rdf:type stix:Relationship; | |
stix:source_ref :attack-pattern--1996eef1-ced3-4d7f-bf94-33298cabbf72; | |
stix:target_ref :attack-pattern--355be19c-ffc9-46d5-8d50-d6a036c675b6; | |
dcterms:created "2020-03-15T16:27:38.223Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--4372bc1b-e764-4208-a250-bd7d1669f0c5 | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a; | |
stix:target_ref :attack-pattern--a62a8db3-f23a-4d8f-afd6-9dbc77e7813b; | |
dcterms:created "2022-03-30T14:26:51.861Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious."; | |
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--62359eba-e21f-46f1-9fb2-a3ec9d52acb3 | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6; | |
stix:target_ref :attack-pattern--74d2a63f-3c7b-4852-92da-02d8fbab16da; | |
dcterms:created "2022-03-30T14:26:51.851Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Detect lack of reported activity from a host sensor. Different methods of blocking may cause different disruptions in reporting. Systems may suddenly stop reporting all data or only certain kinds of data. Depending on the types of host information collected, an analyst may be able to detect the event that triggered a process to stop or connection to be blocked. For example, Sysmon will log when its configuration state has changed (Event ID 16) and Windows Management Instrumentation (WMI) may be used to subscribe ETW providers that log any provider removal from a specific trace session. (Citation: Medium Event Tracing Tampering 2018)"; | |
dcterms:modified "2022-03-30T14:26:51.851Z"^^xsd:dateTime . | |
:relationship--e342f3ae-10f0-4740-937b-5cead8204d78 | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077; | |
stix:target_ref :attack-pattern--53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a; | |
dcterms:created "2022-03-30T14:26:51.834Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Monitor for newly constructed processes and/or command-lines that aid in compression or encrypting data that is collected prior to exfiltration, such as 7-Zip, WinRAR, and WinZip. "; | |
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--35a9c64c-c305-46bf-a216-c8bb1b051614 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6; | |
stix:target_ref :malware--da5880b4-f7da-4869-85f2-e0aba84b8565; | |
dcterms:created "2017-05-31T21:33:27.046Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "(Citation: Symantec Waterbug)(Citation: Unit 42 IronNetInjector February 2021 )(Citation: Secureworks IRON HUNTER Profile)"; | |
dcterms:modified "2022-05-20T17:02:59.591Z"^^xsd:dateTime . | |
:relationship--08692b08-78e8-4f04-82a0-e4efe009dba4 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--99910207-1741-4da1-9b5d-537410186b51; | |
stix:target_ref :attack-pattern--bd369cd9-abb8-41ce-b5bb-fff23ee86c00; | |
dcterms:created "2021-12-02T14:15:49.946Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Gelsemium](https://attack.mitre.org/groups/G0141) has compromised software supply chains to gain access to victims.(Citation: ESET Gelsemium June 2021)"; | |
dcterms:modified "2022-05-11T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--f56f129e-0a30-4be0-bc4b-5942a479e0f9 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--dff90475-9f72-41a6-84ed-1fbefd3874c0; | |
stix:target_ref :attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e; | |
dcterms:created "2022-07-25T18:20:36.684Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Heyoka Backdoor](https://attack.mitre.org/software/S1027) has been spread through malicious document lures.(Citation: SentinelOne Aoqin Dragon June 2022)"; | |
dcterms:modified "2022-07-25T18:20:36.684Z"^^xsd:dateTime . | |
:relationship--2f337593-16b2-40a2-928c-c7659d0326ea | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--64d5f96a-f121-4d19-89f6-6709f5c49faa; | |
stix:target_ref :attack-pattern--3b744087-9945-4a6f-91e8-9dbceda417a4; | |
dcterms:created "2022-10-11T16:03:53.721Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Aoqin Dragon](https://attack.mitre.org/groups/G1007) has used a dropper that employs a worm infection strategy using a removable device to breach a secure network environment.(Citation: SentinelOne Aoqin Dragon June 2022)"; | |
dcterms:modified "2022-10-11T16:03:53.721Z"^^xsd:dateTime . | |
:relationship--70b27780-b19a-4313-88ea-1038ce0fc386 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--2eaa5319-5e1e-4dd7-bbc4-566fced3964a; | |
stix:target_ref :attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580; | |
dcterms:created "2021-02-09T14:35:39.641Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Bad Rabbit](https://attack.mitre.org/software/S0606) can enumerate all running processes to compare hashes.(Citation: Secure List Bad Rabbit)"; | |
dcterms:modified "2021-05-04T19:28:12.850Z"^^xsd:dateTime . | |
:relationship--438f9fb0-bf82-4c72-8fdf-0dbc39bcf4fc | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--727afb95-3d0f-4451-b297-362a43909923; | |
stix:target_ref :attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4; | |
dcterms:created "2021-03-19T16:26:04.418Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[ThiefQuest](https://attack.mitre.org/software/S0595) uses the <code>CGEventTap</code> functions to perform keylogging.(Citation: Trendmicro Evolving ThiefQuest 2020)"; | |
dcterms:modified "2021-04-26T20:02:14.275Z"^^xsd:dateTime . | |
:relationship--f3bbff8f-5f4b-40aa-a55f-e3880a582868 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--7dbb67c7-270a-40ad-836e-c45f8948aa5a; | |
stix:target_ref :attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62; | |
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[KOMPROGO](https://attack.mitre.org/software/S0156) is capable of creating a reverse shell.(Citation: FireEye APT32 May 2017)"; | |
dcterms:modified "2020-03-20T02:12:29.707Z"^^xsd:dateTime . | |
:relationship--a6a4bbf3-7a2e-46ae-877a-614bf9f81644 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--5c747acd-47f0-4c5a-b9e5-213541fc01e0; | |
stix:target_ref :attack-pattern--f7c0689c-4dbd-489b-81be-7cb7c7079ade; | |
dcterms:created "2021-03-12T16:55:09.334Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[GoldMax](https://attack.mitre.org/software/S0588) has used decoy traffic to surround its malicious network traffic to avoid detection.(Citation: MSTIC NOBELIUM Mar 2021)"; | |
dcterms:modified "2021-04-25T21:45:21.223Z"^^xsd:dateTime . | |
:attack-pattern--39cc9f64-cf74-4a48-a4d8-fe98c54a02e0 | |
rdf:type d3f:OffensiveTechnique; | |
rdfs:label "Virtual Private Server"; | |
dcterms:created "2020-10-01T00:55:17.771Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Adversaries may compromise third-party Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. Adversaries may compromise VPSs purchased by third-party entities. By compromising a VPS to use as infrastructure, adversaries can make it difficult to physically tie back operations to themselves.(Citation: NSA NCSC Turla OilRig)\n\nCompromising a VPS for use in later stages of the adversary lifecycle, such as Command and Control, can allow adversaries to benefit from the ubiquity and trust associated with higher reputation cloud service providers as well as that added by the compromised third-party."; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--11178fb7-27d1-4ad2-b912-113741647377 | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba; | |
stix:target_ref :attack-pattern--4cbc6a62-9e34-4f94-8a19-5c1a11392a49; | |
dcterms:created "2022-03-30T14:26:51.837Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Monitor for newly constructed network connections that are sent or received by untrusted hosts, such as Sysmon Event 3 (Network connection) where Image contains CMSTP.exe and DestinationIP is external."; | |
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--9d62760d-5678-4ebf-9a19-aa9de5d9728c | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--1dcaeb21-9348-42ea-950a-f842aaf1ae1f; | |
stix:target_ref :attack-pattern--f8ef3a62-3f44-40a4-abca-761ab235c436; | |
dcterms:created "2021-03-31T14:01:52.505Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Limit communications with the container service to managed and secured channels, such as local Unix sockets or remote access via SSH. Require secure port access to communicate with the APIs over TLS by disabling unauthenticated access to the Docker API and Kubernetes API Server.(Citation: Docker Daemon Socket Protect)(Citation: Kubernetes API Control Access) In Kubernetes clusters deployed in cloud environments, use native cloud platform features to restrict the IP ranges that are permitted to access to API server.(Citation: Kubernetes Cloud Native Security) Where possible, consider enabling just-in-time (JIT) access to the Kubernetes API to place additional restrictions on access.(Citation: Microsoft AKS Azure AD 2023)"; | |
dcterms:modified "2023-04-15T16:13:07.227Z"^^xsd:dateTime . | |
:relationship--ac603ee0-cb62-4ad5-852a-29b70b225c5f | |
rdf:type stix:Relationship; | |
stix:source_ref :tool--d505fc8b-2e64-46eb-96d6-9ef7ffca5b66; | |
stix:target_ref :attack-pattern--c3888c54-775d-4b2f-b759-75a2ececcbfd; | |
dcterms:created "2022-03-26T03:47:59.075Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Mythic](https://attack.mitre.org/software/S0699) supports custom chunk sizes used to upload/download files.(Citation: Mythc Documentation)\t"; | |
dcterms:modified "2022-03-26T03:47:59.075Z"^^xsd:dateTime . | |
:marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 | |
rdf:type stix:MarkingDefinition; | |
dcterms:created "2017-06-01T00:00:00.000Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 . | |
:relationship--0f43dcda-56ff-4ac2-b79a-82b09a90944f | |
rdf:type stix:Relationship; | |
stix:source_ref :tool--1244e058-fa10-48cb-b484-0bcf671107ae; | |
stix:target_ref :attack-pattern--8d7bd4f5-3a89-4453-9c82-2c8894d5655e; | |
dcterms:created "2022-03-24T19:39:24.717Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[SILENTTRINITY](https://attack.mitre.org/software/S0692) has a module that can extract cached GPP passwords.(Citation: GitHub SILENTTRINITY Modules July 2019) "; | |
dcterms:modified "2022-03-24T19:39:24.717Z"^^xsd:dateTime . | |
:relationship--4612c0bd-f6f7-4c71-92dd-9f26ff1c3eef | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--d69e568e-9ac8-4c08-b32c-d93b43ba9172; | |
stix:target_ref :attack-pattern--fb8d023d-45be-47e9-bc51-f56bcae6435b; | |
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Thrip](https://attack.mitre.org/groups/G0076) has used WinSCP to exfiltrate data from a targeted organization over FTP.(Citation: Symantec Thrip June 2018)"; | |
dcterms:modified "2020-03-16T18:05:41.507Z"^^xsd:dateTime . | |
:relationship--f2ac3f65-68d3-45d2-8aab-b2bd57036fa8 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--e7a5229f-05eb-440e-b982-9a6d2b2b87c8; | |
stix:target_ref :attack-pattern--341e222a-a6e3-4f6f-b69c-831d792b1580; | |
dcterms:created "2020-12-14T21:59:38.674Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Agent Tesla](https://attack.mitre.org/software/S0331) has the ability to extract credentials from the Registry.(Citation: SentinelLabs Agent Tesla Aug 2020) "; | |
dcterms:modified "2020-12-14T21:59:38.674Z"^^xsd:dateTime . | |
:relationship--1c25229d-c0f5-4ad6-a403-874d59df73fe | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1; | |
stix:target_ref :attack-pattern--98be40f2-c86b-4ade-b6fc-4964932040e5; | |
dcterms:created "2022-03-30T14:26:51.875Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Monitor library load events, especially unusual creation of these binary files followed by loading into processes. Look for libraries that are not recognized or not normally loaded into a process."; | |
dcterms:modified "2022-07-07T17:08:56.737Z"^^xsd:dateTime . | |
:relationship--79412658-c213-4746-b03d-c828957d6ddb | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--987988f0-cf86-4680-a875-2f6456ab2448; | |
stix:target_ref :attack-pattern--65917ae0-b854-4139-83fe-bf2441cf0196; | |
dcterms:created "2020-02-04T19:13:24.913Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Applying more restrictive permissions to files and directories could prevent adversaries from modifying their access control lists. Additionally, ensure that user settings regarding local and remote symbolic links are properly set or disabled where unneeded.(Citation: create_sym_links)"; | |
dcterms:modified "2022-10-19T17:48:05.763Z"^^xsd:dateTime . | |
:relationship--9d42a47f-ccdc-42f0-9551-11bf5e2a9616 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--6688d679-ccdb-4f12-abf6-c7545dd767a4; | |
stix:target_ref :attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c; | |
dcterms:created "2019-05-02T00:08:18.466Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[The White Company](https://attack.mitre.org/groups/G0089) has the ability to delete its malware entirely from the target system.(Citation: Cylance Shaheen Nov 2018)"; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--767ce5fe-06f5-4efc-aa41-129fad867c65 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--64d5f96a-f121-4d19-89f6-6709f5c49faa; | |
stix:target_ref :attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18; | |
dcterms:created "2022-07-14T19:35:43.771Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Aoqin Dragon](https://attack.mitre.org/groups/G1007) has run scripts to identify file formats including Microsoft Word.(Citation: SentinelOne Aoqin Dragon June 2022)"; | |
dcterms:modified "2022-07-14T19:35:43.771Z"^^xsd:dateTime . | |
:relationship--aac15fc0-a17b-4295-bf46-b18569bc2c4f | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--2a70812b-f1ef-44db-8578-a496a227aef2; | |
stix:target_ref :attack-pattern--ec8fc7e2-b356-455c-8db5-2e37be158e7d; | |
dcterms:created "2021-01-08T21:16:36.990Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[NETWIRE](https://attack.mitre.org/software/S0198) can copy itself to and launch itself from hidden folders.(Citation: Red Canary NETWIRE January 2020)"; | |
dcterms:modified "2021-01-08T21:16:36.990Z"^^xsd:dateTime . | |
:relationship--91ec91fa-f468-47fa-a931-aeb9b4f74ba3 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5; | |
stix:target_ref :attack-pattern--d742a578-d70e-4d0e-96a6-02a9c30204e6; | |
dcterms:created "2020-08-06T13:39:24.240Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[REvil](https://attack.mitre.org/software/S0496) has infected victim machines through compromised websites and exploit kits.(Citation: Secureworks REvil September 2019)(Citation: McAfee Sodinokibi October 2019)(Citation: Picus Sodinokibi January 2020)(Citation: Secureworks GandCrab and REvil September 2019)"; | |
dcterms:modified "2020-08-06T13:39:24.240Z"^^xsd:dateTime . | |
:relationship--d1f44e84-61cb-4a96-add8-d37a38369e43 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--00806466-754d-44ea-ad6f-0caf59cb8556; | |
stix:target_ref :attack-pattern--322bad5a-1c49-4d23-ab79-76d641794afa; | |
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[TrickBot](https://attack.mitre.org/software/S0266) collects a list of install programs and services on the system’s machine.(Citation: S2 Grupo TrickBot June 2017)"; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--53f5aaf3-b4de-4e31-bf50-a297bb8b61ca | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--326af1cd-78e7-45b7-a326-125d2f7ef8f2; | |
stix:target_ref :attack-pattern--4bed873f-0b7d-41d4-b93a-b6905d1f90b0; | |
dcterms:created "2021-09-07T14:30:30.832Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Crimson](https://attack.mitre.org/software/S0115) can determine when it has been installed on a host for at least 15 days before downloading the final payload.(Citation: Proofpoint Operation Transparent Tribe March 2016)"; | |
dcterms:modified "2021-10-15T14:37:09.933Z"^^xsd:dateTime . | |
:relationship--a6bb9c7f-3e1c-429a-a81d-0d446f4abe9a | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--63686509-069b-4143-99ea-4e59cad6cb2a; | |
stix:target_ref :attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c; | |
dcterms:created "2022-01-11T14:58:01.963Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[DarkWatchman](https://attack.mitre.org/software/S0673) has the ability to self-extract as a RAR archive.(Citation: Prevailion DarkWatchman 2021)"; | |
dcterms:modified "2022-04-17T19:32:44.438Z"^^xsd:dateTime . | |
:relationship--d07f2da6-6497-414f-96c1-9dd60155b169 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--f6d1d2cb-12f5-4221-9636-44606ea1f3f8; | |
stix:target_ref :attack-pattern--3489cfc5-640f-4bb3-a103-9137b97de79f; | |
dcterms:created "2018-01-16T16:13:52.465Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[OSInfo](https://attack.mitre.org/software/S0165) discovers shares on the network(Citation: Symantec Buckeye)"; | |
dcterms:modified "2020-03-18T20:19:35.787Z"^^xsd:dateTime . | |
:relationship--406afc1a-4ea7-45c5-b137-7784f9ed53f3 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--53cf6cc4-65aa-445a-bcf8-c3d296f8a7a2; | |
stix:target_ref :attack-pattern--7bd9c723-2f78-4309-82c5-47cad406572b; | |
dcterms:created "2020-03-17T01:57:57.302Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[NETEAGLE](https://attack.mitre.org/software/S0034) can use HTTP to download resources that contain an IP address and port number pair to connect to for C2.(Citation: FireEye APT30)"; | |
dcterms:modified "2020-03-27T22:10:19.833Z"^^xsd:dateTime . | |
:relationship--552215a4-9761-4dce-8a59-83cd81ca43a8 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--73a80fab-2aa3-48e0-a4d0-3a4828200aee; | |
stix:target_ref :attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62; | |
dcterms:created "2020-05-27T15:31:09.471Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Blue Mockingbird](https://attack.mitre.org/groups/G0108) has used batch script files to automate execution and deployment of payloads.(Citation: RedCanary Mockingbird May 2020)"; | |
dcterms:modified "2020-06-25T13:59:09.803Z"^^xsd:dateTime . | |
:relationship--9d7577f9-2003-4cbc-b7cb-58f2dc20714c | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--72911fe3-f085-40f7-b4f2-f25a4221fe44; | |
stix:target_ref :attack-pattern--2fee9321-3e71-4cf4-af24-d4d40d355b34; | |
dcterms:created "2021-11-16T15:32:34.259Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[FoggyWeb](https://attack.mitre.org/software/S0661)'s loader has used DLL Search Order Hijacking to load malicious code instead of the legitimate `version.dll` during the `Microsoft.IdentityServer.ServiceHost.exe` execution process.(Citation: MSTIC FoggyWeb September 2021)"; | |
dcterms:modified "2022-04-16T01:37:21.677Z"^^xsd:dateTime . | |
:relationship--f1df1a1e-2b64-4308-8f0c-f22221946677 | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--47e0e9fe-96ce-4f65-8bb1-8be1feacb5db; | |
stix:target_ref :attack-pattern--f792d02f-813d-402b-86a5-ab98cb391d3b; | |
dcterms:created "2019-06-25T13:59:33.502Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Use application whitelisting configured to block execution of InstallUtil.exe if it is not required for a given system or network to prevent potential misuse by adversaries."; | |
dcterms:modified "2023-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--05c94aaf-1db8-40ce-9ec2-8628f8e17e20 | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--5f7c9def-0ddf-423b-b1f8-fb2ddeed0ce3; | |
stix:target_ref :attack-pattern--1f9c2bae-b441-4f66-a8af-b65946ee72f2; | |
dcterms:created "2022-03-30T14:26:51.867Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Monitor for creation of access tokens using SAML tokens which do not have corresponding 4769 and 1200 events in the domain.(Citation: Sygnia Golden SAML)"; | |
dcterms:modified "2022-04-14T20:00:36.648Z"^^xsd:dateTime . | |
:relationship--a19231c9-e6b4-4d3f-9c9d-f4e85cba5e3a | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--f74a5069-015d-4404-83ad-5ca01056c0dc; | |
stix:target_ref :attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add; | |
dcterms:created "2022-04-05T19:54:50.810Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Lizar](https://attack.mitre.org/software/S0681) can download additional plugins, files, and tools.(Citation: BiZone Lizar May 2021)"; | |
dcterms:modified "2022-04-05T19:54:50.810Z"^^xsd:dateTime . | |
:relationship--ba2b3c40-f9d2-4663-a5bd-3bb158553572 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--abc5a1d4-f0dc-49d1-88a1-4a80e478bb03; | |
stix:target_ref :tool--3433a9e8-1c47-4320-b9bf-ed449061d1c3; | |
dcterms:created "2021-11-24T21:30:58.058Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "(Citation: MalwareBytes LazyScripter Feb 2021)"; | |
dcterms:modified "2021-11-24T21:30:58.058Z"^^xsd:dateTime . | |
:relationship--2f1588c1-16b9-4cb2-b94c-1756829183ae | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc; | |
stix:target_ref :attack-pattern--01327cde-66c4-4123-bf34-5f258d59457b; | |
dcterms:created "2021-09-23T13:09:35.868Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[FIN7](https://attack.mitre.org/groups/G0046) has used TightVNC to control compromised hosts.(Citation: CrowdStrike Carbon Spider August 2021)"; | |
dcterms:modified "2021-09-23T13:09:35.868Z"^^xsd:dateTime . | |
:relationship--e0c1c9b9-b36e-4157-8dc1-26cd9ae25193 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7; | |
stix:target_ref :attack-pattern--43e7dc91-05b2-474c-b9ac-2ed4fe101f4d; | |
dcterms:created "2019-09-24T12:31:43.678Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[APT41](https://attack.mitre.org/groups/G0096) malware TIDYELF loaded the main WINTERLOVE component by injecting it into the iexplore.exe process.(Citation: FireEye APT41 Aug 2019)"; | |
dcterms:modified "2023-03-23T15:27:10.550Z"^^xsd:dateTime . | |
:relationship--ef463100-ac00-44ab-805b-75e4c8886699 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--f8774023-8021-4ece-9aca-383ac89d2759; | |
stix:target_ref :attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add; | |
dcterms:created "2021-01-25T13:58:25.241Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Dtrack](https://attack.mitre.org/software/S0567)’s can download and upload a file to the victim’s computer.(Citation: Securelist Dtrack)(Citation: CyberBit Dtrack)"; | |
dcterms:modified "2021-03-12T21:10:52.969Z"^^xsd:dateTime . | |
:relationship--b09cad27-7b44-4a57-adf8-dcbcb3cdcb0a | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--0852567d-7958-4f4b-8947-4f840ec8d57d; | |
stix:target_ref :attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a; | |
dcterms:created "2019-01-29T18:23:46.141Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[DOGCALL](https://attack.mitre.org/software/S0213) is encrypted using single-byte XOR.(Citation: Unit 42 Nokki Oct 2018)"; | |
dcterms:modified "2020-03-16T16:43:12.126Z"^^xsd:dateTime . | |
:relationship--553dbb57-1174-494c-9cfd-dbc83ecc74f6 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--af2ad3b7-ab6a-4807-91fd-51bcaff9acbb; | |
stix:target_ref :attack-pattern--47f2d673-ca62-47e9-929b-1b0be9657611; | |
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[USBStealer](https://attack.mitre.org/software/S0136) sets the timestamps of its dropper files to the last-access and last-write timestamps of a standard Windows library chosen on the system.(Citation: ESET Sednit USBStealer 2014)"; | |
dcterms:modified "2020-03-11T17:45:54.124Z"^^xsd:dateTime . | |
:relationship--e3fe170d-55c7-4f98-9d39-6ee28403ce87 | |
rdf:type stix:Relationship; | |
stix:source_ref :attack-pattern--5502c4e9-24ef-4d5f-8ee9-9e906c2f82c4; | |
stix:target_ref :attack-pattern--67073dde-d720-45ae-83da-b12d5e73ca3b; | |
dcterms:created "2020-10-02T16:55:16.136Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:course-of-action--aeff5887-8f9e-48d5-a523-9b395e2ce80a | |
rdf:type stix:CourseOfAction; | |
rdfs:label "Credential Dumping Mitigation"; | |
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "### Windows\nMonitor/harden access to LSASS and SAM table with tools that allow process whitelisting. Limit credential overlap across systems to prevent lateral movement opportunities using [Valid Accounts](https://attack.mitre.org/techniques/T1078) if passwords and hashes are obtained. Ensure that local administrator accounts have complex, unique passwords across all systems on the network. Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled, as this is often equivalent to having a local administrator account with the same password on all systems. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers. (Citation: Microsoft Securing Privileged Access)\n\nOn Windows 8.1 and Windows Server 2012 R2, enable Protected Process Light for LSA. (Citation: Microsoft LSA)\n\nIdentify and block potentially malicious software that may be used to dump credentials by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)\n\nWith Windows 10, Microsoft implemented new protections called Credential Guard to protect the LSA secrets that can be used to obtain credentials through forms of credential dumping. It is not configured by default and has hardware and firmware system requirements. (Citation: TechNet Credential Guard) It also does not protect against all forms of credential dumping. (Citation: GitHub SHB Credential Guard)\n\nManage the access control list for “Replicating Directory Changes” and other permissions associated with domain controller replication. (Citation: AdSecurity DCSync Sept 2015) (Citation: Microsoft Replication ACL)\n\nConsider disabling or restricting NTLM traffic. (Citation: Microsoft Disable NTLM Nov 2012)\n\n### Linux\nScraping the passwords from memory requires root privileges. Follow best practices in restricting access to escalated privileges to avoid hostile programs from accessing such sensitive regions of memory."; | |
dcterms:modified "2021-08-23T20:25:19.916Z"^^xsd:dateTime . | |
:relationship--bb283a5e-7d61-4b33-aa30-e7c2f0bacbe6 | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--39706d54-0d06-4a25-816a-78cc43455100; | |
stix:target_ref :attack-pattern--1b7ba276-eedc-4951-a762-0ceea2c030ec; | |
dcterms:created "2017-05-31T21:33:27.020Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:modified "2023-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--59c65423-347b-4a09-a24d-c228faaa5119 | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a; | |
stix:target_ref :attack-pattern--cabe189c-a0e3-4965-a473-dcff00f17213; | |
dcterms:created "2020-10-15T12:05:58.908Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Train users to be suspicious about certificate errors. Adversaries may use their own certificates in an attempt to intercept HTTPS traffic. Certificate errors may arise when the application’s certificate does not match the one expected by the host."; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--9f89d00f-fc0f-4dbb-9b54-3553821bf7ef | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--23b6a0f5-fa95-46f9-a6f3-4549c5e45ec8; | |
stix:target_ref :attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161; | |
dcterms:created "2019-01-30T18:02:59.294Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Night Dragon](https://attack.mitre.org/groups/G0014) has used HTTP for C2.(Citation: McAfee Night Dragon)"; | |
dcterms:modified "2022-10-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--9764e270-8c29-47c1-90c2-31f7d57a17c6 | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077; | |
stix:target_ref :attack-pattern--824add00-99a1-4b15-9a2d-6c5683b7b497; | |
dcterms:created "2022-03-30T14:26:51.845Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Monitor newly executed processes that may downgrade or use a version of system features that may be outdated, vulnerable, and/or does not support updated security controls such as logging."; | |
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--4a0ee05d-f020-4811-bba6-56d12c15e275 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--269e8108-68c6-4f99-b911-14b2e765dec2; | |
stix:target_ref :attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67; | |
dcterms:created "2020-03-18T18:01:36.710Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[MuddyWater](https://attack.mitre.org/groups/G0069) has used VBScript files to execute its [POWERSTATS](https://attack.mitre.org/software/S0223) payload, as well as macros.(Citation: FireEye MuddyWater Mar 2018)(Citation: MuddyWater TrendMicro June 2018)(Citation: Securelist MuddyWater Oct 2018)(Citation: Symantec MuddyWater Dec 2018)(Citation: ClearSky MuddyWater Nov 2018)(Citation: ClearSky MuddyWater June 2019)(Citation: Reaqta MuddyWater November 2017)(Citation: Trend Micro Muddy Water March 2021)(Citation: Talos MuddyWater Jan 2022)"; | |
dcterms:modified "2022-09-28T19:34:31.102Z"^^xsd:dateTime . | |
:attack-pattern--43ba2b05-cf72-4b6c-8243-03a4aba41ee0 | |
rdf:type d3f:OffensiveTechnique; | |
rdfs:label "Login Hook"; | |
dcterms:created "2020-01-10T16:01:15.995Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Adversaries may use a Login Hook to establish persistence executed upon user logon. A login hook is a plist file that points to a specific script to execute with root privileges upon user logon. The plist file is located in the <code>/Library/Preferences/com.apple.loginwindow.plist</code> file and can be modified using the <code>defaults</code> command-line utility. This behavior is the same for logout hooks where a script can be executed upon user logout. All hooks require administrator permissions to modify or create hooks.(Citation: Login Scripts Apple Dev)(Citation: LoginWindowScripts Apple Dev) \n\nAdversaries can add or insert a path to a malicious script in the <code>com.apple.loginwindow.plist</code> file, using the <code>LoginHook</code> or <code>LogoutHook</code> key-value pair. The malicious script is executed upon the next user login. If a login hook already exists, adversaries can add additional commands to an existing login hook. There can be only one login and logout hook on a system at a time.(Citation: S1 macOs Persistence)(Citation: Wardle Persistence Chapter)\n\n**Note:** Login hooks were deprecated in 10.11 version of macOS in favor of [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) and [Launch Agent](https://attack.mitre.org/techniques/T1543/001) "; | |
dcterms:modified "2022-05-11T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--9267fe42-6290-4342-8024-38d703db4376 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--fb261c56-b80e-43a9-8351-c84081e7213d; | |
stix:target_ref :attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d; | |
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Adversaries can direct [BACKSPACE](https://attack.mitre.org/software/S0031) to upload files to the C2 Server.(Citation: FireEye APT30)"; | |
dcterms:modified "2020-03-17T00:19:38.020Z"^^xsd:dateTime . | |
:relationship--c7c1411a-42c8-4d7e-9b56-0465370759de | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--da5880b4-f7da-4869-85f2-e0aba84b8565; | |
stix:target_ref :attack-pattern--f3c544dc-673c-4ef3-accb-53229f1ae077; | |
dcterms:created "2020-12-11T20:13:44.830Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[ComRAT](https://attack.mitre.org/software/S0126) has checked the victim system's date and time to perform tasks during business hours (9 to 5, Monday to Friday).(Citation: CISA ComRAT Oct 2020) "; | |
dcterms:modified "2020-12-23T19:34:12.439Z"^^xsd:dateTime . | |
:relationship--4bd59ceb-eb44-45c0-b775-3eaea3307455 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--35ee9bf3-264b-4411-8a8f-b58cec8f35e4; | |
stix:target_ref :attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add; | |
dcterms:created "2022-06-02T13:15:25.600Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[PowerLess](https://attack.mitre.org/software/S1012) can download additional payloads to a compromised host.(Citation: Cybereason PowerLess February 2022)"; | |
dcterms:modified "2022-06-02T19:51:49.818Z"^^xsd:dateTime . | |
:relationship--4b5948b4-eba5-4af6-93d1-71b109167f62 | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8; | |
stix:target_ref :attack-pattern--890c9858-598c-401d-a4d5-c67ebcdd703a; | |
dcterms:created "2019-10-08T19:55:33.729Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Administrators should audit all cloud and container accounts to ensure that they are necessary and that the permissions granted to them are appropriate. Additionally, administrators should perform an audit of all OAuth applications and the permissions they have been granted to access organizational data. This should be done extensively on all applications in order to establish a baseline, followed up on with periodic audits of new or updated applications. Suspicious applications should be investigated and removed."; | |
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--bdb0d192-3d82-4e5b-92bc-7ef24fd3e65b | |
rdf:type stix:Relationship; | |
stix:source_ref :tool--cb69b20d-56d0-41ab-8440-4a4b251614d4; | |
stix:target_ref :attack-pattern--25659dd6-ea12-45c4-97e6-381e3e4b593e; | |
dcterms:created "2018-04-18T17:59:24.739Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Pupy](https://attack.mitre.org/software/S0192) uses PowerView and Pywerview to perform discovery commands such as net user, net group, net local group, etc.(Citation: GitHub Pupy)"; | |
dcterms:modified "2020-03-18T20:37:22.672Z"^^xsd:dateTime . | |
:relationship--7d8a984d-676d-47bf-a660-00c43ab49985 | |
rdf:type stix:Relationship; | |
stix:source_ref :campaign--808d6b30-df4e-4341-8248-724da4bac650; | |
stix:target_ref :tool--afc079f3-c0ea-4096-b75d-3f05338b7f60; | |
dcterms:created "2023-03-26T22:03:54.870Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "(Citation: Microsoft 365 Defender Solorigate)(Citation: CrowdStrike StellarParticle January 2022)"; | |
dcterms:modified "2023-03-26T22:03:54.870Z"^^xsd:dateTime . | |
:relationship--02eba953-12a6-434a-bc67-2337864cf560 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--c984b414-b766-44c5-814a-2fe96c913c12; | |
stix:target_ref :attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a; | |
dcterms:created "2020-07-16T15:23:48.759Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Kessel](https://attack.mitre.org/software/S0487)'s configuration is hardcoded and RC4 encrypted within the binary.(Citation: ESET ForSSHe December 2018)"; | |
dcterms:modified "2020-07-16T15:23:48.759Z"^^xsd:dateTime . | |
:relationship--9f62c4e4-02d4-497b-8039-cc4e816386a5 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a; | |
stix:target_ref :tool--5a63f900-5e7e-4928-a746-dd4558e1df71; | |
dcterms:created "2017-05-31T21:33:27.070Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "(Citation: Novetta Blockbuster Loaders)"; | |
dcterms:modified "2019-12-20T14:28:39.536Z"^^xsd:dateTime . | |
:relationship--0fc8acc1-9751-4578-8f0e-29a8f0ef5cc8 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--247cb30b-955f-42eb-97a5-a89fef69341e; | |
stix:target_ref :attack-pattern--6ff403bc-93e3-48be-8687-e102fdba8c88; | |
dcterms:created "2019-04-15T20:57:46.690Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[APT32](https://attack.mitre.org/groups/G0050) uses UPX to pack their macOS backdoor."; | |
dcterms:modified "2019-10-23T14:19:37.289Z"^^xsd:dateTime . | |
:relationship--25527270-616e-4c53-a85a-03fc0b1e9a96 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--129f2f77-1ab2-4c35-bd5e-21260cee92af; | |
stix:target_ref :attack-pattern--f6ad61ee-65f3-4bd0-a3f5-2f0accb36317; | |
dcterms:created "2022-08-19T19:49:03.537Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[EXOTIC LILY](https://attack.mitre.org/groups/G1011) has used the e-mail notification features of legitimate file sharing services for spearphishing.(Citation: Google EXOTIC LILY March 2022)"; | |
dcterms:modified "2022-08-19T19:49:03.537Z"^^xsd:dateTime . | |
:relationship--731d14c6-a141-4e71-ac61-c344636e13d5 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90; | |
stix:target_ref :attack-pattern--d742a578-d70e-4d0e-96a6-02a9c30204e6; | |
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[BRONZE BUTLER](https://attack.mitre.org/groups/G0060) compromised three Japanese websites using a Flash exploit to perform watering hole attacks.(Citation: Symantec Tick Apr 2016)"; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--91eab726-0a0c-4898-8376-66987fd1037c | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--9af05de0-bc09-4511-a350-5eb8b06185c1; | |
stix:target_ref :attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add; | |
dcterms:created "2019-01-29T21:33:34.617Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[BadPatch](https://attack.mitre.org/software/S0337) can download and execute or update malware.(Citation: Unit 42 BadPatch Oct 2017)"; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--14e02371-ba11-459d-9662-188e85d3cf7c | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--4e9bdf9a-4957-47f6-87b3-c76898d3f623; | |
stix:target_ref :attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104; | |
dcterms:created "2021-11-12T19:02:16.541Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Diavol](https://attack.mitre.org/software/S0659) can collect the username from a compromised host.(Citation: Fortinet Diavol July 2021)"; | |
dcterms:modified "2022-03-09T17:40:40.609Z"^^xsd:dateTime . | |
:relationship--164aec0b-1e3e-4e79-b9c3-43d602a1674a | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--aaf3fa65-8b27-4e68-91de-2b7738fe4c82; | |
stix:target_ref :attack-pattern--b80d107d-fa0d-4b60-9684-b0433e8bdba0; | |
dcterms:created "2019-06-18T17:20:43.762Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[JCry](https://attack.mitre.org/software/S0389) has encrypted files and demanded Bitcoin to decrypt those files. (Citation: Carbon Black JCry May 2019)"; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--3a9abcd5-52ba-44f1-96a5-1593f816b9f0 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--ccd61dfc-b03f-4689-8c18-7c97eab08472; | |
stix:target_ref :attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161; | |
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Various implementations of [CHOPSTICK](https://attack.mitre.org/software/S0023) communicate with C2 over HTTP.(Citation: ESET Sednit Part 2)"; | |
dcterms:modified "2020-03-17T00:35:36.650Z"^^xsd:dateTime . | |
:relationship--2d7d8a67-c32a-4054-9680-6ecae87ded68 | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--78bb71be-92b4-46de-acd6-5f998fedf1cc; | |
stix:target_ref :attack-pattern--df1bc34d-1634-4c93-b89e-8120994fce77; | |
dcterms:created "2022-07-08T12:46:35.590Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. "; | |
dcterms:modified "2022-07-08T12:46:35.590Z"^^xsd:dateTime . | |
:relationship--283ba525-5180-461a-989b-87fc2f896ed7 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--11e36d5b-6a92-4bf9-8eb7-85eb24f59e22; | |
stix:target_ref :attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62; | |
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[KEYMARBLE](https://attack.mitre.org/software/S0271) can execute shell commands using cmd.exe.(Citation: US-CERT KEYMARBLE Aug 2018)"; | |
dcterms:modified "2020-03-20T02:14:26.689Z"^^xsd:dateTime . | |
:relationship--b69424ec-3af6-44aa-842a-81fba219b9f4 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--9e729a7e-0dd6-4097-95bf-db8d64911383; | |
stix:target_ref :attack-pattern--32901740-b42c-4fdd-bc02-345b5dc57082; | |
dcterms:created "2017-05-31T21:33:27.047Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Darkhotel](https://attack.mitre.org/groups/G0012) has used code-signing certificates on its malware that are either forged due to weak keys or stolen. [Darkhotel](https://attack.mitre.org/groups/G0012) has also stolen certificates and signed backdoors and downloaders with them.(Citation: Kaspersky Darkhotel)(Citation: Securelist Darkhotel Aug 2015)"; | |
dcterms:modified "2020-03-16T20:05:43.409Z"^^xsd:dateTime . | |
:relationship--4a942244-9b88-43d0-9a1c-c0277e7903e8 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--4efc3e00-72f2-466a-ab7c-8a7dc6603b19; | |
stix:target_ref :attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2; | |
dcterms:created "2021-01-19T21:06:07.795Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Raindrop](https://attack.mitre.org/software/S0565) was installed under names that resembled legitimate Windows file and directory names.(Citation: Symantec RAINDROP January 2021)(Citation: Microsoft Deep Dive Solorigate January 2021)"; | |
dcterms:modified "2021-01-25T18:23:23.380Z"^^xsd:dateTime . | |
:relationship--6017ff5f-e522-45fe-857a-e4fef38a6349 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--a7881f21-e978-4fe4-af56-92c9416a2616; | |
stix:target_ref :attack-pattern--322bad5a-1c49-4d23-ab79-76d641794afa; | |
dcterms:created "2021-05-17T19:26:45.791Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Cobalt Strike](https://attack.mitre.org/software/S0154) can enumerate services on compromised hosts.(Citation: Cobalt Strike Manual 4.3 November 2020)"; | |
dcterms:modified "2021-10-18T19:54:13.323Z"^^xsd:dateTime . | |
:relationship--1e0fdaa6-7a6f-4bd6-a1ef-3ee85d1d89b2 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--8beac7c2-48d2-4cd9-9b15-6c452f38ac06; | |
stix:target_ref :attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580; | |
dcterms:created "2019-06-07T14:53:09.049Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Ixeshe](https://attack.mitre.org/software/S0015) can list running processes.(Citation: Trend Micro IXESHE 2012)"; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--2325c0b2-fb89-44e1-9206-e495811f2907 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a; | |
stix:target_ref :attack-pattern--a10641f4-87b4-45a3-a906-92a149cb2c27; | |
dcterms:created "2017-05-31T21:33:27.066Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Lazarus Group](https://attack.mitre.org/groups/G0032) malware WhiskeyDelta-Two contains a function that attempts to rename the administrator’s account.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware)"; | |
dcterms:modified "2022-07-28T18:55:36.001Z"^^xsd:dateTime . | |
:relationship--162a051d-a551-4b8c-875a-75264768e541 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--9ea525fa-b0a9-4dde-84f2-bcea0137b3c1; | |
stix:target_ref :attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32; | |
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[MoonWind](https://attack.mitre.org/software/S0149) installs itself as a new service with automatic startup to establish persistence. The service checks every 60 seconds to determine if the malware is running; if not, it will spawn a new instance.(Citation: Palo Alto MoonWind March 2017)"; | |
dcterms:modified "2020-03-20T17:34:12.521Z"^^xsd:dateTime . | |
:relationship--d18f30d7-deca-457c-b993-c87843ae3bab | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--c21dd6f1-1364-4a70-a1f7-783080ec34ee; | |
stix:target_ref :tool--2f7f03bb-f367-4a5a-ad9b-310a12a48906; | |
dcterms:created "2023-09-14T18:58:53.520Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "(Citation: CrowdStrike PIONEER KITTEN August 2020)"; | |
dcterms:modified "2023-09-14T18:58:53.520Z"^^xsd:dateTime . | |
:relationship--7a2f70b7-7b6e-4c05-8f71-42a494b055ce | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--1f21da59-6a13-455b-afd0-d58d0a5a7d27; | |
stix:target_ref :attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597; | |
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Gorgon Group](https://attack.mitre.org/groups/G0078) sent emails to victims with malicious Microsoft Office documents attached.(Citation: Unit 42 Gorgon Group Aug 2018)"; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--eaaa3ad9-1bac-4355-901a-7ea888ab4bdc | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--590777b3-b475-4c7c-aaf8-f4a73b140312; | |
stix:target_ref :attack-pattern--6e6845c2-347a-4a6f-a2d1-b74a18ebd352; | |
dcterms:created "2019-06-25T12:42:56.899Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "On Windows 8.1 and Server 2012 R2, enable LSA Protection by setting the Registry key <code>HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\RunAsPPL</code> to <code>dword:00000001</code>. (Citation: Microsoft LSA Protection Mar 2014) LSA Protection ensures that LSA plug-ins and drivers are only loaded if they are digitally signed with a Microsoft signature and adhere to the Microsoft Security Development Lifecycle (SDL) process guidance."; | |
dcterms:modified "2023-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--1cd41777-3d65-4e39-8de7-3951d1568c16 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--e7a5229f-05eb-440e-b982-9a6d2b2b87c8; | |
stix:target_ref :attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e; | |
dcterms:created "2020-05-19T17:32:26.498Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Agent Tesla](https://attack.mitre.org/software/S0331) has been executed through malicious e-mail attachments (Citation: Bitdefender Agent Tesla April 2020)"; | |
dcterms:modified "2020-05-20T13:38:07.117Z"^^xsd:dateTime . | |
:relationship--d0b1714b-a9d5-4450-9200-337d164dc897 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924; | |
stix:target_ref :attack-pattern--c8e87b83-edbb-48d4-9295-4974897525b7; | |
dcterms:created "2019-01-29T20:17:49.356Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Tropic Trooper](https://attack.mitre.org/groups/G0081) has leveraged the BITSadmin command-line tool to create a job and launch a malicious process."; | |
dcterms:modified "2019-10-23T14:19:37.289Z"^^xsd:dateTime . | |
:relationship--fa27f615-56c5-4089-bcda-657999868e53 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--47afe41c-4c08-485e-b062-c3bd209a1cce; | |
stix:target_ref :attack-pattern--be2dcee9-a7a7-4e38-afd6-21b31ecc3d63; | |
dcterms:created "2020-07-17T17:34:21.437Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[InvisiMole](https://attack.mitre.org/software/S0260) has installed legitimate but vulnerable Total Video Player software and wdigest.dll library drivers on compromised hosts to exploit stack overflow and input validation vulnerabilities for code execution.(Citation: ESET InvisiMole June 2020)"; | |
dcterms:modified "2020-08-17T14:08:27.413Z"^^xsd:dateTime . | |
:relationship--a6350331-0c0d-4d0d-90a3-d5cc3e420875 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--5a3a31fe-5a8f-48e1-bff0-a753e5b1be70; | |
stix:target_ref :attack-pattern--47f2d673-ca62-47e9-929b-1b0be9657611; | |
dcterms:created "2019-04-23T15:51:37.516Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[China Chopper](https://attack.mitre.org/software/S0020)'s server component can change the timestamp of files.(Citation: FireEye Periscope March 2018)(Citation: Lee 2013)(Citation: NCSC Joint Report Public Tools)"; | |
dcterms:modified "2021-01-25T15:43:46.040Z"^^xsd:dateTime . | |
:relationship--d7c40b1d-efe6-4869-9754-6494d45f51f1 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--95047f03-4811-4300-922e-1ba937d53a61; | |
stix:target_ref :attack-pattern--f6dacc85-b37d-458e-b58d-74fc4bbf5755; | |
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Hikit](https://attack.mitre.org/software/S0009) supports peer connections.(Citation: Novetta-Axiom)"; | |
dcterms:modified "2023-03-20T22:03:44.687Z"^^xsd:dateTime . | |
:relationship--70b1afda-98b8-4c7c-ad41-ceb2b45af5d4 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--7e0f8b0f-716e-494d-827e-310bd6ed709e; | |
stix:target_ref :attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279; | |
dcterms:created "2021-10-14T16:29:19.187Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[SMOKEDHAM](https://attack.mitre.org/software/S0649) has used <code>reg.exe</code> to create a Registry Run key.(Citation: FireEye SMOKEDHAM June 2021)"; | |
dcterms:modified "2021-10-14T16:29:19.187Z"^^xsd:dateTime . | |
:relationship--72d641a0-126d-4bb2-98de-9f8ec46a8d9d | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a; | |
stix:target_ref :attack-pattern--6a5d222a-a7e0-4656-b110-782c33098289; | |
dcterms:created "2023-09-08T19:21:18.129Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Users can be trained to identify and report social engineering techniques and spearphishing attempts, while also being suspicious of and verifying the identify of callers.(Citation: CISA Phishing)"; | |
dcterms:modified "2023-09-08T20:31:23.077Z"^^xsd:dateTime . | |
:relationship--a4ceb321-f21d-4c62-9b49-cb0c64f0008e | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--80a014ba-3fef-4768-990b-37d8bd10d7f4; | |
stix:target_ref :attack-pattern--c325b232-d5bc-4dde-a3ec-71f3db9e8adc; | |
dcterms:created "2023-06-23T20:07:13.475Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Uroburos](https://attack.mitre.org/software/S0022) can use custom communication methodologies that ride over common protocols including TCP, UDP, HTTP, SMTP, and DNS in order to blend with normal network traffic. (Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)"; | |
dcterms:modified "2023-06-23T20:07:13.475Z"^^xsd:dateTime . | |
:relationship--19bede58-549b-4e7d-b206-6045370b9995 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--35d1b3be-49d4-42f1-aaa6-ef159c880bca; | |
stix:target_ref :attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279; | |
dcterms:created "2021-10-01T01:57:31.664Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[TeamTNT](https://attack.mitre.org/groups/G0139) has added batch scripts to the startup folder.(Citation: ATT TeamTNT Chimaera September 2020)"; | |
dcterms:modified "2021-10-12T18:18:25.376Z"^^xsd:dateTime . | |
:relationship--41ca57db-9736-4adf-ac5d-ea2be2ab4860 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--090242d7-73fc-4738-af68-20162f7a5aae; | |
stix:target_ref :attack-pattern--88d31120-5bc7-4ce3-a9c0-7cf147be8e54; | |
dcterms:created "2020-10-13T22:33:14.086Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[APT17](https://attack.mitre.org/groups/G0025) has created profile pages in Microsoft TechNet that were used as C2 infrastructure.(Citation: FireEye APT17)"; | |
dcterms:modified "2020-10-13T22:33:14.086Z"^^xsd:dateTime . | |
:relationship--e28ddc1d-83a4-4382-a4dc-e55a60aa399d | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--11194d8b-fdce-45d2-8047-df15bb8f16bd; | |
stix:target_ref :attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c; | |
dcterms:created "2019-08-26T13:02:46.951Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Exaramel for Linux](https://attack.mitre.org/software/S0401) uses crontab for persistence if it does not have root privileges.(Citation: ESET TeleBots Oct 2018)(Citation: ANSSI Sandworm January 2021)"; | |
dcterms:modified "2021-03-31T15:43:38.134Z"^^xsd:dateTime . | |
:relationship--324a715b-5d89-41a1-957e-3214badee119 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--a0cb9370-e39b-44d5-9f50-ef78e412b973; | |
stix:target_ref :attack-pattern--810d8072-afb6-4a56-9ee7-86379ac4a6f3; | |
dcterms:created "2022-01-07T15:57:14.853Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Axiom](https://attack.mitre.org/groups/G0001) has used large groups of compromised machines for use as proxy nodes.(Citation: Novetta-Axiom)"; | |
dcterms:modified "2023-03-20T22:03:44.676Z"^^xsd:dateTime . | |
:relationship--08e9dd54-cd91-440e-84d0-f86494ad0a3a | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--eb88d97c-32f1-40be-80f0-d61a4b0b4b31; | |
stix:target_ref :attack-pattern--215190a9-9f02-4e83-bb5f-e0589965a302; | |
dcterms:created "2019-06-24T19:32:19.533Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Regsvcs and Regasm may not be necessary within a given environment."; | |
dcterms:modified "2023-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--93b08370-9c05-47df-b067-368343dba24a | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--8ec6e3b4-b06d-4805-b6aa-af916acc2122; | |
stix:target_ref :attack-pattern--29be378d-262d-4e99-b00d-852d573628e6; | |
dcterms:created "2019-04-18T00:26:13.521Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[RogueRobin](https://attack.mitre.org/software/S0270) uses WMI to check BIOS version for VBOX, bochs, qemu, virtualbox, and vm to check for evidence that the script might be executing within an analysis environment. (Citation: Unit 42 DarkHydrus July 2018)(Citation: Unit42 DarkHydrus Jan 2019)"; | |
dcterms:modified "2020-03-16T18:30:11.263Z"^^xsd:dateTime . | |
:relationship--7bd145ae-5ad2-48cc-8438-5b9ec8ed5414 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--d18cb958-f4ad-4fb3-bb4f-e8994d206550; | |
stix:target_ref :attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c; | |
dcterms:created "2021-03-11T16:52:13.976Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Penquin](https://attack.mitre.org/software/S0587) can use Cron to create periodic and pre-scheduled background jobs.(Citation: Leonardo Turla Penquin May 2020)"; | |
dcterms:modified "2022-09-28T21:27:07.139Z"^^xsd:dateTime . | |
:relationship--4762aa33-bcb3-49d4-b565-f8374cb9c996 | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba; | |
stix:target_ref :attack-pattern--c3888c54-775d-4b2f-b759-75a2ececcbfd; | |
dcterms:created "2022-03-30T14:26:51.841Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Monitor for newly constructed network connections that are sent or received by untrusted hosts or uncommon data flows (e.g. unusual network communications or suspicious communications sending fixed size data packets at regular intervals as well as unusually long connection patterns). Consider analyzing packet contents to detect application layer protocols, leveraging SSL/TLS inspection for encrypted traffic, that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, protocol port mismatch, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments (e.g. monitor anomalies in use of files that do not normally initiate network connections or unusual connections initiated"; | |
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--8a86cd72-8386-4c75-8362-7b9020add12b | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--fd66436e-4d33-450e-ac4c-f7810f1c85f4; | |
stix:target_ref :attack-pattern--e624264c-033a-424d-9fd7-fc9c3bbdb03e; | |
dcterms:created "2023-07-28T17:52:58.109Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[FIN13](https://attack.mitre.org/groups/G1016) has used the PowerShell utility `Invoke-SMBExec` to execute the pass the hash method for lateral movement within an compromised environment.(Citation: Mandiant FIN13 Aug 2022)"; | |
dcterms:modified "2023-10-03T14:35:01.966Z"^^xsd:dateTime . | |
:relationship--0b37289c-b118-45f7-98b2-5efe06cbf0b2 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--1b9f0800-035e-4ed1-9648-b18294cc5bc8; | |
stix:target_ref :attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1; | |
dcterms:created "2020-06-02T15:39:14.548Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[CARROTBAT](https://attack.mitre.org/software/S0462) has the ability to determine the operating system of the compromised host and whether Windows is being run with x86 or x64 architecture.(Citation: Unit 42 CARROTBAT November 2018)(Citation: Unit 42 CARROTBAT January 2020)"; | |
dcterms:modified "2020-06-10T15:05:57.806Z"^^xsd:dateTime . | |
:relationship--720cc0d6-9285-425b-bda2-3bdd59b4ea8f | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--495b6cdb-7b5a-4fbc-8d33-e7ef68806d08; | |
stix:target_ref :attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add; | |
dcterms:created "2018-01-16T16:13:52.465Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Volgmer](https://attack.mitre.org/software/S0180) can download remote files and additional payloads to the victim's machine.(Citation: US-CERT Volgmer Nov 2017)(Citation: US-CERT Volgmer 2 Nov 2017)(Citation: Symantec Volgmer Aug 2014)"; | |
dcterms:modified "2023-03-26T20:40:35.185Z"^^xsd:dateTime . | |
:relationship--ea8e9109-739f-485c-8d13-fb5ed6b2fdcd | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--959f3b19-2dc8-48d5-8942-c66813a5101a; | |
stix:target_ref :attack-pattern--bf176076-b789-408e-8cba-7275e81c0ada; | |
dcterms:created "2020-09-29T19:16:57.927Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[WellMail](https://attack.mitre.org/software/S0515) can use hard coded client and certificate authority certificates to communicate with C2 over mutual TLS.(Citation: CISA WellMail July 2020)(Citation: NCSC APT29 July 2020)"; | |
dcterms:modified "2020-09-30T15:07:31.159Z"^^xsd:dateTime . | |
:relationship--f4a0f496-b47c-4bdf-affb-b57fb17203db | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--247cb30b-955f-42eb-97a5-a89fef69341e; | |
stix:target_ref :attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279; | |
dcterms:created "2019-01-31T01:07:58.711Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[APT32](https://attack.mitre.org/groups/G0050) established persistence using Registry Run keys, both to execute PowerShell and VBS scripts as well as to execute their backdoor directly.(Citation: Cybereason Oceanlotus May 2017)(Citation: Cybereason Cobalt Kitty 2017)(Citation: ESET OceanLotus Mar 2019)"; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--2355c588-ff82-4eaf-82db-54af59ede582 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--fde50aaa-f5de-4cb8-989a-babb57d6a704; | |
stix:target_ref :attack-pattern--1d24cdee-9ea2-4189-b08e-af110bf2435d; | |
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Net Crawler](https://attack.mitre.org/software/S0056) uses a list of known credentials gathered through credential dumping to guess passwords to accounts as it spreads throughout a network.(Citation: Cylance Cleaver)"; | |
dcterms:modified "2022-07-22T18:37:22.187Z"^^xsd:dateTime . | |
:relationship--401790f5-abf5-4523-ac98-b200d3b34a7e | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--edc5e045-5401-42bb-ad92-52b5b2ee0de9; | |
stix:target_ref :attack-pattern--f3c544dc-673c-4ef3-accb-53229f1ae077; | |
dcterms:created "2021-09-30T14:01:31.859Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[QakBot](https://attack.mitre.org/software/S0650) can identify the system time on a targeted host.(Citation: Kaspersky QakBot September 2021)"; | |
dcterms:modified "2021-09-30T14:01:31.859Z"^^xsd:dateTime . | |
:relationship--5ef4206d-aaa0-47c4-bed2-9c803a9d4585 | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0; | |
stix:target_ref :attack-pattern--79a47ad0-fc3b-4821-9f01-a026b1ddba21; | |
dcterms:created "2022-03-30T14:26:51.859Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Monitor executed commands and arguments that may abuse Microsoft Office templates to obtain persistence on a compromised system."; | |
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--f9600732-9116-4325-8073-28d81721b37a | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f; | |
stix:target_ref :tool--ff6caf67-ea1f-4895-b80e-4bb0fc31c6db; | |
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "(Citation: PWC Cloud Hopper Technical Annex April 2017)(Citation: FireEye APT10 April 2017)"; | |
dcterms:modified "2023-03-23T15:14:18.653Z"^^xsd:dateTime . | |
:relationship--cbfb1a32-4582-4ecb-8a0e-4c76caaa5063 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--3fc023b2-c5cc-481d-9c3e-70141ae1a87e; | |
stix:target_ref :attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597; | |
dcterms:created "2021-01-27T16:43:48.406Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Sidewinder](https://attack.mitre.org/groups/G0121) has sent e-mails with malicious attachments often crafted for specific targets.(Citation: ATT Sidewinder January 2021)"; | |
dcterms:modified "2021-04-06T22:07:34.012Z"^^xsd:dateTime . | |
:relationship--da331399-4c9f-4a16-92b1-97e635703c18 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--d13c8a7f-740b-4efa-a232-de7d6bb05321; | |
stix:target_ref :tool--d8d19e33-94fd-4aa3-b94a-08ee801a2153; | |
dcterms:created "2020-05-06T03:13:43.392Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "(Citation: Group IB Silence Sept 2018)"; | |
dcterms:modified "2020-05-06T03:13:43.392Z"^^xsd:dateTime . | |
:relationship--4269342d-fd7b-4fc6-882f-5099da627c85 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924; | |
stix:target_ref :attack-pattern--ec8fc7e2-b356-455c-8db5-2e37be158e7d; | |
dcterms:created "2019-01-29T20:17:49.308Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Tropic Trooper](https://attack.mitre.org/groups/G0081) has created a hidden directory under <code>C:\\ProgramData\\Apple\\Updates\\</code> and <code>C:\\Users\\Public\\Documents\\Flash\\</code>.(Citation: TrendMicro Tropic Trooper Mar 2018)(Citation: TrendMicro Tropic Trooper May 2020)"; | |
dcterms:modified "2020-05-21T14:55:00.348Z"^^xsd:dateTime . | |
:relationship--cce47265-080f-4148-b9c9-cd99eb1e2b2f | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--7da0387c-ba92-4553-b291-b636ee42b2eb; | |
stix:target_ref :attack-pattern--02fefddc-fb1b-423f-a76b-7552dd211d4d; | |
dcterms:created "2019-06-13T16:49:49.549Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Use Trusted Platform Module technology and a secure or trusted boot process to prevent system integrity from being compromised. (Citation: TCG Trusted Platform Module) (Citation: TechNet Secure Boot Process) (Citation: TCG Trusted Platform Module) (Citation: TechNet Secure Boot Process)"; | |
dcterms:modified "2023-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--ad87ebba-c4fc-458a-8ccd-c1cbd16ae14d | |
rdf:type stix:Relationship; | |
stix:source_ref :attack-pattern--54ca26f3-c172-4231-93e5-ccebcac2161f; | |
stix:target_ref :attack-pattern--f4c1826f-a322-41cd-9557-562100848c84; | |
dcterms:created "2022-09-28T13:29:53.437Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description ""; | |
dcterms:modified "2022-09-28T13:29:53.437Z"^^xsd:dateTime . | |
:relationship--6b1cc49f-8d94-4f59-a723-2a70c3edf760 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--44102191-3a31-45f8-acbe-34bdb441d5ad; | |
stix:target_ref :attack-pattern--03259939-0b57-482f-8eb5-87c0e0d54334; | |
dcterms:created "2020-05-26T16:17:59.430Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Rocke](https://attack.mitre.org/groups/G0106) has installed an \"init.d\" startup script to maintain persistence.(Citation: Anomali Rocke March 2019)\t"; | |
dcterms:modified "2020-06-11T19:52:07.425Z"^^xsd:dateTime . | |
:relationship--553aadc2-8c1c-4ad7-b974-c65f99f6a892 | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--eb88d97c-32f1-40be-80f0-d61a4b0b4b31; | |
stix:target_ref :attack-pattern--a3e1e6c5-9c74-4fc0-a16c-a9d228c17829; | |
dcterms:created "2020-03-11T13:50:57.110Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Disable Autorun if it is unnecessary. (Citation: Microsoft Disable Autorun) Disallow or restrict removable media at an organizational policy level if they are not required for business operations. (Citation: TechNet Removable Media Control)"; | |
dcterms:modified "2021-10-15T22:48:29.655Z"^^xsd:dateTime . | |
:relationship--3359cfe3-0d04-4fb8-9f2f-1b049bc10cf4 | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--12241367-a8b7-49b4-b86e-2236901ba50c; | |
stix:target_ref :attack-pattern--6aabc5ec-eae6-422c-8311-38d45ee9838a; | |
dcterms:created "2019-06-25T11:24:45.251Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and will be different across various malware families and versions. Adversaries will likely change tool signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2)"; | |
dcterms:modified "2023-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--561ccbcd-578f-4af2-81aa-8594796b6909 | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--93e7968a-9074-4eac-8ae9-9f5200ec3317; | |
stix:target_ref :attack-pattern--8a2f40cf-8325-47f9-96e4-b1ca4c7389bd; | |
dcterms:created "2022-05-27T13:54:57.722Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Ensure that low-privileged user accounts do not have permission to add access keys to accounts. In AWS environments, prohibit users from calling the `sts:GetFederationToken` API unless explicitly required.(Citation: Crowdstrike AWS User Federation Persistence)"; | |
dcterms:modified "2023-03-10T17:27:50.449Z"^^xsd:dateTime . | |
:malware--d906e6f7-434c-44c0-b51a-ed50af8f7945 | |
rdf:type stix:Malware; | |
rdfs:label "njRAT"; | |
dcterms:created "2019-06-04T17:52:28.806Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[njRAT](https://attack.mitre.org/software/S0385) is a remote access tool (RAT) that was first observed in 2012. It has been used by threat actors in the Middle East.(Citation: Fidelis njRAT June 2013)"; | |
dcterms:modified "2023-09-20T20:03:22.206Z"^^xsd:dateTime . | |
:relationship--54f6c1c8-f3c7-44a6-9a00-2195e03cf0ae | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7; | |
stix:target_ref :attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5; | |
dcterms:created "2021-10-08T19:01:06.111Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[APT41](https://attack.mitre.org/groups/G0096) has uploaded files and data from a compromised host.(Citation: Group IB APT 41 June 2021)"; | |
dcterms:modified "2023-03-23T15:45:58.852Z"^^xsd:dateTime . | |
:relationship--67b49860-e1e4-4b56-bf83-108c4ac25e5c | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--5e7ef1dc-7fb6-4913-ac75-e06113b59e0c; | |
stix:target_ref :attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add; | |
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[MiniDuke](https://attack.mitre.org/software/S0051) can download additional encrypted backdoors onto the victim via GIF files.(Citation: Securelist MiniDuke Feb 2013)(Citation: ESET Dukes October 2019)"; | |
dcterms:modified "2020-10-09T16:07:58.859Z"^^xsd:dateTime . | |
:relationship--ccd237b6-c7d6-4941-a1f2-cb563ae90b79 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--7ba0fc46-197d-466d-8b9f-f1c64d5d81e5; | |
stix:target_ref :attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67; | |
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[TYPEFRAME](https://attack.mitre.org/software/S0263) has used a malicious Word document for delivery with VBA macros for execution.(Citation: US-CERT TYPEFRAME June 2018)"; | |
dcterms:modified "2020-06-23T20:40:40.910Z"^^xsd:dateTime . | |
:relationship--951774ce-173c-4aaf-a6e3-515ba497d523 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--2688b13e-8e71-405a-9c40-0dee94bddf87; | |
stix:target_ref :malware--5a3a31fe-5a8f-48e1-bff0-a753e5b1be70; | |
dcterms:created "2021-03-04T14:47:27.385Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "(Citation: Volexity Exchange Marauder March 2021)(Citation: FireEye Exchange Zero Days March 2021)(Citation: Rapid7 HAFNIUM Mar 2021)"; | |
dcterms:modified "2023-02-21T18:34:35.421Z"^^xsd:dateTime . | |
:relationship--a0e4dc2c-1977-4c4c-a5ee-4710fb3ef1a5 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--80a014ba-3fef-4768-990b-37d8bd10d7f4; | |
stix:target_ref :attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1; | |
dcterms:created "2023-06-22T20:48:11.495Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Uroburos](https://attack.mitre.org/software/S0022) has the ability to gather basic system information and run the POSIX API `gethostbyname`.(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)"; | |
dcterms:modified "2023-06-23T20:24:02.395Z"^^xsd:dateTime . | |
:relationship--a3de3705-8085-4992-9b90-1cb8ef532b5c | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c; | |
stix:target_ref :attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104; | |
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "APT28 has queried information on machines to determine the current user or system owner ."; | |
dcterms:modified "2018-10-23T00:14:20.652Z"^^xsd:dateTime . | |
:relationship--9e27c930-eba5-467f-90e5-4ec5b4219735 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--7eda3dd8-b09b-4705-8090-c2ad9fb8c14d; | |
stix:target_ref :attack-pattern--58a3e6aa-4453-4cc8-a51f-4befe80b31a8; | |
dcterms:created "2019-06-24T19:11:41.147Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[TA505](https://attack.mitre.org/groups/G0092) has used malware to gather credentials from Internet Explorer.(Citation: Proofpoint TA505 Sep 2017)"; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--5926c79d-b8a7-419a-b789-7e2ff1ee32b9 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--01e28736-2ffc-455b-9880-ed4d1407ae07; | |
stix:target_ref :attack-pattern--1c34f7aa-9341-4a48-bfab-af22e51aca6c; | |
dcterms:created "2021-10-13T22:50:48.785Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Indrik Spider](https://attack.mitre.org/groups/G0119) has stored collected date in a .tmp file.(Citation: Symantec WastedLocker June 2020)"; | |
dcterms:modified "2021-10-13T22:50:48.785Z"^^xsd:dateTime . | |
:relationship--cc705bf0-ba29-443e-9cd5-aef247505210 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--0bbdf25b-30ff-4894-a1cd-49260d0dd2d9; | |
stix:target_ref :attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279; | |
dcterms:created "2018-01-16T16:13:52.465Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[APT3](https://attack.mitre.org/groups/G0022) places scripts in the startup folder for persistence.(Citation: FireEye Operation Double Tap)"; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:course-of-action--9e57c770-5a39-49a2-bb91-253ba629e3ac | |
rdf:type stix:CourseOfAction; | |
rdfs:label "Security Support Provider Mitigation"; | |
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Windows 8.1, Windows Server 2012 R2, and later versions may make LSA run as a Protected Process Light (PPL) by setting the Registry key <code>HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\RunAsPPL</code>, which requires all SSP DLLs to be signed by Microsoft. (Citation: Graeber 2014) (Citation: Microsoft Configure LSA)"; | |
dcterms:modified "2019-07-25T11:41:39.946Z"^^xsd:dateTime . | |
:relationship--03981d0c-c7d5-4a65-bd8f-1b1a2c1efe2a | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a; | |
stix:target_ref :attack-pattern--c9e0c59e-162e-40a4-b8b1-78fab4329ada; | |
dcterms:created "2023-08-08T19:29:17.546Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Train users to be aware of impersonation tricks and how to counter them, for example confirming incoming requests through an independent platform like a phone call or in-person, to reduce risk."; | |
dcterms:modified "2023-08-23T14:27:47.649Z"^^xsd:dateTime . | |
:relationship--913c67d5-0c5b-40d5-be88-6ce4e5030603 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--54895630-efd2-4608-9c24-319de972a9eb; | |
stix:target_ref :attack-pattern--b5327dd1-6bf9-4785-a199-25bcbd1f4a9d; | |
dcterms:created "2020-06-30T00:18:39.805Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Ragnar Locker](https://attack.mitre.org/software/S0481) has used VirtualBox and a stripped Windows XP virtual machine to run itself. The use of a shared folder specified in the configuration enables [Ragnar Locker](https://attack.mitre.org/software/S0481) to encrypt files on the host operating system, including files on any mapped drives.(Citation: Sophos Ragnar May 2020)"; | |
dcterms:modified "2020-06-30T00:18:39.805Z"^^xsd:dateTime . | |
:relationship--79958f80-16ca-4287-b691-9c748d6baf66 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--f36b2598-515f-4345-84e5-5ccde253edbe; | |
stix:target_ref :attack-pattern--37b11151-1776-4f8f-b328-30939fbf2ceb; | |
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Dok](https://attack.mitre.org/software/S0281) uses AppleScript to create a login item for persistence.(Citation: objsee mac malware 2017)"; | |
dcterms:modified "2020-01-17T19:39:11.377Z"^^xsd:dateTime . | |
:relationship--f5faa97f-761c-4978-8535-2d9a42fcdd6f | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--1492d0f8-7e14-4af3-9239-bc3fe10d3407; | |
stix:target_ref :attack-pattern--246fd3c7-f5e3-466d-8787-4c13d9e3b61c; | |
dcterms:created "2019-06-05T17:31:22.338Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Ursnif](https://attack.mitre.org/software/S0386) has copied itself to and infected files in network drives for propagation.(Citation: TrendMicro Ursnif Mar 2015)(Citation: TrendMicro Ursnif File Dec 2014)"; | |
dcterms:modified "2019-10-23T14:19:37.289Z"^^xsd:dateTime . | |
:relationship--b6cbc9b8-f547-414a-8fb8-b493128c533e | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--93e7968a-9074-4eac-8ae9-9f5200ec3317; | |
stix:target_ref :attack-pattern--c0a384a4-9a25-40e1-97b6-458388474bc8; | |
dcterms:created "2019-07-18T15:32:39.956Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized users can create scheduled jobs."; | |
dcterms:modified "2023-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--2ddb50ab-4c8e-41e6-ba3f-d7718c66f0d5 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--fd66436e-4d33-450e-ac4c-f7810f1c85f4; | |
stix:target_ref :attack-pattern--5d0d3609-d06d-49e1-b9c9-b544e0c618cb; | |
dcterms:created "2023-07-28T17:51:43.218Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[FIN13](https://attack.mitre.org/groups/G1016) has utilized obfuscated and open-source web shells such as JspSpy, reGeorg, MiniWebCmdShell, and Vonloesch Jsp File Browser 1.2 to enable remote code execution and to execute commands on compromised web server.(Citation: Sygnia Elephant Beetle Jan 2022)"; | |
dcterms:modified "2023-10-03T13:54:16.192Z"^^xsd:dateTime . | |
:relationship--8eda78b8-3fd5-4c97-878d-bf2eaa0aa9b5 | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077; | |
stix:target_ref :attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e; | |
dcterms:created "2022-03-30T14:26:51.855Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Monitor for newly constructed processes and/or command-lines for applications that may be used by an adversary to gain initial access that require user interaction. This includes compression applications, such as those for zip files, that can be used to Deobfuscate/Decode Files or Information in payloads."; | |
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime . | |
:tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39 | |
rdf:type stix:Tool; | |
rdfs:label "Cobalt Strike"; | |
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Cobalt Strike](https://attack.mitre.org/software/S0154) is a commercial, full-featured, penetration testing tool which bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system. (Citation: cobaltstrike manual)\n\nIn addition to its own capabilities, [Cobalt Strike](https://attack.mitre.org/software/S0154) leverages the capabilities of other well-known tools such as Metasploit and [Mimikatz](https://attack.mitre.org/software/S0002). (Citation: cobaltstrike manual)"; | |
dcterms:modified "2020-11-12T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--33a382a9-ebb3-48d9-bb7e-394a27783668 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--88c621a7-aef9-4ae0-94e3-1fc87123eb24; | |
stix:target_ref :attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add; | |
dcterms:created "2019-01-29T14:51:06.825Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[gh0st RAT](https://attack.mitre.org/software/S0032) can download files to the victim’s machine.(Citation: Nccgroup Gh0st April 2018)(Citation: Gh0stRAT ATT March 2019)"; | |
dcterms:modified "2021-03-29T19:49:11.254Z"^^xsd:dateTime . | |
:relationship--e32b53b5-b112-483a-8d95-56bf3f43671f | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--2eb9b131-d333-4a48-9eb4-d8dec46c19ee; | |
stix:target_ref :attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9; | |
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[CosmicDuke](https://attack.mitre.org/software/S0050) uses scheduled tasks typically named \"Watchmon Service\" for persistence.(Citation: F-Secure Cosmicduke)"; | |
dcterms:modified "2021-07-20T21:57:36.216Z"^^xsd:dateTime . | |
:relationship--2161578b-44ef-4c44-90ad-2ee8920a3db8 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--8bd47506-29ae-44ea-a5c1-c57e8a1ab6b0; | |
stix:target_ref :attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add; | |
dcterms:created "2021-10-01T21:53:33.660Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[BLUELIGHT](https://attack.mitre.org/software/S0657) can download additional files onto the host.(Citation: Volexity InkySquid BLUELIGHT August 2021) "; | |
dcterms:modified "2021-10-15T16:54:01.153Z"^^xsd:dateTime . | |
:attack-pattern--ed7efd4d-ce28-4a19-a8e6-c58011eb2c7a | |
rdf:type d3f:OffensiveTechnique; | |
rdfs:label "Office Test"; | |
dcterms:created "2019-11-07T19:44:04.475Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Adversaries may abuse the Microsoft Office \"Office Test\" Registry key to obtain persistence on a compromised system. An Office Test Registry location exists that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started. This Registry key is thought to be used by Microsoft to load DLLs for testing and debugging purposes while developing Office applications. This Registry key is not created by default during an Office installation.(Citation: Hexacorn Office Test)(Citation: Palo Alto Office Test Sofacy)\n\nThere exist user and global Registry keys for the Office Test feature:\n\n* <code>HKEY_CURRENT_USER\\Software\\Microsoft\\Office test\\Special\\Perf</code>\n* <code>HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Office test\\Special\\Perf</code>\n\nAdversaries may add this Registry key and specify a malicious DLL that will be executed whenever an Office application, such as Word or Excel, is started."; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--67f7ebd0-effb-4169-a184-7d45c614a6ee | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--1f0f9a14-11aa-49aa-9174-bcd0eaa979de; | |
stix:target_ref :attack-pattern--2fee9321-3e71-4cf4-af24-d4d40d355b34; | |
dcterms:created "2021-01-27T21:26:53.151Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Evilnum](https://attack.mitre.org/groups/G0120) has used the malware variant, TerraTV, to load a malicious DLL placed in the TeamViewer directory, instead of the original Windows DLL located in a system folder.(Citation: ESET EvilNum July 2020) "; | |
dcterms:modified "2021-01-27T21:26:53.151Z"^^xsd:dateTime . | |
:relationship--aa84d43a-4f79-485c-95ea-a375d5f52838 | |
rdf:type stix:Relationship; | |
stix:source_ref :campaign--808d6b30-df4e-4341-8248-724da4bac650; | |
stix:target_ref :attack-pattern--f2877f7f-9a4c-4251-879f-1224e3006bee; | |
dcterms:created "2023-03-26T19:11:10.948Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "During the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024), [APT29](https://attack.mitre.org/groups/G0016) obtained Ticket Granting Service (TGS) tickets for Active Directory Service Principle Names to crack offline.(Citation: Microsoft Deep Dive Solorigate January 2021)"; | |
dcterms:modified "2023-03-26T19:11:10.948Z"^^xsd:dateTime . | |
:relationship--88d72a6e-091f-48ff-9ad4-fd05d748d956 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--129f2f77-1ab2-4c35-bd5e-21260cee92af; | |
stix:target_ref :attack-pattern--65013dd2-bc61-43e3-afb5-a14c4fa7437a; | |
dcterms:created "2022-08-18T18:52:33.003Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[EXOTIC LILY](https://attack.mitre.org/groups/G1011) has created e-mail accounts to spoof targeted organizations.(Citation: Google EXOTIC LILY March 2022)"; | |
dcterms:modified "2022-08-18T18:52:33.003Z"^^xsd:dateTime . | |
:relationship--e0e8cd30-04d6-457c-b4c1-34145f182dad | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--cc613a49-9bfa-4e22-98d1-15ffbb03f034; | |
stix:target_ref :attack-pattern--5502c4e9-24ef-4d5f-8ee9-9e906c2f82c4; | |
dcterms:created "2022-07-01T20:25:23.375Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Earth Lusca](https://attack.mitre.org/groups/G1006) has scanned for vulnerabilities in the public-facing servers of their targets.(Citation: TrendMicro EarthLusca 2022)"; | |
dcterms:modified "2022-07-01T20:25:23.375Z"^^xsd:dateTime . | |
:relationship--ee38932c-ab04-4ac5-9ca3-d14cc98f5476 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--f9d6633a-55e6-4adc-9263-6ae080421a13; | |
stix:target_ref :attack-pattern--01a5a209-b94c-450b-b7f9-946497d91055; | |
dcterms:created "2022-05-26T15:17:44.884Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Magic Hound](https://attack.mitre.org/groups/G0059) has used a tool to run `cmd /c wmic computersystem get domain` for discovery.(Citation: DFIR Report APT35 ProxyShell March 2022)"; | |
dcterms:modified "2022-06-02T19:50:45.611Z"^^xsd:dateTime . | |
:relationship--4c2924c1-dec5-4390-87d7-c52e24a92512 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--6a2e693f-24e5-451a-9f88-b36a108e5662; | |
stix:target_ref :attack-pattern--30208d3e-0d6b-43c8-883e-44462a514619; | |
dcterms:created "2019-01-30T15:33:07.517Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[APT1](https://attack.mitre.org/groups/G0006) used a batch script to perform a series of discovery techniques and saves it to a text file.(Citation: Mandiant APT1)"; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--c965212c-f60d-4814-97ce-bbbb83382703 | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--bf91faa8-0049-4870-810a-4df55e0b77ee; | |
stix:target_ref :attack-pattern--e3b6daca-e963-4a69-aee6-ed4fd653ad58; | |
dcterms:created "2022-03-30T14:26:51.870Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Monitor for an extracted list of available firewalls and/or their associated settings/rules (ex: Azure Network Firewall CLI Show commands)"; | |
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--54aae76b-14fe-47e9-86c8-bd39317429c3 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--467271fd-47c0-4e90-a3f9-d84f5cf790d0; | |
stix:target_ref :attack-pattern--a2fdce72-04b2-409a-ac10-cc1695f4fce0; | |
dcterms:created "2023-09-18T20:45:37.266Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "\n[TA2541](https://attack.mitre.org/groups/G1018) has used commodity remote access tools.(Citation: Cisco Operation Layover September 2021)\n"; | |
dcterms:modified "2023-09-18T20:45:37.266Z"^^xsd:dateTime . | |
:relationship--e8805949-55f7-47cd-965c-2edd4221da12 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--93289ecf-4d15-4d6b-a9c3-4ab27e145ef4; | |
stix:target_ref :attack-pattern--c32f7008-9fea-41f7-8366-5eb9b74bd896; | |
dcterms:created "2023-05-23T20:31:31.136Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[QUIETCANARY](https://attack.mitre.org/software/S1076) has the ability to retrieve information from the Registry.(Citation: Mandiant Suspected Turla Campaign February 2023)"; | |
dcterms:modified "2023-05-23T20:31:31.136Z"^^xsd:dateTime . | |
:relationship--8a2a174b-c45c-4241-b773-c3d42513223d | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077; | |
stix:target_ref :attack-pattern--b83e166d-13d7-4b52-8677-dff90c548fd7; | |
dcterms:created "2022-03-30T14:26:51.871Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Monitor processes and arguments for malicious attempts to modify trust settings, such as the installation of root certificates or modifications to trust attributes/policies applied to files."; | |
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime . | |
:malware--f931a0b9-0361-4b1b-bacf-955062c35746 | |
rdf:type stix:Malware; | |
rdfs:label "Seth-Locker"; | |
dcterms:created "2021-08-13T14:57:39.387Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Seth-Locker](https://attack.mitre.org/software/S0639) is a ransomware with some remote control capabilities that has been in use since at least 2021.\n(Citation: Trend Micro Ransomware February 2021)"; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--26303f07-87f0-4740-b6ea-e81e8c01b267 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--3161d76a-e2b2-4b97-9906-24909b735386; | |
stix:target_ref :attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c; | |
dcterms:created "2020-05-26T20:33:11.754Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Aria-body](https://attack.mitre.org/software/S0456) has the ability to decrypt the loader configuration and payload DLL.(Citation: CheckPoint Naikon May 2020)"; | |
dcterms:modified "2020-05-26T20:33:11.754Z"^^xsd:dateTime . | |
:relationship--4c44fea9-545c-4d2f-a5e9-caee38ee65b4 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--4d56e6e9-1a6d-46e3-896c-dfdf3cc96e62; | |
stix:target_ref :attack-pattern--5bfccc3f-2326-4112-86cc-c1ece9d8a2b5; | |
dcterms:created "2019-04-16T12:57:12.888Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[SamSam](https://attack.mitre.org/software/S0370) has used garbage code to pad some of its malware components.(Citation: Sophos SamSam Apr 2018)"; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--6a289837-2455-471b-81e4-b677550ab77b | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--8e101fdd-9f7f-4916-bb04-6bd9e94c129c; | |
stix:target_ref :attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1; | |
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[OopsIE](https://attack.mitre.org/software/S0264) checks for information on the CPU fan, temperature, mouse, hard disk, and motherboard as part of its anti-VM checks.(Citation: Unit 42 OilRig Sept 2018)"; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--3a26d78f-e0cb-4a58-8d84-6d867b32f279 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--00806466-754d-44ea-ad6f-0caf59cb8556; | |
stix:target_ref :attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736; | |
dcterms:created "2021-09-28T22:45:48.678Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[TrickBot](https://attack.mitre.org/software/S0266) has been known to use PowerShell to download new payloads, open documents, and upload data to command and control servers. \n (Citation: Bitdefender Trickbot VNC module Whitepaper 2021)"; | |
dcterms:modified "2022-11-30T22:45:32.492Z"^^xsd:dateTime . | |
:relationship--96667f6c-e625-4696-92b5-d65d142b3f43 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--f36b2598-515f-4345-84e5-5ccde253edbe; | |
stix:target_ref :attack-pattern--fb8d023d-45be-47e9-bc51-f56bcae6435b; | |
dcterms:created "2021-10-06T02:04:09.775Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Dok](https://attack.mitre.org/software/S0281) exfiltrates logs of its execution stored in the <code>/tmp</code> folder over FTP using the <code>curl</code> command.(Citation: hexed osx.dok analysis 2019) "; | |
dcterms:modified "2021-10-09T19:14:07.293Z"^^xsd:dateTime . | |
:relationship--4bf364ad-1e9c-4860-93c0-241da4c81068 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--8c553311-0baa-4146-997a-f79acef3d831; | |
stix:target_ref :attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add; | |
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[RARSTONE](https://attack.mitre.org/software/S0055) downloads its backdoor component from a C2 server and loads it directly into memory.(Citation: Aquino RARSTONE)"; | |
dcterms:modified "2020-03-16T19:06:33.151Z"^^xsd:dateTime . | |
:relationship--731acc34-e9c3-4953-a743-7941bc73c0d2 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71; | |
stix:target_ref :tool--03342581-f790-4f03-ba41-e82e67392e23; | |
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "(Citation: US-CERT TA18-074A)"; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--9873626b-74e8-456d-9e34-95a313daa27b | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--66b1dcde-17a0-4c7b-95fa-b08d430c2131; | |
stix:target_ref :attack-pattern--deb98323-e13f-4b0c-8d94-175379069062; | |
dcterms:created "2022-09-30T20:15:22.218Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Some [S-Type](https://attack.mitre.org/software/S0085) samples have been packed with UPX.(Citation: Cylance Dust Storm)"; | |
dcterms:modified "2022-09-30T20:15:22.218Z"^^xsd:dateTime . | |
:relationship--89544a80-5144-443a-9560-ab8b7a87fa96 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--4816d361-f82b-4a18-aa05-b215e7cf9200; | |
stix:target_ref :attack-pattern--355be19c-ffc9-46d5-8d50-d6a036c675b6; | |
dcterms:created "2023-08-17T17:17:55.488Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[QUIETEXIT](https://attack.mitre.org/software/S1084) can use an inverse negotiated SSH connection as part of its C2.(Citation: Mandiant APT29 Eye Spy Email Nov 22)"; | |
dcterms:modified "2023-10-10T17:09:38.929Z"^^xsd:dateTime . | |
:relationship--935f9bb6-d38d-42d1-a764-6b5110ad5364 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90; | |
stix:target_ref :attack-pattern--be2dcee9-a7a7-4e38-afd6-21b31ecc3d63; | |
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[BRONZE BUTLER](https://attack.mitre.org/groups/G0060) has exploited Microsoft Office vulnerabilities CVE-2014-4114, CVE-2018-0802, and CVE-2018-0798 for execution.(Citation: Symantec Tick Apr 2016)(Citation: Trend Micro Tick November 2019)"; | |
dcterms:modified "2020-06-24T01:27:31.912Z"^^xsd:dateTime . | |
:relationship--93656c66-acfc-43b4-af66-bf328256b7b8 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--94873029-f950-4268-9cfd-5032e15cb182; | |
stix:target_ref :attack-pattern--118f61a5-eb3e-4fb6-931f-2096647f4ecd; | |
dcterms:created "2021-03-19T21:04:01.269Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[TA551](https://attack.mitre.org/groups/G0127) has used a DGA to generate URLs from executed macros.(Citation: Unit 42 TA551 Jan 2021)(Citation: Secureworks GOLD CABIN)"; | |
dcterms:modified "2021-03-19T21:04:01.269Z"^^xsd:dateTime . | |
:relationship--8f5e9158-1abe-4ed7-8a0a-df07f629aac8 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--222ba512-32d9-49ac-aefd-50ce981ce2ce; | |
stix:target_ref :attack-pattern--4bed873f-0b7d-41d4-b93a-b6905d1f90b0; | |
dcterms:created "2020-05-21T21:31:34.306Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Pony](https://attack.mitre.org/software/S0453) has delayed execution using a built-in function to avoid detection and analysis.(Citation: Malwarebytes Pony April 2016)\t"; | |
dcterms:modified "2020-05-21T21:31:34.306Z"^^xsd:dateTime . | |
:relationship--d200ba08-8179-495e-a854-9b13be5c0f93 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--0f862b01-99da-47cc-9bdb-db4a86a95bb1; | |
stix:target_ref :attack-pattern--5bfccc3f-2326-4112-86cc-c1ece9d8a2b5; | |
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "A variant of [Emissary](https://attack.mitre.org/software/S0082) appends junk data to the end of its DLL file to create a large file that may exceed the maximum size that anti-virus programs can scan.(Citation: Emissary Trojan Feb 2016)"; | |
dcterms:modified "2021-08-27T14:42:00.385Z"^^xsd:dateTime . | |
:attack-pattern--43881e51-ac74-445b-b4c6-f9f9e9bf23fe | |
rdf:type d3f:OffensiveTechnique; | |
rdfs:label "Port Monitors"; | |
dcterms:created "2020-01-24T19:46:27.750Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Adversaries may use port monitors to run an adversary supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the <code>AddMonitor</code> API call to set a DLL to be loaded at startup.(Citation: AddMonitor) This DLL can be located in <code>C:\\Windows\\System32</code> and will be loaded by the print spooler service, spoolsv.exe, on boot. The spoolsv.exe process also runs under SYSTEM level permissions.(Citation: Bloxham) Alternatively, an arbitrary DLL can be loaded if permissions allow writing a fully-qualified pathname for that DLL to <code>HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors</code>. \n\nThe Registry key contains entries for the following:\n\n* Local Port\n* Standard TCP/IP Port\n* USB Monitor\n* WSD Port\n\nAdversaries can use this technique to load malicious code at startup that will persist on system reboot and execute as SYSTEM."; | |
dcterms:modified "2022-05-11T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--0aac9510-f48a-4b28-ae0e-c6facc1635ae | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--effb83a0-ead1-4b36-b7f6-b7bdf9c4616e; | |
stix:target_ref :attack-pattern--3b744087-9945-4a6f-91e8-9dbceda417a4; | |
dcterms:created "2017-05-31T21:33:27.027Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:modified "2023-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--13bc2a82-c51d-4410-9e62-223df287b8f7 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--cb741463-f0fe-42e0-8d45-bc7e8335f5ae; | |
stix:target_ref :attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c; | |
dcterms:created "2021-08-31T22:15:50.454Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Lokibot](https://attack.mitre.org/software/S0447) has decoded and decrypted its stages multiple times using hard-coded keys to deliver the final payload, and has decoded its server response hex string using XOR.(Citation: Talos Lokibot Jan 2021)"; | |
dcterms:modified "2021-09-15T21:10:13.154Z"^^xsd:dateTime . | |
:relationship--e4960a7a-c280-4356-8b03-b848c68acd05 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--36801ffb-5c85-4c50-9121-6122e389366d; | |
stix:target_ref :attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104; | |
dcterms:created "2022-08-07T15:05:05.004Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description " [Action RAT](https://attack.mitre.org/software/S1028) has the ability to collect the username from an infected host.(Citation: MalwareBytes SideCopy Dec 2021)"; | |
dcterms:modified "2022-08-15T20:28:15.292Z"^^xsd:dateTime . | |
:attack-pattern--9422fc14-1c43-410d-ab0f-a709b76c72dc | |
rdf:type d3f:OffensiveTechnique; | |
rdfs:label "Registry Run Keys / Startup Folder"; | |
dcterms:created "2017-05-31T21:30:49.988Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the \"run keys\" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. (Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level.\n\nPlacing a program within a startup folder will cause that program to execute when a user logs in. There is a startup folder location for individual user accounts as well as a system-wide startup folder that will be checked regardless of which user account logs in.\n\nThe startup folder path for the current user is:\n* <code>C:\\Users\\[Username]\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup</code>\nThe startup folder path for all users is:\n* <code>C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp</code>\n\nThe following run keys are created by default on Windows systems:\n* <code>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run</code>\n* <code>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce</code>\n* <code>HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run</code>\n* <code>HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce</code>\n\nThe <code>HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx</code> is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency. (Citation: Microsoft RunOnceEx APR 2018) For example, it is possible to load a DLL at logon using a \"Depend\" key with RunOnceEx: <code>reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001\\Depend /v 1 /d \"C:\\temp\\evil[.]dll\"</code> (Citation: Oddvar Moe RunOnceEx Mar 2018)\n\nThe following Registry keys can be used to set startup folder items for persistence:\n* <code>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders</code>\n* <code>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders</code>\n* <code>HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders</code>\n* <code>HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders</code>\n\nThe following Registry keys can control automatic startup of services during boot:\n* <code>HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce</code>\n* <code>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce</code>\n* <code>HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices</code>\n* <code>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices</code>\n\nUsing policy settings to specify startup programs creates corresponding values in either of two Registry keys:\n* <code>HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run</code>\n* <code>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run</code>\n\nThe Winlogon key controls actions that occur when a user logs on to a computer running Windows 7. Most of these actions are under the control of the operating system, but you can also add custom actions here. The <code>HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit</code> and <code>HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell</code> subkeys can automatically launch programs.\n\nPrograms listed in the load value of the registry key <code>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows</code> run when any user logs on.\n\nBy default, the multistring BootExecute value of the registry key <code>HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager</code> is set to autocheck autochk *. This value causes Windows, at startup, to check the file-system integrity of the hard disks if the system has been shut down abnormally. Adversaries can add other programs or processes to this registry value which will automatically launch at boot.\n\nAdversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make the Registry entries look as if they are associated with legitimate programs."; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--701a2767-70f3-44f1-a397-9c04517ece67 | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--9da16278-c6c5-4410-8a6b-9c16ce8005b3; | |
stix:target_ref :attack-pattern--2892b9ee-ca9f-4723-b332-0dc6e843a8ae; | |
dcterms:created "2018-01-16T16:13:52.465Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:modified "2023-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--d8f14118-ba84-44b0-a0b6-ad2348e42906 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--dd889a55-fb2c-4ec7-8e9f-c399939a49e1; | |
stix:target_ref :attack-pattern--24bfaeba-cb0d-4525-b3dc-507c77ecec41; | |
dcterms:created "2022-06-28T14:54:51.493Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "The [IceApple](https://attack.mitre.org/software/S1022) Result Retriever module can AES encrypt C2 responses.(Citation: CrowdStrike IceApple May 2022)"; | |
dcterms:modified "2022-06-28T14:54:51.493Z"^^xsd:dateTime . | |
:relationship--837b0603-61a3-4cfe-b5cd-4ea2d0ea34b9 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--310f437b-29e7-4844-848c-7220868d074a; | |
stix:target_ref :attack-pattern--9422fc14-1c43-410d-ab0f-a709b76c72dc; | |
dcterms:created "2018-04-18T17:59:24.739Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "creates run key Registry entries pointing to a malicious executable dropped to disk."; | |
dcterms:modified "2018-10-23T00:14:20.652Z"^^xsd:dateTime . | |
:relationship--838b4a52-1360-4ca7-ab25-1b549508e687 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--ccd61dfc-b03f-4689-8c18-7c97eab08472; | |
stix:target_ref :attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18; | |
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "An older version of [CHOPSTICK](https://attack.mitre.org/software/S0023) has a module that monitors all mounted volumes for files with the extensions .doc, .docx, .pgp, .gpg, .m2f, or .m2o.(Citation: ESET Sednit Part 2)"; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--ae1ee1dc-6017-4177-b34c-70db166a939e | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--8ae43c46-57ef-47d5-a77a-eebb35628db2; | |
stix:target_ref :attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a; | |
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Many strings in [JHUHUGIT](https://attack.mitre.org/software/S0044) are obfuscated with a XOR algorithm.(Citation: F-Secure Sofacy 2015)(Citation: ESET Sednit Part 1)(Citation: Talos Seduploader Oct 2017)"; | |
dcterms:modified "2020-03-20T16:40:41.305Z"^^xsd:dateTime . | |
:relationship--feb29d58-b733-47a4-9d56-8d45b36f0978 | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8; | |
stix:target_ref :attack-pattern--ae7f3575-0a5e-427e-991b-fe03ad44c754; | |
dcterms:created "2022-03-30T14:26:51.857Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Most embedded network devices provide a command to print the version of the currently running operating system. Use this command to query the operating system for its version number and compare it to what is expected for the device in question. Because this method may be used in conjunction with [Patch System Image](https://attack.mitre.org/techniques/T1601/001), it may be appropriate to also verify the integrity of the vendor provided operating system image file.\n\nCompare the checksum of the operating system file with the checksum of a known good copy from a trusted source. Some embedded network device platforms may have the capability to calculate the checksum of the file, while others may not. Even for those platforms that have the capability, it is recommended to download a copy of the file to a trusted computer to calculate the checksum with software that is not compromised. (Citation: Cisco IOS Software Integrity Assurance - Image File Verification)\n\nMany vendors of embedded network devices can provide advanced debugging support that will allow them to work with device owners to validate the integrity of the operating system running in memory. If a compromise of the operating system is suspected, contact the vendor technical support and seek such services for a more thorough inspection of the current running system. (Citation: Cisco IOS Software Integrity Assurance - Run-Time Memory Verification)"; | |
dcterms:modified "2022-04-20T12:32:55.852Z"^^xsd:dateTime . | |
:relationship--104334fa-4d32-48ab-a55d-c481ce7c4cd3 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--81c57a96-fc8c-4f91-af8e-63e24c2927c2; | |
stix:target_ref :attack-pattern--bf176076-b789-408e-8cba-7275e81c0ada; | |
dcterms:created "2020-06-22T20:34:05.348Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Metamorfo](https://attack.mitre.org/software/S0455)'s C2 communication has been encrypted using OpenSSL.(Citation: Medium Metamorfo Apr 2020) "; | |
dcterms:modified "2020-10-22T01:34:58.157Z"^^xsd:dateTime . | |
:relationship--9df02934-ee06-4c63-8f27-00b88f615a26 | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077; | |
stix:target_ref :attack-pattern--b5327dd1-6bf9-4785-a199-25bcbd1f4a9d; | |
dcterms:created "2022-03-30T14:26:51.866Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Monitor newly executed processes associated with running a virtual instance, such as those launched from binary files associated with common virtualization technologies (ex: VirtualBox, VMware, QEMU, Hyper-V)."; | |
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--632ca9a0-a9f3-4b27-96e1-9fcb8bab11cb | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--68ba94ab-78b8-43e7-83e2-aed3466882c6; | |
stix:target_ref :intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d; | |
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--70bed654-4c16-456a-8691-4f2bf1c916cc | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--425771c5-48b4-4ecd-9f95-74ed3fc9da59; | |
stix:target_ref :attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104; | |
dcterms:created "2021-05-26T15:09:52.202Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[SombRAT](https://attack.mitre.org/software/S0615) can execute <code>getinfo</code> to identify the username on a compromised host.(Citation: BlackBerry CostaRicto November 2020)(Citation: CISA AR21-126A FIVEHANDS May 2021)"; | |
dcterms:modified "2021-06-08T13:29:06.848Z"^^xsd:dateTime . | |
:relationship--fb988651-2bb4-4169-be8e-14ab9c8ef483 | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--e8242a33-481c-4891-af63-4cf3e4cf6aff; | |
stix:target_ref :attack-pattern--46944654-fcc1-4f63-9dad-628102376586; | |
dcterms:created "2019-06-24T13:35:27.794Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Disallow loading of remote DLLs. (Citation: Microsoft DLL Preloading) This is included by default in Windows Server 2012+ and is available by patch for XP+ and Server 2003+. (Citation: Microsoft DLL Search) Path Algorithm\n\nEnable Safe DLL Search Mode to force search for system DLLs in directories with greater restrictions (e.g. <code>%SYSTEMROOT%</code>)to be used before local directory DLLs (e.g. a user's home directory)\n\nThe Safe DLL Search Mode can be enabled via Group Policy at Computer Configuration > [Policies] > Administrative Templates > MSS (Legacy): MSS: (SafeDllSearchMode) Enable Safe DLL search mode. The associated Windows Registry key for this is located at <code>HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\SafeDLLSearchMode</code> (Citation: Microsoft DLL Search)"; | |
dcterms:modified "2023-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--67e6b603-a45d-4cbc-9b3e-546392934f7f | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--92b55426-109f-4d93-899f-1833ce91ff90; | |
stix:target_ref :attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4; | |
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Mosquito](https://attack.mitre.org/software/S0256) can modify Registry keys under <code>HKCU\\Software\\Microsoft\\[dllname]</code> to store configuration values. [Mosquito](https://attack.mitre.org/software/S0256) also modifies Registry keys under <code>HKCR\\CLSID\\...\\InprocServer32</code> with a path to the launcher.(Citation: ESET Turla Mosquito Jan 2018)"; | |
dcterms:modified "2023-03-26T19:21:13.970Z"^^xsd:dateTime . | |
:attack-pattern--3fc01293-ef5e-41c6-86ce-61f10706b64a | |
rdf:type d3f:OffensiveTechnique; | |
rdfs:label "Steal or Forge Kerberos Tickets"; | |
dcterms:created "2020-02-11T19:12:46.830Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003). Kerberos is an authentication protocol widely used in modern Windows domain environments. In Kerberos environments, referred to as “realms”, there are three basic participants: client, service, and Key Distribution Center (KDC).(Citation: ADSecurity Kerberos Ring Decoder) Clients request access to a service and through the exchange of Kerberos tickets, originating from KDC, they are granted access after having successfully authenticated. The KDC is responsible for both authentication and ticket granting. Adversaries may attempt to abuse Kerberos by stealing tickets or forging tickets to enable unauthorized access.\n\nOn Windows, the built-in <code>klist</code> utility can be used to list and analyze cached Kerberos tickets.(Citation: Microsoft Klist)\n\nLinux systems on Active Directory domains store Kerberos credentials locally in the credential cache file referred to as the \"ccache\". The credentials are stored in the ccache file while they remain valid and generally while a user's session lasts.(Citation: MIT ccache) On modern Redhat Enterprise Linux systems, and derivative distributions, the System Security Services Daemon (SSSD) handles Kerberos tickets. By default SSSD maintains a copy of the ticket database that can be found in <code>/var/lib/sss/secrets/secrets.ldb</code> as well as the corresponding key located in <code>/var/lib/sss/secrets/.secrets.mkey</code>. Both files require root access to read. If an adversary is able to access the database and key, the credential cache Kerberos blob can be extracted and converted into a usable Kerberos ccache file that adversaries may use for [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003). The ccache file may also be converted into a Windows format using tools such as Kekeo.(Citation: Linux Kerberos Tickets)(Citation: Brining MimiKatz to Unix)(Citation: Kekeo)\n\n\nKerberos tickets on macOS are stored in a standard ccache format, similar to Linux. By default, access to these ccache entries is federated through the KCM daemon process via the Mach RPC protocol, which uses the caller's environment to determine access. The storage location for these ccache entries is influenced by the <code>/etc/krb5.conf</code> configuration file and the <code>KRB5CCNAME</code> environment variable which can specify to save them to disk or keep them protected via the KCM daemon. Users can interact with ticket storage using <code>kinit</code>, <code>klist</code>, <code>ktutil</code>, and <code>kcc</code> built-in binaries or via Apple's native Kerberos framework. Adversaries can use open source tools to interact with the ccache files directly or to use the Kerberos framework to call lower-level APIs for extracting the user's TGT or Service Tickets.(Citation: SpectorOps Bifrost Kerberos macOS 2019)(Citation: macOS kerberos framework MIT)\n"; | |
dcterms:modified "2023-05-09T14:00:00.188Z"^^xsd:dateTime . | |
:attack-pattern--c23b740b-a42b-47a1-aec2-9d48ddd547ff | |
rdf:type d3f:OffensiveTechnique; | |
rdfs:label "Pass the Hash"; | |
dcterms:created "2017-05-31T21:30:59.339Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password. This method bypasses standard authentication steps that require a cleartext password, moving directly into the portion of the authentication that uses the password hash. In this technique, valid password hashes for the account being used are captured using a Credential Access technique. Captured hashes are used with PtH to authenticate as that user. Once authenticated, PtH may be used to perform actions on local or remote systems. \n\nWindows 7 and higher with KB2871997 require valid domain user credentials or RID 500 administrator hashes. (Citation: NSA Spotting)"; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:malware--9b325b06-35a1-457d-be46-a4ecc0b7ff0c | |
rdf:type stix:Malware; | |
rdfs:label "RATANKBA"; | |
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[RATANKBA](https://attack.mitre.org/software/S0241) is a remote controller tool used by [Lazarus Group](https://attack.mitre.org/groups/G0032). [RATANKBA](https://attack.mitre.org/software/S0241) has been used in attacks targeting financial institutions in Poland, Mexico, Uruguay, the United Kingdom, and Chile. It was also seen used against organizations related to telecommunications, management consulting, information technology, insurance, aviation, and education. [RATANKBA](https://attack.mitre.org/software/S0241) has a graphical user interface to allow the attacker to issue jobs to perform on the infected machines. (Citation: Lazarus RATANKBA) (Citation: RATANKBA)"; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--57216102-21aa-402b-b306-79e1dd548716 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4; | |
stix:target_ref :tool--afc079f3-c0ea-4096-b75d-3f05338b7f60; | |
dcterms:created "2019-04-16T15:21:57.842Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "(Citation: FireEye TRITON 2019)"; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--796f56ac-a97a-4038-a005-1523a185e059 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542; | |
stix:target_ref :attack-pattern--861b8fd2-57f3-4ee1-ab5d-c19c3b8c7a4a; | |
dcterms:created "2021-04-16T21:33:50.813Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[APT29](https://attack.mitre.org/groups/G0016) has bypassed MFA set on OWA accounts by generating a cookie value from a previously stolen secret key.(Citation: Volexity SolarWinds)"; | |
dcterms:modified "2023-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--3e24f01c-3af8-4dde-9200-4f69fecb3156 | |
rdf:type stix:Relationship; | |
stix:source_ref :attack-pattern--b39d03cb-7b98-41c4-a878-c40c1a913dc0; | |
stix:target_ref :attack-pattern--f2877f7f-9a4c-4251-879f-1224e3006bee; | |
dcterms:created "2020-02-11T20:35:32.284Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:malware--df350889-4de9-44e5-8cb3-888b8343e97c | |
rdf:type stix:Malware; | |
rdfs:label "metaMain"; | |
dcterms:created "2023-01-24T00:12:34.751Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[metaMain](https://attack.mitre.org/software/S1059) is a backdoor used by [Metador](https://attack.mitre.org/groups/G1013) to maintain long-term access to compromised machines; it has also been used to decrypt [Mafalda](https://attack.mitre.org/software/S1060) into memory.(Citation: SentinelLabs Metador Sept 2022)(Citation: SentinelLabs Metador Technical Appendix Sept 2022)"; | |
dcterms:modified "2023-04-05T14:09:42.670Z"^^xsd:dateTime . | |
:relationship--8c041b13-34d6-4da5-8a80-0dade355953d | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8; | |
stix:target_ref :attack-pattern--b83e166d-13d7-4b52-8677-dff90c548fd7; | |
dcterms:created "2022-03-30T14:26:51.871Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Periodically baseline registered SIPs and trust providers (Registry entries and files on disk), specifically looking for new, modified, or non-Microsoft entries.(Citation: SpectorOps Subverting Trust Sept 2017) Also analyze Autoruns data for oddities and anomalies, specifically malicious files attempting persistent execution by hiding within auto-starting locations. Autoruns will hide entries signed by Microsoft or Windows by default, so ensure “Hide Microsoft Entries” and “Hide Windows Entries” are both deselected.(Citation: SpectorOps Subverting Trust Sept 2017)\n\nOn macOS, the removal of the <code>com.apple.quarantine</code> flag by a user instead of the operating system is a suspicious action and should be examined further. Also monitor software update frameworks that may strip this flag when performing updates."; | |
dcterms:modified "2022-03-30T14:26:51.871Z"^^xsd:dateTime . | |
:relationship--886aa8d9-b95e-4577-812a-f1ddcedbe70f | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8; | |
stix:target_ref :attack-pattern--04ef4356-8926-45e2-9441-634b6f3dcecb; | |
dcterms:created "2019-06-25T13:32:35.994Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Binaries can also be baselined for what dynamic libraries they require, and if an app requires a new dynamic library that wasn\\u2019t included as part of an update, it should be investigated."; | |
dcterms:modified "2023-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--32478440-a1d2-458d-a749-e2d200415106 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192; | |
stix:target_ref :attack-pattern--c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f; | |
dcterms:created "2020-11-25T22:46:47.381Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Sandworm Team](https://attack.mitre.org/groups/G0034) has used stolen credentials to access administrative accounts within the domain.(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: Microsoft Prestige ransomware October 2022)"; | |
dcterms:modified "2023-01-20T18:40:35.934Z"^^xsd:dateTime . | |
:relationship--105a37da-145b-4143-8641-566350cd143c | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192; | |
stix:target_ref :attack-pattern--5502c4e9-24ef-4d5f-8ee9-9e906c2f82c4; | |
dcterms:created "2020-11-25T22:46:47.615Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Sandworm Team](https://attack.mitre.org/groups/G0034) has scanned network infrastructure for vulnerabilities as part of its operational planning.(Citation: US District Court Indictment GRU Unit 74455 October 2020)"; | |
dcterms:modified "2020-11-25T22:46:47.615Z"^^xsd:dateTime . | |
:relationship--5c160f0c-1c12-4ab0-bd6e-a30f8d5bc168 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--b51797f7-57da-4210-b8ac-b8632ee75d70; | |
stix:target_ref :attack-pattern--f3c544dc-673c-4ef3-accb-53229f1ae077; | |
dcterms:created "2020-06-11T20:08:11.417Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[TajMahal](https://attack.mitre.org/software/S0467) has the ability to determine local time on a compromised host.(Citation: Kaspersky TajMahal April 2019)"; | |
dcterms:modified "2020-06-11T20:08:11.417Z"^^xsd:dateTime . | |
:relationship--56f490de-51e8-47c4-9eae-ecdd1a55e6ef | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--b9f0c069-abbe-4a07-a245-2481219a1463; | |
stix:target_ref :attack-pattern--d742a578-d70e-4d0e-96a6-02a9c30204e6; | |
dcterms:created "2019-06-24T13:38:13.125Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Browser sandboxes can be used to mitigate some of the impact of exploitation, but sandbox escapes may still exist.(Citation: Windows Blogs Microsoft Edge Sandbox)(Citation: Ars Technica Pwn2Own 2017 VM Escape)\n\nOther types of virtualization and application microsegmentation may also mitigate the impact of client-side exploitation. The risks of additional exploits and weaknesses in implementation may still exist for these types of systems.(Citation: Ars Technica Pwn2Own 2017 VM Escape)"; | |
dcterms:modified "2022-03-08T21:11:48.078Z"^^xsd:dateTime . | |
:relationship--9e60bb82-19b3-4e76-82f0-32b8b6e611ba | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0; | |
stix:target_ref :attack-pattern--2aed01ad-3df3-4410-a8cb-11ea4ded587c; | |
dcterms:created "2022-03-30T14:26:51.844Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Monitor for executed commands and arguments that may attempt to find domain-level groups and permission settings."; | |
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--321e9302-b335-4f17-b03a-7782683d69f9 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--35d1b3be-49d4-42f1-aaa6-ef159c880bca; | |
stix:target_ref :attack-pattern--5372c5fe-f424-4def-bcd5-d3a8e770f07b; | |
dcterms:created "2021-10-01T01:57:31.556Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[TeamTNT](https://attack.mitre.org/groups/G0139) has disabled <code>iptables</code>.(Citation: Aqua TeamTNT August 2020)"; | |
dcterms:modified "2021-10-01T01:57:31.556Z"^^xsd:dateTime . | |
:relationship--2c1758b2-6809-48f5-84f1-e82afa950a9f | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--00e7d565-9883-4ee5-b642-8fd17fd6a3f5; | |
stix:target_ref :attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580; | |
dcterms:created "2021-02-12T20:07:43.170Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[EKANS](https://attack.mitre.org/software/S0605) looks for processes from a hard-coded list.(Citation: Dragos EKANS)(Citation: FireEye Ransomware Feb 2020)(Citation: IBM Ransomware Trends September 2020)"; | |
dcterms:modified "2021-10-13T21:54:51.805Z"^^xsd:dateTime . | |
:relationship--de195a33-8461-4d6a-aa6a-cb2893904c66 | |
rdf:type stix:Relationship; | |
stix:source_ref :attack-pattern--7ad38ef1-381a-406d-872a-38b136eb5ecc; | |
stix:target_ref :attack-pattern--d28ef391-8ed4-45dc-bc4a-2f43abf54416; | |
dcterms:created "2020-02-14T13:09:51.274Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--8f16cec3-2fba-4b69-a5c5-c3eb1f185e90 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--0a607c53-df52-45da-a75d-0e53df4dad5f; | |
stix:target_ref :attack-pattern--ac08589e-ee59-4935-8667-d845e38fe579; | |
dcterms:created "2019-07-29T14:58:44.928Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[RobbinHood](https://attack.mitre.org/software/S0400) will search for Windows services that are associated with antivirus software on the system and kill the process.(Citation: CarbonBlack RobbinHood May 2019) "; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--d8f5283b-fe44-4206-8a7d-393d216beb7e | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--c0c45d38-fe57-4cd4-b2b2-9ecd0ddd4ca9; | |
stix:target_ref :attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4; | |
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[TinyZBot](https://attack.mitre.org/software/S0004) contains keylogger functionality.(Citation: Cylance Cleaver)"; | |
dcterms:modified "2022-07-22T18:37:22.206Z"^^xsd:dateTime . | |
:relationship--6337cf38-4b52-4e3d-a63e-670e077ec52f | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--8c1f0187-0826-4320-bddc-5f326cfcfe2c; | |
stix:target_ref :attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736; | |
dcterms:created "2020-08-27T21:22:39.805Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Chimera](https://attack.mitre.org/groups/G0114) has used PowerShell scripts to execute malicious payloads and the DSInternals PowerShell module to make use of Active Directory features.(Citation: Cycraft Chimera April 2020)(Citation: NCC Group Chimera January 2021)\t"; | |
dcterms:modified "2023-02-06T18:11:56.973Z"^^xsd:dateTime . | |
:relationship--b736ab77-4dd6-4c80-8b8a-d15446436e0e | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--590777b3-b475-4c7c-aaf8-f4a73b140312; | |
stix:target_ref :attack-pattern--b46a801b-fd98-491c-a25a-bca25d6e3001; | |
dcterms:created "2021-06-17T18:49:50.117Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Ensure IIS DLLs and binaries are signed by the correct application developers."; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--dfd24960-6b7e-4fab-bb84-2fc2ed4fc772 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--295721d2-ee20-4fa3-ade3-37f4146b4570; | |
stix:target_ref :attack-pattern--00f90846-cbd1-4fc5-9233-df5c2bf2a662; | |
dcterms:created "2021-06-11T16:51:49.284Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[AppleSeed](https://attack.mitre.org/software/S0622) can zip and encrypt data collected on a target system.(Citation: Malwarebytes Kimsuky June 2021)"; | |
dcterms:modified "2021-06-11T16:56:08.706Z"^^xsd:dateTime . | |
:relationship--bec1b07a-6a67-469e-8b87-246e950d86b2 | |
rdf:type stix:Relationship; | |
stix:source_ref :tool--a7b5df47-73bb-4d47-b701-869f185633a6; | |
stix:target_ref :attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736; | |
dcterms:created "2022-03-25T14:32:35.645Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Donut](https://attack.mitre.org/software/S0695) can generate shellcode outputs that execute via PowerShell.(Citation: Donut Github)\t"; | |
dcterms:modified "2022-04-18T16:25:46.715Z"^^xsd:dateTime . | |
:relationship--a8fef3c0-796a-4995-81fe-c47336c3ddbd | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--cc613a49-9bfa-4e22-98d1-15ffbb03f034; | |
stix:target_ref :attack-pattern--a2fdce72-04b2-409a-ac10-cc1695f4fce0; | |
dcterms:created "2022-09-02T19:19:17.187Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Earth Lusca](https://attack.mitre.org/groups/G1006) has acquired and used a variety of open source tools.(Citation: TrendMicro EarthLusca 2022)"; | |
dcterms:modified "2022-09-02T19:19:17.187Z"^^xsd:dateTime . | |
:relationship--c8e78d6f-ac9d-4ad3-ae13-238f1eb4423a | |
rdf:type stix:Relationship; | |
stix:source_ref :campaign--46421788-b6e1-4256-b351-f8beffd1afba; | |
stix:target_ref :malware--54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4; | |
dcterms:created "2023-09-27T13:22:13.265Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "(Citation: Booz Allen Hamilton)"; | |
dcterms:modified "2023-09-27T13:25:51.965Z"^^xsd:dateTime . | |
:relationship--c1fc2403-6cea-40ca-a5ba-82296600988c | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--99854cc8-f202-4e03-aa0a-4f8a4af93229; | |
stix:target_ref :attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161; | |
dcterms:created "2022-06-10T20:16:48.015Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Shark](https://attack.mitre.org/software/S1019) has the ability to use HTTP in C2 communications.(Citation: ClearSky Siamesekitten August 2021)(Citation: Accenture Lyceum Targets November 2021)"; | |
dcterms:modified "2022-06-16T14:11:03.646Z"^^xsd:dateTime . | |
:attack-pattern--fc742192-19e3-466c-9eb5-964a97b29490 | |
rdf:type d3f:OffensiveTechnique; | |
rdfs:label "Dylib Hijacking"; | |
dcterms:created "2020-03-16T15:23:30.896Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an expected name in a path a victim application searches at runtime. The dynamic loader will try to find the dylibs based on the sequential order of the search paths. Paths to dylibs may be prefixed with <code>@rpath</code>, which allows developers to use relative paths to specify an array of search paths used at runtime based on the location of the executable. Additionally, if weak linking is used, such as the <code>LC_LOAD_WEAK_DYLIB</code> function, an application will still execute even if an expected dylib is not present. Weak linking enables developers to run an application on multiple macOS versions as new APIs are added.\n\nAdversaries may gain execution by inserting malicious dylibs with the name of the missing dylib in the identified path.(Citation: Wardle Dylib Hijack Vulnerable Apps)(Citation: Wardle Dylib Hijacking OSX 2015)(Citation: Github EmpireProject HijackScanner)(Citation: Github EmpireProject CreateHijacker Dylib) Dylibs are loaded into an application's address space allowing the malicious dylib to inherit the application's privilege level and resources. Based on the application, this could result in privilege escalation and uninhibited network access. This method may also evade detection from security products since the execution is masked under a legitimate process.(Citation: Writing Bad Malware for OSX)(Citation: wardle artofmalware volume1)(Citation: MalwareUnicorn macOS Dylib Injection MachO)"; | |
dcterms:modified "2023-10-31T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--ec0ffb41-2adb-4416-8869-5b99e61615c2 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--8beac7c2-48d2-4cd9-9b15-6c452f38ac06; | |
stix:target_ref :attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62; | |
dcterms:created "2019-06-07T16:34:21.076Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Ixeshe](https://attack.mitre.org/software/S0015) is capable of executing commands via [cmd](https://attack.mitre.org/software/S0106).(Citation: Trend Micro IXESHE 2012)"; | |
dcterms:modified "2020-03-20T02:19:48.807Z"^^xsd:dateTime . | |
:relationship--90eb6858-e561-4ed0-855b-f9afbe3ac394 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--47afe41c-4c08-485e-b062-c3bd209a1cce; | |
stix:target_ref :attack-pattern--43e7dc91-05b2-474c-b9ac-2ed4fe101f4d; | |
dcterms:created "2020-07-16T15:24:32.836Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[InvisiMole](https://attack.mitre.org/software/S0260) can inject itself into another process to avoid detection including use of a technique called ListPlanting that customizes the sorting algorithm in a ListView structure.(Citation: ESET InvisiMole June 2020)"; | |
dcterms:modified "2020-07-17T20:14:44.600Z"^^xsd:dateTime . | |
:relationship--a18f1daf-1eed-4e33-8107-76f136925742 | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1; | |
stix:target_ref :attack-pattern--ea4c2f9c-9df1-477c-8c42-6da1118f2ac4; | |
dcterms:created "2022-08-22T20:47:21.282Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Monitoring module loads, especially those not explicitly included in import tables, may highlight obfuscated API function calls. Dynamic malware analysis may also expose signs of function obfuscation, such as memory reads that correspond to addresses of API function code within modules.(Citation: BlackHat API Packers)"; | |
dcterms:modified "2022-08-23T18:18:16.846Z"^^xsd:dateTime . | |
:relationship--b80516ee-1635-43da-babf-201d9f76c1d8 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--7e6c2a9d-9dc1-4eb0-b27c-91e8076a9d77; | |
stix:target_ref :attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c; | |
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[QUADAGENT](https://attack.mitre.org/software/S0269) has a command to delete its Registry key and scheduled task.(Citation: Unit 42 QUADAGENT July 2018)"; | |
dcterms:modified "2020-03-17T02:18:35.267Z"^^xsd:dateTime . | |
:relationship--02462741-4148-48b3-881b-1b813ce62fcc | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542; | |
stix:target_ref :malware--ae9d818d-95d0-41da-b045-9cabea1ca164; | |
dcterms:created "2017-05-31T21:33:27.050Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "(Citation: F-Secure The Dukes)"; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--4b66e057-adbc-498d-99ee-156e0d17bd53 | |
rdf:type stix:Relationship; | |
stix:source_ref :campaign--0257b35b-93ef-4a70-80dd-ad5258e6045b; | |
stix:target_ref :intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a; | |
dcterms:created "2023-03-17T13:51:05.665Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "(Citation: ClearSky Lazarus Aug 2020)(Citation: McAfee Lazarus Jul 2020)(Citation: McAfee Lazarus Nov 2020)(Citation: ESET Lazarus Jun 2020)"; | |
dcterms:modified "2023-03-17T13:51:05.665Z"^^xsd:dateTime . | |
:relationship--9d9b0e66-5b9d-4711-8e5a-23e2807ce7ef | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--47124daf-44be-4530-9c63-038bc64318dd; | |
stix:target_ref :attack-pattern--02c5abff-30bf-4703-ab92-1f6072fae939; | |
dcterms:created "2020-09-24T13:19:42.696Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[RegDuke](https://attack.mitre.org/software/S0511) can store its encryption key in the Registry.(Citation: ESET Dukes October 2019)"; | |
dcterms:modified "2023-03-24T21:26:03.567Z"^^xsd:dateTime . | |
:relationship--23d2aa8e-0b95-4714-8b76-b1a0735ffdeb | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--feb2d7bb-aacb-48df-ad04-ccf41a30cd90; | |
stix:target_ref :attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161; | |
dcterms:created "2020-11-19T18:02:58.410Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[SLOTHFULMEDIA](https://attack.mitre.org/software/S0533) has used HTTP and HTTPS for C2 communications.(Citation: CISA MAR SLOTHFULMEDIA October 2020)"; | |
dcterms:modified "2020-11-19T18:02:58.410Z"^^xsd:dateTime . | |
:relationship--c336d7c6-0876-445c-8197-924eae28bc16 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--cc613a49-9bfa-4e22-98d1-15ffbb03f034; | |
stix:target_ref :tool--981acc4c-2ede-4b56-be6e-fa1a75f37acf; | |
dcterms:created "2022-09-09T16:20:10.948Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "(Citation: TrendMicro EarthLusca 2022)"; | |
dcterms:modified "2022-09-09T16:20:10.948Z"^^xsd:dateTime . | |
:relationship--fd518b7a-b35d-4689-89f6-525efbeee18f | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d; | |
stix:target_ref :tool--cf23bf4a-e003-4116-bbae-1ea6c558d565; | |
dcterms:created "2018-01-16T16:13:52.465Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "(Citation: Palo Alto OilRig Oct 2016)"; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--a9bf9268-1c45-4293-a5c2-c493556ad546 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--f36b2598-515f-4345-84e5-5ccde253edbe; | |
stix:target_ref :attack-pattern--a782ebe2-daba-42c7-bc82-e8e9d923162d; | |
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Dok](https://attack.mitre.org/software/S0281) downloads and installs [Tor](https://attack.mitre.org/software/S0183) via homebrew.(Citation: objsee mac malware 2017)"; | |
dcterms:modified "2021-10-09T19:14:07.283Z"^^xsd:dateTime . | |
:relationship--48c4d56e-e282-4810-b974-6a325b7d130d | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--93e7968a-9074-4eac-8ae9-9f5200ec3317; | |
stix:target_ref :attack-pattern--573ad264-1371-4ae0-8482-d2673b719dba; | |
dcterms:created "2020-01-17T19:23:15.412Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create new Launch Daemons."; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--1896ca51-adf4-4a3b-be89-1aae18465741 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1; | |
stix:target_ref :attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81; | |
dcterms:created "2021-12-07T15:04:35.808Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Dragonfly](https://attack.mitre.org/groups/G0035) has compromised user credentials and used valid accounts for operations.(Citation: US-CERT TA18-074A)(Citation: Gigamon Berserk Bear October 2021)(Citation: CISA AA20-296A Berserk Bear December 2020)"; | |
dcterms:modified "2021-12-10T14:18:11.856Z"^^xsd:dateTime . | |
:relationship--de0ee6e1-6b97-40be-b036-5339db13e6e4 | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--20945359-3b39-4542-85ef-08ecb4e1c174; | |
stix:target_ref :attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580; | |
dcterms:created "2020-07-27T17:47:34.029Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[StrongPity](https://attack.mitre.org/software/S0491) can determine if a user is logged in by checking to see if explorer.exe is running.(Citation: Talos Promethium June 2020)"; | |
dcterms:modified "2020-07-27T17:47:34.029Z"^^xsd:dateTime . | |
:relationship--97ff5931-f27f-4774-b595-312f5771f91a | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--b1de6916-7a22-4460-8d26-6b5483ffaa2a; | |
stix:target_ref :attack-pattern--4ab929c6-ee2d-4fb5-aab4-b14be2ed7179; | |
dcterms:created "2017-12-14T16:46:06.044Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[SHIPSHAPE](https://attack.mitre.org/software/S0028) achieves persistence by creating a shortcut in the Startup folder.(Citation: FireEye APT30)"; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:relationship--15fb0728-9973-4ce4-b0d9-2c177be952c7 | |
rdf:type stix:Relationship; | |
stix:source_ref :attack-pattern--5372c5fe-f424-4def-bcd5-d3a8e770f07b; | |
stix:target_ref :attack-pattern--3d333250-30e4-4a82-9edc-756c68afc529; | |
dcterms:created "2020-02-21T21:00:49.032Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:modified "2022-04-25T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--5f402d02-94f9-49de-b097-2d89c59de394 | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c; | |
stix:target_ref :malware--d20b397a-ea47-48a9-b503-2e2a3551e11d; | |
dcterms:created "2019-01-30T19:06:33.901Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "(Citation: Unit42 Cannon Nov 2018)(Citation: Unit42 Sofacy Dec 2018)"; | |
dcterms:modified "2020-03-20T16:37:06.707Z"^^xsd:dateTime . | |
:relationship--73c6ad27-074a-437d-82ec-39592b783160 | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--b9f0c069-abbe-4a07-a245-2481219a1463; | |
stix:target_ref :attack-pattern--acd0ba37-7ba9-4cc5-ac61-796586cd856d; | |
dcterms:created "2020-03-09T13:13:24.024Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Ensure all COM alerts and Protected View are enabled.(Citation: Microsoft Protected View)"; | |
dcterms:modified "2022-03-11T20:14:42.487Z"^^xsd:dateTime . | |
:relationship--fd8fa359-c13e-4641-9c3e-d03218daee0c | |
rdf:type stix:Relationship; | |
stix:source_ref :intrusion-set--2a158b0a-7ef8-43cb-9985-bf34d1e12050; | |
stix:target_ref :malware--3161d76a-e2b2-4b97-9906-24909b735386; | |
dcterms:created "2020-05-26T20:37:19.548Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "(Citation: CheckPoint Naikon May 2020)(Citation: Bitdefender Naikon April 2021)"; | |
dcterms:modified "2021-06-29T14:37:02.738Z"^^xsd:dateTime . | |
:relationship--29a6afc7-f051-4c26-b6a2-cad09c73180f | |
rdf:type stix:Relationship; | |
stix:source_ref :malware--da2ef4a9-7cbe-400a-a379-e2f230f28db3; | |
stix:target_ref :attack-pattern--dfebc3b7-d19d-450b-81c7-6dafe4184c04; | |
dcterms:created "2020-06-29T01:35:30.267Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[BOOTRASH](https://attack.mitre.org/software/S0114) has used unallocated disk space between partitions for a hidden file system that stores components of the Nemesis bootkit.(Citation: FireEye Bootkits)"; | |
dcterms:modified "2020-06-29T01:35:30.267Z"^^xsd:dateTime . | |
:relationship--295b6c01-1a79-4fd9-b3a1-010affcc3c88 | |
rdf:type stix:Relationship; | |
stix:source_ref :x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0; | |
stix:target_ref :attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688; | |
dcterms:created "2022-03-30T14:26:51.868Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Monitor executed commands and arguments that may attempt to take screen captures of the desktop to gather information over the course of an operation."; | |
dcterms:modified "2022-05-24T14:00:00.188Z"^^xsd:dateTime . | |
:relationship--ced175fd-1f27-44cb-8d7f-44277b1754e4 | |
rdf:type stix:Relationship; | |
stix:source_ref :tool--fbd727ea-c0dc-42a9-8448-9e12962d1ab5; | |
stix:target_ref :attack-pattern--3f886f2a-874f-4333-b794-aa6075009b1c; | |
dcterms:created "2018-04-18T17:59:24.739Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[Havij](https://attack.mitre.org/software/S0224) is used to automate SQL injection.(Citation: Check Point Havij Analysis)"; | |
dcterms:modified "2020-03-31T14:49:39.188Z"^^xsd:dateTime . | |
:course-of-action--fdb1ae84-7b00-4d3d-b7dc-c774beef6425 | |
rdf:type stix:CourseOfAction; | |
rdfs:label "Account Manipulation Mitigation"; | |
dcterms:created "2018-10-17T00:14:20.652Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Use multifactor authentication. Follow guidelines to prevent or limit adversary access to [Valid Accounts](https://attack.mitre.org/techniques/T1078).\n\nProtect domain controllers by ensuring proper security configuration for critical servers. Configure access controls and firewalls to limit access to these systems. Do not allow domain administrator accounts to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems."; | |
dcterms:modified "2019-07-24T14:04:18.461Z"^^xsd:dateTime . | |
:relationship--7a1cf82e-68e5-49ca-89ae-e492cd85dab4 | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--b045d015-6bed-4490-bd38-56b41ece59a0; | |
stix:target_ref :attack-pattern--10ffac09-e42d-4f56-ab20-db94c67d76ff; | |
dcterms:created "2019-10-14T16:25:38.680Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "A physical second factor key that uses the target login domain as part of the negotiation protocol will prevent session cookie theft through proxy methods.(Citation: Evilginx 2 July 2018)"; | |
dcterms:modified "2021-07-28T01:26:52.229Z"^^xsd:dateTime . | |
:tool--c11ac61d-50f4-444f-85d8-6f006067f0de | |
rdf:type stix:Tool; | |
rdfs:label "route"; | |
dcterms:created "2017-05-31T21:33:04.151Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[route](https://attack.mitre.org/software/S0103) can be used to find or change information within the local system IP routing table. (Citation: TechNet Route)"; | |
dcterms:modified "2022-05-11T14:00:00.188Z"^^xsd:dateTime . | |
:malware--007b44b6-e4c5-480b-b5b9-56f2081b1b7b | |
rdf:type stix:Malware; | |
rdfs:label "HDoor"; | |
dcterms:created "2017-05-31T21:32:40.801Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "[HDoor](https://attack.mitre.org/software/S0061) is malware that has been customized and used by the [Naikon](https://attack.mitre.org/groups/G0019) group. (Citation: Baumgartner Naikon 2015)"; | |
dcterms:modified "2023-04-04T20:20:59.961Z"^^xsd:dateTime . | |
:relationship--a0a004fe-2636-4f6d-85c7-2401768252a2 | |
rdf:type stix:Relationship; | |
stix:source_ref :course-of-action--12241367-a8b7-49b4-b86e-2236901ba50c; | |
stix:target_ref :attack-pattern--c3888c54-775d-4b2f-b759-75a2ececcbfd; | |
dcterms:created "2019-06-24T12:03:02.500Z"^^xsd:dateTime; | |
dcterms:creator :identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5; | |
dcterms:description "Network intrusion detection and preventi |
hey you know fuck. you GitHub you people have stolen over 10 years of my crypto there is no attack you dumb you are being used like the ones before you, so they stole millions from me and created git coins
that's what GitHub want you to believe. i will not play this fake attack attack attack bull shit fuck off
?
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
hey you know fuck. you GitHub you people have stolen over 10 years of my crypto there is no attack you dumb you are being used like the ones before you, so they stole millions from me and created git coins
that's what GitHub want you to believe. i will not play this fake attack attack attack bull shit fuck off